The Supreme Court has issued notice on a Public Interest Litigation (PIL), which seeks directions to different departments of the Central government to take appropriate steps against four foreign credit information companies (CICs) for alleged financial data privacy violations of citizens.
The Bench led by Chief Justice of India DY Chandrachud agreed to consider the matter and appointed K Parameswar as the Amicus Curiae to assist the Court.
The Apex Court directed that the present development be informed to the petitioner-in-person, who was not present in the court. The matter was listed for further hearing on July 15.
The petition contended that the four private multinational companies with head offices and data storage systems located outside India have been retrieving and storing sensitive financial information of banking customers without their consent and selling it further.
These companies include Transunion CIBIL Limited, Experian Credit Information Company Of India Pvt Ltd, Equifax Credit Information Services, and CRIF High Mark Credit Information Services Pvt Ltd.
The petitioner submitted that this constituted a grave violation of the Right to Privacy as laid down in the landmark judgement of KS Puttaswamy vs UOI.
The plea said the Respondents 5, 6, 7 & 8, after collecting the above-mentioned sensitive data from all the Banks, Financial Institutions and from various other sources, all illegally without the knowledge & by forced consent of the customers, literally dressed up & repackaged the sensitive confidential information of the customers and was put on sale for all their members, for any type of lending institutions in the country or abroad and for the general public and profit from them in a very big way.
It contended that the companies have been in dire breach of the ‘Privacy Principles’ of the CICR Act 2005 (Credit Information Companies Regulation Act). The CICR Act regulated the CICs by ensuring that there was no breach of confidential information of the banking data and citizens.
The guidelines have been laid down as per the Act, which monitor the collection, storage, and dissemination of credit information, ensuring consumer privacy and data security, and facilitating efficient credit markets.
The petitioner submitted that 12 main principles under the Act have been violated by the present CICs. These include:
4.1: Privacy Principle on Personal Data;
4.2: Privacy Principle on “Care in collection of Credit Information”;
4.3: Privacy Principle on “Personal Data Collection Purpose”;
4.4: Privacy Principle on “Personal Data Preservation/ Archiving” ;
4.5: Privacy Principle on “Data Security & Secrecy” ;
4.6: Privacy Principle on “Data Collection Limitation” ;
4.7: Privacy Principle on “Data Accuracy & Security of Credit; Information” – Abused & Violated;
4.8: Privacy Principle on “Unauthorized access to Credit Information” ;
4.9: Privacy Principle on “Access & Modification “of Credit Information ;
4.10: Privacy Principle on “Data Use Limitation” ;
4.11: Privacy Principle on “Alteration of Credit Information files & Credit Reports”;
4.12: Privacy Principle on “Offenses & Penalties”