By Shobhit Shukla
This article is adapted from a blog post published in The CCG Blog, which can be accessed here.
India’s latest draft data protection law, the Digital Personal Data Protection Bill, 2022 (‘Bill’)*, stipulates certain situations in which an individual’s consent for processing their personal data is ‘deemed’. It sets out certain purposes for such non-consensual processing in ‘public interest’, and includes ‘credit-scoring’ in Clause 8(8)(d). Put simply, the Bill allows an individual’s personal data to be processed non-consensually and without any notice, where such processing is for credit-scoring.
Evolution of credit-scoring in India
Credit-scoring is a process by which a lender (or its agent) assesses an individual’s creditworthiness i.e., their notional capacity to repay their prospective debt, as represented by a numerical credit score. Until recently, lenders in India relied largely on credit scores generated by credit information companies (‘CICs’), licensed by the Reserve Bank of India (‘RBI’) under the Credit Information Companies (Regulation) Act, 2005 (‘CIC Act’). CICs collect and process ‘credit information’, comprising chiefly the details of an individual’s outstanding loans and history of repayment/defaults, to generate such scores. However, with the expansion of digital footprints and advancements in automated processing, the range of datasets deployed to generate credit scores has expanded significantly. Thus, lenders are increasingly using credit scores generated algorithmically by third-party service-providers. Such agents aggregate and process a wide variety of alternative datasets relating to an individual, alongside credit information – these may include the individual’s employment history, social media activity, and web browsing history. This allows them to build a data-intensive credit profile of (and assign a more granular credit score to) the individual, to assist lenders in deciding whether to extend credit.
While neither the Bill nor its explanatory note explains why credit-scoring constitutes a public-interest ground for non-consensual processing, it may be viewed as an attempt to remove the procedural burden surrounding notice-and-consent. For credit-scoring, if entities are required to comply with notice-and-consent to process each stream of an individual’s personal data, the procedural costs may disincentivise them from accessing certain data-streams. Consequently, with limited data to assess credit-risk, lenders may avoid extending credit to certain sections of individuals. Alternatively, they may decide to extend credit despite the supposed inadequacy of personal data, thereby exposing themselves to higher risk of repayment defaults. While the former approach would be inimical to financial inclusion, the latter could possibly result in accumulation of bad loans on lenders’ balance sheets. Thus, encouraging data-intensive credit-scoring may conceivably be viewed as a legitimate public interest.
However, even if this were to be accepted, a complete exemption from notice-and-consent for credit-scoring, as proposed in Clause 8(8)(d), poses a disproportionate risk to individuals’ right to privacy and data protection. The efficacy of notice-and-consent in enhancing informational autonomy remains debatable; however, the exemption from this requirement without any accompanying safeguards ignores specific concerns associated with credit-scoring.
Deemed consent for credit-scoring: Understanding the risks
First, the provision allows non-consensual processing of all forms of personal data, regardless of any correlation of such data with creditworthiness. In effect, this would encourage lenders to leverage the widest possible range of personal datasets. As research has demonstrated, the deployment of disparate datasets increases incidences of inaccuracy as well as of spurious connections between the data-input and the output. In credit-scoring, the underlying algorithm, trained on historical data, may conclude, for instance, that borrowers from a certain social background are likelier to default in repayment. Credit-scores generated from such fallacious and/or unverifiable conclusions can embed systemic disadvantages into future credit-decisions and deepen the exclusion of vulnerable groups. The exemption from notice-and-consent would only increase the likelihood of such exclusion, because individuals would not have any knowledge of the data-inputs used or of the algorithm by which such data-inputs were processed and, consequently, no recourse against any credit-decisions arrived at via such processing.
Second, the provision allows any entity to process personal data for credit-scoring. Notably, CICs are specifically licensed by the RBI to, inter alia, undertake credit-scoring. Additionally, in November 2021, the RBI amended the Credit Information Companies Regulations, 2006, to provide an avenue for entities to register with any CIC, subject to the fulfilment of certain eligibility criteria, and to consequently access and process credit information for lenders. By allowing any entity to process personal data (including credit information) for credit-scoring, the Bill appears to undercut the RBI’s attempt to limit the processing of credit information to entities under its purview.
Third, the provision allows non-consensual processing of an individual’s personal data for credit-scoring at any instance, even before they have expressed any intention to avail credit. Effectively, this would provide entities a free rein to pre-emptively mine troves of an individual’s personal data. Such data could then be processed for profiling the individual and behaviourally targeting them with customised advertisements for credit products. Clearly, such targeted advertising, particularly without any opt-out, would militate against the individual’s right to informational self-determination. Further, as an RBI-constituted Working Group has noted, targeted advertising of credit products can promote irresponsible borrowing by individuals, leading them to debt entrapment.
Alternatives for stronger privacy-protection in credit-scoring
Thus, the complete exemption from notice-and-consent for processing of personal data for credit-scoring threatens individual rights disproportionately. Moreover, it may undermine precisely the same objectives that policymakers may be attempting to fulfil via the exemption. Clause 8(8)(d) of the Bill therefore requires serious reconsideration.
First, Clause 8(8)(d) may be deleted before the Bill is enacted into law. In view of the CIC Act, CICs and other entities authorised by the RBI shall, notwithstanding the deletion of the provision, continue to be able to access and process credit information relating to individuals non-consensually – such processing shall remain subject to the safeguards contained in the CIC Act, including the right of the individual to obtain a copy of such credit information.
Alternatively, the provision may be modified to limit the exemption from notice-and-consent to certain forms of personal data. Such personal data may be limited to ‘credit information’ (as defined under the CIC Act) or ‘financial data’ (as may be defined in the Bill before its enactment) – consequently, the processing of such data for credit-scoring would not require compliance with notice-and-consent. In the context of credit-scoring, the processing of data carrying logically intuitive correlations with creditworthiness would correspond more closely to the individual’s reasonable expectations. An appropriate delineation of this nature would also minimise the scope of fallacious and/or discriminatory correlations between data-inputs and creditworthiness.
As another alternative, Clause 8(8)(d) may be modified to empower a specialised regulatory authority to notify credit-scoring as a purpose for non-consensual processing, but within certain limitations. These could relate to certain forms of personal data and/or to certain kinds of entities specifically authorised to undertake such processing. This would resemble proposals under the Personal Data Protection Bill, 2019 and the draft Personal Data Protection Bill, 2018 – both required any exemption from notice-and-consent to be notified by regulations. Further, this was to be preceded by a consideration of, inter alia, the individual’s expectation in the context. In addition to this balancing exercise, the Bill should require the regulatory authority to consult with the RBI, before any exemption for credit-scoring is notified. Such consultation would facilitate harmonisation between data protection law and sectoral regulation surrounding financial data.
*For the complete comments submitted by the Centre for Communication Governance, National Law University Delhi to the Ministry of Electronics and Information Technology on the Digital Personal Data Protection Bill, 2022, please click here – https://bit.ly/3WBdzXg
Shobhit Shukla is a Project Officer at the Centre for Communication Governance, NLU Delhi. His interests lie in the intersections of technology, financial regulation, and constitutional law & policy.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.