Privacy policies of fintech firms: The road ahead
The expansion of the internet and the various applications that come with it have brought many conveniences into our lives. There is one aspect, though, that is a cause of increasing concern amongst users: data privacy. The concern surrounding data privacy becomes all the more relevant in the Fintech space, where data security and trust are the backbone governing customer relationships.
Fintech companies operating in the digital lending space adopt innovative methods to scale up their business. Instead of relying on traditional financial data, they use alternative data to make credit decisions. Alternative data for credit scoring can cover contacts, frequent call lists, access to mobile storage space, reading texts and chats, search history, GPS location history and even social media activities.
These personal details are also in some cases leveraged in debt recovery, as some lenders contact borrowers’ friends and families to pressure them to repay debts. Alternative lending enables people to access credit, but with far fewer safeguards than traditional lenders would provide. Also, in many instances, alternative lenders do not follow the debt recovery procedures as per regulations.
Need for privacy policy
The use of data, whether it is traditional and offered by consumers voluntarily or alternative data that has been tapped into, has meant that companies need to have a proper policy in place telling consumers how it is being used.
The Information Technology Rules, 2011, which cover data protection in India, say that privacy policies should specify what type of data is being used, the purpose of data collection, the third parties with which data will be shared and the option for the user to withdraw their consent. A grievance redressal system also needs to be in place.
In practice though, privacy policies of companies may end up being vague and hard to understand for the lay user. A study* of privacy policies in 48 fintech firms in India in 2019 shows that while 95% of the companies did fulfill the basic requirement of actually formulating and having a privacy policy, none of the companies were fully compliant with the parameters set by the IT Rules. In fact, 43 per cent did not give enough details of the security practices and procedures followed and only 10 per cent had a grievance redressal system in place. Only one company gave users the option of a privacy policy in a language other than English, as per the study.
This study demonstrates the need for companies to ensure that they have a clear and comprehensive privacy policy in place that the end-users understand. Customers also need to be provided platforms to voice concerns or grievances.
Instances of privacy policy slip-ups
Any privacy breach will result in an erosion of customer trust, apart from causing financial damages in many cases. In some cases, unethical practices or the absence of a comprehensive privacy policy can lead to mental and emotional trauma in customers.
A simple example of a privacy policy breach is when a fintech company sends out newsletters, promotions or other email communication and inadvertently uses the open CC field in an email. Sometimes, a company may also falter and not blank out phone numbers or personal information of other customers/contacts/former employees in their communication. This may seem like a small oversight but it is a serious breach of privacy of an individual who has trusted the company with his or her email and contact information.
Recently, the Reserve Bank of India (RBI) cautioned the public about unauthorized lending applications following unethical practices for loan recoveries. These practices include cyberbullying and shaming by contacting families or acquaintances of defaulters, which caused mental trauma to the customers as the data pertaining to defaulters of loans was easily available to tap into. Such instances have been seen in Telangana, Tamil Nadu, Delhi and Kerala already.
This cyberbullying and shaming even led to suicides as reported in the media**. The increased need for liquidity during the lockdown and increased borrowing online has proved to be a breeding ground for fraudsters. These illegal fintech-based applications are a cause for concern, and users must take precautions by doing a background check before borrowing money using an app. Red flags for these include no payment history check, immediate pressure, lack of fee details, unsecured lender websites, missing addresses, etc.
What should a good privacy policy look like?
An ideal privacy policy is a legal statement or document that clearly reveals how the company gets, uses, reveals and handles customer data in line with the IT rules cited earlier. Customers should be able to opt out of the bank/financial institution/online lender’s notifications, emails, offers, SMSs and other services.
A good privacy policy should seek free consent from the user. Consent also involves affirmative action from the user, for example, allowing users to click a button and asking them if they are sure or if they wish to go ahead.
In case of a third-party partnership, lenders/companies need to assess the security and privacy policies of the partners. Data recovery and backups need to be in place. How a company uses or shares information with third parties also needs to be specified in the privacy policy.
Personal Data Protection Bill
Recognizing the need for sound legislation on data and privacy, the Personal Data Protection Bill was introduced to the Lok Sabha in 2019. This Bill, which is being reviewed and debated, pertains to “the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India.” It also applies to processing of personal data by an Indian company, the State, any Indian citizen or anybody who is incorporated under the Indian law. The Bill applies to these entities even when they are not present in India but the data processing pertains to businesses carried out in India. Currently the bill is reported to be in the final stages of parliamentary review.
In conclusion
The need for online platforms and lenders to be transparent about data can’t be highlighted enough. Also, whether or not there are regulatory frameworks, engaging in ethical practices and self-regulation is the need of the hour. From the customer perspective, it is important that they update themselves about a company’s privacy policy and offer consent when they
*: In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights and FinTech in India (July 2019)
**: Harassment by digital lending apps driving defaulters to suicide, but no action from RBI