My data or yours? Unravelling Multi-Party Privacy (MPP) among consumers of digital credit in India

NEW DELHI: In the wake of India’s unprecedented surge in digital financial services, IIIT-Bangalore and CUTS International hosted an important workshop in Bangalore to discuss the complexity of Multi-Party Privacy (MPP) within the country’s evolving digital lending sector. 

At this hybrid event, project findings were presented which have been conducted by the two institutions, with funding from the Centre for Effective Global Action (CEGA) at the University of California, Berkeley, USA.

The research led by Prof. Janaki Srinivasan, V. Sridhar, and T.K. Srikanth from IIIT-Bangalore, along with Amol Kulkarni and Asheef Iqubbal from CUTS, provided insights into privacy and consent challenges in digital lending. 

The study emphasised that while co-owned data is important for expanding access to credit, users ideally expect consent from all parties involved. However, due to practical reasons many users feel constrained by app designs that lack mechanisms for seeking permission before sharing co-owned data. 

The study also highlighted that Digital Lending Providers frequently use alternative data sources, such as e-commerce transactions and telecom records, to assess creditworthiness for collateral free loans and it raises multi-party privacy concerns for the consumers. Regulations addressing these concerns in digital lending are still evolving.

The workshop comes at a critical juncture in India’s digital financial expansion, particularly in digital lending. The previous financial year saw an unprecedented 154 billion transactions through the Unified Payment Interface (UPI), accounting for approximately 80% of all payments in the country. Building on this success, the Reserve Bank of India (RBI) has announced plans to launch the Unified Lending Interface (ULI), aiming to revolutionise access to digital lending much as UPI transformed digital payments.

The workshop featured insights from leading voices in the digital finance sector. Rakesh Maheshwari, Former Sr. Director and Group Coordinator of Cyber Laws and Data Governance at MeitY, expressed the view that the existing digital lending guidelines released by the RBI and the provisions on consent, data retention, and purpose as outlined in the Digital Personal Data Protection (DPDP) Act 2023 cover most aspects of privacy applicable to digital lending.

Jatinder Handoo, CEO of the Digital Lenders Association of India (DLAI), provided details on the steps taken by digital lending platforms (DLPs) to comply with privacy and data protection regulations. He highlighted the Self-Regulating Organisation (SRO) model initiated by the RBI as a positive step towards better management of consumer and business interests of DLPs. He also mentioned DLAI's initiatives in creating an open financial fraud repository to facilitate knowledge exchange among DLPs.

Ranjeet Rane, Research Head at the Reserve Bank Innovation Hub, stressed the need to balance regulatory interventions with promoting innovation in the digital lending space. He advocated for both process and product innovation, emphasising the importance of leveraging technological advancements in digital financial services while addressing potential privacy and security concerns of users.

Misha Sharma, Head of Household Finance at Dvara Research, while appreciating the research team's methodology, highlighted the need for benchmark studies to compare DLPs and educate consumers. She also noted that current regulations focus on “consumer verification” and should shift towards “consumer protection.”

Sumit Ghoshal, Senior Partner at AZB & Partners, discussed the high costs incurred by DLPs in complying with multiple regulations (e.g., DPDP Act, Consumer Protection Act, Digital Lending guidelines). He stressed the need for integrating all rules and regulations into a unified framework.

Garima Agarwal, Researcher at the Centre for Internet and Society, emphasised the importance of understanding differential privacy needs for different data segments by DLPs. She also commended the grievance redressal process established by the RBI as a step in the right direction.

The workshop concluded with a number of takeaways for consumers, DLPs, and regulatory organisations. The PIs indicated that the report shall be made available soon in open repository for public use.