Centre cracks down on unauthorized use of personal data amid digital protection reform
With the Digital Private Data Protection Act, 2023 on the horizon, the Union home ministry intensifies efforts to curb illegal access to sensitive personal information, targeting fintech and consumer tech companies.
ADVERTISEMENT
As the Union government gears up to notify the Digital Private Data Protection Act, 2023 (DPDP), law enforcement agencies are escalating their efforts to address the unauthorized use of personally identifiable information (PII) by technology companies, as per reports.
A recent directive from the Union home ministry, relayed through the Indian Cybercrime Coordination Centre (I4C), mandates the cessation of any unauthorized use of Permanent Account Numbers (PAN) of Indian citizens by fintechs and other consumer technology firms.
Known as 'PAN enrichment' services, these operations allowed loan distribution to companies to develop customer profiles based on PAN numbers, facilitating the cross-selling of credit and financial products.
A recent report indicated that the National Payments Corporation of India had already terminated all unauthorized uses of customer data related to Unified Payments Interface (UPI) handles.
Industry insiders have revealed the modus operandi behind these unauthorized practices. Many companies exploited customer PAN numbers to access backend systems of the Income Tax Department, allowing them to retrieve sensitive details such as full names, addresses, and phone numbers.
While these operations did not constitute data leakage, they involved the unauthorized use of government systems, managed by technology service providers.
Though it is challenging to pinpoint which fintechs utilised these services, multiple sources indicate that consumer lending channels, loan sourcing agents, and credit aggregators frequently relied on these unauthorised practices.
This crackdown appears to be part of a broader initiative by the government to eliminate any unauthorized access to citizens’ PII ahead of the implementation of strict data protection regulations. The DPDP Act of 2023 mandates that data processing by service businesses must occur only with explicit consent and through authorised channels.
