Digital Lending in India: How the DPDP Regime Reshapes Liability, Privacy, and Data Transfers
- Prashant Shivaji Dound
- Mar 12
- 8 min read
Introduction
India has seen increased consumption of personal loans, and with technological advances the uptake of digital loans has only grown. Wider access to credit has brought serious data privacy concerns with it. To address these concerns, the RBI issued the Digital Lending Guidelines (DLG), regulating India's entire digital lending spectrum. The RBI also sought to strengthen data privacy protection through these guidelines, but violations remain rampant today. Amidst this, the Ministry of Electronics and Information Technology introduced the Digital Personal Data Protection (DPDP) Act 2023 and the Draft Rules 2025. This blog critically analyses how the draft DPDP Rules and the DPDP Act (collectively referred to as the ‘DPDP Regime’), read in conjunction with the DLG, could affect the functioning of entities involved in digital lending.
Question of Liability and Classification Fiasco
Under the DPDP Regime, it is the Data Fiduciary (DF) who is made responsible for non-compliance under the Act and not the Data Processor. In the digital lending framework as per DLG, there exist multiple stakeholders such as Digital Lending Applications (DLA), Lending Service Providers (LSP), and Regulated Entities (RE). Thus, there is a pressing need to determine the status of such stakeholders as ‘Data Fiduciary’ or ‘Data Processor.’
A DF determines the purpose and means of processing data. While LSPs are classified as agents of REs, this does not exclude them from being considered DFs. They independently process personal data for tasks such as customer acquisition and underwriting assistance. For such tasks, LSPs could also deploy their own algorithms through DLAs, as the DLG does not restrict this.
Furthermore, LSPs could also act as recovery agents, utilising the data collected to fulfil loan recovery obligations. They could devise their own means of processing this data and independently determine the purpose for which the collected data is used to achieve recovery. The control of REs over LSPs in this regard is limited to minimal guidance on recovery, without specific, strict instructions restricting their scope.
REs also have a credible case for being considered DFs. Under the DLG, they are primarily responsible for determining the creditworthiness of borrowers. To do so, REs would have to determine the purpose and means of processing such data, so they are bound to fall within this definition.
Under the DLG, REs are held responsible for data privacy, aligning with global practice where DFs bear responsibility for breaches committed by the data processors they employ. This may create an impression that, within the DPDP framework’s Section 8 as applied to digital lending, it is only REs that dictate the terms of data processing, while LSPs and DLAs function merely as data processors. However, while the DLG mandates REs to disclose the policies governing the use and storage of data by LSPs and DLAs, it does not require REs to formulate these policies according to their own purposes. Consequently, LSPs and DLAs may independently draft such policies, allowing them to determine the purposes and means of data processing.
As a result, the DLG effectively permits REs, LSPs, and DLAs to exercise control over the ‘restrictions on the use of data’, implicitly suggesting that each of these entities could, to some extent, determine the purpose and means of data processing. Thus, any assumption that REs alone function as DFs would be erroneous, as the DLG does not grant them exclusive authority to issue specific instructions regarding data processing. Instead, the DLG primarily sets restrictions on data storage without explicitly preventing LSPs or DLAs from determining the purpose or means of data processing.
While the DLG places responsibility on REs for ensuring data privacy, a combined reading of the DPDP framework and DLG suggests that LSPs and DLAs may also be considered DFs. A key implication of this interpretation is that despite the DLG’s attempt to limit the liability of REs, such an approach may ultimately be rendered ineffective. Instead, it could result in independent liabilities for LSPs and DLAs under the DPDP Act, thereby undermining the intended regulatory structure.
From the user's point of view, however, this ensures a system of checks and balances among the stakeholders, as it widens the scope of responsibility beyond REs. From a business point of view, the advent of the DPDP Regime adds a point of concern for DLAs and LSPs, which were previously not burdened with the threat of enforcement action, as that was primarily the REs' concern.
Data Transfer and Localisation
Data transfer is a closely contested issue in India, especially when it involves information related to financial transactions. The DLG does not directly address cross-border transfer (CBT) of data but specifically states that ‘all data’ must be ‘stored only’ in India. On a plain reading, this stipulation prohibits CBT of data of any kind, which creates operational hurdles for stakeholders. Firstly, the DLG applies a blanket ban on the transfer of ‘Data’ (which includes any representation of information, as defined in the DPDP Act) without delving into the specific nature of such data, such as ‘Digital Personal Data’. Such a restriction appears overly broad and could impose higher compliance costs on entities. Secondly, it creates inconsistencies with other regulated FinTech firms, such as Account Aggregators, which are not required to store data exclusively in India. Even in the case of Payment System Operators (PSOs), which must store data in India, the RBI has clarified the specific nature of the data that must be stored locally.
This data localisation policy appears to conflict with the current DPDP Regime, as Section 16 allows CBT of data provided the specific requirements (Rule 14) prescribed by the government for DFs are followed. A harmonious interpretation of both authorities, however, could lead to the DLG’s sector-specific CBT ban being held superior to the general mandate under the DPDP Act.
Even where DFs involved in digital lending are designated as Significant Data Fiduciaries (SDFIs), they would be classified as such under Section 10. This section notifies DFs as SDFIs based on various factors, including but not limited to the volume and sensitivity of the personal data being processed. The sensitivity and volume of such financial data are expected to increase in the context of digital lending, and SDFIs carry higher obligations than DFs under the DPDP Framework. Even then, Draft Rule 12 does not prohibit Cross-Border Data Transfers (CBT); it merely imposes additional restrictions on the categories of personal data that cannot be transferred.
Such differentiation under the DPDP Regime is itself questionable, as designation as an SDFI based on the volume of personal data transactions could create an unequal playing field between fresh industry entrants and established players. The overall data localisation policy of the RBI in the context of the DLG appears to conflict with the DPDP regime. The RBI should consider clarifying the types of data that can be transferred overseas and those that must mandatorily be localised. Otherwise, restricting all data in its entirety, regardless of its nature, lacks a reasonable nexus with regulatory objectives and best business practices. Aligning the DLG with the DPDP Framework and the RBI's previously notified practices, as in the case of PSOs, would enhance regulatory consistency.
Right to Be Forgotten
Interestingly, the DLG framework allows users to exercise their right to be forgotten, or to delete ‘data.’ However, the reference to ‘data’ here is ambiguous, as it does not pinpoint personal data in the way the DPDP Regime does. Further, this right under the DLG appears absolute, as it remains silent about the necessity of retaining data under other laws. In contrast, Section 12 explicitly states that if retaining data is necessary to comply with other laws, the right to be forgotten cannot be fully exercised. This could cause regulatory confusion among the stakeholders involved in this business.
A possible way of understanding this hurdle is that the data processed by these stakeholders is often highly sensitive. Minutely classifying it as ‘Personal Data’ could leave room for retaining data by arguing it is not personal data. Though this outlook appears pro-user, it could create operational hurdles for the stakeholders involved.
Data Retention and Exploitation
FinTech companies providing DLAs and LSPs are prohibited from storing personal data beyond what is minimally required for their operations. However, this could effectively be bypassed by FinTech firms obtaining Non-Banking Financial Company (NBFC) licences, as there are no such restrictions on REs. Doing so would, however, also attract the additional restrictions that apply to NBFCs themselves.
Effectively, all participants under the DLG, i.e. REs, LSPs, and DLAs, are required to specify the length of time for which data can be stored. The DLG does not specify a period for retaining data, but Section 8 imposes restrictions on the retention of data, with additional restrictions on specified DFs in Schedule 3 of the Draft Rules 2025. Currently, FinTech DFs such as LSPs and DLAs are not covered by the restrictions in Schedule 3. Section 8 mandates that data be retained only until its intended purpose is fulfilled. In digital lending, this necessitates defining multiple specific ‘purposes’ in data collection and consent notices to account for ancillary circumstances. Limiting data retention solely to loan issuance and servicing could restrict REs and FinTechs from processing data for crucial functions such as loan recovery in case of default.
Digital lending relies heavily on customer data, and from a FinTech’s perspective the ‘purpose’ defined for consent should be broad enough to retain past financial transaction details in order to provide adequate underwriting support to REs. While determining creditworthiness is a task for REs under the DLG, the growing number of FinTech firms acquiring RE licences has blurred these lines. These requirements would compel FinTech firms to broaden the scope of consent for data retention beyond the loan period. This could be argued to be permitted under the DLG, since FinTechs can assist with loan underwriting, and unless and until the onboarded customer explicitly withdraws consent for the data shared with such LSPs, the data continues to serve a purpose in providing underwriting assistance to REs.
Issue of Jurisdiction
The RBI's Integrated Ombudsman Scheme addresses grievances related to services regulated by the RBI. Under the DLG, which is administered by the RBI, REs bear primary responsibility for data protection, and thus the scheme applies to them.
However, the proposed DPDP Regime, through Section 27, also holds DFs accountable before the Data Protection Board (DPB), where DLAs or LSPs, along with REs, could be covered. This creates regulatory confusion concerning data privacy enforcement and individual rights. Clarification from the concerned authorities is therefore urgently needed on this front.
Conclusion
Digital lending businesses are highly data-intensive and require steady access to customers' data. From the perspective of regulated entities (REs), the more data they hold, the better they can assess the creditworthiness of individuals. As these businesses deal with highly sensitive personal data, they naturally attract close monitoring and regulation. However, such monitoring and restrictions should not be so burdensome as to undermine the very essence of the business, which revolves around data.
Digital lending has the potential to significantly improve credit accessibility. Imposing excessively restrictive measures, such as a blanket ban on data transfers, risks disincentivising innovation and growth in the sector. Small immediate steps, such as aligning data localisation practices with the DPDP regime, could bring great relief to the industry’s players. Clear guidance on the forum for disputes arising from a data breach could also help consumers address their grievances effectively. Overall, considered regulation is necessary, but it should aim to foster innovation rather than stifle it in the name of protection.
This article has been authored by Prashant Shivaji Dound, a student at the National Law University, Nagpur. This blog is part of the RSRR's Rolling Blog Series.