Question

Under Sections 20 and 23(2) of the Credit Information Companies (Regulation) Act, 2005, a CIC, Z, enters into an agreement to share borrowers' credit information with a specified user (insurance company) ostensibly for insurance underwriting purposes. However, Z's internal audit reveals that the CIC systematically provided credit information to a third party (a private debt collection agency) not designated as a specified user under the regulations. Z's officers claim that the third party paid for the information, and the practice continued for 18 months before detection. Z did not maintain adequate records or consent from borrowers for this sharing.  Which of the following correctly applies Section 20 and Section 23(2) to this violation?

A Z is liable under Section 23(2) with fine not exceeding ₹1 crore because Z willfully performed acts in breach of privacy principles referred to in Section 20, specifically by unauthorized sharing with non-specified users
B Z is not liable under Section 23(2) because the fine under that provision applies only to false statements in returns; unauthorized sharing is covered under Section 22
C Z's liability is limited to civil damages; Section 23(2) applies only to criminal conspiracies involving multiple entities
D Z is liable but penalty is limited to ₹25 lakhs maximum because the violation involved information sharing, not possession or access restrictions
E Z cannot be held liable because specified users may independently choose to share information with third parties as long as borrower consent exists somewhere in the chain
Practice Next

Hey! Ask a query