📢 Too many exams? Don’t know which one suits you best? Book Your Free Expert 👉 call Now!

    Question

    Under Sections 20 and 23(2) of the Credit Information

    Companies (Regulation) Act, 2005, a CIC, Z, enters into an agreement to share borrowers' credit information with a specified user (insurance company) ostensibly for insurance underwriting purposes. However, Z's internal audit reveals that the CIC systematically provided credit information to a third party (a private debt collection agency) not designated as a specified user under the regulations. Z's officers claim that the third party paid for the information, and the practice continued for 18 months before detection. Z did not maintain adequate records or consent from borrowers for this sharing.  Which of the following correctly applies Section 20 and Section 23(2) to this violation?
    A Z is liable under Section 23(2) with fine not exceeding â‚ą1 crore because Z willfully performed acts in breach of privacy principles referred to in Section 20, specifically by unauthorized sharing with non-specified users Correct Answer Incorrect Answer
    B Z is not liable under Section 23(2) because the fine under that provision applies only to false statements in returns; unauthorized sharing is covered under Section 22 Correct Answer Incorrect Answer
    C Z's liability is limited to civil damages; Section 23(2) applies only to criminal conspiracies involving multiple entities Correct Answer Incorrect Answer
    D Z is liable but penalty is limited to â‚ą25 lakhs maximum because the violation involved information sharing, not possession or access restrictions Correct Answer Incorrect Answer
    E Z cannot be held liable because specified users may independently choose to share information with third parties as long as borrower consent exists somewhere in the chain Correct Answer Incorrect Answer

    Solution

    Section 20 of the CICRA, 2005 requires every CIC, credit institution, and specified user to "adopt the following privacy principles in relation to collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information." The principles explicitly address sharing restrictions and prohibit unauthorized disclosure. Section 23(2) provides: "Every credit information company or a credit institution or any specified user, wilfully, performing any act or engaging in any practice, in breach of any of the principles referred to in section 20, shall be punishable with fine not exceeding one crore rupees." Z's systematic sharing with non-specified users directly violates Section 20's privacy principles regarding authorized sharing and secrecy. The key elements satisfied are: (i) willfulness (systematic 18-month practice); (ii) breach of Section 20 privacy principles (unauthorized sharing beyond specified users); (iii) CIC as responsible entity. The fine is not capped at ₹25 lakhs; the statute explicitly provides for fines up to ₹1 crore for privacy principle violations. Section 22 addresses unauthorized access, not unauthorized sharing to third parties (which is Z's conduct). Option (A) correctly applies Section 23(2) by linking the breach to Section 20 privacy principles with maximum penalty of ₹1 crore.

    Practice Next
    More Administrative Interpretation and Maxims Questions

    Relevant for Exams:

    ask-question