Under Sections 20 and 23(2) of the Credit Information Companies (Regulation) Act, 2005, a CIC, Z, enters into an agreement to share borrowers' credit information with a specified user (insurance company) ostensibly for insurance underwriting purposes. However, Z's internal audit reveals that the CIC systematically provided credit information to a third party (a private debt collection agency) not designated as a specified user under the regulations. Z's officers claim that the third party paid for the information, and the practice continued for 18 months before detection. Z did not maintain adequate records or consent from borrowers for this sharing.  Which of the following correctly applies Section 20 and Section 23(2) to this violation?

Section 20 of the CICRA, 2005 requires every CIC, credit institution, and specified user to "adopt the following privacy principles in relation to collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information." The principles explicitly address sharing restrictions and prohibit unauthorized disclosure. Section 23(2) provides: "Every credit information company or a credit institution or any specified user, wilfully, performing any act or engaging in any practice, in breach of any of the principles referred to in section 20, shall be punishable with fine not exceeding one crore rupees." Z's systematic sharing with non-specified users directly violates Section 20's privacy principles regarding authorized sharing and secrecy. The key elements satisfied are: (i) willfulness (systematic 18-month practice); (ii) breach of Section 20 privacy principles (unauthorized sharing beyond specified users); (iii) CIC as responsible entity. The fine is not capped at ₹25 lakhs; the statute explicitly provides for fines up to ₹1 crore for privacy principle violations. Section 22 addresses unauthorized access, not unauthorized sharing to third parties (which is Z's conduct). Option (A) correctly applies Section 23(2) by linking the breach to Section 20 privacy principles with maximum penalty of ₹1 crore.