Delhi HC seeks RBI’s stand on PIL plea over data protection

Delhi HC Seeks RBI's Stand on PIL Plea Over Data Protection

UPSC Prelims + Mains Study Note

1. At a Glance

Delhi High Court has issued notice to the Reserve Bank of India (RBI) and the Centre on a PIL alleging that Non-Banking Financial Companies (NBFCs) operating through digital lending applications (DLAs) are violating borrowers' right to privacy and data protection. [S1]
The case tests whether existing RBI regulation is effectively enforced, not merely issued — a governance question central to GS-II and GS-III.
Intersects three major contemporary frameworks: RBI (Digital Lending) Directions, 2025, the Digital Personal Data Protection (DPDP) Act, 2023, and the constitutional right to privacy (Article 21, Puttaswamy judgment, 2017).
Directly relevant to UPSC themes of regulatory oversight, fintech governance, consumer protection, and judicial activism through PIL. [S1][S2]

2. Why in the News

January 8, 2026: A Bench of Chief Justice D.K. Upadhyaya and Justice Tejas Karia of the Delhi High Court directed RBI to file a counter-affidavit in response to a PIL filed by Himakshi Bhargav. [S1]
The HC observed the petition "raised a serious concern" and asked RBI to specifically detail action taken for enforcement of the 2025 Digital Lending Guidelines. [S1]
The petition alleged that despite the RBI Digital Lending Guidelines of 2025, certain DLAs continued to:
Access prohibited mobile phone resources (contact lists, call logs, file/media, telephony functions). [S1][S2]
Deploy coercive consent mechanisms — broad, non-negotiable privacy policies as a condition of service. [S1]
Engage in disproportionate data collection with no reasonable nexus to KYC or credit assessment purposes. [S1]

3. Background & Evolution

Pre-2022: Digital lending was largely unregulated; predatory lending apps proliferated, often accessing entire phone books and using borrowers' contacts for coercive recovery. [S2]
September 2, 2022: RBI released the Guidelines on Digital Lending — the foundational framework mandating data minimisation, explicit consent, and prohibition on accessing certain phone resources. [S2][S3]
May 8, 2025: RBI released the Reserve Bank of India (Digital Lending) Directions, 2025, replacing and consolidating the 2022 guidelines. Key upgrades:
Comprehensive data protection mandates including data localisation (all data stored in India). [S2]
Data processed overseas must be repatriated within 24 hours and deleted from foreign servers. [S2]
Privacy policies must publicly disclose all third parties with access to personal data. [S2]
Applicable to Regulated Entities (REs) — banks and NBFCs — and their Lending Service Providers (LSPs). [S2][S3]
July 1, 2025: RBI operationalised a Directory of Digital Lending Apps (DLAs) on its website, listing all DLAs deployed by Regulated Entities. [S3]
August 2023: The Digital Personal Data Protection Act, 2023 was enacted, providing the overarching statutory framework for personal data processing in India. [S2]
January 2026: Delhi HC PIL marks the first high-profile judicial challenge to the enforcement of the 2025 Directions. [S1]

4. Core Static Facts

Parameter	Detail
Triggering PIL	Filed by Himakshi Bhargav before Delhi HC
HC Bench	CJ D.K. Upadhyaya + Justice Tejas Karia
Date of HC Order	January 7, 2026 (Wednesday); reported January 8, 2026
Respondents notified	RBI + Union of India (Centre)
Primary Regulation	RBI (Digital Lending) Directions, 2025 (released May 8, 2025)
Predecessor Regulation	RBI Guidelines on Digital Lending, September 2, 2022
Overarching Statute	Digital Personal Data Protection Act, 2023
Constitutional basis	Article 21 — Right to Privacy (K.S. Puttaswamy v. Union of India, 2017)
Entities covered	Banks, NBFCs, Lending Service Providers (LSPs), Fintech DLA operators
Prohibited data access	File/media, contact list, call logs, telephony functions
Data localisation rule	All borrower data must be stored in India; overseas-processed data repatriated within 24 hours [S2]
DLA Directory	Operationalised by RBI from July 1, 2025 [S3]
NBFC-P2P compliance	Must comply with DPDP Act, 2023 + all RBI directions [S3]
Key Section invoked in PIL	Section 12 of RBI Digital Lending Guidelines (coercive consent prohibition) [S1]
Regulator	Reserve Bank of India (Department of Regulation)

5. Multi-Dimensional Analysis

Legal / Constitutional

The right to privacy under Article 21 (per the 9-judge Puttaswamy bench, 2017) covers informational self-determination — DLAs accessing contact lists without genuine necessity directly infringes this. [S1]
The PIL invokes the principle of purpose limitation and data minimisation — concepts now codified in the DPDP Act, 2023 and mirrored in RBI's 2025 Directions. [S1][S2]
Consent validity is a core legal issue: the petition argues that "broad and non-negotiable privacy policies as a condition of service" render consent involuntary, making it legally invalid under Section 12 of the Digital Lending Guidelines. [S1]
Delhi HC's direction to RBI to file a counter-affidavit detailing enforcement action sets a judicial accountability precedent for financial regulators. [S1]

Regulatory / Governance (Administrative)

The case exposes the enforcement gap: RBI has issued comprehensive directions (2022, 2025), yet non-compliance reportedly persists — raising questions about regulatory capacity and supervisory architecture. [S1][S2]
Dual regulatory overlap: DPDP Act, 2023 (administered by the proposed Data Protection Board under MeitY) and RBI's sector-specific directions create a layered but potentially fragmented compliance environment. [S2][S3]
RBI's DLA Directory (July 2025) is a transparency measure, but the PIL suggests it has not deterred prohibited data practices. [S3]
The HC specifically asked RBI to discuss "action taken for enforcement" — signalling judicial impatience with rule-making without rule-enforcement. [S1]

Economic

India's digital lending market is one of the fastest growing globally; NBFCs and fintech lenders serve hundreds of millions of underbanked borrowers. [S2]
Weak data protection enforcement risks consumer harm at scale — particularly for low-income borrowers with limited financial literacy who cannot effectively withhold consent. [S1]
Excessive/coercive data practices can distort credit assessment by using behavioural surveillance proxies rather than legitimate creditworthiness metrics. [S2]

Ethical / Governance

Coercive consent undermines the normative foundation of data protection law: consent must be free, specific, informed, and unambiguous. [S1][S2]
Digital lending platforms' use of phone contacts for collection harassment (a documented phenomenon pre-2022) raises serious ethical concerns about weaponising personal relationships. [S1]
The case highlights power asymmetry: individual borrowers cannot negotiate privacy policies with large NBFCs, making regulatory enforcement the only effective check. [S1]

Technological

Digital Lending Apps (DLAs) use API-level access to Android/iOS permissions to harvest device data beyond what is technically necessary. [S2]
RBI's prohibition on accessing "file and media, contact list, call logs, and telephony functions" targets specific Android permission categories — a technologically specific regulatory intervention. [S2][S3]
Data localisation requirements (storage in India; 24-hour repatriation from overseas) reflect a global trend of data sovereignty in financial services. [S2]

6. Recent Developments (Last 12–18 Months)

May 8, 2025: RBI released consolidated RBI (Digital Lending) Directions, 2025, replacing 2022 guidelines; introduced stricter data localisation, third-party disclosure norms, and DLG provisions. [S2][S3]
July 1, 2025: RBI operationalised the Digital Lending Apps (DLA) Directory on its public website. [S3]
August 2023 (recently notified rules): DPDP Act, 2023 framework continued to be operationalised; Data Protection Board of India yet to be fully constituted as of early 2026. [S2]
January 7, 2026: Delhi HC issued notice to RBI + Centre on the Himakshi Bhargav PIL; directed RBI to file a counter-affidavit detailing enforcement action. [S1]
PIB (2025): Government confirmed that RBI had taken "several measures to strengthen the digital lending ecosystem," including framing guidelines and requiring registration of DLAs. [S3]

7. Prelims Hooks

The RBI (Digital Lending) Directions, 2025 replaced the earlier Guidelines on Digital Lending issued on September 2, 2022. [S2]
Section 12 of the RBI Digital Lending Guidelines pertains to consent norms; the Delhi HC PIL specifically cites this section. [S1]
RBI's digital lending framework prohibits DLAs from accessing: file/media, contact list, call logs, and telephony functions of borrowers' phones. [S2][S3]
The DLA Directory was operationalised by RBI from July 1, 2025. [S3]
Data localisation rule under RBI 2025 Directions: Borrower data must be stored in India; data processed overseas must be repatriated within 24 hours and deleted from foreign servers. [S2]
The PIL was filed before a bench comprising Chief Justice D.K. Upadhyaya and Justice Tejas Karia of the Delhi High Court. [S1]
The Digital Personal Data Protection Act was enacted in 2023; NBFC-P2P lending platforms are explicitly required to comply with it under RBI norms. [S2][S3]
The right to privacy was declared a fundamental right under Article 21 by a 9-judge constitutional bench in K.S. Puttaswamy v. Union of India (2017). [S1]
Regulated Entities (REs) under digital lending guidelines include scheduled commercial banks and NBFCs — not standalone fintech apps (which must partner with an RE). [S2]
The PIL petitioner alleged "coercive consent mechanisms" — where acceptance of broad privacy policies is a condition for availing services, rendering consent involuntary. [S1]
The HC directed RBI to file a counter-affidavit (not merely a reply) — a stronger procedural direction indicating the court's seriousness about the matter. [S1]
Implementing ministry for the DPDP Act, 2023: Ministry of Electronics and Information Technology (MeitY); the adjudicating body will be the Data Protection Board of India. [S2]
The Default Loss Guarantee (DLG) arrangement is one of the key new provisions introduced in the 2025 Directions (not present in the 2022 guidelines in this form). [S2]

8. Mains Relevance

GS Paper II — Governance, Constitution, Polity, Social Justice - Syllabus heading: Government policies and interventions for development; statutory, regulatory and quasi-judicial bodies; citizens' rights - Relevant sub-themes: Role of RBI as regulator; PIL as tool of accountability; right to privacy under Article 21.

GS Paper III — Economy; Science & Technology - Syllabus heading: Indian economy and issues relating to planning; fintech; cybersecurity; data localisation; regulatory frameworks

Probable Mains Questions:

"The Delhi HC's notice to RBI over non-enforcement of digital lending guidelines reveals a structural gap between rule-making and rule-enforcement in India's financial regulatory architecture. Critically examine." (GS-II/III, 250 words)
"The right to informational privacy under Article 21 is increasingly threatened by data-intensive fintech models. Analyse the adequacy of India's legal and regulatory framework to address this challenge." (GS-II, 250 words)
"Evaluate the key provisions of the RBI (Digital Lending) Directions, 2025 with respect to consumer protection and data sovereignty. What enforcement mechanisms are available to the RBI?" (GS-III, 150 words)

9. Related Topics to Study Next

Topic	Connection
K.S. Puttaswamy v. Union of India (2017)	Constitutional foundation of the right to privacy invoked in this PIL
Digital Personal Data Protection Act, 2023	Overarching statutory framework governing data processing; overlaps with RBI's sector rules
Non-Banking Financial Companies (NBFCs) — Regulatory Framework	The entities accused of violations; understanding RBI's supervisory powers over them
Public Interest Litigation (PIL) — Scope and Limitations	PIL as used here is a judicial accountability tool for regulatory enforcement
RBI's Regulatory Sandbox and Fintech Governance	Broader context of how RBI oversees emerging technology in finance
Data Localisation in India — Policy Debate	24-hour repatriation rule reflects this larger policy position
Coercive Contracts and Consumer Protection Law	Relevance of Consumer Protection Act, 2019 to non-negotiable digital privacy policies

10. Common Errors / Trap Areas

Confusing the 2022 Guidelines with the 2025 Directions: The 2025 Directions replaced the 2022 guidelines — they are not amendments. Examiners may test which year's rules were "enforced" in this PIL (answer: 2025). [S2]
Misidentifying the implementing authority for DPDP Act: It is MeitY (not RBI, not Home Ministry). RBI issues sector-specific data norms; the DPDP Act's Data Protection Board is the cross-sectoral adjudicator. [S2]
Assuming NBFCs are not regulated by RBI: NBFCs are directly regulated by RBI — unlike payment aggregators which may fall under different frameworks. Digital lending guidelines apply to RBI-registered NBFCs. [S2][S3]
Conflating PIL petitioner and court direction: The PIL petitioner (Himakshi Bhargav) made the allegations; the HC directed RBI to respond — do not attribute the court's observations to the petitioner or vice versa. [S1]
Overstating the DLA Directory's scope: The directory lists DLAs of Regulated Entities only — it does not cover all fintech apps; unregistered/illegal apps operate outside this directory. [S3]

11. Sources

[S1] "Delhi HC seeks RBI's stand on PIL plea over data protection" — The Hindu, January 8, 2026 — (Tier 4) — Article content provided as primary source
[S2] "Government and RBI have taken several measures to Strengthen Digital Lending Ecosystem" — Press Information Bureau — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2200567 — (Tier 1)
[S3] "Regulatory framework, Digital Lending Apps (DLA)" — Press Information Bureau — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2241255 — (Tier 1)
[S4] RBI (Digital Lending) Directions, 2025 — RBI Notification — https://rbidocs.rbi.org.in/rdocs/notification/PDFs/GUIDELINESDIGITALLENDINGD5C35A71D8124A0E92AEB940A7D25BB3.PDF — (Tier 1)