On 7 January 2026, the Delhi High Court took up a Public Interest Litigation (PIL) regarding alleged data privacy violations by Digital Lending Apps (DLAs).
The case involves RBI’s 2025 Digital Lending Guidelines, which provide key mandates relating to protection of customer data and privacy. While these guidelines prohibit DLAs from accessing a borrower’s phone data such as media, call logs, and contacts without explicit consent, the petitioner has alleged that several platforms continue to collect excessive personal data and deploy coercive consent mechanisms.
Background
In 2025, India emerged as the world’s third-largest fintech startup ecosystem, behind the US and the UK. Over the last decade, India’s digital payments ecosystem has undergone a monumental shift. The success of Unified Payments Interface (UPI) and the rise of cashless payments during the COVID-19 pandemic were some major contributing factors for this transformation. On the other hand, the rapid digitisation also triggered a parallel expansion in the demand for instant loans and digital credit.
According to the findings by the RBI Working Group on Digital Lending, there were over 1,100 digital lending apps available in India for Android users in 2021, operating without direct regulatory oversight. This growth was accompanied by rising allegations against digital lenders regarding data misuse, coercive recovery practices, and data privacy and transparency concerns. Around the same time, several Chinese-owned loan apps came under investigation and were subsequently blocked for involvement in money laundering and large-scale misuse of data. In 2022, Google removed over 2,000 non-compliant lending apps following concerns raised by the authorities.
Against the backdrop of these developments, the RBI intervened in August 2022 by issuing comprehensive Digital Lending Guidelines. These guidelines were revised on 8 May 2025, replacing the 2022 guidelines as well as consolidating the 2023 guidelines on Default Loss Guarantees (DLGs) which were further consolidated under Reserve Bank of India (Non-Banking Financial Companies – Credit Facilities) Directions, 2025.
Present Scenario: The Regulatory Architecture
RBI’s Digital Lending Guidelines mainly apply to three parties: (i) Regulated Entities (REs), i.e., banks, Non-Banking Financial Companies (NBFCs), etc., (ii) Lending Service Providers (LSPs), which act as intermediary platforms in the credit process, and (iii) Digital Lending Apps (DLAs). However, the ultimate legal responsibility regarding data privacy and security of the customer’s personal information lies with the Regulated Entity (RE).
I. Key Data Privacy Mandates for REs under the RBI’s Digital Lending Guidelines
RBI guidelines impose strict data governance obligations on REs, including the following:
• REs are required to provide the borrower with a Key Fact Statement (KFS) detailing all terms of the loan prior to acceptance or signing of the loan agreement.
• No data can be collected without explicit consent from the borrower. Only minimal, essential information required for the loan process can be stored by the LSPs.
• Accessing phone data of the borrower, such as media files, call logs, and contact lists, is strictly prohibited. A one-time access may be granted to features such as camera, microphone, or location, strictly for the purposes of Know Your Customer (KYC) or loan processing, subject to explicit borrower consent.
• The borrower may revoke or deny consent, restrict sharing of data with third parties, or even request deletion of collected data.
• The REs are responsible for ensuring a transparent privacy policy by LSPs and fintech platforms involved.
• Banks and NBFCs are required to publish clear data storage policies outlining all protocols.
• All data is required to be stored on servers in India. Any data which is processed abroad must be deleted within 24 hours and is allowed to be stored only within India.
II. RBI directory of Digital Lending Apps
Along with the guidelines, RBI also announced a public directory of Digital Lending Apps (DLAs) with effect from 1 July 2025, consisting of all DLAs deployed by Regulated Entities (REs). The list is publicly accessible through the Centralised Information Management System (CIMS) portal of the RBI and has over 1,600 registered DLAs. This measure aims to curb the illegal lending platforms which were operating in India without regulatory oversight by allowing borrowers to independently verify the regulatory legitimacy of a lending app before sharing any personal or financial data.
III. Fundamental Right to Privacy
The regulatory framework governing digital lending in India is constitutionally anchored in the recognition of privacy as a fundamental right, as also laid down by the Supreme Court in the 2017 decision in Justice K.S. Puttaswamy v. Union of India. This principle was also reinforced by the Supreme Court in a September 2018 ruling where it held that Aadhaar is not mandatory for opening or maintaining bank accounts. As a consequence, fintech and digital lending platforms cannot legally compel users to submit Aadhaar or biometric data as a precondition for accessing credit.
Further, the RBI mandates relating to data privacy are aligned with the Digital Personal Data Protection Act (DPDP Act) 2023, which states that consent for collecting personal data must be explicit, purpose-specific, and time-bound, and broad or bundled user permissions are prohibited.
Core Issue Behind the Delhi High Court PIL
RBI’s 2025 Digital Lending Guidelines, together with the DPDP Act, establish a unified legal position: that fintech and digital lending platforms cannot operate in a way that overrides individual data privacy rights. However, despite the existence of these comprehensive regulatory frameworks and data privacy mandates, allegations of data misuse continue to surface. Allegations include illegal access of mobile phone resources by digital lending apps, and excessive data collection beyond that required for Know Your Customer (KYC) or loan processing.
The petitioner, a student, Himakshi Bhargav, through her counsel, filed a Public Interest Litigation (PIL) with the Delhi High Court. The main arguments include that several Digital Lending Applications operate in clear violation of Section 12 of the RBI Digital Lending Guidelines dated 8 May 2025, and that “borrowers are compelled to accept broad and non-negotiable privacy policies as a condition for availing services, rendering consent involuntary and contrary to Sections 12 of the Guidelines”. The PIL cites the Supreme Court decision in Justice K.S. Puttaswamy v. Union of India. It also notes that another detailed complaint was submitted to the RBI on 18 November 2025, identifying specific violations of the RBI Guidelines and supported by documentary evidence; however, there was no enforcement action or public response to the same.
The petitioner has also sought directions for Google and Apple to remove digital lending applications which are operating without registration or which have failed to comply with the guidelines.
In its order dated 7 January 2026, the High Court sought an affidavit from the RBI responding to the allegations and providing a detailed record of actions taken for enforcing the Digital Lending Guidelines 2025.
Road Ahead
The Delhi High Court PIL highlights the gap between regulatory intent and enforcement accountability within India’s digital lending ecosystem. Although the RBI guidelines have been a welcome step during the rapid digitisation of India’s fintech sector, allegations and concerns regarding data privacy raise serious questions regarding whether legal safeguards can translate into real-world protection for borrowers.
In upcoming deep-dive reports, we will analyse various aspects of India’s fintech sector, including RBI’s digital lending framework, the evolving role of banks and NBFCs, and India’s path towards responsible digital lending practices.