New Delhi: The Delhi high court on Wednesday asked the Centre and the Reserve Bank of India to file their responses to a petition seeking suspension of the licences of several non-banking financial company (NBFC) digital lending applications (DLAs), such as Slice, Branch, Home Credit and Simpl, for allegedly accessing borrowers’ data illegally without consent.
Hearing a petition filed by Himakshi Bhargava, a bench of chief justice D K Upadhyay and justice Tejas Karia said the matter raised serious concern and fixed it for further hearing on April 1.
In her petition, filed through advocate Kunal Madan, Bhargava, a 22-year-old political science (honours) student, alleged that several digital lending apps, despite the RBI’s Digital Lending Guidelines, 2025, illegally access mobile phone resources such as files, media, contacts and call logs, and collect data far beyond what is required for onboarding or Know Your Customer (KYC) purposes.
The 2025 guidelines, which apply to the digital lending activities of commercial banks, state cooperative banks and NBFCs, lay down regulatory requirements, seek to curb excessive data collection from borrowers, provide a grievance redressal mechanism, and expressly prohibit NBFC-backed digital lending apps from accessing mobile phone resources such as files, media, contact lists, call logs and telephone functions.
The guidelines also mandate that any data collected by a digital lending app must be strictly need-based and obtained only with the borrower’s prior and explicit consent.
The petition further alleged that several digital lending apps, through their privacy policies and operational practices, flout the regulatory framework by including clauses that allow access to borrowers’ contact lists for transaction facilitation, thereby enabling the apps to obtain sensitive user permissions after installation.
“The unchecked access has allowed digital lending platforms to transform smartphones into real-time surveillance devices, harvesting borrowers’ private data well beyond what is necessary. By embedding intrusive permissions into app architecture, permissions often sought post-installation, sometimes without notice and always under coercive consent regimes, these applications access contact lists and call logs,” the petition stated.
The court, in its order, also directed the RBI to specify in its affidavit the steps taken to enforce its Digital Lending Guidelines, 2025, and the action taken against entities for violating them.
“We thus require the RBI to file a counter-affidavit, CA, on the action taken for the enforcement of the guidelines, 2025. The counter-affidavit to be filed by RBI shall also disclose the action that has been taken against the entities in case of violation of the said directions,” the court said in its order.
Editorial Context & Insight
Original analysis & verification
Methodology
This article includes original analysis and synthesis from our editorial team, cross-referenced with primary sources to ensure depth and accuracy.
