ABSTRACT:
The rapid expansion of digital lending and financial technology (FinTech) platforms in India has significantly enhanced access to credit and accelerated financial inclusion. However, this growth has also fostered a parallel ecosystem of excessive data harvesting, unauthorized data sharing, and coercive exploitation of personal and device-level information.
This paper conceptualizes such data harvesting practices by loan applications and FinTech operators as a form of economic crime, highlighting how personal data is collected beyond necessity, monetized, and weaponized to enable predatory lending, harassment, extortion, and other abusive practices.
By enquiring and by passing in empirical evidence from regulatory reports, enforcement actions, and documented case studies, the study critically evaluates the adequacy of India’s existing legal framework, particularly the Information Technology Act, 2000, the Reserve Bank of India’s digital lending regulations, and the Digital Personal Data Protection Act, 2023. The analysis reveals regulatory fragmentation, enforcement gaps, and compliance challenges that continue to facilitate the misuse of personal data despite an evolving statutory regime.
Aims and Objectives of the Study
The present study is undertaken with the following aims and objectives:
- To conceptualise data harvesting as an economic crime by analysing how the misuse of personal data by loan apps results in economic exploitation, unfair enrichment, and systemic market harm.
- To examine the operational practices of loan apps and FinTech operators with specific focus on excessive data collection, coercive consent mechanisms, algorithmic profiling, and abusive recovery methods.
- To analyse the adequacy of the existing Indian legal framework, including the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, RBI digital lending guidelines, and general criminal law, in addressing data-driven economic offences.
- To identify enforcement challenges and regulatory gaps arising from technological complexity, jurisdictional issues, and regulatory fragmentation. To propose legal and policy reforms aimed at recognising, preventing, and prosecuting exploitative data harvesting as an economic crime.
INTRODUCTION
Digital lending platforms and mobile-based loan applications have emerged as defining features of contemporary financial markets, reshaping access to credit through big data analytics, alternative credit scoring, and instant digital onboarding. In India, this rapid growth has been driven by widespread smartphone penetration, robust digital identity infrastructure, and interoperable payment systems, positioning FinTech as a key instrument of financial inclusion. However, the increasing dependence on digital systems has simultaneously intensified the risks of data theft, unauthorized access, and misuse of personal information. In India, such threats are primarily governed by the Information Technology Act, 2000, which establishes the foundational legal framework for addressing cybercrimes, including data theft and unauthorized disclosure. This article provides an in-depth analysis of data theft under the IT Act, examining its legal provisions, penalties, notable judicial and regulatory cases, and preventive mechanisms for safeguarding sensitive information.
The study further situates these concerns within India’s broader digital transformation, marked by its status as the world’s second-largest internet market and an unprecedented scale of data generation. While the Digital Personal Data Protection Act, 2023 has emerged as a cornerstone of India’s data governance regime, it also raises complex questions regarding individual privacy and state power. The expansion of government surveillance capabilities through mechanisms such as the Central Monitoring System and Network Traffic Analysis underscores the growing tension between national security imperatives and civil liberties. Drawing on constitutional principles affirmed in the landmark Justice K.S. Puttaswamy v. Union of India (2017) judgment, this paper critically examines whether India’s evolving legal framework adequately balances innovation, security, and the fundamental right to privacy in an increasingly data-driven economy.