On 7 April 2023, Google announced that it will be updating its Personal Loan policy, with the changes coming into effect from 31 May 2023.

As per the preview of the Financial Services Policy (“Google Policy”) shared by Google, personal loan apps are prohibited from accessing sensitive data such as photos and contacts. More specifically, permissions will be prohibited for: storage; images; contacts; location; numbers and videos.

In this context, it may be noted that the Digital Lending Guidelines provide for one-time access by personal loan apps to certain mobile features such as camera, location, microphone etc. for the purposes of onboarding the customer and KYC verification. Whether the prohibition placed in the Google Policy on accessing location and images will be aligned with such KYC requirements will become clear only after release of the detailed Google Policy.

Also, in our view, while prohibiting automatic access to features such as contacts, location and media files is in the interest of customer privacy, a complete restriction on access to such mobile features can also interfere substantially with the customer’s right to use her own data and with the loan journey experience.

Customers may wish to provide access to selected media files, location, and other features on a case-by-case basis, as and when needed and consented to. For example, it is not difficult to imagine that a customer may, for redressal of a grievance or other facilitation, want to upload or provide access to a specific screenshot. An absolute prohibition on such access, which completely disables customer choice, is also contrary to the customer’s right to her data. The balance, therefore, lies between the two extremes of automatic access and absolute prohibition. One hopes that the Google Policy will provide a more customer-centric approach, which protects as well as empowers customer choice in privacy.

As a side note, it’s interesting that in the country-specific guidelines for Pakistan, the Google Policy permits only NBFCs (regulated entities) to register a lending app and restricts each NBFC to a single lending app. In contrast, the Google Policy for India continues to enable lending apps from both regulated and unregulated entities (which must declare that the app is just a platform for facilitating money lending by the NBFC/bank to the customers). This approach is aligned with the way the digital lending market is working in India, where the fintech sits as the customer interface while the regulated entity works in the green room to provide the financial support. However, given RBI’s continuous concern over the role of unregulated entities in digital lending, one may see further guardrails emerging for monitoring digital apps provided by unregulated entities.

Authored by
Shivi Rastogi, Managing Partner
Tanya Nair, Associate
