...
...
Next Story

The data questions the Meta-CRED deal raises

Financial data occupies a unique position in the digital economy because it captures not what people say or search, but how they earn, spend, borrow and repay.

Updated on: Jul 03, 2026 07:22 AM IST
By ,
Advertisement

Meta’s $900-million investment in Indian fintech platform, CRED, comes with an important assurance: Meta will not gain access to CRED users’ financial data merely because it has acquired a minority (20%) stake. That clarification seeks to address immediate privacy concerns and reflect the basic safeguards embedded in India’s Digital Personal Data Protection (DPDP) Act, 2023. Yet the episode raises a larger public policy question. If the law can regulate the transfer of personal data, is it equally equipped to govern the concentration of economic power built around financial data, digital ecosystems and artificial intelligence?

The Meta-CRED transaction is not evidence that India’s privacy law has failed, write Tarun Kumar and Ashish Bharadwaj
The Meta-CRED transaction is not evidence that India’s privacy law has failed, write Tarun Kumar and Ashish Bharadwaj

India’s digital payments architecture has rightly been celebrated as a public policy success. Through the Unified Payments Interface (UPI), the country built interoperable payment infrastructure that prevented platform dominance from translating into payments dominance. WhatsApp Pay’s limited success despite its massive user base illustrates that open public infrastructure can preserve competition.

Also Read | Meta names Kunal Shah as WhatsApp's new head, invests $900 million in CRED

Financial data occupies a unique position in the digital economy because it captures not what people say or search, but how they earn, spend, borrow and repay. Hence, our financial transaction records reveal spending patterns, borrowing behaviour, repayment discipline and consumption preferences. Aggregated over millions of users, they become a strategic economic asset capable of informing credit decisions, product design, fraud detection and increasingly, AI models.

This distinction matters. A platform may comply fully with the DPDP framework. Users may provide valid consent. No unlawful sharing of personal information may occur. Yet firms can still derive significant competitive advantages from behavioural intelligence generated through lawfully processed data. Economic power today increasingly stems not merely from possessing personal data, but from analysing it, generating inferences, training algorithms and integrating insights across products and services.

Meta’s history of regulatory misadventures show why this broader conversation deserves attention. From the 2018 Cambridge Analytica scandal and the European Union’s record GDPR fine in 2023 to the Competition Commission of India’s 213.14 crore penalty in 2024 over WhatsApp’s privacy policy and data-sharing practices, the company has repeatedly faced scrutiny over privacy and competition. These precedents do not imply any impropriety in the CRED investment. They do, however, reinforce the need for governance frameworks that anticipate systemic risks rather than respond only after violations occur.

This is where India’s regulatory debate must evolve. Privacy law alone cannot resolve questions of digital sovereignty. Nor can it adequately address the convergence of data, competition and algorithmic power. As fintech platforms expand into lending, insurance, wealth management and AI-enabled financial services, governance challenges will increasingly arise from the inferences and market power generated around data rather than from unlawful data transfers themselves.

The next phase of reform should therefore focus on institutional coordination rather than legislative expansion alone. The Data Protection Board, the Competition Commission of India, the Reserve Bank of India and sectoral regulators should develop a coherent framework for overseeing financial data ecosystems. Greater transparency in algorithmic decision-making, meaningful data portability, independent audits of high-risk AI systems and closer scrutiny of strategic investments in data-rich sectors would complement, rather than mimicking the DPDP framework.

India’s digital public infrastructure has become a global benchmark because it balanced innovation with openness. The same philosophy must now guide financial data governance. The Meta-CRED transaction is not evidence that India’s privacy law has failed. It is evidence that privacy is only one part of a much larger governance challenge. As financial data increasingly becomes a source of economic and strategic power, the real policy challenge is not just who possesses personal data but also who controls the financial intelligence built upon it. India’s next chapter in digital governance will be defined by how well it answers that question.

Tarun Kumar is a public policy researcher associated with the School of Public Policy and Governance, TISS Hyderabad. The views expressed are personal

 
SHARE THIS ARTICLE ON