India: Reserve Bank's Digital Lending Directions 2025, including data protection provisions entered into force (No. RBI/2025-26/36)

On 8 May 2025, the Reserve Bank of India's Digital Lending Directions 2025, including data protection obligations for digital lending services, entered into force. The directions apply to commercial banks, co-operative banks, non-banking financial companies, and all-India financial institutions. They require regulated entities to obtain explicit consent from borrowers for data collection and to limit access to personal data strictly to what is necessary. The directions prohibit the collection and storage of biometric data and mandate that all personal data be stored on servers located within India. If data is processed outside India, it must be deleted from foreign servers within 24 hours. Lending service providers must comply with equivalent data restrictions, and regulated entities must maintain and publicly disclose comprehensive privacy policies. These provisions establish enforceable standards for data minimisation, localisation, and transparency in the digital lending sector.