A sting operation video on mobile payments company Paytm, released by news website Cobrapost, shows Paytm Senior Vice President Ajay Shekhar Sharma allegedly saying that the Indian Prime Minister’s Office (PMO) had asked the company for user data. MediaNama is unable to independently verify the authenticity of this video, and it is worth pointing out that the video isn’t available in full. This video has been released as a part of the ‘Operation 136’ sting operation series, largely focusing on news organisations and their alleged willingness to promote political agenda.

In the video, Ajay Shekhar Sharma, who is the younger brother of Paytm founder Vijay Shekhar Sharma, allegedly tells the undercover reporter: “Jab JK mein band huye the na pathar … toh personally PMO se phone aya tha kaha gaya tha ki data de do ho sakta hai ki Paytm user hon…” [Translated: When there was a curfew in Jammu & Kashmir due to stone pelting, then the Prime Ministers Office personally called asking for data, because it’s possible that some people might have been Paytm users].

Note that Sharma did not say that Paytm complied with the PMO’s alleged demand or not, although, the voiceover in the Cobrapost video said that they did.

In a blog post titled “Your Paytm data is NEVER shared with anyone“, the company has said that:

There is a video going around on social media and it falsely claims that we shared some data with 3rd parties. Nothing can be further from the truth. We never share your data with anyone: any company/ any government or any country. At Paytm, your data is yours. Not ours, or of a third party, or of the government. Our policy allows ONLY legally compliant data requests from the law of the land to get access to data for necessary investigations. To further clarify, in the past, we have neither received requests nor shared any data without a legally compliant request from a bonafide agency and through proper process and channels. You can be sure that no data is shared with anyone whom you would not have given us permission to share it with. This is the holy grail of trust between us. Any person claiming otherwise is not aware of the policy and is not authorised to speak on behalf of the company.

Note that it has the company has not challenged the authenticity of the video itself, only the claim. It has also not explicitly commented on the alleged request from the PMO, though the overarching statement regarding third parties does cover it.

Paytm’s Privacy Policy

The fintech company writes in its privacy policy that by downloading and using the Paytm application/ website/WAP site “you expressly give us consent to use & disclose your personal information in accordance with this Privacy Policy. If you do not agree to the terms of the policy, please do not use or access Paytm.” It also adds that “our privacy policy may change at any time without prior notification. To make sure that you are aware of any changes, kindly review the policy periodically.”

As ‘Personal Information’, Paytm includes all information that can be linked to a specific individual or to identify any individual, such as name, address, mailing address, telephone number, email ID, credit card number, cardholder name, card expiration date, information about your mobile phone, DTH service, data card, electricity connection, Smart Tags and any details that may have been voluntarily provide by the user in connection with availing any of the services on Paytm- as ‘Personal Information’.

It also writes that when you browse through Paytm, it may collect information regarding the mobile/ tab device details, domain, and host from which you access the internet, the Internet Protocol [IP] address of the computer or Internet service provider [ISP] you are using, and anonymous site statistical data.

100 million KYC-compliant wallet customers

As of November 2017 Paytm had 282 million registered users, and in April it announced that more than 100 million of its wallet customers have completed their know-your-customer (KYC) process, as mandated by the Reserve Bank of India. For KYC, users share details like Aadhaar, passport, driving license among other documents with Paytm.

Mobikwik also chimes in

One of Paytm’s competitor MobiKwik, which was not targeted by the sting, has also chimed a statement saying that all customer data is securely stored in a database with “high-end encryption”. If asked to share information about a person’s financial transaction details for investigations on tax evasion or any illegal activity, they will abide the court order, MobiKwik said.

Siladitya adds: The biggest question that must be raised here is why do Indian tech majors like Paytm not release a comprehensive transparency report. Facebook, a company that has deservedly been attacked for its poor handling of user data releases a transparency report every 6 months. Facebook’s report shares the total number of requests made by the government and even offer’s a breakdown of what percentage of the requests were acted upon. This is standard practice for most global tech firms. Paytm CEO, Vijay Shekhar Sharma has been vocally supportive of the RBI’s directive on data localisation by payment firms and has targeted foreign firms for their data handling practices. Yet Paytm fails to match the basic standards on transparency set by these foreign companies.