Delhi-based thinktank Centre for Accountability and Systemic Change said WhatsApp’s “unlawful trials” for its payments services should stop, and that the RBI and National Payments Corporation of India (NPCI) should put on record the permission granted for the pilot, including all communication between RBI, NPCI and WhatsApp regarding the same. The thinktank said this in an interim application (see below) filed in the Supreme Court on February 10. CASC had petitioned the Supreme Court in July 2018 about WhatsApp’s failure to comply with Indian laws, including its failure to appoint a grievance officer, and this is a fresh application to the existing petition. This development comes after RBI and NPCI have green-lit the launch of WhatsApp’s payments service.

WhatsApp started a UPI payments service pilot in February 2018, in partnership with ICICI Bank. We have reached out to WhatsApp for comment, and shall update the story when they respond.

The application alleged that WhatsApp Pay is in violation of RBI’s data localisation norms issued in April 2018, and does not have a local office or a grievance officer in India. It further prayed that the Supreme Court should look “into the behind the door activities of the Respondents”. It added:

“WhatsApp is in violation of data localization norms as per RBI [but] is clandestinely continuing beta testing of its Payments Systems on one million Indian users. Moreover, it has now been reported that WhatsApp Pay will be rolled out to more customers, despite there being no report submitted to this court about WhatsApp”s full compliance with RBI Data localization norms (sic)”.  — from the application

The respondents in the case are MeitY, TRAI, RBI, and numerous other Union ministries.

What the application seeks:

  • Indians can not be reduced to ‘guinea pigs’: It further said that the reported 1 million Indians using WhatsApp Pay’s pilot can not be “reduced to guinea pigs,” and that their sensitive personal data, including financial data cannot be stored outside India. It also alleged that WhatsApp is the only third party app which is currently listed live on the NPCI website, despite not complying with RBI’s norms.
  • RBI’s data localisation mandate had no exceptions: WhatsApp Pay’s beta testing is “completely illegal” and can not be allowed because the trials of WhatsApp Pay were approved in February 2018, and RBI’s localisation norms were released in April 2018, and the circular did not mandate any exceptions, the application said. Furthering of WhatsApp Pay to even more Indians can not be allowed, it added.
  • RBI’s FAQs on data localisation ‘ultra vires’: It even reprimanded the FAQs issued by the RBI in 2019, which “toned down” its own norms laid down in April 2018, and said that the FAQs were “ultra vires” — beyond RBI’s legal power or authority — because they have no file number or notification number. The April 2018 circular had statutory backing under the Payment and Settlement Systems Act, 2007, and can not be toned down by means of FAQs, it added.
  • No blanket permission for trials: WhatsApp has not brought “all material facts” before the Supreme Court and has not put on record the permission granted to it for trials, CASC alleged. “There cannot be any blanket permission for trials, and same should be restricted by duration, number of banks involved and monetary limits,” it added. Besides, it said that while WhatsApp has claimed compliance with RBI data localisation norms, RBI’s affidavit filed in November 2019 had proved that it was not the case.

Questioned WhatsApp’s security: It also said that WhatsApp was compromised by the “Pegasus virus,” and claimed that Facebook, WhatsApp and Instagram “are integrating their data, thus rendering the entire user data, irrespective of the service, at risk”. It added that WhatsApp Pay should first comply with data localisation norms before dealing with users’ financial data, which is classified as sensitive personal data under the law. Readers should note that the Personal Data Protection Bill, 2019, which is currently being deliberated upon by a Joint Parliamentary Committee has categorised financial data under sensitive personal data, and such data has to be mirrored in India, and can only be processed outside depending on certain conditions. However, it has not become a law as of now.

Questioned WhatsApp parent Facebook’s security: “No action is taken in India against companies which have scant regards for privacy of Indians,” CASC said and alleged that WhatsApp’s “other related companies” have a “poor data security record”. It highlighted the recent hack of Facebook’s own Instagram and Twitter accounts to support the argument. It also said that Facebook has suffered numerous data breaches including a data breach of 267 million users in December 2019 and 419 million users in September 2019, and while the US has fined it $5 billion, no action has been taken in India, despite its involvement in Cambridge Analytica.

CASC’s petition had sought direction for WhatsApp to comply with Indian laws

On July 27, 2018, the organisation had petitioned the Supreme Court about WhatsApp’s failure to comply with Indian laws, including its failure to appoint a grievance officer. It stated that WhatsApp is a foreign company with over 200 million users, but without any servers or offices in India. It further said that having an office and a grievance officer for users is necessary under Indian law.

Further reasons that the petition sought compliance for:

  1. Cooperation with law enforcement: The petitioner states that WhatsApp is not co-operating with Indian intelligence agencies in their probe on terrorist activities. At the same time, government service and law enforcement in India is using WhatsApp to render their services, but they do not have a person of contact at WhatsApp should they face any problems. “The biggest messaging platform has no WhatsApp number of its own, which in turn is dangerous for the Rule of Law in India.”
  2. Grievance redressal requirements: WhatsApp is not complying with the IT Act 2000, which mandates that all intermediaries appoint a grievance officer. The government allowing WhatsApp to do so is discriminatory as it puts restrictions on others but gives WhatsApp a “free hand”. Further, WhatsApp current grievance officer is based out of the US, making the position ineffective.
  3. Taxes: WhatsApp does not pay any taxes in India, which violates the freedom to do business under Article 19.
  4. RBI’s localisation mandate: “WhatsApp must be directed to store the data in Indian servers as mandated by Reserve Bank of India, and pay taxes on income caused due to its operations in India,” the petition states.
  5. WhatsApp as an OTT service, and its regulation: WhatsApp being an OTT service which enables users to make calls, send messages and media, just like TSPs, does not follow any grievance redressal and data localisation norms that govern TSPs.
  6. Violating poll conduct: Political parties use WhatsApp groups to message voters during the 48-hour silent period.