The Supreme Court on Thursday issued notice in a petition seeking the Reserve Bank of India to frame necessary regulations to make sure that Indians’ data collected on UPI platforms such as Amazon Pay, Google Pay, and WhatsApp Pay, is not exploited by these companies. The petition, which was filed in September by Communist Party of India MP Binoy Viswam, had also sought that Indians’ right to privacy should be protected from being misused by “giant corporations” for their “financial ends”. It also sought that WhatsApp Pay’s full-scale operations be halted until it proves all legal compliances. Bar and Bench first tweeted about this.

The Finance Ministry, IT Ministry, Home Ministry, CERT-In, Reserve bank of India, the National Payments Corporation of India, Amazon, Google, Facebook, and WhatsApp have been listed as respondents in Viswam’s petition. Viswam is being represented by senior Advocate Shyam Diwan, and Advocates Sriram Parakkat, and MS Vishnu Shankar. Parakkat told MediaNama that the Supreme Court will take up the case four weeks from now.

RBI, NPCI have ‘tuned a blind eye’

In the petition, Viswam essentially argued that RBI and NPCI have allowed certain payment services in India despite non-compliance. The “RBI & the NPCI instead of fulfilling their statutory obligations and protecting and securing the sensitive data of users are compromising the interest of the Indian users by allowing the non compliant foreign entities to operate its payment services in India,” Viswam said. “Conduct of the RBI and the NPCI puts the sensitive financial data of Indian users at huge risks, especially when these entities have been continuously accused of abusing dominance, and compromising data, among other things,” he continued.

In April, 2018, RBI had issued a circular directing all payments system operators to ensure that Indians’ financial data is stored within India itself. “However since the systems providers especially WhatsApp and Google Pay failed to follow the deadline of October 2018, and therefore the RBI in order to help the WhatsApp, Google Pay etc, and in complete disregard to the security of financial data of Indian users toned down the April 2018 Circular by issuing Frequently Asked Questions (FAQs) [in June 2019] and permitted the processing of all payment transaction abroad (including domestic transactions),” the petition alleged

His petition also argued that in the absence of a data protection law in the country, it is the responsibility of the state to ensure that basic norms of data protection are complied with, especially by non-state actors that handle Indians’ data purely for business reasons. “Although these entities are based in United States and take Indian data abroad, however in absence of any strong scrutiny and responsibility the data shared on their platform is at very high risk of being misused.

“Moreover these entities in the past have not only been blamed for misusing the data of its users, but has also been accused of reneging the promises made to the law makers and regulators. However the Respondents i.e. RBI and NPCI, instead of actively looking into such allegations have turned a blind eye, and have permitted the operation of Amazon, Google and WhatsApp in the UPI platform even contrary to public interest.”

Google and Facebook already have access to immense personal data of millions of Indians, and if they are permitted to collect “unrestricted” financial data via the UPI platform, it will give them draconian control over Indians’ sensitive data, Viswam said in the petition. “The continuation of Amazon Pay, Google Pay, and WhatsApp Pay, without proper safeguards ensuring that no data gathered by these entities through its payment service would be transferred outside India, stored indefinitely and shared with parent companies would be against the national interest,” Viswam contended.

‘WhatsApp should be directed to have an office in India’

Viswam alleged that WhatsApp Pay has been green lit in India serious non compliances and breach of UPI guidelines. He said that NPCI, just on the basis of an audit report done by consultancy firm Deloitte, informed the RBI that WhatsApp had complied with the central bank’s data localisation norms, Viswam alleged in the petition. He also alleged that when a fraud was detected at a unit of Infrastructure Leasing and Financial Services in 2019, at least 22 violations of auditing standards by Deloitte and KPMG were reported. “NPCI has blindly relied on the Audit Report of WhatsApp prepared by Deloitte”, Viswam contended in the petition, adding that both RBI and NPCI have failed to do an independent audit of WhatsApp Pay.

Viswam also argued that WhatsApp will continue to flout regulations and norms in its business practices. He also said that WhatsApp’s own security has been compromised in the past, mentioning how the NSO Group’s Pegasus was used to target several Indians.

WhatsApp neither has any registered office in India nor does it have a full time representative posted in the country, Viswam said, and added that as a result, suing WhatsApp or holding it criminally liable would involve “practical difficulties”, in the event of a privacy breach or data theft. Viswam prayed that WhatsApp be directed to open a registered office in India, ensure that financial data collected via WhatsApp Pay is deleted immediately after it has been used for its intended purpose, and not to share any kind of data with parent Facebook.

Also read