wordpress blog stats
Connect with us

Hi, what are you looking for?

Why is the Razorpay-AltNews scenario a reminder of Section 91’s vast powers?

What are the legalities of Razorpay’s compliance with orders resulting in thousands of Alt News donors’ data revealed to the government?

The Delhi Police’s investigation into Alt News’ alleged foreign funding sources has resulted in the government collecting the names and transaction details of the fake news busting platform’s donors.

It has brought “data security” and “privacy” as buzzwords in the mainstream media, while alarming thousands of people around the country.

And why wouldn’t they be alarmed? After all, they just woke up to find that police officials can access the transaction details of a donation that they had made to a cause that they believe in and which the state appears opposed to.

Worse, there’s almost nothing that either the supported NGO or the payment gateway managing the transactions can do about it.

Such is the state of the investigations of cases that violated the Foreign Contribution (Regulation) Act (FCRA). In this article, we’ll look at what repercussions Razorpay might have faced had it denied co-operation and examine the extent of the state’s powers when it comes to investigating allegations of receiving funds from abroad.

Advertisement. Scroll to continue reading.

Never miss out on important developments in tech policy, whether in India or across the world. Sign up for our morning newsletter, with a “Free Read of the Day”, to experience MediaNama in a whole new way.


On the legality of Razorpay’s actions

Alt News has denied any allegations of foreign funding, calling them “categorically false”. In a statement, the news website also added that Razorpay had disabled its payment account. Razorpay, on the other hand, claimed that this had been done “temporarily as a safety precaution”. The payment link was later restored after a few hours.

Alt News later alleged that Razorpay had given away the personal data of thousands of its donors to the Delhi police without any prior information. The surrendered data allegedly included the names, addresses, bank account, PAN card and Aadhar card numbers.

MediaNama reached out to Razorpay, whose representative emphasised that the payments platform had shared “a certain percentage” of Alt News’ donor data with the authorities as it was bound to follow a written order under Section 91 of the Criminal Procedure Code. The organisation reiterated that this shared data did not contain the addresses, bank account, PAN card and Aadhar card numbers of the donors.

The Razorpay representative did not mention exactly what data the company had surrendered to the cops saying that they can’t comment on the details of an ongoing investigation.

What kind of data does Razorpay collect? As per industry insiders, Razorpay stores the names, emails, contact numbers, GSTIN (optional), notes by merchant and the time of creation of that customer entity. They also store order ID, amount, description, payment mode (card, UPI, wallet), payment instrument reference (UPI ID) and bank transaction reference number for each payment.

Advertisement. Scroll to continue reading.

The payment gateway’s servers automatically classify each payment as international or domestic by default using the originating payment instrument. Cards usually have a bank identification number (the first few digits of a card number) which is used to identify the country of origin,

What would happen if Razorpay did not follow the order? “If we don’t operate by the government’s regulations, we could lose our RBI sanctioned operations licence,” the representative said. “This wouldn’t just result in losses for our business. We have thousands of clients with millions depending on our gateway and they would all be affected overnight.”

What does Razorpay’s privacy policy state? It must also be noted that Razorpay’s privacy policy clearly mentions that the company will disclose information to “comply with legal process” and that the company is “not required to question or contest the validity” of any government request.

The policy states: “We may disclose your Personal Information to third parties in a good faith belief that such disclosure is reasonably necessary to a) take actions regarding suspected illegal activities; b) enforce or apply our terms and conditions and Privacy Policy; c) comply with legal process, such as search warrant, subpoena, statute, or court order; or d) protect our rights, reputation and property, or that of our Users, Affiliates, or the public.”

What does Section 91 of the CrPC say? Section 91 of the CrPC, under whose orders Razorpay surrendered the donor data, states:

“Whenever any Court or any officer in charge of a police station considers that the production of any document or other thing is necessary or desirable for the purposes of any investigation, inquiry, trial or other proceeding under this Code by or before such Court or officer, such Court may issue a summons, or such officer a written order, to the person in whose possession or power such document or thing is believed to be, requiring him to attend and produce it, or to produce it, at the time and place stated in the summons or order.”

Advertisement. Scroll to continue reading.

It also notes that any person required to produce a document under this section “shall be deemed to have complied” or have someone else produce the requisite document in their stead.

Does Razorpay have a mechanism to monitor offshore transactions? While Razorpay offers all of its merchants the option to enable or disable international payments, the company’s spokesperson told MediaNama the platform does not allow foreign transactions unless the merchant has an FCRA certificate.

The spokesperson added that Alt News did not produce an FCRA certificate before Razorpay and so the payment gateway had disabled foreign transactions from the backend. “There is no way the organisation could have received any offshore donation through Razorpay,” the spokesperson said.

However, Razorpay has not clarified whether it takes similar action against other entities also under investigation.

What did the experts have to say?

Companies do not have much of a choice: Delhi High Court lawyer Divyam Nandrajog told MediaNama, “Complying with law enforcement is a standard practice for every organisation.”

“It is a statutory duty that all companies must follow if they receive a notice,” he added. “If the company has received a notice under Section 91, then they have to reply by law. Because of how the section is worded, it is tough to oppose. Saying, ‘We cannot respond’ or ‘This request is unnecessary’ will not help the company and can instead bring more legal trouble for them. Even criminal proceedings can be initiated against them.”

Advertisement. Scroll to continue reading.

“Here, the allegation is that there was foreign funding, that may turn out to be an incorrect allegation. But right now, it is part of a legitimate investigation into the funding of Alt News,” he said. “Believing that the prosecution of Zubair is wrongful is different from cooperating in the investigation. That is not a call a company is going to take. A company will prioritise self preservation.

Are self-incrimination or Puttaswamy grounds to challenge Section 91? “Even when there is a preliminary inquiry into inappropriate funding by an investigation agency, it doesn’t mean the state has the ability to have a deep purview in a non-specific perspective of everyone,” said Nandrajog.

He also cited the Supreme Court’s landmark 2017 Puttaswamy judgement that declared privacy as a fundamental right, protected under Article 21 and Part III of the Constitution, adding, “Since Puttaswamy, any law that intrudes into privacy or any enforcement will certainly have to be looked at from a proportional perspective. Our surveillance laws, such as the Telegraph Act, don’t allow sweeping 360 degree surveillance. They allow targeted surveillance.”

He also said the right against self-incrimination – which is a guaranteed constitutional right – might be a basis to oppose Section 91. “Courts might assess, allow and even stay Section 91 notices on that ground,” he said. However, he did not think that Zubair’s case was one of self-incrimination.

Section 91 does not mandate wholesale data sharing: “Section 91 of the CrPC does not require wholesale data sharing of the kind indulged in by Razorpay,” said technology policy consultant Prasanto Kumar Roy. “Razorpay is mandated to respond to a Section 91 order but may choose to not comply with illegal or unreasonable demands. If there are sweeping requests for data that are unreasonable or which violate other laws, you can respond within reason.”

He said that previously, certain companies have legally pushed back against cops using Section 91 to demand email account passwords, entire customer databases or specific IP addresses of people associated with the company being investigated.

Advertisement. Scroll to continue reading.

Divyam Nandrajog also agrees that the police do not need wholesale data from Razorpay for the FCRA investigation. He said that just collecting “transaction modules” from Razorpay should be enough for the authorities to track down from which banks Alt News had been getting its donations from.

“Also considering Razorpay’s privacy policy, even if there was any wiggle room, a Razorpay user or merchant affiliate cannot expect the company to stand up for their privacy,” noted digital rights activist Srinivas Kodali. He added that in the absence of any personal or non-personal data legislation, companies in India “do not give customers confidence that they can keep their data safe.”

Levers of government censorship

The concerns surrounding the sanctity of payments data of individuals and companies have grown louder as the government has looked to keep a tighter lid on financial data generated from India over the past two years, with changes such as platforms saving card data for recurring payments, card tokenisation, storage of payments data within India and more.

Without any laws regarding data usage in place, Indians do not have any clear recourse to fight back against state encroachment on personal data. So far, the Central government has used this loophole to bring in two main levers of censorship against anti-establishment organisations.

  • Social media regulations: Under the IT Rules 2021, the government has mandated social media companies to proactively identify and take down “defamatory or harmful” content; set up grievance redressal cells and appoint key officials in these roles to act as intermediaries with authorities; publish regular compliance reports; and take down any offensive content within 36 hours of a government order as well as maintain records of disabled content for 180 days.
  • Financial regulations: Anti-establishment news organisations and NGOs have faced the brunt of the authorities’ eyes on their finances. On July 9, the Enforcement Directorate filed a charge sheet against Amnesty International India Private Limited (AIIPL) and others in a money laundering case. This takes place about a month after the arrest of veteran activist Teesta Setalvad who has been under the scanner for a few years for allegedly accepting $290,000 between 2004 and 2014 as contributions for her Sabrang Communications and Publishing, which is not registered under the FCRA.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Read also:

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

India's smartphone operating system BharOS has received much buzz in the media lately, but does it really merit this attention?

News

After using the Mapples app as his default navigation app for a week, Sarvesh draws a comparison between Google Maps and Mapples

News

In the case of the ‘deemed consent' provision in the draft data protection law, brevity comes at the cost of clarity and user protection

News

The regulatory ambivalence around an instrument so essential to facilitate data exchange – the CM framework – is disconcerting for several reasons.

News

The provisions around grievance redressal in the Data Protection Bill "stands to be dangerously sparse and nugatory on various counts."

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ