
While RBI, NPCI Remain Silent, WhatsApp Fails To Ease Payments Privacy Fears


“India has enough technical experts in IITs and other places. Why not set up an independent committee to review the compliance?” asks lawyer Sriram Parakkat

Apar Gupta, a digital rights activist, said that the distinction between WhatsApp’s general privacy policy and India payment policy may not always hold

According to senior advocate Sanjay Hegde, the reluctance of RBI and NPCI to act is because of the absence of a data protection law

Legal troubles persist for WhatsApp Pay even after the messaging platform clarified that its UPI-based payments service fully complies with data localisation norms of the Reserve Bank of India. A petition filed before the Supreme Court ahead of the approval contends that the NPCI’s approval for WhatsApp Payments should be stayed.

In November last year, WhatsApp got an approval from National Payments Corporation of India (NPCI) to launch its payments service in a graded manner starting with a maximum registered user base of 20 Mn in UPI. NPCI relied on Deloitte’s audit of WhatsApp Pay’s compliance with data localisation norms. 

“NPCI is saying the technology audit by Deloitte is sufficient. They are not saying that we have verified through our own means whether they are storing data in India or not. India has enough technical experts in IITs and other places. Why not set up an independent committee to review the compliance?” says Sriram Parakkat, a lawyer representing Rajya Sabha MP Binoy Viswom in the case.

What has added to the controversy surrounding WhatsApp Pay is the introduction of a new global privacy policy that details the amount of data that WhatsApp shares with parent company Facebook and its partners, with no opt out option for users. Though the messaging company has maintained that its India payments service is governed by a separate policy, experts are concerned that this may not always be the case. 

Earlier this week, WhatsApp tweaked its privacy policy language in a blog post a day after Inc42 sent detailed questionnaires to the Reserve Bank of India (RBI) and National Payments Corporation of India (NPCI) regarding their stand and regulatory responsibilities with respect to WhatsApp Payments in light of the controversial new privacy policy. Interestingly, the January 28 blog post on the privacy separation, the November 21, 2020 version of the payments service privacy policy and its December 28, 2020 version show significant differences in how WhatsApp and Facebook will store and share data with authorities and regulators for compliance issues.

Apar Gupta, a lawyer and digital rights activist affiliated to Internet Freedom Foundation (IFF), contended that the distinction between the messaging and the payment privacy policies may not always be upheld because quite often users will be interacting in chat messages before making a payment.

“The assertion of end-to-end encryption in user interactions is correct. However, at that same point in time, there are large troves of metadata for instance, which may be available even under the existing privacy policy, that could include a transfer of money through WhatsApp and a conversation. Hence, there is an interdependency between both policies,” he explained.

The Many Legal Challenges Against WhatsApp’s Contentious Privacy Policy

Meanwhile, the IFF has moved the Supreme Court seeking a stay on WhatsApp’s updated privacy policy, which it described as ‘highly invasive’ and as having been unilaterally forced upon Indian users. It also asked the apex court to pass an interim order restraining WhatsApp from sharing any user data with Facebook for marketing or other purposes.

Taking a dig at the confusion arising from the two separate policies, Paytm founder Vijay Shekhar Sharma tweeted: “So an unregulated entity that is ready to collect/ use any and every data of users & businesses is claiming that on same screen of same app, it will have a separate privacy policy implemented.” 

In effect, WhatsApp’s dual policy means that it would have to segregate data, then share part of it with Facebook, while also complying with data localisation norms for payments data. However, there is no clarity yet on how this complex process will be carried out and if government authorities or banking partners will keep a watch on a real-time basis. 

Last week, the Supreme Court allowed an application by Yedhu Menon, an IT professional, to join the case brought by Binoy Viswom. Menon said in a press note that numerous questions remain to be answered by WhatsApp regarding its encryption systems, the security protocols that will be used to transmit data, the scope of data sharing with parent companies, etc.

Another application to the SC by a cyber professional named Vaibhav Gupta sought to inform the court that an experiment done by him to analyse network traffic after completing a transaction on WhatsApp Pay showed that data was being shared with multiple IP addresses owned by Facebook in the US. 

However, in this context it is important to note that the RBI data localisation norms mandate that the payments data should be stored in India after a 24-hour window. As such it isn’t a violation of the norms if payments data goes out within that period — the moot question that is being raised by several quarters is if international payments companies delete the data abroad in the aftermath.

RBI And NPCI Remain Silent Spectators

Viswom’s petition had alleged that the RBI and NPCI, instead of fulfilling their statutory obligations, are compromising the interest of Indian users by allowing the non-compliant foreign entities like Facebook, Google and Amazon to operate digital payment services in India.

The NPCI in its counter affidavit to the apex court has said that:

“It is humbly submitted that RBI’s directions issued vide circular dated 6 April 2018 on storage of payment system data pertain only to payment data storage and not data sharing. The Answering Respondent has not issued any instructions to payment system operators on data sharing by TPAPs of UPI. Matters related to data privacy and data sharing come under the domain of the Government of India and TPAP Respondents ought to comply with all laws that are in force in India…”

The RBI also has evaded the issue taking a similar line in its affidavit:

“RBI has not issued any instructions on data sharing by TPAPs or the participants of UPI. Matters related to data privacy and data sharing come under the domain of the Government of India.”

Why are the regulators blinking where there’s a possibility that data sharing practices of international payments companies might compromise the financial data of Indian citizens?

According to senior Supreme Court lawyer Sanjay Hegde, the reluctance stems from the absence of a data protection law in the country as regulators don’t want to define privacy or assume any responsibilities for privacy protections exceeding their remit. While the Personal Data Protection Bill has been in the works for a few years now, it has still not become law. The government is likely to table the bill in the budget session of Parliament which began yesterday (January 29). 

“Does money have a right to privacy? There are many conceptual issues that have not been defined in the absence of privacy legislation. If at least there was a standard to define privacy, then RBI or other regulators could have made suitable norms and enforced them… The failure is of deliberate legislative inaction,” says Hegde.

Facebook has been at the centre of data privacy controversies time and again — be it the Cambridge Analytica scandal which arguably led to the RBI data localisation norms in the first place, the data leak of 267 Mn users reported in December 2019 or the recent breach when Facebook data including phone numbers of 6 Lakh Indian users was put up for sale on Telegram. Even as WhatsApp continues facing backlash in the Indian market, many users have moved to alternative platforms like Signal and Telegram.

The repeated floundering on privacy matters begs the question: Should the government and regulators be relying on a single audit by an MNC where the financial data of millions of Indian citizens is at stake?