Legal troubles persist for WhatsApp Pay even after the messaging platform clarified that its UPI-based payments service fully complies with data localisation norms of the Reserve Bank of India. But a petition filed before the Supreme Court before the approval contends that the NPCI’s approval for WhatsApp Payments should be stayed.
In November last year, WhatsApp got an approval from National Payments Corporation of India (NPCI) to launch its payments service in a graded manner starting with a maximum registered user base of 20 Mn in UPI. NPCI relied on Deloitte’s audit of WhatsApp Pay’s compliance with data localisation norms.
“NPCI is saying the technology audit by Deloitte is sufficient. They are not saying that we have verified through our own means whether they are storing data in India or not. India has enough technical experts in IITs and other places. Why not set up an independent committee to review the compliance?” says Sriram Parakkat, a lawyer representing Rajya Sabha MP Binoy Viswom in the case.
Apar Gupta, a lawyer and digital rights activist affiliated to Internet Freedom Foundation (IFF), contended that the distinction between the messaging and the payment privacy policies may not always be upheld because quite often users will be interacting in chat messages before making a payment.
In effect, WhatsApp’s dual policy means that it would have to segregate data, then share part of it with Facebook, while also complying with data localisation norms for payments data. However, there is no clarity yet on how this complex process will be carried out and if government authorities or banking partners will keep a watch on a real-time basis.
Last week, the Supreme Court allowed an application by Yedhu Menon, an IT professional, to join the case brought by Binoy Viswom. Menon said in a press note that numerous questions remain for WhatsApp regarding its encryption systems, the security protocols that will be used to transmit data, the scope of data sharing with parent companies, etc.
Another application to the SC by a cyber professional named Vaibhav Gupta sought to inform the court that an experiment done by him to analyse network traffic after completing a transaction on WhatsApp Pay showed that data was being shared with multiple IP addresses owned by Facebook in the US.
However, in this context it is important to note that the RBI data localisation norms mandate that the payments data should be stored in India after a 24-hour window. As such it isn’t a violation of the norms if payments data goes out within that period — the moot question that is being raised by several quarters is if international payments companies delete the data abroad in the aftermath.
RBI And NPCI Remain Silent Spectators
Viswom’s petition had alleged that the RBI and NPCI, instead of fulfilling their statutory obligations, are compromising the interest of Indian users by allowing the non-compliant foreign entities like Facebook, Google and Amazon to operate digital payment services in India.
The NPCI in its counter affidavit to the apex court has said that:
“It is humbly submitted that RBI’s directions issued vide circular dated 6 April 2018 on storage of payment system data pertain only to payment data storage and not data sharing. The Answering Respondent has not issued any instructions to payment system operators on data sharing by TPAPs of UPI. Matters related to data privacy and data sharing come under the domain of the Government of India and TPAP Respondents ought to comply with all laws that are in force in India…”
The RBI has also evaded the issue, taking a similar line in its affidavit:
“RBI has not issued any instructions on data sharing by TPAPs or the participants of UPI. Matters related to data privacy and data sharing come under the domain of the Government of India.”
Why are the regulators blinking where there’s a possibility that data sharing practices of international payments companies might compromise the financial data of Indian citizens?
According to senior Supreme Court lawyer Sanjay Hegde, the reluctance stems from the absence of a data protection law in the country as regulators don’t want to define privacy or assume any responsibilities for privacy protections exceeding their remit. While the Personal Data Protection Bill has been in the works for a few years now, it has still not become law. The government is likely to table the bill in the budget session of Parliament which began yesterday (January 29).
“Does money have a right to privacy? There are many conceptual issues that have not been defined in the absence of privacy legislation. If at least there was a standard to define privacy, then RBI or other regulators could have made suitable norms and enforced them… The failure is of deliberate legislative inaction,” says Hegde.
Facebook has been at the centre of data privacy controversies time and again — be it the Cambridge Analytica scandal which arguably led to the RBI data localisation norms in the first place, the data leak of 267 Mn users reported in December 2019 or the recent breach when Facebook data including phone numbers of 6 Lakh Indian users was put up for sale on Telegram. Even as WhatsApp continues facing backlash in the Indian market, many users have moved to alternative platforms like Signal and Telegram.
The repeated floundering on privacy matters begs the question: Should the government and regulators be relying on a single audit by an MNC where the financial data of millions of Indian citizens is at stake?