The Supreme Court Thursday agreed to hear a petition filed by Rajya Sabha MP Binoy Viswam who has sought a direction to the RBI to frame necessary regulations to ensure that data collected on UPI platforms is not exploited or used in any manner other than for processing payments. A bench headed by Chief Justice S A Bobde issued notices and sought responses from the Centre, Reserve Bank of India (RBI), National Payments Corporation of India (NPCI) and others including Google Inc, Facebook Inc, WhatsApp and Amazon Inc on the plea.
Issue notice returnable within four weeks, said the bench, also comprising Justices A S Bopanna and V Ramasubramanian. In his plea, Viswam, the Communist Party of India (CPI) leader, has sought a direction to the RBI and the NPCI to ensure that data collected on Unified Payments Interface (UPI) platforms is not shared with their parent company or any other third party under any circumstances. The MP has said that he has filed the plea for the protection of fundamental right to privacy of millions of Indian citizens who are using UPI.
In India, the UPI payments system is being regulated and supervised by Respondent no. 1 (RBI) and Respondent no. 2 (NPCI), however the RBI and the NPCI instead of fulfilling their statutory obligations and protecting and securing the sensitive data of users are compromising the interest of the Indian users by allowing the non-compliant foreign entities to operate its payment services in India, the plea has alleged. The RBI and NPCI have permitted the three members of Big Four Tech Giants’ i.e. Amazon, Google and Facebook/WhatsApp (Beta phase) to participate in the UPI ecosystem without much scrutiny and in spite of blatant violations of UPI guidelines and RBI regulations, it claimed.
The plea has alleged that this conduct of RBI and NPCI put the sensitive financial data of Indian users at huge risks, especially when these entities have been continuously accused of abusing dominance and compromising data, among other things. It said these allegations have become particularly worrisome at a time when India has banned host of Chinese applications on the ground that those applications were or could be used for data theft and could lead to security breaches.
It further sought a direction that RBI and NPCI should ensure that WhatsApp is not permitted to launch full scale operations of WhatsApp Pay’ in India without fulfilling all legal compliances to the satisfaction of the court regarding requisite regulatory compliances. It said that in April 2018, the RBI, with a view to secure the data of Indian users, had issued a circular directing all system providers to ensure that entire data relating to payment systems operated by them are stored in systems only in India and they were asked to ensure compliance by October 15, 2018.
The plea claimed that later, the RBI toned down the April 2018 circular by issuing Frequently Asked Questions (FAQs) and permitted processing of all payment transaction abroad, including domestic transactions. In the said FAQ it was clarified that in cases of data processing done abroad, the data should be deleted from the systems abroad and brought back to India within 24 hours, the plea said.
It has sought the apex court’s direction to declare the FAQ dated June 26, 2019 issued by the RBI as ultra vires to the circular dated April 6, 2018. The plea referred to another pending petition in the apex court and said that in that matter, the counsel appearing for WhatsApp had undertook that his client would not go ahead with payment services without complying with all the regulation in force.
It alleged that Google and Facebook already have access to immense personal data of millions of Indian users and if they are permitted to collect unrestricted financial data of Indian users while operating at the UPI platform, the same would give them draconian control over sensitive Indian data.