The Karnataka High Court recently dismissed a petition challenging a police notice issued to digital payments gateway PhonePe for user information after a client used the app to engage in allegedly illegal sports betting-related transactions.
PhonePe had challenged the police notice on the ground that it was only an intermediary and that it also had a duty to protect client privacy.
However, Justice M Nagaprasanna opined that the protection of customer privacy cannot overshadow lawful investigations, especially in the current digital era where cybercrime has become more complex.
“Today, the conventional crimes have receded and new age crimes have sprung in large number. The new age crimes are cybercrimes – the clandestine modern offences. Such offences demand swift, targeted and effective response. The police must be empowered within the limits of law to unearth digital footprints that could otherwise vanish. Therefore, while privacy as contended by the petitioner should be maintained, it cannot be wielded as a shield against lawful investigation," the judge said in his April 29 ruling.
The Court added that the need to protect the confidentiality of customer data must coexist with accountability.
"The protection of consumer privacy cannot eclipse the lawful imperative of investigating officers to secure evidence and take the investigation to its logical conclusion. ‘Confidentiality must coexist with accountability.'"
The matter was related to a cheating case filed in 2022. A man claimed that he had used PhonePe to make multiple deposits of money (about 6,000 in total) with a sports betting website, while India versus South Africa cricket matches were going on.
However, he was later unable to withdraw money from his virtual wallet and the website was eventually blocked from access. He, therefore, filed a complaint seeking the return of his money and accused the website of cheating him.
In connection with this complaint, the police issued a notice to PhonePe, informing it of the registration of a complaint into the alleged use of its platform for the deposit of money with online gambling websites. The notice was issued in December 2022, under Section 91 (summons to produce document or other thing) of the then-prevailing Code of Criminal Procedure (CrPC).
The notice also sought information from PhonePe on the details of the user to whom such payments were made, whether PhonePe did any due diligence before onboarding customers, whether PhonePe suspected any fraud and if it had noticed any online gambling-related activity on its platform. It was further asked to furnish a list of customers who are involved in online gambling.
PhonePe challenged this notice. It argued that it had a legal obligation to protect the confidentiality of user data under the Payment and Settlement System Act, 2007 and the Bankers Books Evidence Act, 1891, and that it can only share such private information if a court passes an order to do so.
The Court, however, held that even these laws permit the sharing of information with statutory authorities, which includes investigating agencies. It added that the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2011, too require online intermediaries to provide information to investigation officers within 72 hours of a lawful request being made.
The Court concluded that Phone Pe cannot claim to be immune from investigatory summons when criminality is suspected.
"The duty to protect data must yield, where public interest and criminal investigation intersect," it said.
It acknowledged that such information requests must be specific and not a fishing expedition. In this case, however, the Court ruled that the police notice issued to PhonePe was not per se illegal, particularly since the aim was to unearth a possible money trail between several accounts that may be involved in illicit financial transactions.
It proceeded to dismiss PhonePe's petition.
