In the recent case of PhonePe Private Limited v. State of Karnataka1, the Karnataka High Court ("High Court") addressed the responsibilities of digital payment intermediaries in sharing user transaction data during a criminal investigation. Through his judgement, Justice Nagaprasanna ruled that the "duty to protect data must yield, where public interest and criminal investigation intersect ".
Background of the Case
PhonePe Private Limited ("PhonePe"), a prominent digital payment platform in India, was issued a notice under Section 91 of the Code of Criminal Procedure 1973 ("CrPC") by an Investigating Officer of the Bangalore police. The notice was issued pursuant to an investigation into online gambling websites, where the PhonePe platform was used to facilitate the financial transactions. The notice required PhonePe to submit a significant amount of information including the URL/ IP address of the merchant, source through which the merchant was onboarded, transaction details from the date of onboarding of the merchant, and merchant KYC and due diligence details amongst others. Upon receiving this notice, PhonePe filed a writ petition under Articles 226 and 227 before the High Court seeking direction by the issuance of a writ of mandamus, ordering the police to conduct the investigation in strict compliance with the enactments and regulations to which PhonePe is subject.
PhonePe contended that it is an intermediary under Section 79 of the Information Technology Act 2000 (the "IT Act") and neither PhonePe nor its employees were accused of the crime. Furthermore, since it is a unified payment interface ("UPI") provider, it is regulated by the Payment Settlement Systems Act 2007 (the "PSS Act"), and the Bankers Books of Evidence Act 1891 ("BBE Act"), which bars the divulgence confidential information of the customers. PhonePe argued that it would only be permitted to submit the information requested in the notice subject to an order of a court, and the notice provided by the Investigating Officer is contrary to the law.
The question before the court was whether the notice issued by the Investigating Officer would be tenable or if the same would be contrary to the provisions of the PSS Act and the BBE Act.
Section 91 of the CrPC
Under Section 91, whenever a court or any officer in charge of a police station considers that the production of any document or other thing is necessary or desirable for the purpose of any investigation, inquiry, or other proceeding under the CrPC, such court or officer may issue a notice to such person requiring him to produce the same. However, under Sub Section 3(a), it is specified that the Section shall not affect the BBE Act.
Decision of the Karnataka High Court
The High Court dismissed PhonePe's petition, emphasizing that the protection of consumer privacy cannot be deemed to override the lawful imperative of the investigating officers to secure evidence and conclude investigations. The court referred to Section 87 of the IT Act and the associated Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2011 (the "Intermediary Rules") which, under Rule 3, mandates that information must be provided by an intermediary within 72 (seventy two) hours of receipt of an order from the Investigating Officer.
The High Court ruled that PhonePe cannot contend that being a digital payment system, it cannot divulge information. Upon examining Section 22 of the PSS Act, the High Court observed that the entity regulated under the PSS Act would have a duty to keep the documents confidential except where disclosure if made under the provisions of the Act, made with the express or implied consent of the customer concerned or if "such disclosure is in obedience to the orders passed by a court of competent jurisdiction or a statutory authority in exercise of the powers conferred by a statute". Furthermore, the High Court analyzed the provisions of the BBE Act and ruled that under Section 2(4) a legal proceeding would also include an inquiry in which evidence may be required or in which any investigation or inquiry is required under the CrPC. Therefore, notice under Section 91 can be considered to be notice under Section 2(4) of the BBE Act.
The High Cour opined that "today, the conventional crimes have receded and new age crimes have sprung in large number. The new age crimes are cybercrimes – the clandestine modern offences. Such offences demand swift, targeted and effective responses. The police must be empowered within the limits of the law to unearth he digital footprints that could otherwise vanish. Therefore, while privacy as contented by the petitioner should be maintained, it cannot be wielded as a shield against a lawful investigator"
In ruling that the statutory safeguards provided under the BBE Act and the PSS Act would not immunize digital payment institutions from investigatory summons, the court held that the notice under Section 91 of the CrPC must not be a fishing expedition. The Investigating Officer must be permitted to investigate and require the submission of evidence when criminality is suspected. Furthermore, the High Court ruled that the power of the Investigating Officer acting as a statutory authority under Section 91 of the CrPC for the purpose of summoning the documents of an intermediary is within the bounds of the law.
Conclusion
The ruling the in this case has significant implications for digital payment platforms operating in India. It clarifies that these platforms are not exempt from complying with lawful requests for user data. While the court acknowledged the importance of consumer privacy, it emphasized that such rights must yield when public interest and criminal investigations intersect. It would be the responsibility of the platforms to ensure that the data, while being protected from unauthorized access, is accessible to law enforcement agencies when the same is required by law. It is essential to establish cooperation between digital platforms and law enforcement agencies to effectively combat cybercrimes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
