Reserve Bank of India has told the Apex Court that it has no responsibility to conduct “audit of members of United Payments Interface (UPI) ecosystem” & responsibility to ensure that private firms like Google & WhatsApp comply with norms lie with National Payments Corporation of India (NPCI).
The RBI, in its affidavit filed in the Supreme Court, also said that the matters related to “data privacy & data sharing” come under the domain of the Central Govt.
The RBI’s affidavit, which also sought dismissal of the Public Interest Litigation, was filed in the response of a plea of Rajya Sabha MP Binoy Viswam seeking direction to it to frame regulation to ensure that data collected on UPI platforms is not “exploited” or used in any manner other than for processing payments.
A bench comprising CJI SA Bobde & Justice AS Bopanna & Justice V Ramasubramanaian Thursday fixed the plea of the Rajya Sabha MP for hearing on Feb 1.
The affidavit said “it is submitted that RBI’s directions issued vide circular dated April 6, 2018 on storage of payment system data pertain only to payment date storage & not sharing or privacy. RBI has not issued any instructions on data sharing by TPAPs (Third Party Application Providers) or the participants of UPI. Matters related to data privacy & data sharing come under the domain of Government of India.”
It also said that the responsibility to ensure that companies like Amazon, Google & WhatsApp comply with the laws & norms governing the UPI lied with NPCI & not with RBI.
The affidavit said that since NPCI is the owner & operator of the UPI, it would be more appropriate for them to respond on the status of “compliance of WhatsApp with the system rules /procedural guidelines governing UPI. “
It also rejected the plea of the lawmaker that the RBI was under an obligation to audit the firms engaged in UPI transactions.
It said that “It is also denied that the RBI has the responsibility to conduct audit of the members of the UPI ecosystem”.
The federal bank said that earlier it had not taken any “disruptive” action against WhatsApp & Google as they were already providing customer services & later they complied with the conditions given in the RBI’s circular.
“…Accordingly as WhatsApp & Google were already functioning as TPAPs & providing customer services at the time of issuance of the circular, no disruptive action against them was contemplated in the interest of general public . The same approach was followed by RBI with all the non-compliant entities which are similarly placed.
“It may also be noted that NPCI was advised not to permit full scale operations of WhatsApp till the time they are fully compliant with the requirements of the RBI directions. NPCI subsequently allowed ‘go live’ of WhatsApp on UPI only after ensuring that WhatsApp was fully compliant with the circular,” the affidavit stated.
Earlier, WhatsApp had denied in the court the allegations that its data can be hacked by Israeli sypware Pegasus, which had led to a controversy last year over breach of privacy following claims that Indian journalists & human rights activists were among those globally spied upon by unnamed entities.
Prior to this, the Supreme Court on Oct 15 last had issued notice to RBI & others on the plea of Viswam seeking direction for framing regulation to ensure that data collected on UPI platforms is not “exploited” or used in any manner other than for processing payments.
It had also sought responses of the Centre, Reserve Bank of India (RBI), National Payments Corporation of India (NPCI) & others including Google Inc, Facebook Inc, WhatsApp & Amazon Inc on the plea.
Viswam, the Communist Party of India (CPI) leader, has sought a direction to the RBI & the NPCI to ensure that data collected on Unified Payments Interface (UPI) platforms is not shared with their parent company or any other third party under any circumstances.
The plea has claimed that “In India, the UPI payments system is being regulated & supervised by Respondent no. 1 (RBI) & Respondent no. 2 (NPCI), however the RBI & the NPCI instead of fulfilling their statutory obligations & protecting & securing the sensitive data of users are compromising the interest of the Indian users by allowing the non-compliant foreign entities to operate its payment services in India”.
“The RBI & NPCI have permitted the three members of ‘Big Four Tech Giants’ i.e. Amazon, Google & Facebook/WhatsApp (Beta phase) to participate in the UPI ecosystem without much scrutiny & in spite of blatant violations of UPI guidelines & RBI regulations,” it alleged.
The plea has alleged that this conduct of RBI & NPCI put the sensitive financial data of Indian users at huge risks, especially when these entities have been “continuously accused of abusing dominance & compromising data”, among other things.
It said these allegations have become particularly worrisome at a time when India has banned host of Chinese applications on the ground that those applications were or could be used for data theft & could lead to security breaches.
It has further sought a direction that RBI & NPCI should ensure that WhatsApp is not permitted to launch full scale operations of ‘WhatsApp Pay’ in India without fulfilling all legal compliances to the satisfaction of the court regarding requisite regulatory compliances.