On July 5, fact-checking portal Alt News shared that the payment gateway Razorpay, which they used for accepting donations, had shared some of its donor data with the police. The news triggered outrage with many social media users expressing disappointment with Razorpay, calling the act a violation of privacy. While some found Razorpay’s reply saying they were required to comply as they had received summons under Section 91 of the Criminal Procedure Code (CrPC) admissible; others insisted that the company’s actions had enabled state surveillance, and it should have instead contested the request from authorities, citing instances where tech giants like Apple and Twitter had done the same. Razorpay's CEO and co-founder Harshil Mathur in a statement on Friday said that the company had to give the data asked for by the government, as per all the legal advice they received.
Here’s what researchers and experts have to say about Razorpay's actions, and what customers can expect from tech companies in India in the absence of an overarching privacy law and data protection laws.
The summons to Razorpay under CrPC Section 91 were sent as part of an investigation in a case involving journalist and AltNews co-founder Mohammed Zubair. After being arrested over a tweet from 2018 where he posted a screenshot from a 1983 Hindi movie, which was alleged to have hurt Hindu sentiments, Zubair was then charged with additional sections including Section 35 of the Foreign Contribution (Regulation) Act (FCRA), which refers to punishment for accepting foreign contribution or any currency or security from a foreign source. It remains unclear whether the summons came from the Delhi Police or the Enforcement Directorate (ED), and what the nature of data shared by Razorpay was. It is also unclear why Razorpay had briefly disabled AltNews’s account. Moneycontrol has reported that the data sought was about source and destination of transactions over a couple of months, and not personally identifiable information (PII) data of donors like bank accounts, PAN and addresses. Razorpay in their statement, too, has said they haven't given PAN numbers and pin codes to the government.
Pranesh Prakash, co-founder of the Centre for Internet and Society and an affiliated fellow at Yale Law School’s Information Society Project, says that some of the comparisons on social media – like parallels with Apple in the US refusing to comply with the Federal Bureau of Investigation (FBI)’s orders to help unlock a phone recovered from one of the shooters in the 2015 mass shooting in San Bernardino, California – are flawed, and don’t help understand the Razorpay situation better. “Not only are the legal systems in India and the US different, but even in the US, companies like Apple do occasionally cooperate with requests from law enforcement for user data stored with them, which is different from the San Bernardino case of an encrypted device,” he says.
But considering the possible pressure from the government for not complying, and the risk of losing out on a payment aggregator license from the Reserve Bank of India or other ways their business could be targeted, Razorpay couldn’t really risk not complying, says independent privacy researcher Srinivas Kodali. He says most companies do not have the time or intent to contest such orders in the interest of consumers’ privacy, pointing to the instance of climate activist Disha Ravi’s arrest, where Delhi police said they had sought and received information from Google about whether Disha had edited a particular Google document.
Expecting Razorpay to reject the police summons is also unrealistic considering their privacy policy says they are “not required to question or contest the validity of any search warrant, subpoena or other similar governmental request” that they receive, Srinivas notes.
Pranesh says that there are a few occasional instances, like when Yahoo India in 2011 refused to provide email ids of certain persons to the Controller of Certifying Authorities; the request in that case, however, was made under Section 28 of the Information Technology Act, he says. “When it comes to CrPC Sections 91 and 92, there isn’t any good case law or precedent on what kind of information the police or magistrates may or may not get based on these sections. Given that there is no overarching privacy law in India, and banking laws may not apply since Razorpay isn’t a bank, it would have been useful for a company like Razorpay in such an instance to push back and take this to court and establish a precedent for privacy rights under CrPC Sections 91 and 92,” Pranesh says. “Given the precedent in the Puttaswamy judgment which lays down exceptions to privacy like necessity and proportionality, Razorpay could have argued under Puttaswamy as to whether the request made by the police was legitimate or not," he adds.
In its July 5 statement, AltNews had also said that the donor data was shared by Razorpay without informing them. Pranesh notes that the company sharing this information with their customer would have at least given them the opportunity to contest the request in court if they wished to. Harshil Mathur of Razorpay in his statement said, "We tried to reach out to the registered mobile numbers of the business and share this information with them but could not reach them. In hindsight, we understand it may have been difficult for them to get on the phone in such a situation and we could have tried to find other channels."
The upcoming Personal Data Protection Bill would also not have impacted Razorpay’s actions, says Srinivas, as it is not a case of a data breach or cyber security lapse, but intentional data sharing with investigation agencies. Even privacy breach concerns could possibly be raised only if there was evidence that the police had leaked the donor data to political parties who could misuse it, he adds.
Donations are accepted by AltNews under the Pravda Media Foundation, a not-for-profit company. The donations are eligible for tax exemption under Section 80G of the Income Tax Act, and information sought from donors includes their name, phone, email id, address, PAN number and nationality. Srinivas says that online platforms, in general, do not offer any privacy, as governments and regulators can always demand payment data.
While AltNews says it doesn’t accept foreign donations, which would be heavily surveilled, Srinivas says that since all payments data would also be available with the National Payments Corporation of India (NPCI) and RBI as well as the bank where AltNews has its account, the police could have issued a similar notice to the bank which would have also had to comply.
Apart from cryptocurrency which is not legal in India, Srinivas says transacting in cash is the only alternative, which still doesn’t offer complete anonymity. Since these are donations, AltNews itself is also legally required to maintain records of donor information including PAN number and transaction details even in the case of cash donations. “The intermediaries, like the banks and NPCI, are removed and fewer entities would have your data. But AltNews would still have the records and might have to share it with investigation agencies if asked,” he notes.
Pranesh says that since the donor information is also accessible by government agencies like the Central Board of Direct Taxes and the Income Tax Department, in this instance, it’s not just about the police or a government entity gaining access to the donor data, but the legal grounds on which the access has been gained. Srinivas calls it a structural issue and says that legal and financial systems are presently designed in such a way that police and other authorities do end up having access to such data. “At the end of the day, you cannot privately donate money to any organisation in India unless they're a political party,” he notes.
The discussion over Razorpay sharing the donor data with the police has also elicited many comparisons with anonymous political donations allowed through electoral bonds. Both Pranesh and Srinivas agree that while funding for any political activity as well as non-profit organisations must be transparent, political parties cannot continue to be allowed to accept anonymous donations without accountability while NGOs on the other hand are subjected to heavy surveillance and stringent regulations.