Alt News Vs Razorpay: Can Payment Gateways Be Compelled To Share Customer Payment Data?

India's payment ecosystem finds itself embroiled in an unusual controversy.

The arrest of Mohammed Zubair, founder of a fact-checking website Alt News, led to investigative agencies seeking data of donations to the platform via Razorpay, requests to which the payment gateway acceded.

Alt News, in statements posted on its social media handle on Tuesday, said that Razorpay had first disabled its account. The account was later reactivated. Alt News informed its readers and donors that Razorpay had handed over payments data to the investigative authorities.

"We also wish to inform all of you that Razorpay handed over Alt News donor data to the police. This was done without informing us, or without even a preliminary investigation of any violation on the part of Alt News," the statement said.

The payment gateway did not deny this but argued that it had little choice.

“We had received a written order from legal authorities under Section 91 of CrPC (Criminal Procedure Code) and we are mandated to comply with the same as per the regulation under the provisions of Indian law,” Razorpay said in its statement issues in response to Alt News' comments.

The incident has brought to the fore a number of questions. What is the bar to hand over payment data of customers to law enforcement agencies? Can payment service providers refuse to hand over such data? Is customer consent required before they do?

Payment industry executives said such requests are not uncommon.

A senior payments industry official, speaking on the condition of anonymity, said such demands from the police or other investigative agencies are common. During investigations into money laundering, fraudulent payments, fund diversion, etc., investigative authorities have been issuing written orders under Section 91.

Section 91 of the CrPC empowers a court or the officer of a police station to demand documents as part of a trial, investigation or inquiry.

Section 102 of the CrPC is also used as part of such investigations to freeze user accounts, the payments industry official said. This section allows police officials to seize any property which may have been stolen or which is found under circumstances which create suspicion of any offence.

A second payments industry official, who also spoke on the condition of anonymity, said these laws were used by police and the Enforcement Directorate recently when dealing with illegal digital lending application. Through this data, the police was able to pin down information on amounts borrowed by customers, usurious interest charged by these applications and penalties levied.

In the face of such requests, most payment firms will hand over the data.

Payment firms are not being discretionary in deciding which data to share, the second official said.

Both officials quoted above also said they are not legally required to inform customers before sharing such data with investigative agencies.

However, Bhargavi Zaveri-Shah, a fintech regulation and policy expert, said that firms should do at least a basic level of check on whether the demand for data is coming for a legitimate investigation.

"We need to first establish whether the demand for data is coming from a court order or from an investigator. If it is from the police, the payment company should check if they have any reason to believe that there have been violations under the Foreign Contribution (Regulation) Act," she said. "A customer will have a legitimate expectation that a firm is doing at least some basic checks before sharing their data."

"Moreover, if payment companies lose business because of their data sharing policies, then investors should ideally question such a policy," Zaveri-Shah added.

Advocate Prashant Mali, a cyber law and privacy expert, said companies have limited legal recourse when dealing with such notices from the police.

“You can challenge these orders in court, but you won't get relief. Typically companies do comply with such orders,” Mali said. Once India's data protection laws are enacted, such orders could be curtailed, he added.

According to NS Nappinai, Supreme Court lawyer and founder of Cyber Saathi, such requests from the police are common. However, the police is required to specify what specific data they need which will help them in their investigation.

"It is not that all payments data of a merchant is open for the police to check. The request has to be specific to the investigation based on reasonable doubt and cannot be a fishing inquiry. In the event that a person does not comply with a notice under Section 91 CrPC, investigative agencies can obtain a formal court order to secure the required data," Nappinai said.

The incident was also another instance where access to payment systems was blocked for a specific user or set of users, albeit temporarily.

A similar situation had emerged recently when UPI handles of accounts related to crypto firms were blocked. Is this justified? "Any payment system can decide to discourage or not accept risky transactions," former RBI Deputy Governor R Gandhi had told BQ Prime then.