Delhi High Court: In a case wherein the petitions had been filed in the nature of Public Interest Litigations, for the issuance of appropriate writs, order or directions directing the respondent to direct Google Pay India Services (P) Ltd. (‘Google Pay’) to cease their operations in India for violation of regulatory and privacy norms, the Division Bench of Satish Chandra Sharma, C.J.*, and Subramonium Prasad, J.*, observed that third-party apps such as Google Pay were designed to provide a large customer base to participating banks and a third-party app such as Google Pay obtained approval from National Payments Corporation of India (‘NPCI’) for operating on the UPI platform. Therefore, the Court dismissed the petitions and held that Google Pay was a mere third-party app provider for which no authorisation from Reserve Bank of India (‘RBI’) was required under the provisions of Payments and Settlement Systems Act, 2007 (‘PSS Act’).
The petitioner contended that Google Pay had violated privacy norms by gaining access to and using consumers’ personal data such as Aadhar details, which was in contravention of Sections 29, 38(g) and 38(i) of the Aadhar Act, 2016 (‘Aadhar Act’); the PSS Act and the Banking Regulation Act, 1949. Further, it was stated that operations of Google Pay in India as a payment system provider were unauthorized for want of obtaining necessary permissions and hence Google Pay storing sensitive information of Indian citizens would be tantamount to an offence by a company as per Section 43 of the Aadhar Act. It was further submitted that upon a perusal of the terms and conditions of Google Pay, it emerged that the Google Pay application which operated on the UPI platform had been performing a role of facilitator of transactions. Therefore, Google Pay had been performing the role of a Payments System Provider (‘PSP’) without obtaining valid authorisation from the RBI as per Sections 4 and 7 of the PSS Act, and therefore this constituted an offence by a company under Section 26 of the PSS Act.
It was further submitted that Google Pay did not find a mention under the list of entities authorized under the PSS Act read with Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008, for setting up and operating a payment system in India. It was further contended that by virtue of Google Pay not finding a mention in this list, Google Pay was an unauthorized payment system service and as an unauthorized payments systems operator, Google Pay had obtained unfettered access to its customers’ personal information such as AADHAR, PAN and other transaction details. It was also alleged that Google Pay violated the privacy of its users by requiring phone numbers, sharing contacts, amongst other personal details. Further, it was alleged that Google Pay had not adhered to the RBI Circular dated 06-04-2018 issued under Sections 10(2) and 18 of the PSS Act, which mandated all payment system providers such as NPCI to ensure that all data pertaining to payment systems operated by them was stored in a system only in India.
Analysis, Law, and Decision
The Court, after referring to Sections 2(1)(i), 2(1)(p) and 2(1)(q) of the PSS Act, which defined ‘payment system’, ‘system participant’ and ‘system provider’ respectively, and Section 7 of the PSS Act, which gave power to the RBI to grant authorisation for payment systems, opined that NPCI was the operator of the UPI system for transactions in India and was a “system provider” which was authorized by the RBI under the PSS Act to extend its services for facilitating transactions. On the other hand, the transactions carried out via UPI through Google Pay were only peer-to-peer or peer-to-merchant transactions, and Google Pay was not a system provider under the PSS Act.
The Court opined that the Unified Payment Interface Procedural Guidelines, 2019 (‘UPI Guidelines, 2019’) also made it clear that data might be stored under two types, namely, ‘customer data’ and ‘customer payments sensitive data’. While the former might be stored with the app provider in an encrypted format, the latter could only be stored with the payment services providers’ bank systems, and not with the third-party app under the multi model API approach that Google Pay had opted for. Thus, the Court held that it did not find any merit in the petitioner’s contention that Google Pay was actively accessing and collecting sensitive and private user data.
The Court observed that third-party apps such as Google Pay were designed to provide a large customer base to participating banks. A third-party app such as Google Pay obtained approval from NPCI for operating on the UPI platform and in the multi bank application system which Google Pay had adopted, the NPCI provided a common library for integration to Third-Party App Provider (‘TPAP’) on behalf of PSP banks. The Court further opined that the Procedural Guidelines, 2019 shed light on the models used in UPI and under the model which was dependent on bank architecture which Google Pay had opted for, all transactions were routed through participating banks which were connected to the NPCI-NET. Further, the Court noted that the RBI had issued the Certificate of Authorisation to the NPCI to operate various retail payment systems in India including UPI.
The Court, after referring to the counter affidavit filed by the RBI, held that Google Pay was a mere third-party app provider for which no authorisation from RBI was required under the provisions of PSS Act. Thus, the Court dismissed the present petitions.
[Abhijit Mishra v. Reserve Bank of India, 2023 SCC OnLine Del 5094, decided on 07-08-2023]
*Judgment authored by: Chief Justice Satish Chandra Sharma and Justice Subramonium Prasad
Advocates who appeared in this case:
For the Petitioner: Petitioner in Person;
For the Respondents: Kirtiman Singh, CGSC; Arun Kathpalia, Senior Advocate; Ramesh Babu M. R., Manisha Singh, Nisha Sharma, Saurabh Kumar, Abhishek Kr. Singh, Diksha, Waize Ali Noor, Shreya Vedantika Mehra, Advocates.