Delhi High Court Dismisses PILs Alleging Violation Of Regulatory And Privacy Norms By Google Pay

The Delhi High Court has dismissed two public interest litigations filed against Google Pay alleging that the payment platform violated regulatory and privacy norms under the Indian law.

A division bench of Chief Justice Satish Chandra Sharma and Justice Subramonium Prasad rejected the petitions moved by Abhijit Mishra, who sought directions on Reserve Bank of India to direct Google Pay to cease its operations in India for the alleged violation.

One of the PILs moved by Mishra sought direction upon the UIDAI to initiate action against Google Pay for collecting, storing and using the users’ Aadhar information in the violation of the Aadhar Act, 2016.

Supporting RBI’s submission, the court said that Google Pay is a mere third party app provider for which no authorisation is required from RBI under the provisions of Payments and Settlement Systems Act, 2007.

“In light of the foregoing, this Court does not find any merit in the present Writ Petitions. The same are dismissed, along with pending application(s), if any,” the court said.

It was Mishra’s case that Google Pay had violated privacy norms by using consumers’ personal data such as Aadhar details being in violation of Section 29, 38(g) and 38(i) of the Aadhar Act, 2016; the Payments and Settlement Systems Act, 2007, and Banking Regulation Act, 1949.

It was also submitted that the storage and use of such sensitive and personal banking information would tantamount to an offence by a company as per Section 43 of the Aadhar Act, 2016.

Mishra also contended that operations of Google Pay in India as a payment system provider were unauthorized for want of obtaining necessary permissions and hence, the payment platform was storing sensitive information of Indian citizens would tantamount to violations under law.

On the other hand, the counsel representing RBI submitted that the central bank has granted a certificate of authorization to the National Payments Corporation of India and has entrusted it with the responsibility of operating retail payments and settlement systems in India.

It was also submitted that the NPCI also performs the role of a regulator of domestic payment systems.

RBI also contended that since UPI is a platform operated and controlled by NPCI, Google Pay functions as an application merely to provide its services on the UPI platform and it cannot be said that the payment application is a Payment Systems Provider in itself.

Dismissing the pleas, the court said that NPCI is the operator of UPI system for transactions in India and is a “system provider” authorized by RBI to extend its services for facilitating transactions.

The bench also said that the transactions carried out via UPI through Google Pay are only “peer-to-peer or peer-to-merchant transactions” and thus, it is not a system provider under the PSS Act, 2007.

“The UPI Guidelines, 2019 also make it exceedingly clear that data may be stored under two types, namely, 'customer data' and 'customer payments sensitive data'. While the former may be stored with the app provider in an encrypted format, the latter can only be stored with the payment services providers bank systems, and not with the third party app under the multi model API approach that Google Pay has opted for.”

The bench found no merit in Mishra’s submission that Google Pay is actively accessing and collecting sensitive and private user data.

It also said that the RBI’s response showed that the central bank has issued the Certificate of Authorisation to NPCI to operate various retail payment systems in India including UPI.

“In view of the counter affidavit filed by the RBI it is clear that Respondent No.2 is a mere third party app provider for which no authorisation from RBI is required under the provisions of PSS Act,” the court said.

Title: ABHIJIT MISHRA v. RESERVE BANK OF INDIA & ANR and other connected matter

Citation: 2023 LiveLaw (Del) 713

Click Here To Read Order