The GPay app which is operated by Google India Digital Services Pvt Ltd has informed the High Court of Delhi that customers’ transaction data can be shared with third parties after taking the prior permission of NPCI and payment service providing (PSP) banks. An affidavit has been filed by Google before a bench of Chief Justice D N Patel and Justice Prateek Jalan. The affidavit is in response to a PIL that demanded action against 'Google Pay' (GPay) for allegedly violating the RBI's guidelines related to data localization, storage, and sharing.
The hearing took place at the High Court on Thursday for the 10th of November as the Centre and Reserve Bank of India (RBI) had not filed their responses until then. The affidavit by Google contended that as per Unified Payment Interface (UPI) procedural guidelines, issued by the National Payments Corporation of India (NPCI), apps like Gray have been granted the permission to share customers’ transaction data with third parties and group companies if prior permission of NPCI and PSP banks is duly taken. The data GPay stores is ordinary data like name, address, email ID, and transaction-related details which are in accordance with the NPCI guidelines and it does not store payment sensitive data like debit card number or UPI PIN. It has come to light that customer's payment sensitive data is stored only on the servers of the PSP bank.
A petition was filed by advocate Abhishek Sharma who asked Google to not share any data from UPI switch with any other party. The affidavit filed by Google was in response to the petition mentioned above. It is also stated by Google that it has been complying with the guidelines provided by the NCPI which govern the functioning of all third-party application providers (TPAPs) like GPay. As several other remedies are available to Abhishek Sharma, it is claimed that the petition was not maintainable. He had other remedies like the customer care feature in the app or approaching the NPCI in accordance with the Payment and Settlement Systems Act of 2007 or asking RBI to exercise its supervisory jurisdiction. Google further added that there are other apps like GPay but no petition has been filed against any of those apps but particularly filed against Google. In the plea, Sharma gave an option to Google that the company can choose to give an undertaking to not store data on its app under the UPI ecosystem and further not to share it with any third party, including its holding or parent company. The plea also claimed that Google has been storing personal sensitive data which is in contravention of UPI procedural guidelines given in October 2019, which stated that personal sensitive data cannot be stored by any third-party application like GPay but can be stored by PSP bank systems. Google has also denied claims that said customers' payment sensitive data is accessed by GPay in accordance with the guidelines from the PSP banks where data is stored. It was also accused of having an access to customers' locations to gain revenue from offering highly targeted or personalized advertising opportunities to advertisers, but this allegation was baseless and denied by Google.