GPay allowed to share customer’s UPI data under law: Google

Google has further contended that there are other TPAPs like GPay, but the petition has been “selectively filed” against it.

September 24, 2020 06:02 pm | Updated September 25, 2020 12:51 am IST - New Delhi

A customer’s payment sensitive data is stored only on the servers of the PSP bank, Google has claimed. Photo: Twitter/@GooglePay

A customer’s payment sensitive data is stored only on the servers of the PSP bank, Google has claimed. Photo: Twitter/@GooglePay

Google India Digital Services Limited on Thursday told the Delhi High Court that its GPay App, being a TPAPs (Third Party Application Providers), is allowed under the law to share customer’s UPI (Unified Payments Interface) transaction data with third parties and group companies.

In an affidavit, Google India said the National Payments Corporation of India’s (NPCI) ‘procedural guidelines’ do not impose an absolute prohibition or restriction on a TPAP’s ability to share data or information, if it was done with prior permission of the NPCI and the bank concerned.

It said the NPCI’s procedural guidelines make a clear distinction between ‘Customer Data’ (name, mobile number, gender, address, email ID, location etc.) and ‘Customer Payment Sensitive Data’ (account number, expiry date of debit card, last six digits of debit card, UPI PIN etc.).

Google India said while it was permitted to store ‘Customer Data’ it was not permitted to store ‘Customer Payment Sensitive Data’.

Location info

Google India further stated that it collects location information from the customers for the purpose of detecting suspicious activities and fraud. It said there is no regulatory or statutory prohibition on GPay from accessing, collecting, storing and processing the location data of the customers for transactional security.

It also stated that GPay terms of service clearly say that UPI transaction data will not be used for any monetisation purpose such as advertisements by any entity other than Google India.

The tech-giant’s submission came in response to a petition by advocate Abhishek Sharma seeking action against GPay for allegedly violating the central bank’s guidelines related to data localisation, storage and sharing norms.

The plea claimed that the company was storing personal sensitive data in contravention of UPI procedural guidelines of October 2019, which allows such data to be stored only by Payment Service Provider (PSP) bank systems and not by any third party application.

The plea sought direction to the RBI to take appropriate punitive action against the NPCI and revoke its authorisation to operate and regulate the UPI payment system, on account of risking customer payments data, its failure to audit Google India Digital Service Pvt Ltd and take any steps against it despite its acts of flagrant and serious non-compliance of applicable laws.

The High Court will hear the case on November 10.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.