PhonePe Ruling: Data Privacy Boundaries in Fintech

August 13, 2025

In the case of PhonePe Private Limited v. State of Karnataka & Ors. (W.P. No. 3757 of 2023), (GM-Police), pronounced on 29 April 2025, the Hon’ble Karnataka High Court (“HC”) was confronted with a critical question at the intersection of fintech regulation, privacy, and police investigative powers.

BACKGROUND: THE REGULATORY FLASHPOINT

PhonePe Private Limited (hereinafter referred to as “the Petitioner”) is a company incorporated under the Companies Act, 1956, engaged in providing digital payment solutions through its mobile application. It functions as a system provider within the Unified Payments Interface (hereinafter referred to as “UPI”) ecosystem, enabling users to transfer and receive funds and facilitating merchant transactions across various sectors.

In connection with an investigation into suspected illegal online gambling transactions, the State of Karnataka, represented through its Investigating Officer (hereinafter referred to as “the Respondent”), initiated proceedings involving certain financial transactions routed through multiple payment gateways, including a betting-related transfer dated 09 September 2022 processed via the Petitioner’s platform. The case involved allegations of illegal online gambling and fraudulent transactions, punishable under Sections 66C and 66D of the Information Technology Act, 2000 (hereinafter referred to as “IT Act”), read with Section 419 and Section 420 of the Indian Penal Code (hereinafter referred to as “IPC”).

On 7 December 2022, the Bengaluru Rural C.E.N. Police, acting under the Respondent, issued a notice under Section 91 of the Code of Criminal Procedure, 1973 (hereinafter referred to as “CrPC”) to the Petitioner. The notice referred to a specific transaction dated 9 September 2022 and required the production of extensive information and documentation.

The Petitioner was directed to furnish detailed information, including confidential transaction records, merchant Know Your Customer (“KYC”) details, and account credentials relating to specific transactions. The notice alleged that the Petitioner’s platform had facilitated merchants engaged in illegal financial activities.

Subsequently, the Petitioner approached the High Court by filing a writ petition against the Respondent, seeking judicial intervention with respect to the ongoing investigation and the requirements set out in the notice.

THE CORE LEGAL ISSUE BEFORE THE COURT

Whether the summons issued by the Investigating Officer invoking Section 91 of the Cr.P.C., directing the Petitioner to furnish information involving confidential transaction details/full account credentials of registered PhonePe users/merchants for the purpose of freezing of the transactions of a particular registered user without complete investigation, is tenable or otherwise.

CONTENTIONS OF THE PARTIES

The Petitioner submitted that it operates solely as an intermediary under Section 79 of the IT Act and as a system provider within the UPI payments ecosystem regulated under the Payment and Settlement Systems Act, 2007 (hereinafter referred to as “PSSA” or “the Act”). It emphasized that the UPI platform is owned and managed by the National Payments Corporation of India (hereinafter referred to as “NPCI”), and neither the Petitioner nor its employees have been named as accused in the FIR. According to the Petitioner, it merely facilitates transactions between users and has no role in authorizing or executing the payments in question.

Relying on Section 15 and Section 22 of the Act, the Petitioner contended that system providers are under a statutory obligation to maintain the confidentiality of documents and information relating to payment systems. Such disclosure, it argued, can only be made when specifically required under the statute, with the consent of the concerned participant, or pursuant to an order of a competent court or statutory authority.

It was further argued that, by virtue of Section 22(2) of the Act, the provisions of the Bankers’ Books Evidence Act, 1891 (hereinafter referred to as “BBEA”) apply to system providers. Under the BBEA, records cannot be compelled to be produced unless directed by a court or judge. The Petitioner highlighted that Section 91(3) of the CrPC preserves the applicability of the BBEA, thereby preventing the Respondent from issuing a direct summons for such records without judicial authorization.

The Respondent, however, contended that in the present era of rising cybercrimes, including online gambling and financial fraud, the police must have the authority to swiftly obtain information necessary for a fair and effective investigation. It was argued that Section 91 of the CrPC expressly empowers a police officer to issue a written order for the production of documents relevant to an investigation, and this power is not curtailed by the provisions of the Act or the BBEA.

The Respondent further relied on the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter referred to as “Rules”), in particular Rule 3(1)(j), which obligates intermediaries to provide requisite information within seventy-two hours of receiving a lawful written order from an authorized government agency.

The Respondent claimed that the notice issued under Section 91 CrPC was about a specific transaction linked to a broader money trail across several accounts possibly connected to unlawful gaming. The production of information by the Petitioner was essential to trace the money trail and preserve digital evidence, which could otherwise be lost. The Respondent therefore urged that the petition be dismissed, and the Petitioner be directed to comply with the notice.

JUDICIAL OBSERVATIONS AND REASONING

In examining the submissions of both parties, the High Court observed that there was no substantial dispute on the underlying facts. The crux of the matter lay in balancing two competing considerations: the statutory obligation of payment system providers to maintain confidentiality under the Act and the BBEA, and the investigative powers vested in the police under Section 91 of the CrPC.

The Court pointed out that Section 91 CrPC gives a court and a police station officer the authority to demand the production of papers required for a trial, investigation, or inquiry. Importantly, sub-section (3) guarantees the continued applicability of exceptional enactments such as the BBEA. According to the Act, a system provider is required to maintain the confidentiality of payment system data, unless disclosure is permitted by the statute, participant consent is obtained, or a competent court or statutory authority directs otherwise.

The Petitioner argued that the Respondent does not qualify as a statutory authority within the meaning of Section 22 of the Act, and that any disclosure must first be authorized by a court order. The High Court rejected this contention, holding that an Investigating Officer exercising powers under the CrPC is indeed a statutory authority capable of making a lawful demand for such information. The confidentiality provisions themselves acknowledge this exception.

Regarding the BBEA, the Court recognized that BBEA Section 5 generally requires an order from a court or judge, but clarified that “legal proceeding” in Section 2(4) includes investigations under the CrPC. As such, a Section 91 CrPC notice falls within its scope, and the SP-rank reference does not vitiate the notice in these facts.

The High Court further observed that similar questions had been addressed by other High Courts. Such decisions consistently affirmed that statutory confidentiality cannot be invoked as an absolute bar to the exercise of lawful investigative powers.

The High Court concluded by restating that although maintaining confidentiality is a major legal obligation, there are some exceptions. The duty to protect data must give way to the legitimate process of gathering evidence when the public interest and the demands of a criminal investigation collide. In this instance, it was determined that the notice was not an indiscriminate or speculative demand, but rather that it was targeted, narrowly focused on a single transaction, and clearly related to an ongoing inquiry.

THE VERDICT AND ITS IMPLICATIONS

Building on this reasoning, the High Court dismissed the writ petition, finding that the Petitioner’s reliance on the Act and the BBEA as an absolute shield against disclosure was unfounded. It upheld the notice issued under Section 91 CrPC as a lawful and proportionate exercise of investigative power, consistent with both the language and the intent of the law.

From a regulatory standpoint, the decision bolsters the ability of law enforcement to work directly with intermediaries in following digital money trails linked to illegal activity. It also reflects the judiciary’s approach to aligning the growth of fintech with the pressing need to address evolving threats such as online gambling, fraud, and cyber-enabled offences.

In practical terms, fintech companies must view legal preparedness as a core operational requirement. Privacy safeguards must be balanced with the statutory duty to assist investigations. By affirming the Investigating Officer’s authority under Section 91 CrPC, the Court has not only clarified an important point of law but has also underscored the role of payment service providers as active stakeholders in protecting the integrity of India’s digital financial ecosystem.

AMLEGALS REMARKS

The High Court dismissed the writ petition, finding that the Petitioner’s reliance on the Act and the BBEA as a complete protection against disclosure was unfounded. It upheld the Section 91 CrPC notice as a lawful and proportionate exercise of investigative power.

This judgment establishes for fintech intermediaries that the obligation to protect user data, while critical, is not absolute. The statutes that impose confidentiality also carve out exceptions where disclosure is necessary to protect public safety, preserve the integrity of the financial system, or support lawful investigation.


For any queries or feedback, feel free to reach out to rohit.lalwani@amlegals.com or mridusha.guha@amlegals.com
