Google has further contended that there are other TPAPs like GPay, but the petition has been “selectively filed” against it.
Google India Digital Services Limited on Thursday told the Delhi High Court that its GPay App, being a TPAPs (Third Party Application Providers), is allowed under the law to share customer’s UPI (Unified Payments Interface) transaction data with third parties and group companies.
In an affidavit, Google India said the National Payments Corporation of India’s (NPCI) ‘procedural guidelines’ do not impose an absolute prohibition or restriction on a TPAP’s ability to share data or information, if it was done with prior permission of the NPCI and the bank concerned.
It said the NPCI’s procedural guidelines make a clear distinction between ‘Customer Data’ (name, mobile number, gender, address, email ID, location etc.) and ‘Customer Payment Sensitive Data’ (account number, expiry date of debit card, last six digits of debit card, UPI PIN etc.).
Google India said while it was permitted to store ‘Customer Data’ it was not permitted to store ‘Customer Payment Sensitive Data’.
Google India further stated that it collects location information from the customers for the purpose of detecting suspicious activities and fraud. It said there is no regulatory or statutory prohibition on GPay from accessing, collecting, storing and processing the location data of the customers for transactional security.
It also stated that GPay terms of service clearly say that UPI transaction data will not be used for any monetisation purpose such as advertisements by any entity other than Google India.
The tech-giant’s submission came in response to a petition by advocate Abhishek Sharma seeking action against GPay for allegedly violating the central bank’s guidelines related to data localisation, storage and sharing norms.
The plea claimed that the company was storing personal sensitive data in contravention of UPI procedural guidelines of October 2019, which allows such data to be stored only by Payment Service Provider (PSP) bank systems and not by any third party application.
The plea sought direction to the RBI to take appropriate punitive action against the NPCI and revoke its authorisation to operate and regulate the UPI payment system, on account of risking customer payments data, its failure to audit Google India Digital Service Pvt Ltd and take any steps against it despite its acts of flagrant and serious non-compliance of applicable laws.
The High Court will hear the case on November 10.