Was Razorpay legally bound to share Alt News’s data? Yes and no

You’re online, you stumble across a cause you support, you decide to donate. A few clicks later, you’ve entered your payment details, the amount is debited, and you’re done. This is possibly just one of many, many transactions you’ve made that day.

Later, you’re told the police have been informed of your transaction, the amount, and the cause towards which you donated. Understandably, you’re shocked. But is this legal?

Over the last few days, words like “privacy”, “data” and “security” have been floating around on social media ever since payment gateway Razorpay shared data with the police of those who donated to fact-checking portal Alt News. This is part of the police’s investigation into whether Alt News violated the Foreign Contribution (Regulation) Act by receiving donations from abroad.

Alt News has emphasised that these allegations are “categorically false”. In a statement, Alt News also said Razorpay had disabled its payment account. Razorpay claimed this had been done “temporarily, as a safety precaution”. The payment link was later restored.

But was Razorpay legally bound to hand over all this data to the police? Could it have chosen not to comply with the police’s request for data?

The police served Razorpay a notice under section 91 of the Code of Criminal Procedure. Razorpay’s privacy policy says it will disclose information to “comply with legal process” and that the company is “not required to question or contest the validity” of any government request.

A Razorpay spokesperson told Newslaundry the company had shared a “percentage” of donor data, “not all”, after they were informed of alleged FCRA violations.

“If we don’t operate by regulations, we could lose our licence,” the spokesperson said. “This would not affect just one or two businesses, but millions overnight. Any and every financial institution regulated by RBI would do so.”

Supreme Court lawyer Vrinda Bhandari told Newslaundry that “compliance with law enforcement” is a “statutory duty”.

“It is standard practice that all companies have to follow if they receive a notice,” she said. “If the company has received a notice under section 91, then they have to reply by law. It’s really hard to oppose and say ‘we will not respond’ or ‘this request is unnecessary’ because the text of section 91 is very broadly worded.”

If a company does not comply, Bhandari added, the police can initiate criminal proceedings for non-cooperation.

“Believing that the prosecution of Zubair is wrongful is different from cooperating in the investigation,” she said. “That is not a call a company is going to take. It’s a call the judiciary has to take. If the allegation is that there was foreign funding, that may be an absolutely incorrect allegation. But if it is part of the investigation, it is a legitimate part of the inquiry to see what the funding is.”

So, yes, Razorpay was legally bound to share information.

But data and privacy experts said the company could have opposed the requests on grounds of it being a “disproportionate” request for a data dump. It could have also refused the request on grounds of self-incrimination, as enshrined under Article 20(3) of the Constitution.

“Let’s assume there are questionable donations that need investigation, or a preliminary inquiry by an investigation agency,” said Ameet Dutta, partner at Saikrishna & Associates. “It doesn’t mean the state has the ability to have a deep purview in a non-specific perspective of everyone.”

He cited the Supreme Court’s landmark judgement in 2017 that declared privacy as a fundamental right, protected under Article 21 and Part III of the Constitution.

“After these judgements, any law that intrudes into privacy or any enforcement will certainly have to be looked at from a proportional perspective,” Dutta said. “Our surveillance laws, such as the Telegraph Act, don’t allow sweeping surveillance. They allow targeted surveillance.”

Dutta also said the right against self-incrimination – which is a constitutional right – can be a basis to oppose section 91. “Courts will generally assess, allow and even stay section 91 notices on that ground,” he said.

Mishi Chaudhary, the founder and legal director of the Software Freedom Law Centre in Delhi, told Newslaundry that in the absence of comprehensive data legislation, companies in India indulge in “wanton and wilful” misconduct.

“Section 91 of the CrPC does not require wholesale data sharing of the kind indulged in by Razorpay,” she said. “This instance tells us how users are being held hostage to a government that wants to spy on and control its own citizens, and companies that have no qualms about ratting their customers out. It underscores the government trying to use all tools to exercise censorship by proxy.”

While Indian companies “crawl when asked to bend”, Chaudhary said, American intermediaries like Twitter are now trying to “bat for users’ rights” against the government – referring to Twitter petitioning the Karnataka High Court against some of the government’s orders to “take down” tweets.

Shweta Mohandas, policy officer at Bengaluru’s Centre for Internet and Society, said Razorpay’s conduct has raised concerns also because it’s a fintech company.

“Because it’s about where your money is going and if it’s safe, you think it’s a sensitive matter and hence secure,” Mohandas said. “There are public safety provisions but you never know how it can be used against people.”

Radhika Jhalani, legal counsel at SFLC, also pointed out that when a person donates to an organisation, they assume their data is safe.

“However, most of these organisations end up giving their data to law enforcement,” she said. “Razorpay’s privacy policy also clearly states that they will not be questioning any law enforcement request that they get. At the same time, we cannot emphasise enough on the lack of data protection policies in India. There are drafts floated around and rights to privacy enshrined in the Supreme Court. But how will I get compensation? There is no remedy for it.”

The Razorpay-Alt News case will also make people more cautious.

“A lot of people donate to organisations but don’t want it out in the open,” Jhalani said. “Our political leanings are as much a right to privacy as anything else. When you donate to these organisations, it sort of profiles you. For example, if you donate to Alt News, they will assume you must be a leftist.”

“It is a genuine privacy concern,” Bhandari said. “Every media house has proceedings going on right now. This is a great way to self censor or create a chilling effect for someone who wants to donate to Alt News or any other such media organisation.”

Interestingly, Razorpay’s spokesperson said merchants must have FCRA certificates and FCRA bank accounts to accept foreign donations. Alt News, the merchant in this case, does not, which means it isn’t even possible for someone with a foreign bank account to donate through Razorpay.

However, if an Indian with an Indian bank account is abroad and wants to make a payment in rupees, they would be able to do so.

The spokesperson added that Razorpay was not obligated to inform the merchant that they would be sharing information for the police. The company’s privacy policy also accounts for “consent” from merchants to share information with authorities in cases of suspected illegal activity or legal requests.

The spokesperson added, “We understand that Alt News wanted to accept payments at the time so we reactivated the account once we were informed that there was no FCRA violation. It’s easy for people to ask for a Razorpay boycott, but the same rules will apply to every regulated institution.”