“Facebook does not use WhatsApp payment information for commercial purposes, it simply helps pass the necessary payment information to the bank partner and NPCI. In some cases, we may share limited data to help provide customer support to you or keep payments safe and secure,” WhatsApp said in a clarification posted on its platform on Friday. A WhatsApp spokesperson confirmed the update but declined to comment further.
Mint reported on 10 April that WhatsApp, the newest entrant in India’s payments market, had said it may share customers’ payments data with its parent Facebook, at a time when Facebook is dealing with questions about how it uses customer data. Last week, Facebook co-founder and chief executive Mark Zuckerberg testified before US lawmakers after it emerged that London-based data-mining firm Cambridge Analytica had inappropriately accessed data on Facebook users in the run-up to the 2016 US elections.
Based on the Unified Payments Interface (UPI) platform, WhatsApp launched payments on trial for some of its users in February. It is expected to introduce the service to all its users soon.
After the Mint report, the National Payments Corporation of India (NPCI), the body that oversees the UPI platform, reached out to WhatsApp, asking the company to clarify the wording of its data privacy policies on payments, a person familiar with the matter said, requesting anonymity.
According to a recent circular by NPCI, the banks associated with third-party payment apps like WhatsApp and PhonePe need to get exclusive permission from NPCI before they share customer data.
There have been other regulations introduced recently for payment firms.
Earlier this month, the Reserve Bank of India (RBI) issued a notice stating that all payments firms will now be required to store all the payment-related data in India. It requires companies to report compliance within six months.
“The government should include the third-party data sharing under the proposed privacy act and it should clearly be part of the law making. Data privacy act is necessary and immediately necessary,” said Subho Ray, president of the Internet and Mobile Association of India (IAMAI), adding that server localization alone won’t help.
Other experts agreed with Ray. Even in other countries, there have been calls for new data privacy regulations that put consumers in charge of their own data and restrict the ways in which internet firms can use customer data. Critics say that internet firms have been allowed almost limitless freedom in exploiting customer data to make money and have called for laws modelled on the European Union’s (EU) General Data Protection Regulation (GDPR), which envisages strict rules for handling personal data of users.
GDPR comes into effect next month.
Last July, the government said a 10-member committee of experts headed by former Supreme Court justice B.N. Srikrishna will come up with a draft data protection bill for India.
“According to the IT Act, there are two restraints, among others, on how customer data can be handled in sensitive cases such as payments. One, the firm that is transferring the data to another company needs to ensure that company has the same, if not better, security standards as itself. Second, the company receiving the customer data can only use it in the specific, limited context. If WhatsApp, for instance, is transferring customer data on payments to Facebook, Facebook can only use it in the context of payments, and not for any other purpose,” said Namita Viswanath, partner, IndusLaw.