Home / Opinion / Columns /  The AltNews funding case and Razorpay’s data privacy worry

Twitter has taken the Indian government to court over what it views as “arbitrary" and “disproportionate" directions to take down content and block accounts. Last year, Meta Platforms Inc’s WhatsApp began legal proceedings in New Delhi against India’s new internet rules demanding chat traceability. Such an obligation, the service contends, will force it to break its promise of end-to-end encryption, posing risks to users. Beyond those high-profile cases, though, a bigger worry is the deteriorating operational environment for ordinary digital businesses in India. Their rapid growth is routinely applauded, but the minefields they navigate don’t get enough attention.

That changed last week with Razorpay, a Bengaluru startup that acts as a payment gateway. The firm unwittingly kicked up a storm after it emerged that it had been compelled to supply customer data in a police investigation against AltNews, a fact-check website that annoys the government. On 17 June, Mohammed Zubair, one of AltNews’ two co-founders, was arrested for allegedly hurting religious sentiments. The original complaint was over a tweet referencing an old Bollywood movie he sent more than four years ago. Since then, however, the Delhi Police have widened the charges to include alleged violation of a law that prohibits non-profits from accessing foreign funds without registration. AltNews received money “through Razorpay from Pakistan, Syria, Australia, Singapore, and the UAE, which all require further investigation," a public prosecutor told the magistrate at the techie-turned-journalist’s bail hearing on 2 July. Zubair’s lawyer has denied all charges.

The website of AltNews states it does not accept overseas payments; besides, the fact checker’s Razorpay gateway only connects to Indian payment instruments such as bank accounts, digital wallets or credit and debit cards. So the police probe, at least based on what the prosecutor has revealed thus far, is about the overseas location of devices used for payment—which doesn’t prove donations from foreigners. Therefore, Razorpay users are quite right to ask why the firm gave AltNews donors’ data to the police, potentially leaving customers vulnerable to harassment for their political views. The answer is simple: Razorpay didn’t have a choice. The police demanded information using its sweeping powers under Section 91 of India’s criminal procedure code. So while the gateway didn’t provide a data dump of everything it had on customers , it had to share the phone numbers, IP addresses and payment instruments used for transactions over a period. Specific demands are impossible for an intermediary to turn down without risking its licence.

A digital service provider faces serious consequences for not complying with a Section 91 notice. In a blog post, Delhi-based lawyer Abhinav Sekhri explains how Alibaba’s cloud business in the country had earned less than $2,000 from hosting the website of an allegedly fraudulent business, but because it hadn’t adequately responded to the data demand of the police team, its bank account was frozen. Alibaba got interim relief from India’s Supreme Court on a third hearing in November, Sekhri writes. To think that Razorpay could gave gotten itself a quick court order against the Delhi Police’s notice is wishful thinking.

The only hope lies in a data protection law, which has already been five years in the making. It may help them build trust if service providers are required to provide colour codes indicating whether a particular piece of personal data obtained by them will be given to the police on demand; or if at least a court order will be required first. Regulated businesses deserve a further layer of protection. In the Razorpay fiasco, the police notice should ideally have been routed via the Reserve Bank of India. RBI has to be satisfied the data won’t be used for an unrelated purpose such as carrying out tax raids on AltNews donors.

It’s hard to be optimistic about any of this. No matter how stringent any Indian privacy law is on paper, the state is bound to seek an exemption for itself on grounds of national security. Such a carve-out, according to one internet security analyst, will mean that any firm could in theory obtain sensitive data on its business rivals by getting a police inquiry started on a competitor’s customer.

Digital startups in India aren’t asking for much more than the freedom to keep their operations running, their proprietary data secure and their reputation with customers intact. Founders have another worry: They shouldn’t be arrested for obstruction of justice in cases where the data being asked of them is disproportional to the scope of the inquiry or irrelevant to its stated purpose.

As the Razorpay episode has shown, a big vulnerability—for both India’s digital economy and its democracy—may be the plight of its smaller firms. 

Andy Mukherjee is a Bloomberg Opinion columnist covering industrial companies and financial services in Asia.

Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.
More Less

Recommended For You

Trending Stocks

Get alerts on WhatsApp
Set Preferences My ReadsWatchlistFeedbackRedeem a Gift CardLogout