The arrest of Mohammed Zubair, journalist and co-founder of a fact-checking news website Alt News has sparked outrage not only on the issue of falling press freedom in India, but also on the issue of data privacy.
On June 27, Zubair was arrested by the Delhi Police for his four-year-old tweet referencing a still from a 32-year-old Bollywood movie. The Police alleged that his tweet "hurt religious sentiments". Later, the Police also alleged that he and his company violated provisions of the Foreign Contribution Regulation Act (FCRA) that bars non-profits from accessing foreign funds without registration. During a hearing before a local court, the state submitted that Zubair "accepted payments through RazorPay from Pakistan, Syria, Australia, Singapore, UAE, which all require further investigation".
Also Read | The Scene From 1983 Film That Got Mohammed Zubair Arrested
Razorpay, an eight-year-old payment gateway startup is used by Alt News, and many others, to accept payments. Alt News stated that it never enabled international payments and Razorpay too came out with a statement stating that foreign payments were not enabled for the company.
Seeking to probe Alt News, the Enforcement Directorate asked the Delhi Police to share Zubair's account-related information that would detail persons who made payments to the company. On July 5, Alt News released a statement claiming that Razorpay had shared all of their donor's data with the Police without informing them. This sparked a PR nightmare for Razorpay and donors were worried about their privacy and any possible repercussions by the state.
The controversy has yet again highlighted the lack of a data privacy law in India, tilted in favour of protecting people's interests and until then, the dire need for guidelines for businesses to adopt when handling data sharing requests.
BOOM spoke to lawyers, tech privacy experts and sources in the payment gateway industry to understand the problem of data privacy and what it implies.
Could Razorpay have refused compliance with the legal request?
Not really. The Police demanded for the donor's data under Section 91 of the Criminal Procedure Code (CrPC) which gives sweeping powers to a Police officer to issue a written order to produce "any document or other thing" that he feels is necessary to proceed with an investigation. In this case, the Police felt the donor's data was essential to verify and probe the alleged FCRA violations.
"The request was reasonable. Only if the Police's request was unreasonable, Razorpay could have thought of other alternatives. There were no strong grounds to challenge the request", a source familiar with the issue told this reporter on condition of anonymity. "Razorpay is a regulated financial institution. The government could've pulled their licence had they not complied with the law".
Razorpay's privacy policy clearly states that personal information, such as donor's data, could be shared with third parties in order to comply with the legal process and that the company is not required to question or contest the validity of such legal requests.
Even if Razorpay's licence was left untouched, there could've been several other repercussions for the company and its executives— the Police could have made them a party to the FCRA case (for aiding and abetting Alt News), could've arrested its executives for obstruction of justice, could have freezed Razorpay's bank accounts, and overall make it hard for them to do business.
Contesting the legal request and bringing it to finality in the Indian courts would take months, if not years.
In a blog post, Delhi High Court lawyer Abhinav Sekhri detailed how in the case of Alibaba Cloud Services in 2021, the Madhya Pradesh police had directed Alibaba's bank to freeze its account only because it had failed to adequately respond to a legal request. It took months for Alibaba to secure an interim relief from the Supreme Court, even though the company had nothing to do with the Police case.
"There is no due process at all", privacy expert Srinivas Kodali told BOOM. "Even if Razorpay had refused to provide the transaction data, what stops the Police from approaching Razorpay's bank and seeking these details?" Kodali asked.
What are the current regulations on data sharing?
In India, laws around data sharing and retention are unclear, especially since it does not have a data protection law in place yet. The data protection bill, pending for the past 5 years, in its current form provides almost blanket exemptions to the government on grounds of national security— a ground frequently raised by the current dispensation, and frowned upon by the Supreme Court, to justify investigations— and other grounds, defeating the very purpose of a data protection law.
"Even having safeguards within the law does not necessarily mean it will be practised by the Police," Kodali said. He said while right to privacy is a fundamental right after the Supreme Court judgement, but clearly it's not followed or cared for.
Delhi HC lawyer Abhinav Sekhri told BOOM that as long as a rough framework around data protection is not in place, "we'll be shooting arrows in the dark" in cases of data sharing and data protection. "We are then leaving the fate of the case to past precedents and wisdom of the Judge. Who knows what the Judge will think and decide? Once a law is in place, it will bring in some clarity. Without it, the situation is hopeless".
Even the Reserve Bank of India, the regulator of financial institutions like Razorpay, does not have clear policies in place for data sharing. "The least what they can do is have the RBI define how companies like Razorpay can handle such legal requests. Today, even if Razorpay wants to refuse compliance, it has no law backing it," the source familiar with the issue said.
Because of this ambiguity in the regulatory environment, companies like Razorpay end up complying with CrPC notices for data sharing, presumably after legal advice, instead of adopting a more confrontationist path with the authorities.
A look at the privacy policies of major payment companies like PayU, Instamojo, JusPay, CCAvenue, and PayPal India reveals that all of these companies will share their customer's personal data with legal authorities when requested.
What implications could it have on Alt News' donors?
In Alt News' case, even though the Police request for the donor's data is seemingly to verify if any contributions were received from foreign individuals, one cannot be fully assured it will be used only for that specific purpose.
Read | The Mystery Of The Twitter Handle That Led To Mohammed Zubair's Arrest
"Technically, they now have a list. A list of people supporting people or organisations that the government regards as syndicates", Sekhri, the lawyer said. He was referring to Solicitor General of India Tushar Mehta's arguments before the Supreme Court calling Zubair part of a "syndicate pushing tweets to destabilise society". "The Police now have a data dump of these individuals, but chances of probing, say 10,000 donors, are minimal. But of course, they now have a list".
What are the data sharing practices in other countries?
When it comes to sharing personal information of customers, most companies internationally comply with legal requests. For instance, in the United States, subpoenas by Police authorities, much like Section 91 CrPC, is one of the many ways through which authorities could extract user information.
But there's a difference.
"In the US, if the law enforcement collects a whole lot of data on you, you can have a court hearing on the scope of the investigation. In India, you don't have that yet", Sekhri said.
In Europe, Article 6 of the General Data Protection Regulation (GDPR) lists out specific conditions a request must fulfil in order to be deemed lawful. Article 21 of the GDPR also gives its citizens the right to object to processing of their data. Any exemptions to these rights would need to be "necessary and proportional" and specific, under Article 23 of the GDPR.
"You can refuse to share data in Europe and have the backing of law. We do not have anything of that sort here", the source familiar with the Razorpay issue said.
Kodali told BOOM that law enforcement agencies across the world have powers to obtain data from companies for purposes of investigation but the real problem lies in the weaponization of data. "If seen in the context of Alt News' case, any possible microtargeting of donors is the real problem. This could have a chilling effect on anyone who wants to donate to Alt News or any other media organisation they believe in", Kodali warns.
Saurav Das is an independent investigative journalist. He tweets @OfficialSauravD.