TMT CASE LAW: PhonePe Private Limited vs State of Karnataka

The petitioner, PhonePe Private Limited, is a digital payment app registered under the Companies Act, 2013. It provides UPI-based financial services and is an intermediary under the Information Technology Act, 2000. The company is a "system provider" under the Payment and Settlement Systems Act, 2007.

A cybercrime complaint was filed in Bengaluru concerning a loss of INR 6,150 through cricket betting applications. The FIR involved a user who lost funds transferred through PhonePe to a betting website during a cricket match. The Bengaluru Cyber Crime Police issued a notice to PhonePe under Section 91 of the Code of Criminal Procedure (CrPC), seeking detailed information about transactions and merchant data associated with the online sports betting fraud case.

The police requested extensive data from PhonePe, including onboarding details, URLs, IP addresses, KYC, transaction logs, and any prior reports of gambling activity. PhonePe objected to the notice on the grounds of confidentiality and intermediary protection and approached the Karnataka High Court, challenging the legality of the notice and seeking its quashing.

PhonePe contested the notice on the following grounds:

1. Intermediary Status: PhonePe contended that it functions merely as an intermediary under Section 79 of the Information Technology Act, 2000 (“IT Act”), and thus is eligible for safe harbor exemptions from liability under Section 79 of the IT Act.

2. Confidentiality: PhonePe contended that providing such information would violate customer confidentiality protected under the Payment and Settlement Systems Act, 2007 (“PSSA”), and the Bankers' Books Evidence Act, 1891 (“BBEA”). Confidential information can only be disclosed upon a court’s order and not by the summons issued by investigative officers. 

3. Section 91 of the CrPC exempts the Indian Evidence Act, 1872 and the BBEA, and therefore, the notice issued by the Investigating Officer (IO) under Section 91 is not applicable to it in the absence of compliance with the BBEA’s requirements. Section 91 refers to the summons by the court or police officer to produce documents or other things.

1. Investigative Powers: The State argued that the police, under the IT Act and CrPC, have the authority to seek necessary information/documents from intermediaries like PhonePe for conducting a fair investigation.

2. Regulatory Requirement: The State argued that under the IT Act and Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”), intermediaries like PhonePe are required to provide information to law enforcement agencies (within twenty-four hours of receiving an order). The State argued that PhonePe, having failed to comply with such obligations, has violated the Central Government's guidelines intended to safeguard against unlawful activities, including those involving merchants engaged in cricket betting, thereby breaching its duties under Section 87 of the IT Act.

3. Privacy vs Public Interest: The State maintained that compliance with lawful investigation should take precedence over confidentiality and privacy obligations, especially in cases involving cybercrime and illegal betting. It argued that confidentiality should not hinder lawful investigative processes, especially when dealing with sophisticated digital offenses.

The Karnataka High Court dismissed the writ petition filed by PhonePe, stating that consumer confidentiality must be balanced with lawful investigation and cannot override the duty to assist in criminal inquiries. The Court held that a lawful investigation prevails over arguments of commercial confidentiality.  The main findings of the High Court are enumerated below:

1. Reconciling Privacy Rights with Investigative Needs: The Court ruled that the obligation to protect data must give way when public interest and the needs of a criminal investigation come into play. The Court stated, "The protection of consumer privacy cannot eclipse the lawful imperative of investigating officers to secure evidence and take the investigation to its logical conclusion. Confidentiality must coexist with accountability.”

2. No absolute immunity:  The Karnataka High Court held that PhonePe’s claim of absolute protection under the PSSA and the BBEA was legally untenable. The Hon’ble Court held that safeguards under BBEA would not immunise institutions from investigatory summons when criminality is suspected. These statutes do not exempt intermediaries from cooperating with criminal investigations conducted under the CrPC. The Court further clarified that while a Section 91 CrPC notice must be narrowly tailored to avoid becoming a “fishing expedition,” it remains valid if investigators demonstrate reasonable suspicion of a money trail linked to criminal activity.

3. Investigating Officer’s Statutory Powers: The Court found that an IO under the CrPC is a statutory authority empowered to summon/call for information necessary for investigation, from intermediaries like PhonePe under Section 91 CrPC and such powers are not negated by the PSSA or BBEA, provided the request aligns with statutory safeguards and procedural fairness.

4. Court’s Interpretation of Intermediary Obligations: Section 79 of the IT Act grants intermediaries a “safe harbour,” protecting them from liability for third-party content if they observe due diligence and do not actively participate in the unlawful act. The Court held that intermediary status under Section 79 does not grant absolute immunity.

   
   

   While intermediaries are generally protected from liability for user actions, they are still obligated to comply with the lawful directions of government agencies and investigating officers when information is sought for legitimate criminal investigations. The Court clarified that the safe harbor of Section 79 does not override other statutory obligations, particularly those under the Criminal Procedure Code (CrPC). When an investigating officer issues a notice under Section 91 of the CrPC for information relevant to a criminal case, intermediaries are legally bound to comply. The Court reiterated that while intermediaries must protect user data and privacy, this protection is not absolute and must yield to lawful requests in the public interest of investigating serious offenses. It emphasised that confidentiality “must coexist with accountability,” and intermediaries cannot use data privacy as a shield to block legitimate investigations.

The Karnataka High Court has held that although the right to privacy is a fundamental right guaranteed by Article 21 of the Constitution, it is not without limits. The Court noted that when there is a competing public interest, such as the need for criminal investigations or the prevention of serious crimes, the right to privacy may need to be balanced against these concerns. This judgment is important in the areas of fintech law, cyber law, and data privacy. It makes it clear that intermediaries such as PhonePe cannot be above police inquiry. It also emphasises that confidentiality legislations do not preclude statutory obligations to cooperate with criminal investigations. The decision balances public interest and user privacy by providing law enforcement with access to the vital information needed to battle cybercrime.

In case of feedback, suggestions, or queries, please reach out to the C&M team on

tmt@chandhiok.com