.svg)
A judge at the Delhi High Court has dismissed two lawsuits against Google Pay, after ruling that the popular mobile payment service falls outside the scope of India’s payments system laws.
In 2020, a member of the public filed a public interest litigation (PIL) against the Reserve Bank of India (RBI), seeking a cease and desist order against Google Pay.
First introduced to India in the 1980s, a PIL is an almost cost-free legal action that can be filed by any individual or organisation on behalf of the public.
The only requirement for a PIL to be heard in court is that its claims are genuinely in the public interest, and are not “frivolous” or seeking private or monetary gain.
In the case of Google Pay, the petitioner behind the PIL is a man in his mid-30s named Abhijit Mishra.
A former IT consultant, Mishra has made a name for himself by filing about one PIL a month since 2020, on topics ranging from welfare to fintech to the rights of micro, small and medium-sized enterprises (MSMEs).
In his first PIL concerning Google Pay, Mishra alleged that Google Pay is conducting an “unauthorised operation” in India due to non-compliance with the country’s Payment and Settlement Systems (PSS) Act 2007.
Specifically, Mishra alleged that Google Pay failed to obtain authorisation from the RBI as a “payment system operator” prior to its launch in India in 2019, as is required under Section 4 of the act.
Also in 2020, Mishra filed a second PIL related to Google Pay against the Unique Identification Authority of India (UIDAI), the agency that administers Aadhaar.
Aadhaar is the world’s largest digital ID programme, and its databases contain personal information of more than 1.27bn Indian citizens.
Building on his claim that Google Pay is acting as an authorised payment system operator, Mishra also alleged that Google Pay has violated the Aadhaar Act 2016 and the Banking Regulation Act 1949.
With reference to both acts, Mishra claims that Google Pay has violated protections against unauthorised access of citizens’ personal and financial information, and has violated rules against the storage of such data outside India.
Google Pay is not a 'payment system operator'
After hearing arguments from the RBI, the court ruled that Google Pay is not a payment system operator and has never been under any obligation to become authorised as one.
Chief justice Satish Sharma, issuing the judgment, said Mishra has “wholly misconceived” Google Pay’s role in India’s payment system, and that his PILs were “devoid of any merits”.
“The Petitioner has totally misconstrued and utterly misunderstood the provisions of the PSS Act 2007, as well as the services provided by Google,” he said.
“Google is a mere third-party app provider for which no authorisation is required under the provisions of the PSS Act, 2007.”
Additionally, the court confirmed that Google Pay does not access and store customer data in the way that Mishra alleged in his petition.
Under the hood of UPI
Since Mishra’s claims focused on Google Pay’s role in the Unified Payments Interface (UPI), the RBI took the opportunity to educate him on how the instant payments system works from a legal and technical perspective.
Firstly, UPI is operated by the National Payments Corporation of India (NPCI), a subsidiary of the RBI, under a certificate of authorisation that was issued in 2009.
As UPI is a platform that is operated and controlled by the NPCI, Google Pay functions as an application “merely” to provide its services via the UPI platform, the court heard.
As such, Google Pay is neither a “payment system operator” or a “payment system provider” (PSP) under the terms of the PSS Act.
As the RBI explained, PSPs are entities that provide “front end or the final applications to be used by customers”.
In the case of UPI, the PSPs are the banks whose customers send and receive money via the payment system, and it is through these banks that third-party app providers (TPAPs) participate in UPI.
Initially, UPI launched under a single-bank model, where one TPAP partnered with one bank, and all transaction requests received from the user of the TPAP would be routed through the same bank.
In 2017, however, the NCPI introduced a multibank model, whereby a single TPAP could connect to UPI through multiple PSP banks. This adjustment helped to increase efficiency and reduce failed transactions.
In its submissions to the court, the RBI included a letter it sent to the NCPI permitting Google Pay to partner with four banks — Axis Bank, ICICI Bank, HDFC Bank and State Bank of India — to access UPI under the multibank model.
“Therefore, Google provides the necessary customer interface through its application, i.e. Google Pay, while the transactions are processed through these sponsor PSP banks,” said the RBI.
In addition, Google Pay’s status as a TPAP means that it is not permitted to access or store sensitive personal data in the way that Mishra alleged in the lawsuit.
According to the RBI, the 2019 UPI Procedural Guidelines make it “exceedingly clear” that two types of data — “customer data” and “customer payments sensitive data” — may be collected through UPI, and must be handled accordingly.
“While the former may be stored with the app provider in an encrypted format, the latter can only be stored with the PSP’s bank systems, and not with the third-party app under the multibank model.
“We therefore do not find any merit in the Petitioner's contention that Google Pay is actively accessing and collecting sensitive and private user data.”
