India’s central bank and the ministry for information technology have raised concerns over Whatsapp’s sharing of payments data with its parent company Facebook, potentially delaying a wider launch of the service currently available to a small set of users.

“They raised concerns over WhatsApp sharing data with Facebook, which many see it as a threat to data privacy in the country,” said a source in the government.

The Reserve Bank of India and the Ministry of Electronics and Information Technology, have held talks with the National Payments Corporation of India, a body which was formed to facilitate digital payments in the country, two sources told FactorDaily.

At the time of launch, some incumbent payment players such as Paytm* had criticised Whatsapp payments, calling the service insecure and that it sent financial data of Indian users to servers outside of India. With over 240 million users in India, Whatsapp is pervasive and is a potential threat to existing payment companies.

Also see: WhatsApp in-chat payments feature is bad news for digital wallets, payment companies in India

WhatsApp’s peer to peer payment service was launched in India in February 2018 to a small set of users in private beta. Sometime in late 2017, Facebook employees had started trying out the service.

That Whatsapp shares data with its partner bank ICICI Bank and parent company Facebook came to light when it updated its privacy policy two months ago. The company said that it uses Facebook’s infrastructure when payments are done.

“Facebook does not use WhatsApp payment information for commercial purposes, it simply helps pass the necessary payment information to the bank partner and NPCI. In some cases, we may share limited data to help provide customer support to you or keep payments safe and secure,” the Whatsapp blog said.

Whatsapp’s promise to its users in early days was not just free messaging but also privacy and security. To keep chats private, Whatsapp had started encrypting data end to end in 2016. But to launch payments, it would have had to store transaction data that can be accessed later because Indian laws require payments service providers to keep auditable records to prevent money laundering and fraud.

The question of data privacy isn’t just a local concern. It appears that even WhatsApp’s co-founder Jan Koum who quit the company in April had disagreements with Facebook over data privacy. “The founders also clashed with Facebook over building a mobile payments system on WhatsApp in India,” the Washington Post reported.

After the Facebook-Cambridge Analytica scandal, there has been increasing concerns about WhatsApp sharing payments information with its parent. “Meity is opposed to sharing of payments information under any circumstances and had raised the issue with RBI,” said the second source.

The NPCI appears to be satisfied with WhatsApp’s declaration that Facebook can’t use the data for any commercial purpose. “Many group companies share the infra so no issue on that. The main issue is what is the data used for,” said a senior NPCI executive.

The NPCI has allowed WhatsApp to continue in beta stage until it reaches one million payment users and WhatsApp hasn’t crossed that milestone yet. Data from sources show that in April WhatsApp had merely done 1.77 lakh transactions. Google Tez had 60 million, and Paytm clocked 63 million transactions in the same month.

According to the first source,  the NPCI will soon come up with a uniform policy for everyone in the payments business. The body has also given time to companies to make their services interoperable. As of May 1, 2018, WhatsApp was not fully interoperable as it only allows transfer to other WhatsApp users. The payments body will only allow WhatsApp to launch payments to all its users once it is fully interoperable.

The outcome of the meetings between RBI, Meity and NCPI have not been discussed yet.

Deal with Data

Most companies that allow payments over India’s unified payments interface have a parent like WhatsApp has Facebook. Google Tez is run by Google, Flipkart owns PhonePe, Paytm has its own UPI platform, and Amazon has Amazon Pay.

Apart from Whatsapp, the rest of the UPI platforms confirmed that they do not share any payment data with their parent companies. “Paytm’s payments business doesn’t share any data with Paytm Mall. There is no need of the data to be shared,” said Kiran Vasireddy, the chief operating officer of payments at Paytm.

A PhonePe spokesperson said that the company doesn’t share any transaction data with Flipkart or any of its group companies. “All the transaction data stays with us,” the spokesperson said.

A Google executive said that the UPI password is locked in the devices and that Google doesn’t have any access to Tez’s payment data. “All the payment data stays with partner bank… we just provide the platform,” said a Google executive.

The Ministry’s concerns over sharing data is shared by experts as it leaves scope to be misused. “Given that the customer service is being provided by WhatsApp, why should Facebook need the data? Their explanation doesn’t make sense, WhatsApp is a separate company. If it is for not commercialisation then the explanation doesn’t make sense,” said Pranesh Prakash, an affiliated fellow with Yale Law Schools Information society project.

Legal experts feel that Facebook will make a business case because of lack of laws in the country. “India doesn’t have regulations around consent, which makes it a big concern,” said Puneet Bhasin, a cyber law expert and president of Cyberjure Legal Consulting. She adds that for companies like Facebook analysing data is a form of making money.

The Indian government has tasked a committee headed by former Supreme Court Judge B N Srikrishna to frame data protection laws for the country. It is likely to propose a data regulatory structure on the lines of the Securities and Exchange Board of India or Insurance Regulatory and Development Authority with an appellate authority and designated courts of appeal within the year, FactorDaily had reported.

“To clarify, WhatsApp is not a PSP. We are a third-party provider of a UPI-based payments service. Please refer to applicable NPCI guidelines that provide guidance that we follow on how data is captured and shared,” a WhatsApp spokesperson said in an email response. PSP is short for payment service provider.

Data stays in India

Under the new RBI guidelines, WhatsApp, like other foreign firms, will be asked to set up a server in the country, which is not the case right now. The apex bank said in April that all payment data should reside in India. “The government will soon communicate with WhatsApp to set up a server in India to store the payments data locally,” said the first source.

“The data sharing and usage is an issue as much in India as it is global. So now with RBI guidelines, it is clear that data has to reside in India and can be shared with consumer consent,” said a senior NPCI official.

The timelines are, however, not clear.  Neither is the purpose of storing data in India. “It should be clear what purpose data localisations is meant to serve. There are many purposes why an entity would be asked to do data localisation,” said Prakash. Indian law enforcement agencies often find accessing data from companies such as Facebook and Google difficult as they are US companies.

Storing data in India will allow easier access for law enforcement agencies and better jurisdiction over these companies. “The moment you keep the data outside, the right over the data stays with the other country. There are problems with surveillance, and there can be misuse of data,” said Vasireddy.

Also see: The FD Guide to living in the age of snoops

“There is no real need for processing payment related data outside the country while eventually storing the same locally. Processing any data outside the country also leaves behind an imprint or trail of the same on the servers through which it is processed and hence defeats the purpose of data localisation,” the PhonePe spokesperson said.

* See disclosure.

---