The dispute originated from a 2022 complaint lodged by a man who claimed he deposited ₹6,000 via PhonePe into an online sports betting website during an India vs South Africa cricket series. According to the complainant, the platform soon became inaccessible, and he was unable to withdraw his funds. Accusing the platform of cheating, he filed a formal police complaint.
In response, police issued a notice to PhonePe under Section 91 of the then-applicable Code of Criminal Procedure (CrPC), seeking user transaction details and data linked to gambling-related activity. Authorities also asked whether PhonePe had implemented any due diligence measures while onboarding users and if any red flags were raised internally regarding betting activities.
The Legal Battle: Privacy or Shield?
PhonePe contested the police notice in court, asserting that under the Payment and Settlement Systems Act, 2007 and the Bankers’ Books Evidence Act, 1891, it had a statutory obligation to maintain user confidentiality. The company argued that user data could only be disclosed upon receipt of a formal court order.
ALSO READ: FCRF Launches Campus Ambassador Program to Empower India’s Next-Gen Cyber Defenders
However, Justice M Nagaprasanna, who delivered the judgment, rejected this argument. The court stated that while privacy is a valuable right, it cannot obstruct legitimate law enforcement processes. Notably, the judge acknowledged that “new-age cyber crimes” such as online gambling necessitate “a swift, targeted, and effective response.” The court added that the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2011 mandates digital platforms to furnish user data to investigating officers within 72 hours of a legitimate request.
Accountability in the Age of Data
In a detailed observation, Justice Nagaprasanna underlined the importance of balancing user confidentiality with state accountability.
“Confidentiality must coexist with accountability,” the court noted, further stating that the “protection of consumer privacy cannot eclipse the lawful imperative of securing evidence.”
The court ruled that the police notice was both targeted and legally valid, aimed at tracking possible illegal financial transactions, not a speculative data fishing exercise. It also clarified that laws do permit intermediaries to share user data with investigative agencies under specific, legitimate circumstances.
With that, the court dismissed PhonePe’s petition, effectively reinforcing the position that fintech companies operating at scale must not only safeguard user rights but also cooperate with law enforcement when faced with credible evidence of misuse.