Introduction:

In a significant judgment that balances the interests of digital privacy with the imperatives of criminal investigation, the Karnataka High Court in PhonePe Private Limited vs. State of Karnataka & Anr, Writ Petition No.3757 of 2023, delivered a ruling that has major implications for fintech intermediaries and data privacy jurisprudence in India. The petitioner, PhonePe Private Limited, a leading digital payment intermediary, approached the Court seeking quashing of a police notice issued under Section 91 of the Criminal Procedure Code (CrPC). This notice directed PhonePe to furnish transaction details and full account credentials of certain users and merchants registered on its platform in connection with an ongoing criminal investigation, reportedly related to online betting and cybercrime activities. The petitioner contended that such disclosure would violate statutory protections under various financial and digital privacy laws. However, the State, through its legal representatives, countered this position by asserting that the notice was lawfully issued to trace illegal financial flows tied to criminal operations. The matter came up before Hon’ble Justice M. Nagaprasanna, who eventually dismissed the petition, holding that public interest and the effective pursuit of criminal investigations could override intermediary confidentiality in specific circumstances.

Arguments of both sides:

The petitioner, PhonePe Private Limited, submitted that it operates solely as an intermediary under Section 79 of the Information Technology Act, 2000, and as such is protected from liability for third-party data and activities. It argued that under the Payment and Settlement Systems Act, 2007 (PSSA), and guided by provisions of the Bankers Books Evidence Act, 1891, it had no statutory obligation to disclose confidential customer data to investigating officers unless mandated by a court order. The company emphasized that it is not a traditional bank and has no active involvement in specific financial transactions; therefore, it should not be treated as an entity holding discoverable evidence under Section 91 of the CrPC. Counsel for the petitioner, Advocate Nitin Ramesh, strongly relied on the statutory framework which, according to him, restricts the direct handover of sensitive information without the supervision or approval of judicial forums. He cited Section 91(3) CrPC to argue that the provision itself creates an exception for records protected under special laws like the Bankers Books Evidence Act, and hence the notice issued by the police was ultra vires and liable to be quashed. Additionally, PhonePe submitted that Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2011, also calls for due diligence but does not compel handing over sensitive data on the basis of mere police requests. Further, the petitioner warned that compliance with such notices could set a dangerous precedent by compromising customer trust and endangering data security.

On the other hand, the State, represented by AGA Mohammed Jaffar Shah, justified the issuance of the Section 91 CrPC notice by invoking the rising prevalence of cybercrime and the growing complexity of tracing money trails in the digital ecosystem. The prosecution argued that under Section 91, both courts and police officers in charge of police stations have statutory power to summon documents relevant to a criminal case. They submitted that the PSSA and the Bankers Books Evidence Act do not override the CrPC but must coexist to facilitate lawful investigations. The State pointed to Rule 3 of the 2011 IT Rules, which mandates intermediaries to furnish information within 72 hours of receiving a request from law enforcement. Furthermore, the prosecution claimed that PhonePe had failed to cooperate with the investigation, particularly when the accused parties had reportedly used the platform to conduct illegal transactions related to cricket betting. The State emphasized that public interest and justice must not be thwarted by blanket claims of privacy, especially when the information sought is central to unravelling a criminal conspiracy. It was also submitted that the request for data was not a “fishing expedition” but was based on specific leads derived from the investigation.

Court’s judgement:

After a detailed analysis of the relevant legal framework and the nature of the request under challenge, Justice M. Nagaprasanna ruled in favor of the State, dismissing the writ petition filed by PhonePe. The Court observed that while the right to privacy is a constitutionally protected right, it cannot be used to shield suspects or accused persons from lawful investigations. It emphasized the growing menace of cybercrime and the need for effective tools to investigate such crimes in the digital age. The Court opined that digital footprints, if not swiftly acted upon, may disappear or become untraceable, thereby hampering the course of justice. Justice Nagaprasanna noted, “The duty to protect data must yield, where public interest and criminal investigation intersect. The protection of consumer privacy cannot eclipse the lawful imperative of investigating officers to secure evidence and take the investigation to its logical conclusion. Confidentiality must coexist with accountability.”

The bench rejected the contention that the Bankers Books Evidence Act bars disclosure unless permitted by a court. Citing Section 2(4) of the Act, which includes inquiries and investigations under CrPC, the Court held that a Section 91 notice issued during an investigation could be treated as one under the 1891 Act. It clarified that Section 91(3) CrPC does not exempt intermediaries like PhonePe from producing relevant information, especially when such data forms the cornerstone of a cybercrime investigation. The Court further held that the Information Technology Rules, 2011, require intermediaries to comply with such requests within 72 hours, and the role of digital platforms in enabling seamless financial transactions makes them vital sources of evidence in the present context. The bench noted that the Investigating Officer is a statutory authority under the CrPC and has the legal mandate to requisition information when such action is essential to progress an investigation.

Refusing to entertain the argument that the Payment and Settlement Systems Act overrides the Bankers Books Evidence Act, the Court stated that both statutes must be interpreted harmoniously. In doing so, it upheld the legitimacy of the notice issued under Section 91 of the CrPC and ruled that it was neither vague nor a mere roving inquiry. Rather, it was a legitimate and specific tool employed in pursuit of a money trail that connected various accounts potentially linked to illegal betting operations. The Court concluded that the power of the Investigating Officer to demand relevant documents from digital intermediaries is squarely within the bounds of law and cannot be curtailed merely by invoking privacy statutes, especially where crime and public interest are involved.

Justice Nagaprasanna’s judgment strikes a nuanced balance, reiterating the State’s responsibility to maintain law and order in the digital era while reminding digital platforms of their duty to cooperate with lawful investigations. The decision sends a strong message to fintech and digital intermediaries that their technological neutrality does not exempt them from cooperating with criminal probes. It reiterates that the judicial system recognizes both the sanctity of personal data and the necessity of uncovering digital evidence when the situation demands. The ruling thus paves the way for clearer legal expectations on intermediaries in the age of digital forensics.