Confidentiality vs. Accountability: The Karnataka HC decision in the PhonePe Case

July 10, 2025

By Vikrant Rana, Anuradha Gandhi and Rachita Thakur

Background of the Case

The genesis of the present legal dispute between PhonePe Private Limited and the State of Karnataka was in 2022, when a user reported losing funds after making payments on an online sports betting website through various payment gateways including PhonePe.[1] Pursuant to this complaint and subsequent investigation, on December 7, 2022, the investigating officer issued a notice directing PhonePe to furnish confidential transaction details and full account credentials of registered PhonePe users and merchants in connection with the reported crime. PhonePe filed a Writ Petition under Articles 226 and 227 of the Indian Constitution before the Hon’ble Karnataka High Court, challenging the legitimacy of this notice and arguing that it be declared bad in law and therefore unenforceable.[2]

Why was PhonePe served a Notice by the Police?

The basis for issuance of the notice to PhonePe was the registration of Crime No. 193 of 2022 at C.E.N Police Station, Bangalore Rural District. The complaint was registered for offenses committed under Section 66C and Section 66D of the Information Technology Act, 2000 (hereinafter referred to as ‘IT Act’) along with Section 419 and Section 420 of the Indian Penal Code, 1860. The complainant alleged that he was a victim of a cyber-fraud committed by unknown persons and had lost money while making transactions on an online gambling website through several payment gateways including PhonePe. The police, based on the investigation, alleged that a fraudulent transaction amounting to INR 17,400 was made to the bank account held in the name of ‘R J Infotech’ through PhonePe’s Gateway channel.[3]

Therefore, a notice under Section 91 of the Code of Criminal Procedure, 1973 (hereinafter referred to as ‘CrPC’) was issued on the ground that PhonePe was providing facilities to online gambling websites for conducting illegal financial transactions. The said section empowers any court or officer in charge of a police station to issue a summons for the production of any document or other thing deemed necessary or desirable for the purpose of any investigation, inquiry, trial, or other proceedings under the Code.[4]

Arguments on behalf of PhonePe

  1. Intermediary Safe Harbor – Section 79 of the IT Act provides intermediaries with a safe harbor from liability for third party content uploaded on or transmitted through their platform without their knowledge.[5] PhonePe contended that its role was limited to that of an “intermediary”, implying a limited degree of responsibility for user-initiated transactions. It emphasized that the National Payments Corporation of India is the actual owner of the UPI Platform and that neither the company itself nor any of its employees were implicated as accused parties in the underlying crime.
  2. Confidentiality Obligation under other Laws – Section 22 of the Payment and Settlement Systems Act, 2007 (hereinafter referred to as ‘PSS Act’) mandates confidentiality of payment system records.[6] Further, Section 5 of the Bankers’ Books Evidence Act, 1891 (hereinafter referred to as ‘BBE Act’) states that a bank officer cannot be compelled to produce original books in any legal proceeding unless by a specific order of a court or a judge, issued for a special cause.[7] On the basis of these provisions, PhonePe argued that it operates under the regulatory framework of the PSS Act and the BBE Act, both of which barred the disclosure of confidential customer information without a specific court order. It therefore contended that it was not obligated to furnish the relevant information upon receiving a notice from the Investigation Officer unless a specific court order was received.

Arguments on behalf of the State of Karnataka

  1. Disclosure necessary for Effective Investigation: The State countered by emphasizing the critical need for police to access necessary information for fair and effective investigations, particularly in the context of the cybercrime landscape where digital footprints can swiftly disappear.
  2. Failure to comply with Central Guidelines: The State alleged that PhonePe had failed to comply with Central Government guidelines, specifically Rule 3(1)(j) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter referred to as ‘Intermediary Guidelines’), which mandates intermediaries to provide user data to investigating officers within a strict time frame of 72 hours of a lawful request.[8]
  3. No immunity under the PSS Act and BBE Act: It was contended that Section 22 of the PSS Act itself permits an Investigating Officer to seek information and that the safeguards under the BBE Act do not immunize institutions from investigatory summons when criminality is suspected.[9]

Understanding the Court’s Interpretation

  1. Status of Investigating Officer under the PSS Act

The Court then focused on Section 22 of the PSS Act, which, while mandating confidentiality of payment system records, contains a crucial exception permitting disclosure in obedience to orders passed by a court of competent jurisdiction or a statutory authority in exercise of the powers conferred by a statute. The Court held that an investigating officer, acting under the power conferred by the CrPC, is precisely such a statutory authority. Therefore, PhonePe’s contention of non-divulgence based on the PSS Act was rejected, as the Act itself permits such disclosure under specified circumstances.

  2. Extent of Safe Harbor under Section 79 of the IT Act

The Court clarified that while Section 79 provides a safe harbor from liability for third party transactions and content, it does not exempt intermediaries from their obligation to cooperate with lawful criminal investigations.

  3. Obligation of Intermediaries under the Intermediary Guidelines

The Court highlighted Rule 3(1)(j) of the Intermediary Guidelines, observing that it explicitly mandates intermediaries to provide information to government agencies within 72 hours upon receiving a lawful order, and emphasized that this rule served as a direct statutory basis supporting the police’s power to seek information.

  4. Balancing Privacy and Investigation

The Court explicitly acknowledged the escalating threat of “new age crimes” and the need for a “swift, targeted, and effective response.” It stated that while consumer privacy is important, it cannot eclipse the lawful imperative of investigating officers to secure evidence and take the investigation to its logical conclusion. This judicial stance reflects an implicit application of the proportionality test, where any state intrusion into privacy must have a legitimate aim, be necessary, proportionate and include robust procedural safeguards. (For more information on Consumer Privacy, refer – https://ssrana.in/articles/wringing-consent-from-consumers-a-violation-of-privacy-and-consumer-rights/)

Relevance of Past Judicial Pronouncements

  1. The Central Bank of India v. P.D. Shamdasani – This judgment established that the BBE Act and the CrPC are not in conflict but can coexist. It clarified that the BBE Act provides a specific mechanism for seeking confidential information, but it does not negate the general powers of investigation under the CrPC. In the present case, reliance on this judgment allowed the Court to show that the two statutes operate harmoniously.[10]
  2. M. Ponnuswamy v. State of Tamil Nadu – This judgment clarified that the banker-customer relationship and the duty of secrecy are not absolute, especially when funds are linked to criminal activity. In the present case, the Court used this precedent to reinforce that the nature of the transaction superseded the general banker-customer confidentiality.[11]
  3. Kattabomman Transport Corporation Limited v. State Bank of Travancore – This judgment stated that a banker cannot refuse to divulge information during an investigation under Section 91 of the CrPC despite the provisions of Section 5 of the BBE Act. The precedent served as a direct authority to support the Court’s core finding that statutory safeguards under the BBE Act do not grant absolute immunity to financial institutions from lawful investigatory summons.[12]

Whether UPI apps are compelled to disclose customer information to the Police?

Who are Payment System Providers?

PhonePe and other similar platforms fall within the scope of ‘Payment System Providers’ (hereinafter referred to as ‘PSPs’) as per Section 2(1)(i) of the PSS Act, 2007. A payment system means a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. This includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.[13]

Who regulates the operations of Payment System Providers?

Rule 3 of RBI’s Master Direction on KYC, 2016 (hereinafter referred to as ‘KYC Directions’) includes PSPs within the ambit of ‘Regulated Entities’, which means that these providers are governed and regulated by the RBI.[14]

RBI Guidelines on disclosure of Customer Information

Rule 55 of the KYC Directions mandates that Regulated Entities must keep customer information confidential, treating all data collected through contractual relationships or for account opening as secret and prohibiting its use for cross-selling or other purposes without explicit customer permission. However, it allows for certain situations in which information may be disclosed:

  1. Where disclosure is under compulsion of law,
  2. Where there is a duty to the public to disclose,
  3. Where the interest of RE requires disclosure, and
  4. Where the disclosure is made with the express or implied consent of the customer.[15]

(For more information on recent RBI guidelines on Data Privacy, refer to https://ssrana.in/articles/rbi-introduced-digital-lending-direction-2025/)

Disclosure of Personal Information under the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDP Act’)

The DPDP Act classifies processing of personal data for the state in certain situations as legitimate data processing under Section 7 of the Act. Section 7(d) permits the processing of personal data when it is necessary to fulfill a legal obligation under any Indian law that requires a person or entity to disclose information to the Indian government or its agencies. However, any such processing must strictly adhere to the disclosure provisions specified in that particular law.[16]

Further, the processing of personal data in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India is exempted from DPDP obligations. Section 17(c) exempts such processing from all obligations except the restrictions on cross border transfer, orders of the DPB and the undertaking of reasonable security safeguards to prevent breach of personal data. This indicates the intention of the legislature not to meddle in the investigation of criminal complaints and other criminal proceedings.[17]

Whether User Privacy shall yield to Criminal Investigation and General Public Interest?

The Hon’ble Karnataka High Court, in the PhonePe case, has correctly evaluated and balanced the individual interest of users and the general public interest. The Court has rightly observed that individual interest shall yield to general public interest. Furthermore, the RBI guidelines governing PSPs like PhonePe clearly state that disclosure of otherwise confidential customer information is permitted when in compliance with law or in public interest. The Court satisfied these two conditions. Firstly, the Court affirmed the powers of the investigating officer under Section 91 of the CrPC to seek information necessary to bring a criminal investigation to its logical end. Secondly, it discussed the rising threat of cybercrimes, wherein the digital footprint serves as a critical piece of evidence and must be preserved at the first instance given its nature and vulnerability to swift erasure. (For more information on balancing privacy and public interest, refer – https://ssrana.in/articles/privacy-vs-public-interest-balancing-of-right-in-digital-era-the-debate-over-right-to-be-forgotten/)

Prateek Chandgothia, Assessment Intern at S. S. Rana & Co. has assisted in the research of this article.

[1] https://www.medianama.com/2025/05/223-phonepe-ordered-to-share-merchant-data-online-betting-case/

[2] https://timesofindia.indiatimes.com/city/bengaluru/karnataka-hc-rejects-phonepes-plea-against-information-sharing/articleshow/121145671.cms

[3] Para 9, PhonePe Private Ltd. v. State of Karnataka, W.P. No. 3757 of 2023 (GM-POLICE) (Kar. High Court) (Apr. 29, 2025)

[4] The Code of Criminal Procedure, 1973, § 91, No. 2, Acts of Parliament, 1974 (India).

[5] The Information Technology Act, 2000, § 79, No. 21, Acts of Parliament, 2000 (India)

[6] The Payment and Settlement Systems Act, 2007, § 22, No. 51, Acts of Parliament, 2007 (India)

[7] The Bankers’ Books Evidence Act, 1891, § 5, No. 18, Acts of Parliament, 1891 (India).

[8] The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, r. 3(1)(j), No. G.S.R. 139(E), Min. of Elecs. and Info. Tech., 2021 (India).

[9] PhonePe Private Ltd. v. State of Karnataka, W.P. No. 3757 of 2023 (GM – POLICE) (Kar. High Court Apr. 29, 2025)

[10] The Central Bank of India v. P.D. Shamdasani, AIR 1938 Bom 33

[11] A.M. Ponnuswamy Nadar vs The State Of Tamil Nadu (1985) 2 MLJ 492

[12] Kattabomman Transport Corporation Limited v. State Bank of Travancore AIR 1992 KER 351

[13] Q.9, FAQs, Payment and Settlement Systems Act 2007, RBI – https://www.rbi.org.in/commonperson/English/Scripts/FAQs.aspx?Id=420

[14] Rule 3 (Definitions) – https://www.rbi.org.in/CommonPerson/english/scripts/notification.aspx?id=2607#1

[15] Rule 55 (Secrecy Obligations and Sharing Information) – https://www.rbi.org.in/CommonPerson/english/scripts/notification.aspx?id=2607#1

[16] The Digital Personal Data Protection Act, 2023, § 7(d), No. 22, Acts of Parliament, 2023 (India).

[17] The Digital Personal Data Protection Act, 2023, § 17(c), No. 22, Acts of Parliament, 2023 (India).
