Has Paytm violated the Information Technology Act?
While the mobile wallet company strenuously denies it has done anything illegal, there are doubts about whether it has parted with users’ data without complying with the rules.
Could data provided by Paytm, the mobile wallet, help identify stone-pelters in Kashmir? And did the PMO call up Paytm seeking such data? And did Paytm violate provisions of the Information Technology Act in both seeking and parting with the data?
The questions have assumed significance following the sting operation carried out by investigative news portal Cobrapost. In the video uploaded by Cobrapost, the Vice President of Paytm, Ajay Shekhar, is heard telling the undercover journalist that he had personally received a call from the PMO seeking data on users in Kashmir on the pretext that some of the Paytm users could be among the stone-pelters!
But, says Prashant Sugathan, legal director of the Software Freedom Law Centre (SFLC), “no website or mobile application can share users’ personal data, which includes sensitive personal data like one’s Aadhaar details, to any person or agency without following the norms laid down in the IT Act. It cannot be done randomly. Based on the limited information we have from the videos of the Cobrapost expose, it seems that the law has been flouted.”
Section 69 of the IT Act states that only if “sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order” is in danger “or for preventing incitement to the commission of any cognisable offence” can websites or mobile apps share details with any government agency. But, as per Section 69 of the IT Act, the reasons for sharing personal details have to be “recorded in writing, by order.”
There are rules, says Prashant, which clearly lay down the procedure for sharing users’ data. “It is very similar to the rules of phone-tapping,” he says.
Prashant is talking about the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, which say: “No person shall carry out the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub-section (2) of section 69 of the Act, except by an order issued by the competent authority.”
“Provided that in unavoidable circumstances, such order may be issued by an officer, not below the rank of Joint Secretary of the Government of India, who has been duly authorised by the competent authority,” the rule further reads. In case of an emergency, as per the rule, decryption “may be carried out with the prior approval of the Head or the second senior most officer of the security and law enforcement agency”.
A clarification on Friday by Paytm says “our users' data is 100% secure and has never been shared with anyone except law enforcement agencies on request”. But under what circumstances? On request or on the basis of an order, which is clearly required as per law?
A “further clarification” put out by Paytm on Saturday, however, claims: “To further clarify, in the past, we have neither received requests nor shared any data without a legally compliant request from a bonafide agency and through proper process and channels.”
Yet, the puzzle remains unsolved as Paytm will have to clarify what kind of national interest was being served if and when the data were indeed shared.