On 29th April 2025, the Karnataka High Court delivered a significant order in the case PhonePe Private Limited vs. State of Karnataka & Anr., arising out of a writ petition filed by the fintech giant, PhonePe. The petition raised one of the most pressing dilemmas in today’s rapidly growing fintech landscape: user privacy vs. the powers of investigative authorities.
Context of the PhonePe case
The petition was triggered by a notice issued to PhonePe under Section 91 of the Code of Criminal Procedure, 1973 (“Cr.P.C.”) by the Investigating Officer (“IO”) of C.E.N Police Station, Bangalore Rural District. This notice was issued in connection with the investigation into Crime No. 193 of 2022, registered for offences punishable under Sections 66C and 66D of the Information Technology Act, 2000 (“IT Act”), as well as Sections 419 and 420 of the Indian Penal Code, 1860. The case involved allegations of cyber fraud through digital means, wherein a person lost funds to unidentified accused persons while transacting through several payment gateways (including PhonePe) for cricket betting.
In the said notice, the police sought extensive information from PhonePe, including details such as the URL, IP address, or mobile app provided at the time of onboarding; standard operating procedures and due diligence measures followed during onboarding and post-onboarding risk monitoring; the source of onboarding (direct or via reseller); complete transaction and IP log history; websites used by the merchant; any prior reports of gambling from law enforcement or customers; KYC details of the merchant and associated reseller; a list of other merchants linked to the reseller; the settlement process followed after receiving payments; detection of suspicious transactions during monitoring; actions taken against such merchants; and a list of merchants found to be involved in online gambling.
PhonePe, upon receiving the notice, immediately approached the Karnataka High Court, seeking the issuance of a writ of mandamus directing the investigating authorities to conduct the investigation in Crime No. 193 of 2022 strictly in accordance with the applicable legal framework, including various enactments which the petitioner claims govern its operations. Additionally, PhonePe sought a declaration that the notice is bad in law and liable to be quashed.
PhonePe’s Arguments:
a. PhonePe contended that, being a payment system provider under the Unified Payments Interface (UPI) ecosystem, it is governed by the Payment and Settlement Systems Act, 2007 (“PSSA”), and accordingly, the provisions of the Bankers’ Books Evidence Act, 1891 (“BBEA”) apply to the information it collects. PhonePe’s stand was that Section 22 of the PSSA, read with Sections 5 and 6 of the BBEA, bars it from disclosing confidential customer information except in accordance with a court order.
b. PhonePe further pointed out that Section 91(3) of the Cr.P.C. expressly subordinates the provision to the BBEA, and therefore, the notice issued by the IO under Section 91 is not applicable to it in the absence of compliance with the BBEA’s requirements.
c. Additionally, PhonePe contended that it is an intermediary under Section 79 of the IT Act and as such has no role to play in the transactions leading to the filing of the First Information Report, which are essentially between the National Payments Corporation of India and the payer.
State’s Arguments:
d. The State contended that the police authorities under the IT Act have the power to seek necessary information/documents from PhonePe to conduct a fair investigation.
e. Additionally, the State contended that PhonePe is bound by Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”), which mandates that an online gaming intermediary shall, within twenty-four hours of receiving an order from a lawfully authorised Government agency, provide information under its control or possession, or extend assistance for investigative, protective, or cybersecurity purposes. The State argued that PhonePe, having failed to comply with such obligations, has violated the Central Government's guidelines intended to safeguard against unlawful activities, including those involving merchants engaged in cricket betting, thereby breaching its duties under Section 87 of the IT Act.
Judgement by the Karnataka High Court:
a. The Hon’ble Court, to reconcile the statutes cited, pointed out that a reading of the PSSA itself shows that disclosure of information in obedience to orders passed by a court of competent jurisdiction, or by a statutory authority in exercise of powers conferred by a statute, is permitted. The Court pointed out that an IO clothed with powers under the Cr.P.C. is undeniably an authority permitted to carry out an investigation, including calling for the requisite information/documents.
b. The Hon’ble Court held that the contention that the PSSA has an overriding effect by virtue of the wording of Section 32 has no bearing, as Section 22 of the PSSA itself permits an IO to seek information/documents from PhonePe.
c. The Hon’ble Court held that the safeguards under the BBEA would not immunise institutions from investigatory summons when criminality is suspected. The Hon’ble Court went on to state that “The duty to protect data must yield, where public interest and criminal investigation intersect.”
d. The Karnataka High Court held that PhonePe’s claim of absolute immunity from disclosure under the PSSA and the BBEA was not legally sustainable. While a Section 91 Cr.P.C. notice must be specific and not a fishing inquiry, such a notice is valid if based on a reasonable suspicion of a money trail involving multiple accounts. The IO, acting under statutory authority, is legally empowered to summon documents from intermediaries.
e. Finally, the Court emphasised that consumer confidentiality must be balanced with the needs of lawful investigation and cannot override the duty to assist in criminal inquiries. Accordingly, the writ petition was dismissed.
Impact on FinTechs:
The judgment clearly affirms that fintechs must comply with disclosure requests not only from courts but also from statutory bodies, including police authorities. Accordingly, fintechs should:
a. Understand, acknowledge, and formally notify the top-level management that disclosure requests may be received not only by way of a court order but also as legally valid requests or instructions from various statutory bodies, including police authorities. This awareness should be institutionalized to ensure timely, compliant, and coordinated responses to such requests.
b. A generic refusal citing privacy laws or intermediary status will no longer shield the platform in cases involving suspected fraud, gambling, or money laundering. Platforms are now expected to ensure that any denial of such requests is based on legitimate aim, proportionality, and legality, grounds which are aimed at securing the rights of individuals rather than hindering investigations.
c. Create an internal standard operating procedure (“SOP”) to ensure that any request from a court or statutory authority, including police authorities, is complied with as expeditiously as possible. Failure to comply with the timelines prescribed under the Intermediary Guidelines may jeopardise the intermediary’s entitlement to safe harbour protection under Section 79 of the IT Act. Therefore, the SOP should clearly define processes for prompt verification, assessment, and disclosure of information in accordance with applicable laws, while maintaining records of all such communications and disclosures for audit and compliance purposes.
d. Fintechs involved as online gaming intermediaries or financial intermediaries must be ready to respond within 24 hours to requests from law enforcement agencies.
e. Privacy Policy and Terms of Service will have to be updated to reflect that privacy is not absolute and may be overridden in case of criminal investigations, especially in cases involving suspected fraud, online gaming, gambling, or money laundering.
Compliances by FinTech:
This case sets a new compliance standard for Indian fintechs, requiring them to balance user privacy with lawful investigations. Investigation support must now be treated as a core compliance function, alongside KYC, AML, and data protection.
Authors: Ms. Namrata Dubey, with inputs from Ms. Sharda Balaji