Facebook does not have access to transaction data, which is encrypted and in compliance with data localisation guidelines, said WhatsApp, in a clarification on its data and privacy policy for payment services based on the Unified Payments Interface (UPI). In its blogpost, the Facebook Inc. owned messaging platform said that it will ensure that UPI payments through WhatsApp will be completely secure and in full compliance with the data localisation guidelines issued by Reserve Bank of India (RBI). “The UPI transaction data is encrypted, and Facebook doesn’t have access to this data in clear format,” it said.
While the government has told WhatsApp to roll-back its proposed privacy policy update and the company has delayed its roll-out by three months, the global messaging platform is currently facing legal challenges over its new terms of service and payments facility, given the proposed changes to WhatsApp’s privacy policy. It has been taken to court several times in the last few years over alleged non-compliance with RBI rules and regulations. Further, some of the petitions filed before the courts also alleged that the platform also violates privacy rights of its users.
In November last year, WhatsApp got the green light from regulators to launch its UPI payments service in a graded manner, with user registration restricted to 20 million at present, after two years of beta-testing phase. The blog says that WhatsApp India’s Payments Privacy Policy will solely take care of the privacy concerns with regards to WhatsApp Pay. “WhatsApp India actively monitors necessary compliances and may share UPI transaction data for identified exceptions with affiliates and regulators subject to regulatory approvals to stop illegal use of WhatsApp payments in compliance with applicable laws and regulation,” it said.
Does Facebook have access to WhatsApp Pay?
It is unclear what sort of data Facebook will or may receive from WhatsApp on its users’ UPI payments. The blog is fairly vague when it says that Facebook doesn’t have access to encyrpted UPI transaction data in a clear format, but adds that “When we share information with service providers, we require them to use your information on our behalf in accordance with our instructions, terms, and applicable law.”
What information is collected?
- Customer details: The company has access to the user’s UPI virtual payment address (VPA) or ID, but it does not store the UPI PIN and does not store customer payment sensitive information such as the one-time password (OTP), full account number, or any debit card details.
- Payment information: For UPI payments, WhatsApp Pay will require the sender’s VPA, receiver’s VPA, phone number, payment amount, currency, date, time and transaction number. “When the sender makes a payment to a WhatsApp contact, we collect account and transaction information, including the sender’s and receiver’s names and BHIM UPI IDs,” the blog said.
- Information from service providers: WhatsApp India says it works with service providers like WhatsApp Inc. and other Facebook companies to operate, improve, customize, support, and market payments in a secure manner. “We work with companies to assist with customer support, and we receive information from them that you provide over the phone or email,” it said.
- Information from banks and NPCI: Payment service provider banks and National Payments Corporation of India (NPCI) provide information to WhatsApp about the user, their financial acccounts and payment transactions. “For example, we may receive information about you or your transactions from a PSP bank, including information to confirm your registration, the payment sender’s or receiver’s name, account information and status, balance sufficiency, transaction and account identifiers, risk or fraud alerts, and the like,” it said. The information shared between UPI users and the bank is subject to privacy policies of the banks, it added.
How is this data used?
The company says that all the information it receives goes back to improve, customize, support and market its services, which in the payments space usually means protecting users from fraud, abuse and misconduct.
“WhatsApp India works with the other Facebook Companies, including Facebook Inc. (“Facebook”) and WhatsApp Inc., to provide Payments, including to send payment instructions to PSP banks. We also use the information to customize, market and improve Payments, including cross-selling, promotions, providing value-added services and other NPCI approved purposes, and in accordance with applicable law,” it said.
It is important to note that since WhatsApp Pay and its bank partners are subject to regulations set by the RBI and the NPCI, much of the information and data fields collected by WhatsApp is fairly standard across all third-party UPI mobile apps. However, the clear conflict in the case of WhatsApp is the ability for the messaging service to share anonymous aggregated data or meta-data with its “affiliates” and other Facebook-owned platforms.
While WhatsApp’s new privacy policy aims to create an inter-operable experience across its app platforms, WhatsApp Pay admits that affiliate businesses either currently support or will be in a position to market its UPI service. At the minimum it can market WhatsApp Pay through other ecosystem apps.
What do the liability clauses say?
WhatsApp India says it will not be liable for any profits or loss occurring through the payment transaction and that its aggregate liability will not exceed ₹1,000. “WhatsApp does not have control over the payment and therefore cannot provide refunds or facilitate chargebacks. WhatsApp is not liable for errors caused by the PSP, your or other banks processing the transactions, or NPCI, or for unauthorized transactions. We assume no responsibility for the underlying transaction of funds, or the actions or identity of any transfer recipient or sender,” according to the WhatsApp India Payments Terms of Service,” it said.
Also read:
- ‘Govt should ban WhatsApp Pay for privacy violations’, says Atmanirbhar Digital India Foundation: Report
- ‘Delete WhatsApp if it compromises data’: Key takeaways from hearing on WhatsApp’s privacy policy in Delhi HC
- WhatsApp’s Privacy Policy Explained: Why Messaging App’s Users Are Porting To Signal, Telegram
- WhatsApp Users Get Prompt To Accept New Terms Of Service, Privacy Policies
