Overview
PhonePe is a leading Indian digital payments and financial services platform, managing transactions, investments, and insurance for millions of users. As a Data Fiduciary (the entity that determines the purpose and means of processing your personal data), PhonePe handles highly sensitive personal and financial information, including transaction history and KYC documents. Its adherence to the Digital Personal Data Protection Act, 2023 (DPDP Act) is therefore crucial, and this page checks PhonePe's published privacy policy against the Act section by section.
DPDP Readiness: Section-by-Section Analysis
Sections 5 and 6 — Notice & Consent ⚠️
PhonePe’s policy states that using its platform implies consent. This means consent is often bundled with service terms, making it a “take it or leave it” situation for users.
What the policy says: “By visiting, downloading, using PhonePe Platform, and/or, providing your information or availing our product/services, you expressly agree to be bound by this Privacy Policy…” and “We process your Personal Information with consent.”
DPDP requirement: Under Section 6(1), consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Under Section 5, the request for consent must be accompanied by a notice describing the personal data, the purpose of processing, how the Data Principal (the individual whose data is being collected) can exercise their rights, and how they can complain to the Data Protection Board of India. Consent cannot be forced or implied from use of the service.
The problem: PhonePe collects various types of data for many purposes (including marketing and personalization). A single blanket agreement inferred from "visiting, downloading, using" the platform is neither a clear affirmative action nor specific to a purpose, so it likely does not meet the Act's standard for consent, even though the policy does ask for explicit consent for specific device features such as SMS or camera access. Purpose-specific consent for those features is the right pattern; it needs to extend to every purpose that rests on consent.
Section 7 — Certain Legitimate Uses ⚠️
PhonePe lists several purposes for processing data, including “marketing, presenting advertising, and offering tailored products and offers.” While some uses (like processing transactions) are legitimate, others require specific consent under DPDP.
What the policy says: Purposes include “…customizing and improving your experience by marketing, presenting advertising, and offering tailored products and offers…”
DPDP requirement: Section 7 defines "certain legitimate uses" as a closed list, for example personal data the Data Principal has voluntarily provided for a specified purpose, provision of State benefits and services, compliance with a legal obligation or court order, medical emergencies, public health and disaster response, and employment-related purposes. Marketing, advertising, and personalization are not on the list, so they can only be processed on the basis of consent under Section 6.
The problem: The Act has no general "legitimate interest" basis of the kind found in GDPR. Several of PhonePe's stated purposes (especially marketing and personalization) therefore cannot be claimed under Section 7 and need specific, granular consent that the user can refuse without losing the payment service itself.
Section 8 — Obligations of Data Fiduciary ✅
PhonePe describes robust security measures to protect user data.
What the policy says: “PhonePe has deployed administrative, technical, and physical security measures to safeguard user’s Personal Information…” It mentions “encryption or controls for both data in motion and data at rest,” firewalls, password protection, and access limits.
DPDP requirement: Under Section 8(5), a Data Fiduciary must protect personal data in its possession or under its control, including data held by a Data Processor on its behalf, by taking reasonable security safeguards to prevent a personal data breach. Under Section 8(6), a breach must be notified to the Board and to each affected Data Principal in the form and manner prescribed.
Strength: PhonePe provides a detailed overview of its security practices, referencing encryption in transit and at rest, firewalls, and access controls, which aligns with the Act's requirement. One caveat: policy text only asserts these controls. The obligation (and the highest penalty tier in the Act's Schedule) attaches to actually having them, so the claim is one for an audit of the controls, not of the policy wording.
Section 8(7) — Data Retention 🔴
This is a major gap. PhonePe uses generic language regarding how long it keeps user data.
What the policy says: “we… retain it in accordance with applicable laws and for a period no longer than it is required for the purpose for which it was collected.”
DPDP requirement (Section 8(7)): Unless retention is necessary to comply with a law in force, a Data Fiduciary must erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, and must cause its Data Processors to do the same. Purpose limitation and retention limitation are therefore tied to concrete triggers, not to an open-ended "as long as required".
The problem: The policy lacks specific data retention timelines and does not name the "applicable laws" that justify retention after the purpose ends. Users have no clear idea how long PhonePe holds their transaction history, KYC documents, or other sensitive financial data once their service use ends or consent is withdrawn, nor which records are kept under a legal obligation (for example record-keeping rules for payment and KYC data) and for how long.
Sections 11 to 14 — Rights of the Data Principal ⚠️
PhonePe acknowledges some rights of the Data Principal (like access and correction) but falls short on the full scope defined by DPDP.
What the policy says: “You can access and review your Personal Information… In case you wish to delete your account or Personal Information, please use the ‘Help’ section of the PhonePe Platform.”
DPDP requirement: Data Principals have the following rights under Chapter III of the Act:
- Right to access information about their personal data, the processing activities, and the identities of other Data Fiduciaries it has been shared with (Section 11).
- Right to correction, completion, updating, and erasure of personal data (Section 12).
- Right of grievance redressal (Section 13).
- Right to nominate another individual to exercise these rights in the event of death or incapacity (Section 14).
The problem: While access, correction, and deletion are mentioned (with caveats for deletion), PhonePe’s policy does not address the “right to nominate” a person to act on a Data Principal’s behalf, which is a key provision under DPDP Section 14.
Section 13 — Right of Grievance Redressal ⚠️
PhonePe provides a way to contact its Privacy Officer, but the process isn’t fully aligned with DPDP.
What the policy says: “In case you have any questions, concerns, or complaints… you may write to PhonePe’s Privacy Officer using this link https://support.phonepe.com”
DPDP requirement: Under Section 13, a Data Principal has the right to readily available means of grievance redressal from the Data Fiduciary, which must respond within the period prescribed by rules under the Act. Section 8(9) requires the Data Fiduciary to establish an effective grievance mechanism, and Section 8(10) requires it to publish contact details for a Data Protection Officer or other person able to answer questions about processing. The Data Protection Board of India is the next step, but only after the Data Principal has exhausted the Data Fiduciary's own mechanism (Section 13(3)).
The problem: PhonePe's policy does not mention the Data Protection Board of India as the escalation path once internal redress is exhausted, and it gives no response time beyond "reasonable time". Since the Act leaves the response period to be prescribed by rules, the policy should commit to a concrete number of days and say what happens when that period lapses without resolution.
Section 16 — Cross-Border Data Transfer ⚠️
PhonePe explicitly states it stores most personal information within India. However, it hints at exceptions.
What the policy says: “To the extent applicable, we store Personal Information within India…” but also mentions “agencies appointed by PhonePe for investigation purposes located within or outside the Indian jurisdiction.”
DPDP requirement (Section 16): The enacted Act does not use an adequacy whitelist. Section 16(1) lets the Central Government restrict, by notification, transfers of personal data for processing to specified countries or territories outside India; transfers to any other country are permitted under the Act. Section 16(2) preserves any other law that provides a higher degree of protection or a restriction on transfer, so sector-specific localization rules for payment data continue to apply on top of the DPDP Act.
The problem: While core data is stated to be stored in India, the clause about "investigation purposes located within or outside the Indian jurisdiction" signals cross-border transfers. The policy does not say which countries data might go to, what safeguards apply, whether any destination is on a restricted list notified under Section 16(1), or how these transfers square with the stricter sectoral localization rules that Section 16(2) leaves in force.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance for failing to take reasonable security safeguards (Schedule, Section 8(5)); up to ₹200 Cr for failing to notify a breach; up to ₹50 Cr for other breaches of the Act |
| Consent compliance | High | Bundled consent invalidation for numerous processing activities |
| Data retention | Critical | Undefined retention periods for sensitive financial data |
| Data principal rights | Medium | Incomplete rights framework, missing nomination rights |
| Grievance redressal | Medium | No stated response period and no mention of the Board; Section 13(3) requires internal redress first, so an unclear internal path delays users and invites complaints to the Board once it is exhausted |
| Cross-border transfer | Medium | Ambiguity regarding international data movement |
Recommendations
- Update Policy Reference: Explicitly state compliance with the DPDP Act, 2023 and map policy sections to its provisions.
- Implement Granular Consent: Introduce clear, separate consent options for different data processing activities (e.g., payments, marketing, analytics, third-party sharing).
- Define Retention Timelines: Provide specific periods for different categories of personal data, rather than vague “as long as necessary.”
- Add DPB Escalation: Commit to a concrete grievance response period and clearly outline the process for escalating unresolved grievances to the Data Protection Board of India once the internal mechanism is exhausted (Section 13(3)).
- Address Nomination Rights: Include information about the Data Principal’s right to nominate another individual to exercise their rights.
- Specify Cross-Border Transfers: If data is transferred outside India for any purpose, name the countries and the safeguards applied, confirm that none is a country restricted by notification under Section 16(1), and state how sectoral data localization rules for payment data are met.
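The "granular consent" and "retention timelines" recommendations above are engineering controls as much as policy text. The following is an added example, not PhonePe's code, of what a purpose-scoped consent register looks like when it enforces both: consent is recorded per purpose rather than as one blanket agreement, collection is refused without an active consent for that purpose, and records are erased on withdrawal or on purpose expiry, whichever comes first, with a legal-hold exception for records a law requires to be kept (the Section 8(7) carve-out). The purpose names, retention periods, legal-hold set, and sample events are all assumptions for illustration, not a legal retention schedule.

```python
"""Purpose-scoped consent register with retention enforcement.

Added example, not PhonePe's code. Purposes, retention windows, the
legal-hold set and the sample events are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention windows per purpose (illustrative, not a legal schedule).
RETENTION = {
    "payments": timedelta(days=365 * 5),   # assumed record-keeping obligation
    "marketing": timedelta(days=365),
    "analytics": timedelta(days=90),
}
# Assumed: purposes whose records a law requires keeping even after withdrawal.
LEGAL_HOLD = {"payments"}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class Record:
    purpose: str
    collected_at: datetime
    value: str


class ConsentRegister:
    def __init__(self) -> None:
        self.consents: dict[tuple[str, str], Consent] = {}
        self.records: dict[str, list[Record]] = {}

    def grant(self, principal: str, purpose: str, at: datetime) -> None:
        # One purpose per call: there is no "agree to everything" entry point.
        if purpose not in RETENTION:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.consents[(principal, purpose)] = Consent(purpose, at)

    def withdraw(self, principal: str, purpose: str, at: datetime) -> None:
        consent = self.consents.get((principal, purpose))
        if consent is not None and consent.withdrawn_at is None:
            consent.withdrawn_at = at

    def has_consent(self, principal: str, purpose: str, at: datetime) -> bool:
        consent = self.consents.get((principal, purpose))
        return consent is not None and consent.active(at)

    def collect(self, principal: str, purpose: str, value: str, at: datetime) -> None:
        # Processing is gated on an active consent for this specific purpose.
        if not self.has_consent(principal, purpose, at):
            raise PermissionError(f"no active consent for {purpose!r}")
        self.records.setdefault(principal, []).append(Record(purpose, at, value))

    def enforce_retention(self, principal: str, now: datetime) -> dict[str, int]:
        """Erase records whose purpose expired or whose consent was withdrawn,
        whichever is earlier; legal-hold purposes survive withdrawal but not
        expiry. Returns a count of erased records per purpose."""
        erased: dict[str, int] = {}
        kept: list[Record] = []
        for record in self.records.get(principal, []):
            expired = now - record.collected_at >= RETENTION[record.purpose]
            withdrawn = not self.has_consent(principal, record.purpose, now)
            if expired or (withdrawn and record.purpose not in LEGAL_HOLD):
                erased[record.purpose] = erased.get(record.purpose, 0) + 1
            else:
                kept.append(record)
        self.records[principal] = kept
        return erased

    def remaining(self, principal: str, purpose: str) -> int:
        return sum(1 for r in self.records.get(principal, []) if r.purpose == purpose)


def demo() -> dict:
    """Walk one constructed user through consent, withdrawal and expiry."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = ConsentRegister()
    reg.grant("user-1", "payments", t0)
    reg.grant("user-1", "marketing", t0)
    reg.collect("user-1", "payments", "txn:constructed-001", t0)
    reg.collect("user-1", "marketing", "segment:constructed", t0)
    try:                                  # analytics was never consented to
        reg.collect("user-1", "analytics", "event:constructed", t0)
        blocked = False
    except PermissionError:
        blocked = True
    reg.withdraw("user-1", "marketing", t0 + timedelta(days=30))
    day31 = reg.enforce_retention("user-1", t0 + timedelta(days=31))
    reg.withdraw("user-1", "payments", t0 + timedelta(days=40))
    day41 = reg.enforce_retention("user-1", t0 + timedelta(days=41))
    year6 = reg.enforce_retention("user-1", t0 + timedelta(days=365 * 6))
    return {"blocked": blocked, "day31": day31, "day41": day41, "year6": year6,
            "payments_left": reg.remaining("user-1", "payments"),
            "payments_processing": reg.has_consent("user-1", "payments", t0 + timedelta(days=41))}


if __name__ == "__main__":
    print(demo())
```

The design point is in `enforce_retention`: withdrawal and expiry are independent triggers, and the legal-hold set only suspends the withdrawal trigger, never the expiry one. In the walkthrough, withdrawing marketing consent erases the marketing record on the next sweep, withdrawing payments consent stops further payments processing but keeps the record under the assumed legal obligation, and the payments record is still erased once its retention window lapses.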