Continuing their pursuit to push for local storage of payment system data, Paytm and other domestic e-commerce/payment firms have said that 6 months is ‘practical’ enough for companies to adhere to the Reserve Bank of India’s guidelines, according to a report by the Times of India. While several ‘stake holders’ were of the view that it would take at least a minimum of two years to transfer user data of Indians to servers located in the country, domestic e-commerce companies felt that the move wouldn’t require more than six months, as directed by the RBI, the report added. Last week, Paytm asked the central government to push for storage of payment system data within the country and not allow mirroring of the data overseas.
The central bank, in April, has mandated all payments system operators working in India to ensure that data related to payment systems operated by them is stored in the country. The move would have come into effect from October 15 this year, according to a report by the Economic Times. However, there is uncertainty over the implementation of the central bank’s directive as, the Data Protection Bill, 2018, a draft of which was submitted to the government last week, overrides all sectorial regulators and therefore all their directives. The bill requires all data fiduciaries to store a copy of users’ personal data in India and more worryingly, the bill also requires mandatory storage of ‘critical personal data’ within India only. The bill, however, failed to state explicitly the definition of ‘critical data’.
Foreign firms fretting over data localisation
Implementing data localisation would come as a strong blow for foreign companies operating in the country because, not only would it cost exponentially for these companies to set up local data centres, but regulations in their home countries would have not permitted them to do so. They also feared that the RBI’s move could also set a precedent for other countries to implement similar rules at a time when there is heightened scrutiny of how companies globally handle their customers’ data. Industry representatives cited that storing the data only in India would also be a security risk, as in the event of a natural disaster, no one would have access to it if it was all stored in one place.
As such, many of these international companies have made multiple representations to the central government as well as the banking regulator through the US-India Business Council, a lobby group for US businesses in India. Furthermore, The Payments Council of India (PCI), which has around 100 payments firms as its members, has sought a meeting with the RBI to suggest “alternative solutions which can meet the RBI requirements of unfettered access”, according to a report.
Fintech companies seek further clarity on draft data bill norms
Fintech startups, which deal with crucial financial information (arguably crucial user data) of users are growing anxious over the draft bill and seeking more clarity on the same, according to another report by the Economic Times. Sameer Nigam, CEO of PhonePe told ET, “We are looking for more clarity on two major points: one is the definition of the critical personal data that the bill proposes, and we need to understand who will define which data is critical. Second is the new bill should ensure that differences in guidelines and differences in interpretations of rules between multiple government entities go away and we have a fixed track to follow.” According to the report, while he advocated the storage of financial information in India, he also called for saving a copy of the data abroad.
Many Fintech players also called for wider consultations of the bill in the industry as its implementation could have major ramifications on these companies. For instance, fintech players keep track of potential customers who could take a loan for a holiday one day, but might need a vehicle loan after two years, or a home loan after five years. To do this, these companies need to retain and analyse user data over a substantial period of time. However, all this could be halted if the draft law is implemented as it mandates data fiduciaries to retain personal data only till as long as it is required to satisfy the purpose for which it was collected.
Further, digital lending companies — which create financial profiles of users (by collecting their data very often) to decide their credit worthiness or their investment appetite — will need to have user consent from their customers many a times to update their profiles and that could hamper user experience.