Offering a ‘potential solution’ to the ongoing saga over the data localisation norms, India’s Economic Affairs Secretary S.C Garg has said that international payment firms operating in India could keep copies of user data in the country while retaining offshore storage operations, according to a report by Reuters. Garg, during a meeting with officials from the Reserve Bank of India and executives from the payment firms, conceded that the central will have the final say on the matter. However, he also pointed out that by keeping mirror images of the data in the country, all customer information would be available to the local authorities, as mandated by the RBI’s directive, the report said. This comes weeks after the publication reported that the country’s finance ministry has proposed to ease the central bank’s guidelines on storage of payment system data.
The central bank, in April, has mandated all payments system operators working in India to ensure that data related to payment systems operated by them is stored in the country. The move would have come into effect from October 15 this year, according to a report by the Economic Times. However, there is uncertainty over the implementation of the central bank’s directive as, the Data Protection Bill, 2018, a draft of which was submitted to the government last week, overrides all sectorial regulators and therefore all their directives. The bill requires all data fiduciaries to store a copy of users’ personal data in India and more worryingly, the bill also requires mandatory storage of ‘critical personal data’ within India only. The bill, however, failed to explicitly define ‘critical data’.
Trying to find consensus in a divided industry
The report also quoted Garg as saying that the government was trying to find a consensus over data localisation at a time when companies across the global are under intense scrutiny over how they handle their customers’ data. Garg said, “What we do is we listen to different stakeholders, what they say, what their stance is and where can we can find a landing zone … That is the reason why it was suggested to have mirror copies,” according to the report. However, it may be impossible for the government to reach a consensus given that the position adapted by the International payment firms on the issue stands polar opposite to position taken by Indian firms. While foreign firms have been lobbying intensely to ease the central bank’s regulation, their domestic counterparts, most notably Paytm, have been pushing the government for implementation of the said norms and not even allow mirroring of the data overseas.
Implementing the RBI’s directive would be a strong blow for foreign companies operating in India including Visa, Mastercard and American Express because, not only would it cost exponentially for these companies to set up local data centres, but regulations in their home countries would not have permitted them to do so. They also feared that the central bank’s move could also set a precedent for other countries to implement similar rules. Industry representatives cited that storing the data only in India would also be a security risk, as in the event of a natural disaster, no one would have access to it if it was all stored in one place. Further, experts claimed that there was little clarity on the type of data that needed to be stored and therefore, on the time needed to implement the said rules
Mastercard division president (South Asia) Porush Singh said that by having user data located only in India, measures to contain cross-border fraud will be diluted as the analytical software which identifies suspect transactions will not be able to match fraudulent incidents in one part of the world with transactions elsewhere.
As such, many of these companies have made multiple representations to the central government as well as the banking regulator through the US-India Business Council, a lobby group for US businesses in India. Furthermore, The Payments Council of India (PCI), which has around 100 payments firms as its members, has sought a meeting with the RBI to suggest “alternative solutions which can meet the RBI requirements of unfettered access”, according to a report.
On the other hand, Paytm has been vocal in its support for implementing the central bank’s norms and recently said that 6 months is ‘practical’ enough for companies to adhere to the Reserve Bank of India’s guidelines. The company went on to also say that mirroring of data is not the solution and many countries have disallowed companies from doing so.