Earlier in April this year, the RBI passed a directive that all payment providers operating in India have to store payments related data in India. The regulator gave a hard 6-month deadline for the companies to comply and store all payments-related data locally. The Draft Personal Data Protection Bill, 2018, was released in July, with its own requirements for data localisation, compounding the confusion.
MediaNama held a round-table discussion on localisation of fintech data on 23rd November in Mumbai. What follows are the main arguments made around issues surrounding the policy. The discussion was held under the Chatham House Rule, therefore, quotes have not been attributed to persons, and their affiliations or organisations have been withheld. This is the first part of the discussion. Read the second part here.
Quotes are not verbatim, have been edited for clarity and brevity, emphasis has been added. Each point was made by a different person.
The origin of localisation
- Localisation has been around since 3-10 years, it began with the creation of the NPCI, on the premise that India should have its own local schemes for data being generated in the country. Companies like Visa and Mastercard were providing service for Indians using data analytics on this data. With the formation of the NPCI, came in the idea that payment data should reside locally in India.
- People in the RBI will tell you that the purpose of forming NPCI was access to data, this was at a time when data was going to Visa and Mastercard, whose systems are in the US and they have access to all our data. NPCI came from a nationalist oeuvre; when RuPay was setup, there was a fundamental shift of the government toward data localisation.
- RBI’s thinking comes from the fact that every time a Western power issues sanctions, India is badly hit. For instance, US’s sanctions on Iran. Another contributing factor is the school of thought that an alternate world financial structure should be grounded in the BRICS countries. These are nationalist, protectionist fervours — in the right direction, of course — and localisation is a derivative.
- Today, banks using Mastercard and Visa are much larger than those on RuPay. These companies are making noise because they have wide usage, and because the issuance of RuPay cards is increasing. The number of transactions passing via their switch has been impacted.
Economic costs of localisation
- One of the articles you shared says Visa and Mastercard process transactions worth up to Rs 90,000 crore, while NPCI (RuPay) processes transactions worth Rs 40,000 crore. Visa and Mastercard saying it is difficult to move transactions to India is absolute bullshit; it’s only a matter of moving servers or data here.
- The argument of economic and environmental issues of localisation is absolute bogey. Nobody wants to going through trouble of putting up [infrastructure] here. No Indian company is talking about localising in the US or in Russia or anywhere else in the world. Why is a foreign company talking about not localising here when they’re doing business here?
The regulators haven’t undertaken any study to estimate the economic costs the Indian economy will have to bear. Even if you establish the required data centres, 24×7 power supply and a temperature for the data server are still basic issues.
- If the regulator believes localisation is better for the country, create an incentive structure for bringing data over here, for building better data centres.
Issues around law enforcement access to data
- Data integrity: An algorithm does not change the data or its location during processing. Law enforcement, the ED or SFIO care about the integrity of data in cases the want to investigate; the fact that data has not moved from the original server it was stored in or processed in.
- Making provision for law enforcement access: If a foreign entity is storing their data locally, the laws of India will apply to them. In that case, you can make provisions for them for genuine legal purposes. They can share data with the local authorities or law enforcement for those purposes.
- Blackberry cited Canadian government regulation and said they cannot share any data because they have their own encryption algorithms. The Indian government had to forcefully intervene, for them to open up their algorithm itself. Any company can cite their corporate or country requirements and get away with things… simply by saying that the origin country doesn’t permit them to disclose data or algorithms. They could get away with murder.
Data for investigative purposes can also be integrated in international treaties, either via MLATS or new ways. The current approach comes with economic and environmental costs, it is like bolting down the house and not allowing anything to go out. The RBI directive will have significant economic costs to companies, as well as to consumer. The amount of infrastructure and logistics requirements need to be satisfied.
- The original location where data is stored is what is considered by the law to be the place of integrity. When you’re copying, things can change, dates can change, so the original hard drive or server where it was stored has significant value in law.
Privacy law and localisation
- Absence of a privacy law: India currently doesn’t have a privacy law. The privacy provision in the IT Act is insufficient. In this scenario, I prefer that my data is stored in a country with stronger privacy laws.
- Consumer protection: The consumer protection regulation needs to be strengthened, companies need to ensure what they’re doing with your data, how they’re storing it, what if your data is compromised, that it won’t get into the wrong hands, that they’re playing with data analytics of your data.
Surveillance reform is required before data localisation is implemented; our intelligence agencies exist without an act of parliament, without any oversight. The government has unfettered access to all data.
- Government access to data: Even Justice Srikrishna identified that Indian privacy law is simply not up to a global standard to mediate access to data, we follow a privacy standard that we have not reformed since 1885. Giving unfettered access to data to the government, without any judicial oversight, is a colonial standard.
- On which financial data is to be localised: For example, Uber is now collecting payments for Uber rides in India. The RBI has not issued clarifications, but the view is that if you’re a merchant, then the expectation is that Uber wouldn’t localise, Uber’s payments provider, whoever that is, would localise. But if you’re collecting payments on behalf of others; Amazon, for example collects payments on behalf of third parties, that would be done locally.
- Why restrict localisation to data pertaining to financial transactions, which is a small piece of the total dataset? Data means data irrelevant of the context.
- If data becomes available to anybody apart from the owner and end user, it is a cause for concern. Say for instance, when the data crosses the border, in a scenario where there are no uniform data privacy or enforceability controls across the globe, you could make bilateral arrangements, but they will always be bilateral. On the internet world, you cannot fulfil or identify where the data has eventually landed.
- Each datacenter that is set up in India will employ over 1000 people. Let’s not demean ourselves by saying we don’t have the technology. There is a data breach reported in the US every hour of every day; you can count the number of breaches here.
- An overprotective regulation: Once something becomes valuable, the government wants to control it, and usually frames a reactionary, overprotective policy because of fear of the unknown.
- Most of us currently using Visa or Mastercard; each time you put a card into a PoS machine, it goes through the Visa network, and then comes back to the issuing bank. It would require a considerable amount of effort to route via RuPay since each bank has their own APIs and different message specs. The whole cost of technology shifting is humongous.
- On the regulator’s jurisdiction: RBI has the requisite authority to pass this policy, since they relied on the statutory provisions under the Payments and Settlement Act. The MHA may not have much statutory power to pass such a regulation that concerns financial data. I don’t know what kind of deliberations that went behind this directive, since none is available outside for us to review.
- Access vs. physical location of storage: Localisation give me physical storage, but access it more important. If data stored here is encrypted and the controlling corporation is outside of India, what am I going to do with the data?
(Note: Images in this article are not from the reported event. No images were taken at this event, abiding by the Chatham House Rule.)