Visa’s global president Ryan McInerney has said the company is “extremely committed” to abide by the RBI’s data localisation mandate and also denied reports that global companies initially seemed averse to the mandate in an interview to the Economic Times “Since our commitment to India is long term, measured in decades, we want to work in a way the RBI feels is the right way to work,” he told the newspaper. Last September, a month before the RBI’s rules on data localisation came into effect, T R Ramachandran, Visa’s group country manager for India and south Asia, said the central bank had asked payment companies to send it fortnightly updates on their progress in storing payment data in India. The RBI’s mandate, passed last year, requires all payments-related data generated in India to be stored within the country.
Zuckerberg ‘highly concerned’ about data localisation but WhatsApp working to comply
In an earnings call with investors last week, Mark Zuckerberg said that Facebook won’t store sensitive data in countries where it might be improperly accessed because of weak rule of law or governments that can forcibly get access to your data. He reiterated his stance against data localisation, without mentioning any country specifically. “More countries following the approach of authoritarian regimes adopting strict data localisation policies where governments can more easily access people’s data, and I’m highly concerned about that future,” Zuckerberg said. But earlier this month WhatsApp said it was working to comply with the RBI’s data localisation rules. The messaging platform has been operating its payments service WhatsApp Pay in beta mode for one million users since February 2018 but has run into trouble for not complying with data localisation rules.
Earlier this month the United States Trade Representative (USTR) criticised India’s restrictions on cross-border data flows and its “onerous” data localisation requirements, and said they were a barrier to digital trade. “In 2018, India published a number of measures that would restrict the cross-border flow of data and create onerous data localisation requirements. In October, one such measure was implemented, requiring payment service suppliers to store all information related to electronic payments by Indian citizens within India”, said USTR.
RBI’s localisation mandate for payments data: a timeline
- April 6, 2018: The RBI told all payments system operators in India to ensure that payments-related data was stored within the country and gave the companies six months to comply. The RBI wanted data stored locally “to have unfettered access to all payment data for supervisory purposes”.
- July 12: The Finance Ministry eased the RBI’s directive for foreign payment firms, saying that mirroring a copy of the data in India would be sufficient. Payments companies were relieved, assuming that the Finance Ministry’s directive stood and that it would be okay to mirror user data in India. The companies were awaiting a circular from the central bank to this effect. However, the RBI’s did not issue any such circular.
- July 27: The long-awaited draft Data Protection Bill 2018 was submitted to the government. It added an another layer of confusion to the matter. The bill reportedly overrode all sectoral regulators and therefore all their directives. It mandated that all data fiduciaries store a copy of users’ personal data in India. Worryingly, it also required mandatory storage of ‘critical personal data’ within India only. The bill, however, failed to explicitly define ‘critical data’.
September 6: The RBI asked payment companies to send it fortnightly updates about their progress on local storage of payments data.
- October 15: The RBI’s circular on localisation of payments data came into effect.
- February 2019: The Department for Promotion of Industry and Internal Trade released India’s Draft Ecommerce Policy, which included strategies for regulating access to data, mandating data storage requirements, and controlling cross-border data flows.