About $350 million of the $1 billion that Mastercard plans to invest in India over the next five years will be used to set up a local payments processing centre to comply with the RBI’s data localisation directive, the Economic Times reported. The processing centre is expected to open in the next 18 months, most likely in Pune, and will be Mastercard’s first outside the US. It is expected to handle tasks such as circuit switching for ATMs; and prepaid, point-of-sale, and ecommerce transactions; and offer associated services such as fraud mitigation, tokenisation and authentication, the report said. Last April the RBI said that all payments system operators working in India must ensure that data related to payment systems operated by them is stored in the country, and gave companies until October 15, 2018 to comply. Mastercard had previously invested $1 billion in India over the past five years, through which it made several acquisitions, increased employment, and improved its technology development capabilities, per The Hindu. According to the RBI, there were 990.6 million cards (46 million credit cards and 945 million debit cards) in India at the end of February.
Mastercard’s concerns about data localisation
In July, Mastercard called for the RBI to relax its data localisation rules, saying it hoped that payment companies would be allowed to transfer or store user data outside India to help prevent fraud. But in December, the company submitted the timeline for complying with the RBI’s rules. It told the central bank that it would start deleting the data of Indian cardholders from its global servers, while warning that the global data deletion could weaken security over time. It said that as of October 6, all new transactions were being stored at its technology centre in Pune. It did not specify when it would begin deleting the data. Singh had also told PTI at the time:
- MasterCard operates in more than 200 countries, none of which have asked it to delete data from global servers.
- All the data, including card number and transaction details, would be deleted from everywhere except India.
- The data would be stored only in India.
- The date of data deletion from global servers was not yet decided. MasterCard had proposed a date from which it would start deleting the data regularly but was awaiting confirmation from the RBI.
- Deleting the data would not be easy as it involved several players and stakeholders.
Visa ‘extremely committed’ to complying with RBI’s rules
In April, Visa’s global president Ryan McInerney said the company was “extremely committed” to abiding by the RBI’s data localisation rules and denied reports that global companies initially seemed averse to the mandate. “Since our commitment to India is long term, measured in decades, we want to work in a way the RBI feels is the right way to work,” he told the Economic Times. Last September, a month before the RBI’s rules on data localisation came into effect, T R Ramachandran, Visa’s group country manager for India and south Asia, said the central bank had asked payment companies to send it fortnightly updates on their progress in storing payment data in India.
Arguments from MediaNama’s discussion on data localisation
MediaNama held a round-table discussion on localisation of payments data in November. Here are some arguments that were made on issues surrounding the policy. The discussion was held under the Chatham House Rule; quotes are not attributed and are verbatim.
Origins of data localisation
- People in the RBI will tell you that the purpose of forming NPCI (National Payments Corporation of India) was access to data. This was at a time when data was going to Visa and Mastercard, whose systems are in the US and which have access to all our data. NPCI came from a nationalist oeuvre; when RuPay was set up, there was a fundamental shift of the government toward data localisation.
- RBI’s thinking comes from the fact that every time a Western power issues sanctions, India is badly hit. For instance, US’s sanctions on Iran. Another contributing factor is the school of thought that an alternative global financial structure should be grounded in the BRICS countries. These are nationalist, protectionist ideas — in the right direction, of course — and localisation is a derivative.
- Today, banks using Mastercard and Visa cards are much larger than those on RuPay. These companies are making noise because they have wide usage, and because the issuance of RuPay cards is increasing. The number of transactions passing via their switch has been affected.
- One of the articles you shared says Visa and Mastercard process transactions worth up to Rs 90,000 crore, while NPCI (RuPay) processes transactions worth Rs 40,000 crore. Visa and Mastercard saying it is difficult to move transactions to India is absolute bullsh*t; it’s only a matter of moving servers or data here.
- The regulators haven’t undertaken any study to estimate the costs the Indian economy will have to bear. Even if you establish the required data centres, 24×7 power supply and temperature control for the data server are still basic issues.
- If the regulator believes localisation is better for the country, it should create an incentive structure for bringing data over here and for building better data centres.
- Making provision for law enforcement access: If a foreign entity is storing their data locally, the laws of India will apply to them. In that case, you can make provisions for them for genuine legal purposes. They can share data with the local authorities or law enforcement for those purposes.
- The original location where data is stored is what is considered by the law to be the place of integrity. When you’re copying, things can change, dates can change, so the original hard drive or server where it was stored has significant value in law.
- If we store payments data only in India, it will make the country a target for those who commit financial crimes. Secondly, what happens to BCP? If this copy of business continuity planning fails, what is the Indian user going to do? Under the RBI directive, you can’t keep a copy anywhere else, so you’re creating a single point of failure. This is almost like a solution looking for a problem.
Consumer protection and privacy
- Absence of a privacy law: India currently doesn’t have a privacy law. The privacy provision in the IT Act is insufficient. In this scenario, I prefer that my data is stored in a country with stronger privacy laws.
- Consumer protection: The consumer protection regulation needs to be strengthened, companies need to ensure what they’re doing with your data, how they’re storing it, what if your data is compromised, that it won’t get into the wrong hands, that they’re playing with data analytics of your data.
- Surveillance reform is required before data localisation is implemented; our intelligence agencies exist without an act of parliament, without any oversight. The government has unfettered access to all data.
- Government access to data: Even Justice Srikrishna identified that Indian privacy law is simply not up to a global standard to mediate access to data. We follow a privacy standard that we have not reformed since 1885.