Chinese companies will follow India’s rules around data localisation, Chen Benrong, Deputy Director of Guizhou Provincial Cyberspace Administration, told the Economic Times. Data localisation is a key feature of India’s draft Data Protection Bill and the Reserve Bank of India’s guidelines on payments-related data. Interestingly, the US has raised objections to India’s data localisation plans, saying that it is a goal for the US to eliminate such barriers, which weaken data security and increase the cost of doing business, and sees the proposal as a major trade issue.

Data mirroring/localisation in the Data Protection bill

The localisation requirement in the Srikrishna Committee’s final bill is among the legislation’s most contentious features. The bill requires all data fiduciaries to store a copy of users’ personal data in India. However, it doesn’t clarify what constitutes personal data in different contexts. Here’s what it says about restrictions on cross-border transfer of personal data:

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under subsection (1) on the grounds of necessity or strategic interests of the State.
(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

RBI on localisation of payments data

Separately, last April, the Reserve Bank of India mandated all payments system operators working in India to ensure that people’s payments data was stored only in India, and gave the companies six months to comply. Data localisation was also featured in India’s draft e-commerce policy. However, the Finance Ministry suggested last month that provisions relating to data protection be excluded from the e-commerce policy, on the grounds that the issue was best handled by MeitY.

How have countries and firms reacted to data localisation?

Here is how the US government, payment companies and big tech firms have reacted to India’s proposed data localisation requirements:

What the US government said

The US Trade Representative’s 2019 National Trade Estimate Report criticised India’s data localisation norms and draft e-commerce policy, terming certain proposals as “most discriminatory and trade-distortive”. It said these requirements raised costs for suppliers of data-intensive services by forcing the construction of unnecessary, redundant data centres and preventing local firms from taking advantage of the best global services available. The report also said the proposals of India’s draft national e-commerce policy such as data localisation requirements and restrictions on cross-border data flows were “discriminatory”.

What payment companies said

  • MasterCard CEO Ajay Banga said the challenge with localisation is not the expense, but that the data loses its predictive power once it is balkanised, compared to data that is shared across countries. MasterCard was among the first foreign payment companies that called for relaxation of the RBI’s localisation directive.
  • Visa’s global president Ryan McInerney said the company was “extremely committed” to abiding by the RBI’s data localisation mandate and also denied reports that global companies initially seemed averse to it.
  • WhatsApp announced that it had built a system to store payments-related data locally in India even before RBI’s mandate. However, as of April, WhatsApp was working to comply with Reserve Bank of India (RBI) regulations on the local storage of payment-related data, and had delayed compliance owing to some pending engineering work.
  • In contrast, Paytm and other domestic e-commerce/payment firms welcomed data localisation and said that 6 months was enough for companies to adhere to the RBI’s guidelines.

What big tech companies said

  • Facebook’s Mark Zuckerberg said that Facebook wouldn’t store sensitive data in countries where it could be improperly accessed because of weak rule of law or governments that could forcibly get access to data. He reiterated his stance against data localisation, without naming any particular country.
  • Chinese phone manufacturer Xiaomi was one of the first firms to announce it was migrating its Indian data to “highly secure” Amazon Web Services (AWS) and Microsoft Azure servers in India, from its current servers in the US and Singapore. The company said that the migration would be across Xiaomi’s services — its e-commerce platform, Mi TV, Mi Cloud, MIUI and Mi Community. It had said that since last July, all new Indian user data was already being stored on servers within India, and all existing data would be fully migrated by mid-September 2018.