We missed this earlier.
Google Pay is currently in the “midst of” complying with the Reserve Bank of India’s data localisation norms, but will “100%” comply with it, according to news agency PTI. But, there is not much clarity on how much time it would take for it to store payments data in systems located within India. MediaNama has reached out to Google for comment. It’s worth noting that the RBI’s localisation mandate came into effect in October 2018, meaning that Google Pay is yet to comply with the localisation mandate a year since it’s been in effect.
The RBI, in April 2018, issued a directive that all payments system operators in India to ensure that data related to payment systems, such as customer data, payment sensitive data, payment credentials and transaction data, be mandatorily stored in India.
In India, Google Pay, previously Google Tez, launched in September 2017, and claims to have 67 million monthly active users (MAUs) as of September 2019, while its competitors, Paytm and PhonePe reported 140 million and 55 million monthly active users in the country, respectively. Paytm’s active users are for both its payments bank and UPI, while Google Pay and PhonePe are UPI-only platforms.
In April 2019, the Delhi High Court had asked RBI and Google India as to how Google Pay was operating in India without its approval, after a petition claimed that it didn’t feature in RBI’s list of authorised ‘payment systems operators’. At the time, the platform had said that it is a “technology solutions provider” to partner banks, and also said that its efforts to comply with RBI’s localisation mandate were “underway”. Google has the approval of the National Payments Corporation of India (NPCI), which runs UPI and approves and monitors all payment services in India. It is on the NPCI’s list of approved third-party apps.
It is worth noting that, RBI has directed the NPCI to not allow full-scale launch of WhatsApp Pay on UPI as the platform does not comply with data localisation norms. WhatsApp began testing payment services in India in January 2018, and Indian authorities have also in the past raised concern that the platform might share user data with Facebook and Instagram.
A timeline of the RBI’s localisation mandate for payments data
- April 2018: the localisation circular surfaces: The RBI told all payments system operators in India to ensure that payments-related data was stored within the country and gave the companies six months to comply. The RBI wanted data stored locally “to have unfettered access to all payment data for supervisory purposes”.
- July 2018, Finance ministry tries to step in: The Finance Ministry eased the RBI’s directive for foreign payment firms, saying that mirroring a copy of the data in India would be sufficient. Payments companies were relieved, assuming that the Finance Ministry’s directive stood and that it would be okay to mirror user data in India. The companies were awaiting a circular from the central bank to this effect. However, the RBI’s did not issue any such circular.
- Also in July, the Data Protection Bill mandated localisation : The long-awaited draft Data Protection Bill 2018 was submitted to the government, adding to the confusion. The bill overrode all sectoral regulators and therefore all their directives. It mandated that all data fiduciaries store a copy of users’ personal data in India. Worryingly, it also required mandatory storage of ‘critical personal data’ within India only. The bill, however, failed to explicitly define ‘critical data’.
- September 2018, RBI asks for updates on local storage: The RBI asked payment companies to send it fortnightly updates about their progress on local storage of payments data.
- October 2018, RBI circular comes into effect: The RBI’s circular on localisation of payments data came into effect.
- February 2019: The Department for Promotion of Industry and Internal Trade released a Draft E-commerce Policy, which included strategies for regulating access to data, mandating data storage requirements, and controlling cross-border data flows. Data localisation may now be left out of the e-commerce policy, and left to the jurisdiction of the Data Protection Bill.