Global Card Payment Companies Adapting to RBI’s Data Localization Norms
Major global card payment companies like Visa and MasterCard have made a move towards aligning with the Reserve Bank of India’s (RBI) regulations concerning data localization. The RBI had set a timeline of October 15 for fintech firms worldwide to stick to their data localization norms in India and facilitate storing Indian users’ transaction data within the country.
In April 2018, an RBI circular stipulated that all system providers must ensure comprehensive payment data related to the systems they operate is stored exclusively within India. This requirement applies to not just card payment services like Visa and MasterCard, but also extends to businesses such as Paytm, WhatsApp and Google which provide digital or electronic payment services. This data encompasses complete end-to-end transaction details processed as part of the message/payment instruction.
The draft data protection law recommended by the Srikrishna committee followed RBI’s directives.
Understanding Data Localisation
Data localization refers to the practice of storing data on any device physically within the borders of the country generating the data. Currently, a large volume of this data is cloud-stored outside India. Localization mandates dictate that companies gathering critical consumer data must process and store it within the geographical limits of the country.
Importance of Data Localisation
The primary purpose behind data localization is safeguarding citizens’ and residents’ personal and financial data from foreign surveillance, such as the alleged Facebook-Cambridge Analytica incident. It grants jurisdiction to local governments and regulators for accessing the data when necessary.
This aspect became significantly important after a series of lynchings linked to WhatsApp rumors stirred controversy across states. According to the RBI, unhindered access to data stored by system providers and third-party vendors in the payments ecosystem can bolster monitoring. Additionally, data localization is quintessential to maintaining national security.
In cases where data is not localized, agencies rely on mutual legal assistance treaties (MLATs) for access, which results in investigative delays. Bringing global data on-shore might also generate domestic jobs and skill-building opportunities in data storage and analytics.
Global service providers like Facebook and Google gather enormous amounts of consumer data. Hence, it’s imperative to ensure stricter accountability from these firms regarding data end-use. India’s one billion-strong consumer market could serve as a strong negotiating tool for pushing data localization.
Issues with Data Localisation
Maintaining multiple local data centres could translate into substantial infrastructure investment and increased costs for global companies. While it’s argued that localisation enhances data security, service providers storing data at multiple locations can boost their data security in case of a breach at one site.
The impact of data localization on data-driven innovation and the economy is likely to be profoundly negative. According to an ECIPE 2014 study, GDP loss could reach 0.8%, growth reduction by 20%, and a decrease in FDI by 1.9%.
Although India’s share in global data trade is a mere $175 billion, it has potential for growth considering world GDP grew by 10.1% due to the trade of $7.8 trillion in 2016, including data flows accounting for $2.8 trillion (Mckinsey Study 2016).
Preserving security measures for small organizations could be challenging given the high costs and associated risks. Consequently, norms should encourage the fact that India, being a global hub for IT/BPM industry, is home to such data processing.
Way Forward
Though data localization might not entirely prevent incidents like Facebook-Cambridge Analytica, it can potentially enable domestic law enforcement to respond more effectively to similar situations. It’s suggested that data localization can help mitigate the vulnerabilities of relying on the fiber optic cable network.
According to the Cyber Security Report 2017 released by Telstra, Indian businesses are most vulnerable to cybersecurity attacks. Therefore, mandatory border control provision may not be the ideal solution to avoid security breach incidents. Instead, using superior encryption and adopting robust security measures could help prevent security breaches.
The recommendation by the Justice Srikrishna Committee Report and the Personal Data Protection Bill, 2018 (Data Protection Bill) states:
– All personal data subject to the law should have at least one serving copy stored in India.
– Personal data that is critical to national interest must only be stored and processed in India.
– The Centre should have the power to exempt transfers based on strategic or practical considerations.
Overview of Data Localization Facts
| Facts | Details |
|---|---|
| Data Trade Share of India | $175 billion |
| Potential GDP Loss due to Data Localization | 0.8% |
| Potential Reduction in Growth due to Data Localisation | 20% |
| Potential Decrease in FDI due to Data Localization | 1.9% |
