How RBI's hard stand on data localisation will impact key players

The deadline for global online payment firms and service providers to transfer customer data to Indian servers came to an end on Monday. Nikhat Hetavkar discusses the implications of the RBI’s hard stand on the issue of data localisation and its impact on key players.

What is the debate on data localisation all about? 

In April, the Reserve Bank of India (RBI) gave six months to global payment companies to store transaction data of Indian customers within India. Local data storage would not only allow the RBI to have unfettered access to the data but would also enable it to monitor payment systems better. The rapid growth in digital payments and the number of players in the fray was one of the reasons for the RBI’s to seek access to that data. An immediate trigger was the difficulty in acquiring data from global companies, not subject to local jurisdiction, if and when there is a financial crime like fraud or data theft. 

What is data mirroring and how did it become a bone of contention between the RBI and global firms? 

Data mirroring allows companies to store copies of a particular database at multiple locations. The RBI’s April directive states that data would be stored only in India, which means that payment companies cannot store copies of Indian consumer-related data outside the country. In other words, there is no scope for data mirroring. A large number of global players advocate free flow of data across borders and insist that data localisation hampers innovation and security. US senates have warned that Indian data localisation laws could hamper trade relations between the two nations and have pushed for a softer stance. However, despite a suggestion from the finance ministry to allow data mirroring, the RBI refused to accept it. The RBI’s hard stance on data localisation might find reflection in the upcoming data protection law. 

What does local data storage entail for payment companies — both local and global? 

Local data storage would require every payment company to have a data centre or a cloud hosted within the country. While most local players and some global players already have data centres in India, those who don't would now have to set up such services, which is costly and is a time consuming affair. As a general practice, most global companies process their data in a common cloud or data centre outside India, even if they have a data centre within the country. Various processes — such as security management, fraud prevention as well as data analytics — have been built by these firms to process data emanating from different geographies. Data localisation would force them to perform all these processes, both transactional and supervisory, separately for Indian customers. This would require global payment players to increase their investments in the country, both on infrastructure and on timely execution. Separate processes for various geographies would not only entail the incremental cost of transferring all their previous data but also undermine the benefits accruing from economies of scale, they contend.

How do India’s data protection laws compare with those in other countries? 

The condition of exclusive data storage makes India’s data localisation laws among the strictest in the world. Experts say that it brings India on par with countries like Russia and China even as these countries have reasons to be restrictive because of their economic and geopolitical policies. Even in countries like Russia and China, specific data can be transferred but only after storing it onshore first. The RBI has not specified any such allowances till date. The UK and Sweden are in favour of free flow of data, whereas countries such as Germany and France strongly oppose it. Some countries also mandate data localisation for specific sectors — such as Australia for health records and Canada for public service providers.

What is the level of compliance with the RBI directive at the moment? What could be the likely impact since many have missed the October 15 deadline?

Of the 80 companies that the RBI instructed to store data locally, 85 per cent became fully compliant before the deadline. All local payments players are fully compliant with the RBI’s local data storage norms. A few days before the RBI’s October 15 deadline got over, global behemoths Google, Facebook (with its subsidiary WhatsApp), Amazon, and Alibaba announced they were fully compliant with the country’s regulation. Credit card issuers such as Mastercard, Visa and American Express missed the RBI deadline for full compliance, but are working towards meeting the requirements. Sources said that stern action from the RBI is unlikely in the near term. Card services offered by these players would function as usual, since both the RBI and the payment companies don’t want customers to be inconvenienced. Observers say depending on their progress towards compliance, these companies might attract RBI censure/action over time.