The negatives of data localisation

Mandating that Indian citizens' payment data should be stored within the country may be counter-productive

The Reserve Bank of India (RBI) recently mandated that payment companies physically store Indian citizens’ payment data in India. Companies will have six months to comply. The RBI's aim is to protect the sensitive financial information of Indian citizens.
 
Local Indian players are hailing the move as it would give them a time advantage while global players re-organise their data storage to comply with regulations. However, it is worthwhile for payment operators to consider the impact on the industry as a whole.
 
Impact on payment industry
 
India’s digital payment market is expected to hit $1 trillion by 2023 and contribute 15 per cent of the country’s GDP, according to a Credit Suisse report. This boom in the financial services industry is driven by global entrants such as WhatsApp, Google’s Tez and Amazon Pay. Paytm, FreeCharge (now owned by Axis Bank) and Bajaj Finance are fierce local competitors. UPI transactions are fast catching up with the amount of credit and debit card usage in the country.  
 
In this digital age, data is an incredibly valuable asset traded between borders. A 2016 McKinsey report indicates that cross-border data-sharing accounts for a greater share of the increase in global GDP than the global trade in physical goods. India, being the world’s biggest data processing centre, has benefited greatly.
 
India’s IT-BPM (business process management) sector is worth $173-178 billion and constitutes 55 per cent of the world's outsourcing market. Forty-one per cent of IT exports come from the BFSI sector alone. The IT-BPM sector accounts for about eight per cent of India’s GDP, and it is one of the largest private sector employers, employing about four million people. These numbers showcase the importance of unhindered data flows to India’s economic progress, and the pivotal role the country plays in the global marketplace.
 
Impact on small business
 
Micro, small and medium enterprises (MSMEs) contribute 37 per cent of India’s GDP. This contribution could increase to 48 per cent through increased digitisation and these businesses benefit from cross-border data flows. Cloud-based computing is cost-effective for small businesses and consumers, enabling significantly reduced IT costs while being competitive in the global market against bigger players. Mandating that data be physically stored in India could drastically increase costs for MSMEs in particular, hindering the Digital India mission.
 
Therefore, any policy boosting this industry greatly contributes to our growing GDP and the opposite could hamper growth rates.
 
Impact on infrastructure
 
With more customers preferring digital payments, the volume of data handled by payment operators is increasing exponentially. Large data centres will have to be physically located in India. Fundamental requirements for running these data centres are power, cooling, and sophisticated security measures.
 
The biggest data centres consume an enormous amount of power — sometimes equivalent to a city of a million people. To protect data from damage or corruption, data centres require a large amount of cooling. Global players are migrating their data to Nordic countries to reduce the power required to cool their centres. Asian data centres however, require an incredible amount of power to handle their load. Failure to provide sustained cooling with uninterrupted power supply can result in irreversible data corruption and damage.
 
Almost 32 million homes in India have no electricity. A proliferation of local data centres may negatively impact the initiative of providing electricity to all rural areas, as well as power consumption in urban centres.
 

India’s digital payment market is projected to touch $1 trillion by 2023, contributing 15 per cent of the country’s GDP

Impact on the environment
 
India pledged its commitment to the 2016 Paris Climate Agreement and has successfully begun lowering emissions, experiencing only a two per cent rise in emissions in 2017 over 2016. Government initiatives leveraging solar power, as well as a slowing economy, have contributed to these lowered emission rates. Emissions from industry — particularly carbon dioxide — trap heat and radiation within the earth’s atmosphere, causing global warming, weather changes, increased pollution and health risks.
 
Data centres consume up to three per cent of all global electricity production and produce 200 million tonnes of carbon dioxide, according to the National Resources Defence Council (NRDC). Companies with data as the main commodity have some of the highest carbon footprints, owing to their data centres. Carbon emissions from Bangalore’s Tulip data centre are as high as 900 grams per kilowatt-hour, due to the amount of power required to cool data centres in warmer countries.
 
While India is on track to obtaining 10 per cent of its year-round power from renewable energy sources by 2019, the power generated will still be too low to sustain large data centre operations.
 
Minimising the number of electricity-guzzling data centres in India might be an environmental advantage for India.
 
Recommendations
 
Consumers and businesses would welcome measures to tighten security around sensitive data. But a high level of data protection can be achieved by incentivising businesses to implement tighter security measures and protocols. 
 
Sensitive data is often encrypted and legal justification is required prior to obtaining encryption keys. The physical location alone does not guarantee access to the data. Storing data in different jurisdictions mitigates the risk of damage due to natural disasters and ensures business continuity.
 
India can leverage Mutual Legal Assistance in Trade Matters (MLATs), which enables data-sharing between countries in the event of fraud or security concerns. There are data privacy frameworks such as the APEC Privacy Framework and the Global Privacy Enforcement Network, which permit free trade while providing the necessary structure for interoperability and cooperation.
 
The United States recently passed the CLOUD Act, which encourages bilateral agreements between the US and other countries to efficiently access data when required by the law, irrespective of where the data is stored.
 
The policy-heavy European Union’s GDPR (Global Data Privacy Regulation) attempts to protect their citizens' information beyond the limitations of physical boundaries. Their jurisdiction extends to any organisation that works with their citizens’ data, regardless of where it is stored — around the globe or the cloud.
 
Empowering authorities with greater bilateral understanding between countries will help prevent fraud while securing India’s position as a top player in global markets.  
 
The writer is Honorary Fellow, IET (London).
 
The views are personal. Chandana Bala provided research inputs for this article