US Hypocrisy On Data Localisation Is Obvious: Non-Compliance Should Mean Penalties From Day 1

The Reserve Bank of India (RBI) has done well by refusing to be intimidated by powerful lobbies of US politicians and financial interests demanding a dilution of its data localisation policy.

The deadline for data localisation ended on 15 October, and those who did not comply without giving good reason ought to be penalised. While the RBI has made it clear that it will not penalise customers by disrupting the flow of services from non-compliant payment companies, there is no reason why it should not fine them for not even submitting a reasonable plan that they will execute within a reasonable timeframe. If the entire intent was to use strong-arm lobbying power to avoid data localisation altogether, they must be penalised even harder.

The penalties must start today for those who did not even present a plan for data localisation till the deadline expired, and from the day the RBI agrees as the final deadline for implementation in the case of the rest.

We saw last-ditch efforts by two US Senators, John Corbyn and Mark Warner, co-chairs of the Senate’s India Caucus, to stymie the RBI. They wrote to the Prime Minister demanding that we adopt a “light touch” regulatory framework that would allow data to flow freely across borders. They also claimed that data localisation would constitute a key “trade barrier” between the two countries.

One has to appreciate the gall of these senators in being so blatantly hypocritical. When the US adopts a Sarbanes-Oxley Act to make companies more accountable for compliance with various regulations, and this imposes a significant cost on domestic and foreign companies, then there is no need for a “light touch”. When the US imposes quotas on H1B visas and hikes the fees on them arbitrarily, these don’t constitute significant barriers to bilateral trade in IT services. When the US imposes Foreign Account Tax Compliance Act (FATCA) compliance norms on Indian banks and financial institutions, that is light touch. But when we demand data localisation for our own regulatory and sovereign purposes, we are imposing both barriers to trade and heavy-handed regulation.

An even more ham-handed effort to pressure the RBI happened recently, when the US-India Strategic Partnership Forum (USISPF) met the RBI for talks on data localisation, and objected to the presence of iSpirit (Indian Software Products Industry Round-Table) representatives at the meeting since this apparently constituted a conflict of interest. Reason: iSpirit represents some homegrown tech firms, including Paytm, PhonePe and Ola, among others.

One wonders why when a US lobbying arm like USISPF can meet the RBI on its own terms, the latter cannot invite iSpirit for the talks and also solicit its advice. Surely, USISPF cannot demand to do a separate deal with the RBI which iSpirit is not aware of.

USISPF, which is batting on behalf of global payments players like Visa, Mastercard and American Express to avoid data localisation, has no leg to stand on. In an ET Now panel discussion on Monday, Mukesh Aghi, president and chief executive officer of USISPF, had this to say: “we need to have a consultative process. That is not there. Our request is give us more time. When you balkanise data in a globalised world, you have cybersecurity issues. You have to ensure customers are protected. Having cross-border data is beneficial to both US and India.”

This is largely a load of bull. One wonders why the six months granted for data localisation was not used for consultations and clarifications with the RBI. One wonders why mere data localisation should lead to cyber security problems when the entities guarding the data are the same. One wonders why cross-border flows of data – when they flow only one way – are not an infringement of the sovereignty of India. Can Indian data kept in the US be denied to American regulators, when the data simply does not belong to them? Data localisation means not only subjecting Indian customer data to Indian law, but also denying US courts rights over our data. In what way does free cross-border movement of data controlled by entities who are headquartered in the US benefit India when the regulation is here and not there?

Aghi is talking balderdash, and he should know it. If the companies and groups he represent have not made clear their intentions to comply in the shortest possible time, they should be made to pay for it. And this should include WhatsApp, which has offered data mirroring, but not full data localisation. Data mirroring is not data localisation. It means full compliance with Indian laws, in letter and spirit, and no jurisdiction for US courts over our data without the permission of our customers, or our courts.

It’s as simple as that.