As Tenure Of Parliamentary Panel On Data Protection Comes To End, Here's Where The Debate On The Issue Stands As Of Now

Reserve Bank of India (RBI) has barred MasterCard from on-boarding new customers on its network from 22 July 2021 due to non-compliance of payment data storage norms in India.

In a first such action, RBI had barred American Express and Diners Club, which conduct credit card business in India, from on-boarding new credit card customers in India from 1 May 2021 citing non-compliance with norms that require storing transaction data locally.

Both AmEx and Diners Club offer credit card services to affluent and high-net-worth clientele. These entities have been found non-compliant with the directions on storage of payment system data. However, this does not impact their existing customers.

Current Position

The RBI had introduced the data localisation norms in April 2018 which were to come into effect from October 2018. This mandated data localisation requirements on all information relating to payment systems including complete transaction data in India.

The data to be stored only in India includes “full end-to-end transaction details/ information collected/carried/ processed as part of the message/payment instruction”.

The norms required entities to store domestic customer transaction data in servers located in India and certify compliance through a system audit report submitted to the RBI.

For a foreign leg of a transaction (if any), the data can also be stored in a foreign country, if required. While there is no bar on the processing of payment transactions outside India, the PSOs had to ensure that the data is stored in India after the processing. The data stored in India can be accessed for handling customer disputes, whenever required.

This covered banks, NPCI, card networks such as Visa and MasterCard, Big Tech such as WhatsApp, Google and TPSPs which offer electronic or digital payment services etc. Multiple international payments firms such as MasterCard and Visa had sought extensions. Many companies are yet to comply with this rule.

In case of breach of the directive, as in the case of breach of other directives and regulations issued by the RBI, the central bank has discretionary power to impose fines or even imprisonment in certain cases.

Draft Personal Data Protection Bill, 2019

Data localisation and data nationalisation is a very pertinent subject within the Draft Personal Data Protection Bill, 2019 (PDP), based on the Justice Srikrishna Committee Report. The idea of the PDP is to balance the fundamental right of the individual to data privacy and autonomy as well as the need to foster a data and digital economy.

Data localisation is the act of storing data on any device physically present within the borders of a country. While India may be a poor country in terms of per capita income, it is rich in data creation, and the data must be mined within India for the country’s benefit to help government form better domestic policies for its citizens.

Given the presence of foreign players in digital payments such as Google Pay, Amazon Pay, WhatsApp Pay and card networks Visa, MasterCard, American Express, localisation of data is a key development.

Under the PDP, the committee has recommended local storage and processing of personal data by classifying data into different categories. Personal data determined to be ‘critical’ will be subject to the requirement to be processed only in India.

Other types of ‘sensitive’ personal data (non-critical) will be subject to the requirement to store at least one serving copy in India. Cross border data transfers of such ‘sensitive’(non-critical) will be through model contract clauses containing key obligations with the ‘transferor’ being liable for harms caused to the principal due to any violations committee by the ‘transferee’.

Cloud Service Providers

Cloud computing, with its easy on-boarding and secure hosting services, has been a driver of FinTech growth in India. Cross-border cloud services pose issues even under the PDP bill. The PDP bill does envisage the applicability of its provisions to processing of personal data by foreign CSPs if they provide services to users in India.

China, Russia and European Union (EU) all have data localisation laws in place. In the global context, the European Court of Justice in a recent judgement popularly known as Schrems II, has held that data transfers from EU to a CSP outside the EU may be illegal if the CSP is unable to comply with EU data protection and privacy standards for any reason.

This may prompt non-EU CSPs to either exit the EU market or be forced to invest in localising user data within the EU. If other countries adopt this stance as well, then it may trigger an unprecedented localisation of the cloud industry.

Discussion

There are different views on data localisation.There are views that India must not mandate strict data storage within the country, but allow it to be stored in any jurisdiction approved by the government that permits lawful access to the government of India under defined exceptional circumstances.

The view is that unless we allow data to flow out, a lot of industrial activity will be curtailed. The counter-argument is that is the reason for the categorisation of data into sensitive and critical data, in order to decide which data can be allowed to go outside. However, this categorisation may be costly to execute.

Maintaining multiple local data centres may entail significant investments in infrastructure and higher costs for global companies. As per some reports, India needs to ramp up its data centre capacity by at least 15 times in next seven to eight years to be able to handle the massive amount of data influx that will enter its borders because of data localisation.

If one was to compare the cost of manpower, real estate and bandwidth, India is much cheaper than the US or Singapore. These savings will ultimately go to the customers looking for rack space. Bengaluru, Hyderabad, Pune, Gurugram can become the hub of innovation and data processing. On-shoring global data could also create domestic jobs and skills in data storage and analytics too. But we must ensure the security of the data centres, making them nuclear bombproof, earthquake-proof etc.

Data localisation is essential to national security. Localisation of data is needed as once the data is transferred to foreign jurisdictions, Indian authorities may not be able to access that data even for statutory purposes, such as intelligence activities. Indian authorities may have to route their data access requests through complicated procedures with the recipient country, delaying investigations.

The bill, which is meant to ensure that citizens have control of their personal data, is being analysed by a joint parliamentary committee in consultation with experts and stakeholders.