Harish Puppala | Rakesh Sharma
The RBI's deadline of 15 October for all payment system operators to comply with the central bank’s data localisation norms just went by. Companies like Visa, American Express, Facebook, PayPal, Mastercard, Google and WhatsApp are required, as per the Reserve Bank’s directive, to ensure that the "entire data relating to payment systems operated by them are stored in a system only in India."
Data localisation, according to the website Techopedia.com, is the act of storing data on any device that is physically present within the borders of a specific country where the data was generated.
The website also noted that the free flow of digital data, especially data which could impact government operations or operations in a region, is restricted by some governments. Many attempt to protect and promote security across borders, and therefore encourage data localisation.
Moneycontrol reported that the directive caused consternation among large technology players — Google, Amazon, Facebook etc. All these companies have built digital payment apps that are gaining in popularity among Indians. Manpreet Singh Anand, Senior VP at Albright Stonebridge Group, and Nikhil Sud, a Regulatory Affairs Specialist with ASG, wrote in The Diplomat that, “As India builds its data protection regime and contemplates the vast range of issues involved, one issue has emerged in the spotlight: data localisation...The Ministry of Electronics and Information Technology wants it; the Reserve Bank...wants it; the Ministry of Commerce wants it...It’s not clear, however, whether India needs it.”
That is a good summation of the situation. In this episode of Digging Deeper, we'll dive into this topic to figure out what this new issue is, which the RBI is getting all confrontational about, and why the organisations mentioned are dragging their feet.
To each his own
Back in April of this year, the Reserve Bank of India announced that all India-related payments data should be stored within India’s borders to ensure better monitoring. It instructed all system providers to ensure systems were in place within six months. The only exemption would be for the foreign component of overseas transactions.
The April 6 circular said, “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction.”
Many foreign firms entered the Indian payments business in recent years. India’s payments market is expected to reach $1 trillion in value by 2023, a massive leap from the current $200 billion, according to Credit Suisse Group AG.
Regulators in Russia and China had passed similar orders. While that may sound like not the best company to be in, as the Financial Times noted last month, “There are entirely legitimate reasons for restricting the free movement of data, chief among them being concerns about privacy.” It argued that while some of the toughest restrictions on data movement are in surveillance states, like Russia and China, some European Union nations have also implemented data localisation measures for safeguarding privacy. Germany has been particularly sensitive to concerns regarding data privacy.
The Trump administration too abdicated any leadership position the US held on this front. Trump pulled the United States out of the 12-nation Trans-Pacific Partnership trade deal, which had substantive provisions on data flow. The EU, while particularly finicky on consumer privacy, removed itself from battles on data governance. As the Financial Times noted in the same article, “Rather than reciprocal trade deals, it relies on unilateral ‘adequacy agreements’ allowing information exchange with authorised countries or companies.” The newspaper said “Such deals are uncomfortably fragile, being subject to unilateral revocation and vulnerable to legal challenge.”
While some argue for data that knows no borders, 2013’s Edward Snowden incident changed things considerably. Snowden, a former contractor with the CIA, leaked the details of extensive internet and phone surveillance by the National Security Agency (NSA), an American intelligence agency tasked with “global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes.” That case led to governments putting renewed emphasis on border control provisions across the internet.
In effect, India is merely following the lead of the economic leaders when it comes to data governance.
Data security and localisation
A recent report issued by the Committee of Experts under the chairmanship of Justice BN Srikrishna and the Personal Data Protection Bill, 2018 have stirred up debate once again. The Data Protection Bill proposes all personal data that comes under the law must have at least one serving copy stored in India. Secondly, bearing in mind that nebulous thing we know as national interest, companies are mandated to store and process such personal data only in India such that no transfer abroad is permitted. The bill also says, "The Central Government will be vested with the power to exempt transfers on the basis of strategic or practical considerations."
Ashi Bhat and Suneeth Katarki wrote in Mondaq.com, "Due to the transient and pervasive nature of data on the internet, its security is constantly threatened and indeed been breached at several instances….A requirement to store personal data locally would boost law enforcement agencies' efforts to access information required for the detection of crime as well as in gathering evidence for prosecution. This is because it would be easier for law enforcement agencies to access information within their jurisdiction as compared to waiting for responses to requests made to foreign entities which store data."
The two also observe that data localisation can also prove counterintuitive. Their argument goes something like this: "...restricting service providers to use the infrastructure within a limited geographical territory increases threats to data security. This is because the internet enables centralized data storage and processing, taking advantage of economies of scale and a seamless, global internet. If web service providers are unable to draw on the infrastructural architecture across the world, the argument of data security, and by extension data enforcement, is undermined. Creating check-posts and border controls on transmission of data splinters the internet - the core of which is interconnectedness - into several clusters of networks. This balkanization of the net weakens the data security measures considerably."
They argue that access to data depends on who has custody, control and possession of the actual data. It may not necessarily be with the entity that provides the local hosting facility. Further, those who are pro data localisation argue that undersea cables, the lifelines of global data, are publicly known and hence vulnerable. On the other hand, data localisation is no guarantee of data security. Bhat and Katarki cite a 2011 study by the Leviathan Security Group where a slow water drip in an office building in Calgary in Canada set off an explosion which caused days of computer outages for hospitals, ambulances, radio stations, taxis, and criminal justice facilities all over the province of Alberta.
Another popular argument in favor of data localisation seems to be with regard to espionage. Critical state interests could be drawn up for exclusive processing within India. The bill proposes that all other types of data must remain freely transferable, subject to certain conditions. Therefore, to prevent foreign surveillance, critical data should be exclusively processed within the territory of India. The argument against this is playing out before our eyes in the news:
Many foreign governments reportedly use very sophisticated malware for data surveillance. Physical access to data storage or processing facilities is not technically necessary in order to conduct surveillance activities.
India’s approach to data governance
Meanwhile, some hope India will not insist on data localisation. The Financial Times wrote, “It would seem perverse for an emerging economy desperate for growth and profits deliberately to damage one of its most successful export sectors. But India, where the threat of self-destructive protectionism never quite goes away, is shaping up to do exactly that.”
Well, that was a bit condescending, but they may have a point in some part. FT explains, “...the moves have been egged on by domestic companies, including data centre and digital payments groups, trying to keep out foreign competition. This is short-sighted. India has benefited mightily from its IT industry engaging with the world economy. A boost for a few Indian companies will be outweighed by lower efficiency from using relatively expensive domestic data storage, and by the loss of foreign processing business.”
FT advocates for a system with “clearly defined safeguards” but that idea hits the brick walls of American and European reservations regarding data governance.
On the other hand, some American lawmakers also hope India will go easy on this front. Reuters reported that Senators John Cornyn and Mark Warner - co-chairs of the Senate’s India caucus that comprises over 30 senators - wrote a letter to Prime Minister Narendra Modi urging India to “adopt a ‘light touch’ regulatory framework that would allow data to flow freely across borders.”
They added, “We see this (data localisation) as a fundamental issue to the further development of digital trade and one that is crucial to our economic partnership.” Considering the blow hot, blow cold nature of Indo-US relations under Senor Trump, it’s anybody’s guess how much headway the senators’ request could make. Meanwhile, other reports quoted a senior Trump administration official who claimed the US wants to prohibit data localisation to ensure free flow of information across borders. Dennis Shea, deputy US Trade Representative and US Ambassador to the WTO, said last week, “We want to have prohibitions on data localisation to ensure free flow of information, free flow of data across borders, disciplines around countries requiring companies to give up their source code, permanent ban on taxation or duties on digital transmissions... South Africa and India want to rethink the current moratorium on those duties.”
Andy Surabian, a Republican strategist and a political adviser to Donald Trump Jr, wrote in BreitBart News, “If implemented, this policy will put an unnecessary burden on American companies and hurt consumers, who will endure higher costs and increased cybersecurity risks.”
This confrontational turn is one that Nasscom has warned about, and hopes to avoid. Nasscom’s Senior Director Ashish Aggarwal told the Economic Times that imposition of conditions that are perceived "onerous and unnecessary" could trigger retaliatory measures from other countries. And we know the Trump administration tends to take all prodding and provocation seriously.
Reuters reported that Shamika Ravi, a member of the PM’s economic advisory council, had said the moves were in the long-term strategic and economic interest of the country. The agency also claimed that government sources said stringent data localisation measures were essential for gaining easier access to data during investigations.
Anand and Sud of ASG strike a rather warning note. They claim data localisation could cause reductions in investment and innovation in India’s vibrant digital economy. They say lawmakers in India do not directly tackle the issue - neither in the Ministry of Electronics and Information Technology’s recent 300-page draft data protection bill, nor in the RBI’s circular with the October 15 deadline.
The main thrust of Anand’s and Sud’s arguments is twofold: elevated costs, and deterioration in the quality of the services that consumers in India get in the name of data security. They claim that data security is equally robust, if not more, outside India than only within. Consider, for instance, MLATs or mutual legal assistance treaties. The US enacted the CLOUD Act, which allows the US government to cooperate with other governments to ensure foreign law enforcement agencies can request data directly from American companies.
Second, they recommend lawmakers focus on the development of sophisticated legal and technological requirements for data protection and also articulate them clearly, instead of depending on localisation as a remedy for security concerns. The ministry’s current bill is too broad and vague. It says the government must identify categories of data that can be classed as critical on grounds of “necessity or strategic interests of the State.” See what I mean by vague? When addressing sensitive personal data, the bill considers a range of low-risk financial data as sensitive. Anand and Sud say this sets a risky precedent for what data the government can identify as “critical.”
The situation on the ground
But what exactly is happening on the ground? The Wire reported that 80 percent of payment operators were ready to comply with the deadline. Out of the 80 payments services providers that were instructed to store data locally, and not mirror it outside India, 64 firms said they were ready. Google, Facebook, WhatsApp, Amazon and Alibaba are some of the big names who were ready with local data storage. India is WhatsApp’s biggest market, with around 230 million active users. No wonder then that parent company Facebook wasted no time getting ready for the deadline so that its new payments service does not suffer any disruptions. A WhatsApp spokesperson told Livemint, “...We’ve built a system that stores payments-related data locally in India. WhatsApp Payments is useful for people in their daily lives and we hope to expand the feature to all of India soon so we can contribute to the country’s financial inclusion goals.”
That is a shift in position from WhatsApp. Back in August, the Supreme Court asked WhatsApp to respond to a plea that alleged the company had failed to comply with the provision of appointing a grievance officer and other laws in India. The petition claimed WhatsApp is a foreign company with no office or servers in India, and is obliged to have its office and payments in India to run a local payments service.
In September, WhatsApp appointed Komal Lahiri as the grievance officer for India. It also listed out a process for users to flag concerns and complaints.
Some reports suggest that Google, too, has moved to comply with RBI’s norms. In August, IT minister Ravi Shankar Prasad met with the company’s CEO, Sundar Pichai, at Google’s headquarters in Mountain View, California. A government source reportedly told the media that Google had sought time until the end of the year to put the necessary systems in place. However, a company spokesperson was reported by Moneycontrol as saying, “We maintain that cross-border data flows today are ubiquitous and an essential phenomenon for global economic activity and universal access to information. Soaring data flows generate more economic value and hence the socio-economic impact of restricting data flows must be thoroughly considered while framing any policy. There is a need to find practical and contemporary solutions to policy issues in line with global best practices. We have nothing to add at this point of time.”
Alibaba, an investor in Paytm as well as other companies in India, stated that it supports data localisation. Alibaba’s cloud service, Alibaba Cloud - yes, that’s what it is named - is also looking to expand in India, and has launched its first data centre in the country. Alibaba Cloud president Simon Hu told the Economic Times the company is keen on data localisation in every country in order to promote data security. He said candidly that building trust in Chinese cloud technology is a challenge. Hu said, “We need to respect laws on data security and privacy. It is the most fundamental one. We insist on localisation of data. Indian data should be stored in India. That is our principle.”
Alibaba’s Indian partner PayTM pulled no punches on the issue. A spokesperson for PayTM said, “We have complied to this mandate since day one and have welcomed this initiative right from the beginning. It is important that we do not become mere internet colonies for global companies.” Pretty strident tone from PayTM there.
Close to 16 of the 80 payments services firms who are still holding out requested more time to comply. This list includes international payment companies like American Express, Visa and Mastercard. The credit card companies asked for an extension of the deadline and a relaxation of the rules. They cited operational difficulties and security concerns. A source told the Hindu Business Line, “Card networks account for more than 70 percent of the payment network and they will not want to lose the business. It is understood that they will comply by October 31.”
RBI data shows that Mastercard, Visa and Amex dominate the payment ecosystem, with transactions worth Rs 94,199 crore as of June 2018, with UPI at Rs 40,834 crore and wallets at Rs 14,632 crore.
The Reserve Bank seemed willing this week to accommodate these organizations, provided they submit a schedule for adhering to the new rules. ET reported that Finance Minister Arun Jaitley recently met RBI Deputy Governor BP Kanungo to discuss this issue.
Vivek Belgavi, India FinTech Leader at PwC India, said, “This is the new global normal. Data privacy and data sovereignty are here to stay. Eventually you will see global majors being open to...(data localisation).” Be that as it may, some believe the RBI is pushing too hard. Sanchit Gogia, founder and CEO of Greyhound Research, said, “The RBI seems to have rushed the matter. Global companies should have been given at least a 12-month horizon with clarity on …how much to store, what to store...the tenure etc. It is not about putting a hardware somewhere, it is also about processes and it takes time.”