RBI Mandates Data Localisation For Payment Services: The Only Solution To Protect Data Privacy?

Data privacy and protection has become a major concern for authorities around the world. And with the booming ecosystem of online payment services in India, the Reserve Bank of India (RBI) has taken a step to ensure data localisation to gain ‘unfettered supervision’ powers.

The RBI Notification

RBI has mandated that all payment system providers and their intermediaries, third party vendors, service providers etc. must store all their data in India only (except in case of a foreign leg of a transaction which can be stored in a foreign country, if required) within 6 months and thereafter submit a compliance report to RBI. This data should include the full end-to-end transaction details and information collected/carried/processed as part of the message/payment instruction.

Justification for Unfettered Supervision

RBI has issued this directive under Section 10(2) of the Payments and Settlement Systems Act, 2007 as a necessary requirement for safety and security measures, as most payment services, especially those backed by foreign funds, have their data stored in international servers governed by foreign laws, thereby restricting the RBI’s access to the data. The purpose behind this, RBI says, is “to ensure better monitoring, it is important to have unfettered supervisory access to data stored”.

Local v. Global

While some of the domestic payment services such as Airtel, Paytm and PhonePe have welcomed the move, the others, especially the US-based companies such as MasterCard, Facebook, Amazon etc., have lobbied against this move. They have urged the the Trump administration to intervene and create a negotiable dialogue with the Indian Government to soften the tough stand taken by the RBI.

The US-based Centre of Information Privacy leadership (CIPL) has suggested to create ‘data mirroring’ options vis-à-vis data localisation and creating of ‘multilateral and bilateral instruments’ for data sharing. They claim this move acts as a trade barrier and only spoils the ‘Digital India’ initiative.

Is Unfettered Supervision the only solution?

In my previous article, I had written about the draft e-commerce FDI policy, which has a wide ranging requirement of exclusive local storage of personal data (community data) collected by Internet of Things devices in public space and data generated by users in India from various sources including e-commerce platforms, social media, search engines, etc.

Furthermore, even the the draft e-pharmacy regulations stipulate that the data generated by e-pharmacy portals be stored only locally. The Personal Data Protection Bill, 2018, based on the recommendations of the Justice Srikrishna Committee, has justified that data must be stored locally for ‘effective enforcement’ and to ‘avoid foreign surveillance of data stored in India’.

Now the astute minds may ponder as to why the entities engaged with India cannot be compelled by law to give access to non-local data? The answer to that could be because of jurisdictional issues. Data which is locally stored can be easily accessed by authorities if mandated by law.

Such privilege may be deprived with international legislation, geopolitics and where cross-border laws exist. The banking laws of the tax havens are an exemplar to this.

Is storing data locally the best effective solution?

Fraud investigation experts state that data chains and integrity are far more important than having physical access to hard drives. Thus, storing the data locally to have access for investigative purposes may not hold solid ground.

The US and the UK, as history has shown, have often indulged in extraterritorial surveillance (Edward Snowden’s case on NSA). Thus, this move may enhance and secure surveillance on data by Indian authorities, but it will in no away help avoid surveillance by foreign countries, as reasoned by the Srikrishna Committee. It may not lead to enforcement of data protection, unless heavy data encryption and a strong IT infrastructure is put in place.

The US lobbyists have urged the usage of multilateral instruments for data sharing which, in my opinion, is ineffective and a sheer waste of time; the Justice Srikrishna Committee has concurred with the same. However, the US introduced the Clouds Act, 2018, which empowers law enforcement agencies to access foreign stored data in addition to granting access to foreign agencies to US stored data.

Now, an act like that would certainly help India in its stride towards data protection and supervision, and hence the defensive stand of RBI against such lobbying appears to be correct. Any sort of bilateral or multilateral talks of data sharing may turn out to be futile, ill-conceived and ineffective towards the goal of data protection.

Conclusion

There may be alternatives to protect data and have regulated surveillance of the same. Currently, data localisation may be the best solution to safeguard against any future contingencies that could result in misuse, data breaches or violation of laws. With the rise of cryptocurrency and online payment services, wallets etc. it would be foolish to not assume impending chaos due an unregulated environment.

The RBI’s mandate certainly ensures continuous monitoring to reduce future risks. However, this should not come at the cost of free flow of economy and business. With such powers of ‘unfettered surveillance’, RBI needs to draw a fine line between doing its job and indulging in intrusive micromanagement. Ensuring effective formulation and implementation of privacy laws should be a concern of the Central government, as we still remain significantly weak on this aspect. – Bar And Bench