The Right Move

The Reserve Bank of India must be commended for sticking to its stand on data localisation rules for payment companies, despite massive pressure from American companies and their lobby groups. The central bank should now send a stronger signal by imposing stiff penalties on all payment companies that have not complied with the order directing them to store financial data of Indian users within the country by October 15. Under data localisation rules, companies that collect and process data from citizens or entities within a nation are required to store that data within the geographical boundaries of that country. This is not a new concept but has picked up pace after 2013 when National Security Agency contractor Edward Snowden leaked classified documents showing how the US government had accessed data to conduct surveillance on foreign allies. Since then countries like Germany have taken steps to ensure that sensitive data stay within their borders. Many other countries like Russia and China have very stringent laws around data localisation. This is being largely driven by the fear of losing critical data located in servers in international locations to hackers and spy networks of rival countries, as well as systemic risks during times of conflict.

While national security concerns are genuine, the arguments against imposing data localisation across all areas is valid. Any move to restrict all cross-border data flows and making it mandatory to store all personal data within a country, could be counterproductive as it could become a trade barrier. It could also break up the Internet if every country in the world insists on keeping data within its territory. For example, India’s Business Processing industry could come to a grinding halt if US applies data localisation rules across the board. In this context, India should be careful in imposing data localisation across all sectors as proposed by the Expert Committee chaired by Retd. Justice BN Srikrishna in the The Personal Data Protection Bill, 2018. There is no justification in insisting on data localisation in areas like e-commerce and cloud computing. But there may be a case for adopting data localisation in few sensitive sectors like financial services. India could learn from countries like Australia and Canada where data localisation rules are applied only to specific sectors like healthcare, telecom and finance.

The RBI’s stance should therefore be seen in this light. Data related to financial transactions of citizens are valuable and the regulator has the right to ensure that they do not fall into the wrong hands. But at the same time, policy makers should ensure that privacy of law abiding citizens is not violated. Multinational companies, on their part, should take a more proactive role in following local rules. For far too long, some foreign companies have escaped local laws stating that they are answerable only to lawmakers in their country. The RBI has done the right thing by insisting on compliance with local requirements. – The Hindu Business Line