The RBI’s mandate to payment systems providers that they store ‘the entire data relating to payments systems operated by them… in a system only in India’ expires today.
But you already knew that.
Two US senators, John Cornyn and Mark Warner, co-chairs of the US Senate’s India caucus, we are told, have jumped into the fray alongside Indian payment systems providers such as PayTM (who are campaigning to have this rule enforced as strictly as possible) and non-India-based payment and settlement systems providers such as MasterCard and Visa (who are campaigning for the data localisation rules to be relaxed).
(In case you’re wondering, the US senators are siding with the non-India-based campaigners.)
The ‘Mirroring’ Proposition…
While we have not had a chance to speak with the two US Senators (nor are we likely to have such a chance in our lifetime!), or the representatives of any payment systems providers, we have met and spoken with a number of entrepreneurs over the past few weeks, who all seem to have the same question about the RBI’s data localisation directive:
“OK, so the RBI wants data localisation so they can seize / inspect records / data whenever they have to – that’s fine – but why don’t they at least allow data mirroring?!!”
If you’re one of these entrepreneurs, your frustration is understandable: after all, the RBI’s Notification of April 6, 2018, which directed payment systems providers to ensure data localisation by October 15, 2018 states:
“In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem.“
Given this, it’s easy to understand why you think data mirroring can take care of everyone’s concerns. Yet, the RBI refuses to allow data mirroring either. Why, you ask, oh why?
…and Why it Won’t Work
The reason for this lies behind a thicket of legislation, draft legislative material, committee recommendations, and regulatory pronouncements. That sounds like the stuff of yawns and dozes, but we’ll try and make it as simple as possible:
- Talking about why the RBI is taking such a strict stance on data localisation, the Business Standard says “Sources say the central bank is preparing the ground for a stringent Data Protection Bill, a draft of which was released by the Justice Srikrishna Committee in August.” While a newspaper isn’t a regulator, in this case their article may be helpful in understanding the RBI’s motivations.
- The Draft Personal Data Protection Bill (the “DPDPB”) does have stringent requirements on data localisation – while these do not apply to all data, there are various provisions relating to the storage of ‘critical personal data’ in India exclusively. We’ll carry another post on what the Bill says in a few days, but for the moment, let’s stay focused on the issue at hand.
- The DPDPB was framed by a Committee of Experts headed by Justice Srikrishna, a retired judge of the Supreme Court of India. In its report, titled A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, (the “Expert Committee Report”) the Committee provides various arguments and analyses for its recommendations, which we assume have resulted in the published form of the DPDPB.
- The Expert Committee Report has an entire Chapter discussing Data Localisation. (If you’d like to read the Export Committee Report, or any of the other sources mentioned in this post, head on below to the ‘Additional Resources’ section at the bottom of this post.) A close reading of this Chapter will help you understand the regulatory reasoning and, possibly, policy direction on data localisation.
- Let’s leave aside the discussion on data localisation norms in other jurisdictions in the Expert Committee Report and focus on the ‘benefits’ the Committee says would come with localisation of data – aside from ease of search and seizure and law enforcement (which your ‘mirroring’ argument may well address), these are: (i) Avoiding resultant vulnerabilities of relying on fibre optic cable network, (ii) Building an AI ecosystem, and (iii) Preventing foreign surveillance.
- Citing fears of terrorist attacks and other natural and non-natural calamities that may strike undersea cables used to route data across borders, the Committee of Experts says:
“From this, it may be argued that data critical to Indian national interest should be processed in India as this will minimise the vulnerability of relying solely on undersea cables. Critical data, in this context will include all kinds of data necessary for the wheels of the economy and the nation-state to keep turning… This may even extend beyond the scope of personal data, regarding which an appropriate call may have to be taken by the Government of India. The objective will be served if even a single live, serving copy of such critical personal data is stored in India. However, the processing of such data exclusively within India may be necessary for other benefits as discussed below.“
- The AI buzz hasn’t failed to cause a flutter in the Committee of Experts either. They say “In the coming years AI is expected to become pervasive in all aspects of life that are currently affected by technology and is touted to be a major driver of economic growth.” Going on to argue that data localisation and local processing are critical to ensure the healthy growth of an AI industry in India, the Committee states:
“The growth of AI is heavily dependent on harnessing data, which underscores the relevance of policies that would ensure the processing of data within the country using local infrastructure built for that purpose… Azmeh and Foster in their 2016 study, point out the benefits that developing countries can derive from a policy of data localisation. These include: first, higher foreign direct investment in digital infrastructure and second, the positive impact of server localisation on creation of digital infrastructure and digital industry through enhanced connectivity and presence of skilled professionals. Creation of digital industry and digital infrastructure are essential for developments in AI and other emerging technologies, therefore highlighting the significance of a policy of requiring either data to be exclusively processed or stored in India. This benefit can be captured in a limited manner by ensuring that at least one copy of personal data is stored in India. Further, a requirement to process critical data only in India would create a greater benefit insofar as it extends beyond mere storage.“
- And finally, of course, there is the spectre of snooping: the Committee recognises the threat of surveillance by governmental and non-governmental actors (though why this latter set of actors would pose a greater threat overseas than in India, we’re not sure). Recognising that a completely walled-off ‘Indian Internet’ would be counter-productive to India’s global economic aspirations, the Expert Committee Report says:
“In order to strike a balance, it is essential to enquire into the kinds of surveillance activities that are most detrimental to national interest. In the context of personal data, this would pertain to such critical data as those relating to Aadhaar number, genetic data, biometric data, health data, etc. Only such data relating to critical state interests must be drawn up for exclusive processing in India and any such obligations should be limited to it. All other kinds of data should remain freely transferable (subject to the conditions for cross-border transfer mentioned above) in recognition of the fact that any potential fear of foreign surveillance is overridden by the need for access to information. Thus, for prevention of foreign surveillance critical personal data should be exclusively processed within the territory of India.“
So there you go. What you may have heard on ‘the street’ or regular rumour mills is probably a second- or third-hand version of a hapless regulatory official trying to decode all this and communicate it in a way that they think makes sense.
If you’re campaigning against data localisation, your arguments need to go beyond a simple ‘Arre mirroring kar denge na, sir!’ to take on the entire gamut of reasons that the Expert Committee provides in favour of data localisation.
We will, of course, write more in the coming days on what the DPDPB says about data localisation and what your data collection / processing business may have to do to comply with it. In the meantime though, do let us know what you thought about this article – whether it was helpful or not, and what you would like us to write about next. Our email address appear below, and we’d love to hear from you!
Here’s how you can reach us:
Bhavin Patel (firstname.lastname@example.org)
Hemant Krishna (email@example.com)
- The RBI’s Notification RBI/2017-18/153 DPSS.CO.OD No. 2785/06.08.005/2017-2018 dated 6 April 2018 (the “Data Localisation Notification”)
- The Report of the Committee of Experts on Data Protection
- The Draft Personal Data Protection Bill, 2018
- It would also be helpful to read the provisions of the Payment and Settlement Systems Act, 2007, and in particular, the following sections, closely: (i) S. 2(1)(i) (definition of ‘payment system’), (ii) S. 10 (‘Power to determine standards’), and (iii) S. 18 (‘Power of Reserve Bank to give directions generally’).
Disclaimers (we’re lawyers, after all!):
- This blog and its contents are not intended to, nor do they purport to, provide legal advice in any manner whatsoever. If you have a concern or query relating to any matter discussed in this blog, we advise that you seek independent professional legal advice in the specific context of the facts and circumstances relating to your query.
- The rules of the Bar Council of India forbid lawyers from soliciting work or advertising in any manner. This blog is intended for informational and educative purposes only, and is not intended to solicit clients or act as an advertisement for our professional services.