Importance of localising data in payments ecosystem

What is data localisation?

In a landmark circular in April last year, the Reserve Bank of India, to have greater control over the country’s payments data, issued a set of norms to be followed by every foreign payment company parking local-data abroad. The regulator’s data localisation norms mandate all “critical data” shipped off by foreign payments companies to be stored within a server physically present in India. Since then, the government has drafted a similar policy for foreign e-commerce players as well.



Why is it important?

The RBI argued that this step would help achieve greater power over the data it is generating and prevent any possible misuse. “In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers, intermediaries, third party vendors and other entities in the payment ecosystem,” RBI said. Such a law falls under the broader ambit of cyber-sovereignty, which refers to a county’s right to govern its own cyberspace in its best interest.

Why the backlash?

Many large tech companies have expressed their dissatisfaction with RBI’s norms. Google has been among the major critics. “Mechanisms allowing for crossborder data flows are critical to the modern economy. Countries should adopt an integrated framework of privacy regulations, avoiding overlapping or inconsistent rules whenever possible,” Google chief privacy officer Keith Enright had said. The US, in its National Trade Estimate Paper, also criticised the move, deeming it a deterrent to ease-of-doing business.

Have the companies complied?

While most of the major payments companies such as Mastercard and Visa have reported compliance, a few others remain on the edge. WhatsApp Pay, which has been working on beta-mode with about 10 lakh users, is reported to have agreed to the compliance norms to the National Payments Corporation of India (NPCI) for full-scale launch of their payments feature on the app.

Which are the other countries that have implemented similar rules?

A considerable number of countries such as China, Russia, Thailand, Nigeria and France have their own cyber-legislation norms. The European Union, under its data-protection legislature, allows cross-border transfers but only if the other country has an acceptable data-privacy law. China, on the other hand, has taken a much more severe approach, with law giving complete control of its cyberspace to the state. The Chinese government doesn’t allow its netizens to operate either facebook or whatsapp declaring complete sovereignty over internet and cyber-data, citing national security interest.