Will RBI's Local Data Storage Mandate Be Relaxed?Experts Weigh In on the Impact of Financial Minister's Proposal
The finance ministry has proposed relaxing a directive from the Reserve Bank of India, the nation's central bank, that requires certain foreign payment-related firms to store local data in India.
Although an alternative plan has not been formally announced, the government has reportedly suggested that foreign payment firms keep a backup of Indians' data in the country.
The ministry's proposal to relax the RBI mandate came after lobbying by U.S. companies and trade bodies. The announcement comes at a time when the government in India is pushing for a shift to digital payments to help crack down on "black money" tax evasion.
RBI's mandate, announced in April, is applicable to licensed entities, such as wallet issuers, as well as payment gateways and intermediaries. The mandate had surprised many industry players who were taken aback by the directive.
If RBI eases the rules, it would be a relief for such firms as MasterCard, Visa and American Express. Executives at these companies met in May with the Payments Council of India, which has about 100 payments firms as members, to put forth their concerns on local data storage. They argued that India's data onshoring move could cost them millions of dollars and set a precedent for other major governments to implement similar rules at a time when there is heightened scrutiny of how companies globally handle their customers' data (see: RBI Mandate for Domestic Data Storage Proves Controversial)
But some security practitioners who have been advocating stricter privacy and data protection laws in India have expressed displeasure about the finance ministry's proposal, especially because India-based payments firms must store data locally.
"This is a shameful sale off of national interest. How is a foreign entity different from an Indian firm in the face of Indian laws? It is sad to see we are giving into foreign pressure and lobbying so easily," says Dinesh O. Bareja, COO at Open Security Alliance, a cybersecurity firm.
Debate Over the Mandate
U.S. companies have been lobbying hard for a reversal of the RBI mandate. They expressed concerns about the lack of clarity on the type of data that needed to be stored and the timeline to implement the rules.
Reuters had reported in May that RBI had initially resisted a joint lobbying effort by the foreign payment companies, asking them to comply, not complain.
India's finance ministry, in a meeting held in June with RBI officials and executives from payment firms, said that a possible solution could be that companies would be allowed to store data offshore as long as a copy was kept in India, Reuters reports.
The central bank of India, in its notification to payment firms in April, had said: "It is observed that at present only certain payment system operators and their outsourcing partners store the payment system data either partly or completely in the country. In order to have unfettered access to all payment data for supervisory purposes, it has been decided that all payment system operators will ensure that data related to payment systems operated by them are stored only inside the country within a period of six months."
Data Protection Movement
The government's proposal to relax the rules has come as a surprise because the debate on privacy and data protection is at its peak not only in India but globally as well.
For instance, Vietnam in June passed a law that would require Facebook, Google and other global technology firms to store locally important personal data on users in Vietnam. The move came despite many protestors taking to the streets to deride the cybersecurity bill, which they argued could cause economic harm and stifle online dissent.
"Vietnam didn't bend its rules despite companies from U.S. and Canada lobbying hard with the government. The global companies here held public protests on streets, but the local government was stern on their stand and passed the bill," says Vijay Nair, manager, forensics technology at KPMG Vietnam. "It's a shame that India couldn't hold onto this [local data storage requirement], especially when the skill and infrastructure is already available."
A Reasonable Compromise?
Some security experts and cyber lawyers argue that at least requiring data backups in India for local citizens' data would make matters easier in forensic investigations.
"Payment companies may only need to create a backup in India for the stored data, provided the ministry makes a formal announcement," says Na. Vijayashankar, a cyber law expert. "So far, the argument in favor of data sovereignty has been that when data is required for law enforcement purposes, the storage controller should cooperate. This can be, to a large extent, achieved if backup is kept in India."
Vaishali Bhagwat, advocate and practicing cyber lawyer, notes: "Obviously, the government's decision will impact data sovereignty. But one needs to understand that RBI's mandate for storing data locally might encourage other industries to demand the same. It might not be a practical thing to expect in era of globalization."