BY SHEIKH NISSAR AHMAD
The Reserve Bank of India (RBI) has asked lenders to put in place a business continuity plan after it banned Mastercard, American Express (AmEx) and Diners Club International from onboarding new customers in India for not complying with the data localization norms prescribed by the country’s apex bank in 2018. The supervisory action has been taken in exercise of powers vested in RBI under Section 17 of the PSS Act (Payment and Settlement Systems Act, 2017). American Express and Diners Club International were barred on May 1 for not complying with data localization norms, while the ban on Mastercard came into effect from 22 July, 2021. The Mastercard ban is in the limelight because of the network’s popularity among common folks: it accounts for 33% of card payments in India, second only to Visa, which had a 45% share. In light of the ban, US-based Mastercard, the payment processing giant, has ceased to issue new debit/credit cards, although the ban will not impact existing users. According to financial experts, the ban is expected to be felt for the next few months because the banks that have exclusive tie-ups with Mastercard have to forge partnerships with other networks, which may take a few months. It is also forecast that Visa may keep onboarding new customers, as Visa has complied with data localization norms. A good opportunity has also arisen for the indigenous RuPay card to garner market share. After facing a catastrophic ban, American Express is set to partially resume its business in India post 7 August, 2021, which comes as a relief to its users.
What is data localization? Data localization refers to various policy measures that restrict data flows by limiting the physical storage and processing of data to a given jurisdiction. A number of countries have adopted data localization policies to restrict the free flow of data. In 2018, RBI prescribed data localization norms, under which the Government of India asked all payment processing systems to store sensitive data within the borders of India. Yet it isn’t clearly defined which data will be called sensitive or crucial. The regulator bank, in its draft, asked payment processing systems to store full end-to-end transaction details and the information collected and processed in India within a period of six months. Most payment operators opposed the data localization norms and argued that they would have to incur substantial costs to build the digital infrastructure required to store data locally. But the regulator bank stuck to its stand, mandating all payment system operators to adhere to the October 2018 deadline. However, in 2019, RBI allowed overseas data processing, provided the data is stored locally and the processed data is deleted within 24 hours.
Why is data localization needed? With data being borderless and accessible, India has followed the European Union’s General Data Protection Bill (GDPR) in allowing global digital companies to conduct business under certain conditions. Data localization gained momentum after the revelation that social media giant Facebook was found guilty of sharing user data with Cambridge Analytica, which is alleged to have influenced voting outcomes. It has been suggested that the information this data yielded was used to affect people’s voting in events such as the UK’s Brexit referendum and the election of Donald Trump to the presidency of the US. Yes, the main intent behind data localization is to protect personal and financial information from foreign surveillance and give local governments and regulators the jurisdiction to call for the data when required. In a breach of personal privacy, the processing of data beyond the borders within 24 hours has diluted the core agenda of the Draft Data Protection Bill.
Recommendation of the Justice Srikrishna Committee on data protection: In 2018, the Justice Srikrishna Committee submitted its report on data protection to the IT ministry, along with a Draft Data Protection Bill, titled ‘A Free and Fair Digital Economy—Protecting Privacy, Empowering Indians.’ The Committee was formed by the Union Government in 2017 to deliberate on a data protection framework. The bill effectively allowed the flow of data across borders as long as the data is not termed sensitive or critical. The draft law is a comprehensive piece of legislation that seeks to give individuals greater control over how their personal data is collected, stored and used. Srikrishna, who headed the committee, said in 2018, “the line between right to privacy of an individual and the right of the state to access data is a fine one and the data protection law should guarantee that data collected is only to the extent to which it is required.”
With cyberweapons becoming the weapons of choice, India must be prepared for, and guard against, a new epoch of cyber challenges. Keeping in view Pegasus-like spyware, the country runs the risk of being a honeypot of personal data susceptible to data security threats. We should understand that data localization doesn’t mean data privacy. Building a strong storage and monitoring framework needs sophisticated infrastructure that would cost India a massive amount of money, which the GoI wouldn’t hesitate to disburse. Though it would be a hurdle for foreign companies already operating in India to bear extra expenses, it would meanwhile bolster the indigenous RuPay card to replace foreign payment majors, which will directly affect foreign direct investment (FDI) in India. We cannot deny that Indian companies as well as the government have a poor record of protecting data; therefore, the data localization mandate is unlikely to meet the policy goal of data safety.
Sheikh Nissar can be reached at firstname.lastname@example.org