Data localization: What India can dictate, and what she can’t

While some of concerns, forwarded by lawyers and those who represent multinational companies, seem genuine, people are possibly confusing the many types of data, the many ways it ought to be stored and mirrored.

The Reserve Bank of India (RBI), this week, provided clarifications on an earlier circular on data localisation. In April 2018, the central bank had first advised all system providers to ensure that data relating to payment systems operated by them be stored in India.

In some quarters, these clarifications have raised further doubts. While some of concerns, forwarded by lawyers and those who represent multinational companies, seem genuine, people are possibly confusing the many types of data, the many ways it ought to be stored and mirrored. There is personal data, data held by e-commerce companies and cab aggregators. Then, there is payments data.

Business Today spoke to policy experts, strategic experts, and lawyers to make sense of some of the RBI clarifications, and the way forward. Here are some of them:  

• The Personal Data Protection Bill of 2018 states that “every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies”. This means that when it comes to personal data, the ‘golden copy’ (the master version of a record of data) abroad must have a ‘silver copy’ (the mirrored version) in India. For instance, if Google offers a service from abroad, the golden copy of the data could be sitting out of servers in the US, but since the company is serving Indian customers, a silver copy must be in India too.
• RBI is saying the opposite when it comes to payments data. In a transaction where both parties are domestic, the transaction record must be stored in India without having recourse to a foreign server. Why is this important? Strategic experts are worried about the weaponisation of the payments system, especially after the US-Turkey dispute. Turkey was an ally of the US.
• What happens to cross-border transactions where there are two legs, one of them abroad? The RBI clarification: “For cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required”.
• RBI next states that “in cases where the processing of payments is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India”. This is where it gets tricky. It is difficult to track whether data has been deleted or still stored. Deletion is cross-jurisdictional in nature – overtime, cross-border protocols got to emerge. Supratim Chakraborty, Partner, Khaitan & Co. says that a foreign regulator may not be amenable to a proposition that data, which was processed in their country, is made available to them after receiving approvals from the RBI. “Any data reaching foreign soil may also get governed by law of that country. We cannot simply dictate deletion deadline”.  

• It isn’t clear how financial data stored in India will be accessed by the government. More clarifications are awaited here. The Government must define a process for data access as a lack of surveillance laws along with no data protection law would expose citizen’s privacy, Kazim Rizvi, Founding Editor of The Dialogue, a think tank, says. “What would be the recourse mechanism if payments data is wrongly accessed or financial privacy of citizens is breached? What would be the conditions under which such ‘unfettered access’ is sought? Can a court adjudicate on the same? Would Parliament be kept in confidence? These are fundamental issues, and now that payments data will be localised, we must seek a framework through which financial data is accessed by the government,” he adds.