April 13, 2018
Digital Privacy: First Step Towards Data Localization
- All payment system data to be only in India. Data of a foreign leg in a transaction can be stored in the foreign country.
- Applicable to all payment system operators in India, including MNCs operating in India. Six months for payment system operators to comply.
- Types of data to be localized and meaning of a ‘foreign leg of a transaction’ unclear.
India’s central bank, i.e. the Reserve Bank of India (“RBI”) has issued a notification1 directing all payment system2 providers to ensure that the entire data relating to the payment system operated by them are stored in a system only in India (“Notification”).
The RBI via the Notification observed the recent growth in the Indian digital payment ecosystem for which security measures on a continuous basis were necessary. This move appears to be one of the steps to be implemented by the RBI towards that goal.
- The Notification directs all digital payment system providers to ensure that the entire data relating to payment systems operated by them are stored in a system only in India.
- The data to be stored only in India includes “full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction.”
- For a foreign leg of a transaction (if any), the data could also be stored in the foreign country if required.
- Payment system providers need to comply with the Notification by October 15, 2018 and a compliance report to be submitted to the RBI by the end of the year.
Although the intent of the RBI appears to be clear in the Notification, there are a few issues and ambiguities that may arise in complying with the Notification.
‘Data stored in a system only in India’:
An issue which may result on a plain reading of the Notification pertains to the requirement on data having to be stored in a system ‘only’ in India. While it is not apparent from the language of the Notification, the RBI has not clarified whether this requirement operates as a prohibition to also store copies of the data elsewhere (where there is no foreign leg to a transaction). With several international companies operating in India, this creates an ambiguity on whether copies of such data could be transferred overseas.
‘Foreign Leg of the transaction’:
The Notification has provided an exemption to the localisation requirement, i.e. data of a foreign leg of a transaction can be stored in the foreign country. However, the term ‘foreign leg of a transaction’ has not been clearly defined and this may create interpretation issues in what actually may constitute a ‘foreign leg of a transaction’ and what data could relate to such foreign leg.
One interpretations of the term could mean that international payment systems providers could store the entire data of a transaction overseas claiming that since they are foreign companies, the entire set of data pertains to a ‘foreign leg’. On the other hand, the RBI could go to the extent of saying that the ‘foreign leg’ is restricted to merely the name of the foreign party to whom the payment is being made and the amount of such payment, thus not permitting other types of data in the transaction to be stored overseas.
Meaning of ‘data’:
The term ‘data’ has not been defined in the Notification. The Notification provides that “data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction.” It may not be clear as to what may constitutes ‘end to end’ data. It may also mean that ‘personal data’ of an individual within a particular transaction could be included in the meaning above and if so, such personal data of the individual would need to be stored only in India and cannot be transferred overseas.
Concerns for multi-national companies (MNCs):
MNCs may have to comply with numerous international compliance requirements across various jurisdictions, especially for anti-money laundering / countering financing of terrorism and to detect tax evasion. In the absence of the ability to export the payment system data from India, compliance with these requirements may be seriously affected. This may also result in contradiction of Indian law against foreign law requirements applicable to such MNCs.
Keeping in line with recent global concerns on data security and data sovereignty, the Notification is a bold attempt by Indian regulators to keep data within Indian borders. However, in the absence of clear definitions, the applicability of the localization requirements will be tested, especially as far as multi-national payment processors and card networks are concerned. Also, given the fact that the Indian Government is in the process of framing a new data protection law for the country, it would be interesting to see if the Government is persuaded to implement such data localization requirements for other types of information and in other industries.
1 Notification on Storage of Payment System Data, dated April 6, 2018. Available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0. Last accessed: April 12, 2018
2 Section 2 of the Payments and Settlement Systems Act, 2007 defines ‘payment system’ as a “system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange; Explanation — For the purposes of this clause, "payment system" includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.”