The Reserve Bank of India’s (RBI’s) insistence that all payment companies shift India-specific data and data-processing activity to servers located within India by October 15 can certainly be justified on various grounds. The RBI wants unfettered supervisory access to payment data and that is unobjectionable. It is also possible to justify data localisation on the grounds of data sovereignty. For instance, it is possible, if slightly far-fetched, that data could be indicted if it is stored on American servers and India faces US sanctions. However, such concerns of supervisory access and data sovereignty could be easily addressed by "mirroring" — that is, storing real-time data copies in India, while continuing to process transactions externally. But the RBI has refused to allow the mirroring option, which commercial entities would have preferred. In essence, the RBI wants data to be stored and processed only in India.
For their part, commercial entities are unhappy about this for several reasons. Global players such as banks, e-commerce majors, fin-tech service providers and credit card companies prefer to do all their storage and processing at one or two global centres. Moving processes implies higher costs and disruption. New teams must be hired and trained, and security procedures have to be reviewed and modified. Local infrastructure, too, suffers from severe deficiencies. Indian data-transmission speeds are slow by global standards. Server capacity is low and costs are high and likely to rise as demand is artificially boosted. The RBI’s insistence may lead to a situation where smaller payment companies stop offering services in India. It will also impose higher costs on the start-up ecosystem since any Indian start-up will pay higher costs to include payment options.
To be sure, there are other concerns as well. For instance, India does not have a data protection
law and, given the current political situation, there may well not be any such law until after the general election of 2019. The Srikrishna Committee recommendations on data protection
are currently open for public feedback and unlikely to be presented in Parliament as a draft Bill until areas of contention, including proposals for data localisation (where there was a note of dissent), have been clarified. Nor does India have adequate security standards in practice. There have been massive leaks and hacks of sensitive information, including payment records and credit card data, on multiple occasions. Surveillance by government agencies is another grey area. Law and order departments and security agencies currently operate in a legal vacuum, where they can search and survey all sorts of digital data without any checks or balances. Indeed, there is evidence that foreign intelligence agencies also collect a massive amount of Indian data and meta-data. For example, Edward Snowden's leaks included the information that America's National Security Agency collected 12.6 billion instances of data and metadata from India every month.
The push towards data localisation has been justified by high-minded appeals on the grounds of data sovereignty. But it must be backed up by the fast passage of a strong data protection
law that clearly defines and limits the powers of surveillance. It also needs to be buttressed by a policy that encourages the creation of higher server capacity and enables cheaper and faster data transmission.