The Reserve Bank of India’s (RBI’s) directive on data localisation has led to a furore in India’s digital payments industry. In its notification, the central bank has mandated all payments companies, global and local, to set up data storage facilities within India by October. The RBI has said this is required to gain “unfettered supervisory access” to such data for better monitoring and regulation, which is essential for reducing risks from data breaches. It is not surprising that in the wake of the Cambridge Analytica data leak, there is growing concern among regulators and policymakers about the fate of Indian data. Some countries are already insisting on this: For example, China has introduced a host of laws to ensure that all kinds of personal data of its citizens are stored on local servers. In Russia, any company collecting data of citizens has to keep it within the domestic boundaries. The existing regimes in the US and Europe are less restrictive, although a rethink is under way.
On the face of it, the intent behind the RBI directive is unexceptionable; after all, it is aimed at better security of Indian data. But the assumption behind the RBI directive is that data stored locally will be easily accessible to the regulator and also be less susceptible to theft. There are many questions about this assumption. Apart from the time and cost aspect that such a directive imposes on companies, several fintech companies, especially those in the payment ecosystem, are also quite unhappy about the stiff deadline. Shifting existing data to Indian servers will involve substantial costs as India does not have adequate infrastructure. India lags far behind most countries in variables such as the amount of cloud space and internet speeds.
As against the US or European countries, or indeed, even Singapore, storing data in India is likely to be more costly and inefficient. These costs will go up further as all future data generated is required to be stored within India.
Hence, it is highly unlikely that India will be able to create the required capacities within the next six months. In essence, the additional costs will be passed on to consumers, and that is just one of the unintended consequences of the rushed directive.
should also know that data localisation per se does not guarantee data security.
It also requires putting in place a strong data protection law, which is missing in India’s case. Local storage is also not necessary if access is what the regulator wants. One can access data from far off, provided it is built into the legal framework. There are also some concerns about unhindered access to authorities and questions of surveillance. The other issue that the RBI has ignored is that the payments industry requires some kind of data replication. Globally, it is a standard practice to have backup data centres in another location for disaster recovery and to ensure business continuity in case of catastrophes. Clearly, the regulator needs to think through its diktat on data localisation.