Data localisation blues

The Reserve Bank of India’s (RBI’s) directive on data localisation has led to a furore in India’s digital payments industry. In its notification, the central bank has mandated all payments companies, global and local, to set up data storage facilities within India by October. The RBI has said this is required to gain “unfettered supervisory access” to such data for better monitoring and regulation, which is essential for reducing risks from data breaches. It is not surprising that in the wake of the Cambridge Analytica data leak, there is growing concern among regulators and policymakers about the fate of Indian data. Some countries are already insisting on this: For example, China has introduced a host of laws to ensure that all kinds of personal data of its citizens are stored on local servers. In Russia, any company collecting data of citizens has to keep it within the domestic boundaries. The existing regimes in the US and Europe are less restrictive, although a rethink is under way. 

On the face of it, the intent behind the RBI directive is unexceptionable; after all, it is aimed at better security of Indian data. But the assumption behind the RBI directive is that data stored locally will be easily accessible to the regulator and also be less susceptible to theft. There are many questions about this assumption. Apart from the time and cost aspect that such a directive imposes on companies, several fintech companies, especially those in the payment ecosystem, are also quite unhappy about the stiff deadline. Shifting existing data to Indian servers will involve substantial costs as India does not have adequate infrastructure. India lags far behind most countries in variables such as the amount of cloud space and internet speeds. As against the US or European countries, or indeed, even Singapore, storing data in India is likely to be more costly and inefficient. These costs will go up further as all future data generated is required to be stored within India. Hence, it is highly unlikely that India will be able to create the required capacities within the next six months. In essence, the additional costs will be passed on to consumers, and that is just one of the unintended consequences of the rushed directive. 

The RBI should also know that data localisation per se does not guarantee data security. It also requires putting in place a strong data protection law, which is missing in India’s case. Local storage is also not necessary if access is what the regulator wants. One can access data from far off, provided such access is built into the legal framework. There are also some concerns about unhindered access for authorities and questions of surveillance. The other issue that the RBI has ignored is that the payments industry requires some kind of data replication. Globally, it is a standard practice to have backup data centres in another location for disaster recovery and to ensure business continuity in case of catastrophes. Clearly, the regulator needs to think through its diktat on data localisation.