Unpacking RBI's Quest to Have All Payment Data Stored Within India's National Boundaries

The central bank's data localisation mandate is a function of both its quest for legitimacy and the regulatory state. Both should be accounted for.

In April 2018, the Reserve Bank of India cracked the whip on payment service providers, mandating all entities to store payments systems data related to user transactions only within India’s national boundaries.

The aim of this ‘data localisation’ move is, as the directive explains, to ensure “better monitoring” and “unfettered supervisory access” to data stored with payment system providers.

India’s central bank has framed the need for localisation in a well-known but still utterly false premise: ‘security of data is dependent on the location of data’. Consequently, the directive creates obligations for payment processors to maintain ‘full end-to-end transaction details’, ‘payment instructions’ and other information collected, processed, carried in India within the country.

The diktat reiterates that the Indian government is of the view that if data is stored outside the sovereign boundaries of the country, the RBI’s ability to “monitor payments activity” is curtailed.

This claim overlooks the fact that the central bank retains access by requiring payment processors to store a superset of all transactions data processed by them which is at all times available to RBI. This is equally true for both a centralised domestic payment network like Unified Payments Interface (UPI) used by PhonePe and PayTm, and foreign card networks or banks in India, like Visa, Mastercard and American Express.

Moreover, when data is held in other jurisdictions, officials rely on mutual legal assistance treaty (MLAT) processes to obtain access. The MLAT process was envisaged as a cooperation mechanism for criminal investigations by law enforcement agencies (LEAs) in exceptional circumstances. Over time, MLATs have proven to be ill-suited to handle a large number of requests or to provide immediate or time-bound access to critical information.

India’s law enforcement and security agencies are backing the RBI’s push for data localisation.

Citing difficulties in carrying out cross-border probes, investigative and intelligence agencies are of the firm view that “the practice of what they referred to as colonisation of Indian data has to end due to national security concerns that are getting sharpened amid the government’s growing push for Digital India”.


Rise of the regulatory state

Countries like Vietnam and Indonesia have used the slow-moving MLAT process to justify maintaining data on in-country servers. Arguably, there are advantages that localised data hosting has over existing MLAT treaties. Localisation enables LEAs to negotiate or set protocols with local data centre operators, network and service providers so as to gain access to data in a timely manner.

However, the sovereign control that the government seeks over data may not be best facilitated through localisation. Localisation of data grants the government physical access to the data centre within the jurisdiction of a country, but does not entitle LEAs to have better access to data held by such centres. Meaningful access to data depends on who has custody, control and possession of the actual data – and that may not necessarily be with the entity that provides the local hosting facility, and may instead lie with the software provider.

Further, by requiring all payments data only be stored in India, the RBI is limiting accountability towards data to storage within the territorial borders of India. The central bank directive forecloses other avenues to prioritise and reduce time taken to respond to requests for regulatory access. For example, Apple is working on an online tool for law enforcement officials to make and track requests.

As an alternative to forced localisation, US payments firms have suggested data mirroring or maintaining local copies of data which is stored abroad to enable faster access to LEAs. For now, the RBI appears to be in no mood to compromise.

Does localisation improve protection of data?

The RBI’s directions claim localisation is necessary in order to retain regulatory oversight and ‘control of data’. Concerns about the lack of control over collection of personal data and its processing and storage in jurisdictions with autocratic governments, a weak rule of law, or surveillance programmes have led governments to enforce data localisation as a legitimate reason to limit transfer of data.

Often, data localisation policies are justified as a way to guarantee citizens’ rights over their data and improve information security. In fact, data localisation policies can have the opposite effect on security and individual rights. Centralising data in local servers, whether operated by domestic or foreign companies, can also make those data more accessible to domestic surveillance programmes.

In India, the surveillance capacities of the government have grown unchecked and activities are carried out with little oversight. By facilitating access to data for intelligence and law enforcement purposes, forced localisation can make data about minority groups, journalists, and activists at risk more accessible to repressive authorities.

In a country where a satirical comment posted on social media leads to arrest in a matter of hours, we need to be careful before seeking empowerment of LEAs without any checks and balances. In environments where legal frameworks are inadequate and provide weak protections for citizens, data localisation is likely to increase the risk of human rights infringements.


Countries mandate data localisation to ensure that they are able to enforce their domestic data protection standards over that data. There is no agreement on where to draw the line between data protection-based restrictions on data flows that are protectionist and against trade and liberalisation and those that are necessary to guarantee the rights of citizens.

Privacy experts have argued that data protection is qualitatively different from forced localization, and that the issue of data localisation for data protection would disappear if nations implemented stronger uniform privacy laws or adopted baseline best practices. Rather than a comprehensive legal protection for personal data, India has only a patchwork of sector-specific laws that fail to adequately protect data. The new rules only add to the confusing melee of sectoral frameworks that apply to personal data.

Importantly, the RBI directions come even as a data protection framework is in the pipeline. The recent report issued by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna and the Personal Data Protection Bill, 2018 call for one copy of all personal data of Indians to be stored in India.

The committee has further recommended storing and processing certain categories of personal data that are critical to the nation’s interests only in India and that the central government should be vested with the power to exempt data transfers on the basis of strategic or practical considerations.


Data localisation does not automatically increase data protection. On the other hand, the impact of the RBI circular goes beyond governance of financial data held by corporates. Localisation mandates shape data collection and management practices, which not only have an economic effect but also impact other rights and interests such as individual privacy.

The timing and scope of the RBI directive suggest that the mandate could be an attempt by the central bank to carve out and retain control over a subset of personal data. Notwithstanding the contestations that may arise from such moves with the data protection authority proposed by the Srikrishna Committee, the regulatory capacity of the RBI in general is a huge concern.


Payments regulation over the last few years has largely been focused on Know-Your-Customer and linking to Aadhaar. Despite two large-scale breaches, one perpetuated by Hitachi ATMs, and more recently the attack on Cosmos Bank, no card network operator or bank has been fined. While Airtel Payments Bank was fined in the subsidy diversion scam, the operator of the payments system, NPCI, was let off scot-free.

Citizens continue to face issues with subsidy delivery, running from pillar to post. The RBI does not have data related to the grievances in payments across the entities it regulates. Clearly, the RBI needs to demonstrate better regulatory capacity to ensure consumer protection before claiming that data localisation will enable it to protect consumers.

Lack of consultative dialogue

On October 15, the deadline set by the RBI for complying with the mandate expired. While there was no official word on the status of compliance from the RBI, reports suggest that most of the 78 payment companies operating in the digital payments space have either complied with or submitted a timeline for compliance.

Loath to lose access to Indian markets, some US firms have agreed to localise payments data while others have made changes to their systems even though data continues to be processed outside India. Of the 15 companies that are yet to comply with the localisation mandate, four international players – American Express, Mastercard, PayPal and Visa – have shown intent to comply and submitted a roadmap on how and when they will do so.

Some companies have been seeking a one-year extension to meet the deadline claiming that replicating global systems at the local level pushes up costs and throws up several practical challenges that need longer than six months to be resolved. It remains unclear if or what penalties will be imposed on companies that have defaulted on the deadline, although it is unlikely that the RBI will stop services because of the inconvenience to users.

Global firms have also called out the lack of transparency and the RBI pushing through the diktat by force. The danger with developing localisation mandates without adopting an open and transparent decision-making process is that it can lead to policies made without an understanding of potential consequences. In the absence of consultative dialogue seeking inputs from payment service operators, it is unclear if a cost-benefit analysis has been undertaken by the government or the RBI prior to issuing the circular.

Impact on global trade and free flow of data

US-based companies have been organising their dissent, channelling lobbying efforts both through domestic and international routes. Editorials penned by the bosses of various payment firms have asserted that by imposing localisation India would be cut off from global anti-fraud mechanisms.

Such systems enable operators and third-party processors to share datasets related to hacks, breaches, fraud, and coordinate action where necessary. The fragmentation of data enabled by localisation would make payments transactions less, not more secure. US Senators have written letters to the Prime Minister’s Office to provide regulatory backing to lobbying efforts.

The intervention from US senators seeking a softer stance on data localisation is significant, as it indicates that localisation may end up impacting the huge amount of American financial data that’s processed in India. India’s huge IT services industry relies heavily on the transfer of data to India from foreign countries.

According to IT industry lobby NASSCOM, 62% of India’s tech services exports in 2017-18 were to the USA, and 41% of the total was in the financial services area. Data localisation measures should be seen in terms of broader trade relations with the US and other major economies.

Recent reports suggest that after negotiating a trade pact with Mexico and Canada, President Donald Trump is keen to start trade negotiations with India. Movement on US trade policy with India has been stuck over tariffs on a range of products. India, which did not receive a waiver from Trump’s steel and aluminium tariffs, has deferred retaliatory tariffs until November 2, 2018. Restrictions on foreign companies’ activities in the Indian market could provide a useful trade negotiation tool.

Nevertheless, localisation is a dangerous game to play because of retaliatory moves by the US. The government may pursue localisation as a strategy to “incentivise domestic data storage in India” but the mandate may also be viewed as a non-tariff barrier to trade by global financial institutions. Against the backdrop of global trade developments and mounting US pressure, the Narendra Modi government must walk the tightrope of enabling open trade and domestic economic growth while reining in protectionist tendencies.

Rising protectionism and centralisation of data

A leaked draft of the government’s e-commerce policy recommended localisation for “community data [and] data generated by users in India from various sources including e-commerce platforms, social media, search engines”.

De facto, however, this means that India is not only considering localisation strategies to aid cybercrime investigation but also because it sees strategic value in leveraging the data being generated in the burgeoning digital economy. Because American companies dominate the payment ecosystem, the central bank directive could be seen as an attempt to raise the costs of cross-border flows in order to create a level playing field for domestic players.

Over the years, the RBI has mostly stepped back in its role of retail payments operator and clearinghouse. Banks have instead migrated to the systems managed by the National Payments Corporation of India (NPCI), a not-for-profit private company, collaboratively owned by multiple banks. NPCI calls itself an “umbrella organisation under the aegis of RBI” and also has significant blessing from the state and the regulator, as it is seen as a state entity. In reality, NPCI operates as a private entity, and has sought and obtained exclusion from public accountability frameworks like the Right to Information Act.

The payments corporation operates launched payment processors such as PayU, Billdesk and card networks such as RuPay. These homegrown alternatives backed by the government have emerged as strong contenders to the dominance of US payment companies in India. It is also important to note that NPCI has been carrying out continuous centralisation of payments data under the guise of optimising costs of operating settlement systems. The payments operator, with more than 60 crore Aadhaar and bank account linkages, probably operates the second largest Aadhaar database after UIDAI.


The NPCI also operates the largest ATM network, processes most cheques by individuals, and operates both IMPS and UPI – the mobile-based instant payment system. NPCI is a monopoly on most of its offerings, facing competition only in cards processing. The RBI’s payments data localisation mandate aside from imposing additional cost to its card network competitors VISA and Mastercard. It is imperative that the RBI base any decision on data localisation against the backdrop of these conflicts of interest.

The mandate also brings data stored in other jurisdictions under the purview of the data protection authority of India. Establishing jurisdiction over data is a critical first step needed before future mandates requiring data portability can be contemplated. Such moves are not entirely unexpected as the RBI has been pushing for interoperability of wallets through UPI. The central bank has mandated that third-party bill payments be processed through the centralised bill payments platform Bharat Bill Payment System (BBPS) operated by the NPCI. NPCI also operates National Electronic Toll Collection/FASTag, a centralised toll collection platform, and has plans to extend its control over the operations of the National Common Mobility Card for urban transit payments.

The US India Strategic Partnership Forum (USISPF), in a letter to Finance Minister Arun Jaitley, has alleged regulatory bias on the part of the RBI. The forum has accused the central bank of favouring Indian startups and in particular introducing policies that favour software lobby Indian Software Products Industry RoundTable (iSpirt). USISPF calling out iSpirt’s undue influence is an important development as the organisation has been pushing Aadhaar as a mandatory identity for financial services. Nandan Nilekani and multiple iSpirt volunteers advise NPCI and the organisation has developed / evangelised payment systems like Unified Payments Interface (UPI) and BBPS operated by NPCI.


iSpirt has been at the forefront of commodification of data and has its own interest in the data economy. Apart from pushing Aadhaar as a solution for identity management, the organisation has been evangelising a digital records repository and cashless payments. The Goods and Services Tax Network (GSTN), a non-government, private platform, has been set up to provide IT infrastructure and services to central and state governments. However, the use of GSTN goes beyond facilitating tax payment, as lending to small and medium businesses is going to be tied to the data captured by the platform.

Account Aggregator is another iSpirt evangelised technology platform for enabling data trade through the consent architecture, a system which will allow users to digitally share their data with service providers in exchange for easier access to credit, insurance and other services. RBI seeks to regulate entities that will enable financial data commodification not just in banking, but insurance, mutual fund and equity investments, pensions through Non Banking Financial Company – Account Aggregator (NBFC-AA) licenses.

The spate of regulatory mandates that have led to a centralisation of personal and transactional data in the digital economy needs an immediate review to evaluate cyber security risk. Besides individual privacy and cyber security risks, the derived data from centralised platforms of electronic tolls, utility bills and transit payments provide crucial data and economic indicators for investors on public infrastructure such as highways, power, water and urban transit. Shaping regulations around such critical data at the behest of a private entity unaccountable to the public is a great risk to the economic security of the country, as it enables private economic surveillance.

Data localisation makes commodification of data cheaper as economies of scale will improve.

Masquerading localisation as a national security or “public interest” issue that is aimed at protecting citizens does not address concerns around violation of privacy and compromised security of not just individuals, but the state as well. It is therefore critical to have a larger debate on effective, fair regulation of digital payments and on the costs, both monetary and rights-related, and benefits of data localisation for consumers and businesses, citizens and the state.

Such discussions and analysis must happen in a transparent manner with full disclosures and must not be trivialised into a data localisation debate where business lobbies with commercial interests, fighting with each other, hijack the discourse and compromise the citizen, the consumer and the state.

The payments data localisation debate comes at a point when payments regulation is also proposed to be moved to a separate body outside of the RBI. Be it the dissent note by its former deputy governor in the Watal Committee report on promoting digital payments in 2017 or, more recently, the draft Payments & Settlement Systems Bill 2018, which seeks to set up an independent regulator with the RBI having representation in it, the RBI has consistently asserted its role in regulating payments.

Some of the responses of the RBI in the data localisation debate should be interpreted as emanating from its need to project itself as a strong regulator, as it is undergoing an existential crisis as payments regulator in the country.

Towards a balanced approach 

Data localisation rules are not motivated by a single national or private interest. Various simultaneous factors contribute to national strategies on restricting cross-border data flows or establishing controls for transfer of information.

Mandating data localisation to improve regulatory access is intended to force big tech companies to comply but it also raises the burden for small and medium businesses that may not have similar resources.

The economic rationale is often not the main reason why some governments attempt restricting data flows. For developing and developed countries alike, leadership in the global digital economy is linked to establishing their claims of technological sovereignty.

Technological sovereignty goes beyond the idea of economic competition and builds on the idea that advancements in the technological capacity of one nation threaten the national sovereignty of another. This stems from the growing perception that nations that are able to localise technological development and control data flows will fare better in the Internet governance order.

Localisation measures can also influence public opinion of governments in power, and those seeking re-election. As the Indian government’s stance demonstrates, the geopolitics of data flows influence localization policies in different ways.

While restricting data flows is publicly justified as an economic strategy, such measures can also have political and social implications because they affect public opinion and power. In this larger context, whether data localization is enforced as a form of taxation, or to increase competition, or is viewed as a trade barrier may be a secondary consideration for the government imposing such measures.

Data localisation or restrictions on movement of data are primarily understood in terms of their economic value or as a geopolitical strategy that helps nations consolidate information security and sovereignty online. However, it is equally important to think about the consequences of such policies on democracy and human rights, particularly in this time of growing public debate about the use and commercialisation of individual data.

Jyoti Panday is a researcher at IIT CoE, IIM-A. Srikanth Lakshmanan is a software professional with interests in digital payments, FOSS and open data.