The Reserve Bank of India (RBI), recently, issued clarifications to its 6 April 2018 directive on localization of payment data. The directive mandated payment system operators (PSO) to store their entire data relating to payment systems only in India.
The clarifications have come at a time when India has abstained from signing the Osaka Declaration on Digital Economy, or the Osaka track, which seeks to foster policy discussions on cross-border data flow at a global level.
Issued in the form of frequently asked questions (FAQs), the clarifications set out certain exceptions to the directive’s data localization mandate. They state that, 1) in case of payment data involving domestic and foreign components, a copy of the domestic component can be stored outside India, 2) payment transactions can be processed outside India, but payment data must be deleted from systems located outside India within one business day or 24 hours of the processing and the data must be stored only in India, and 3) activities undertaken following payment processing, such as settlement processing, must be done on a near real-time basis.
As one would expect, the directive has raised the cost of operating as a PSO in India. For example, Mastercard is in the process of setting up a processing centre in India, which will be its first processing centre outside the US, at an estimated cost of around US$350 million. Such high costs are likely to act as entry barriers in a sector that is on the cusp of an innovation-led revolution.
Although the clarification puts to rest the confusion over whether payment data is to be processed in India only, it does not touch upon technical feasibility issues such as those relating to deletion of data within one business day or 24 hours if the payment processing is done outside India.
Further, in the absence of mandatory security and technical standards, there is no assurance that processing and storage of payment data in India would be more secure. On the contrary, storing data only in India runs the risk of irretrievable data loss in critical or emergency situations.
Then there is the question of whether the directive and clarifications would protect privacy rights of individuals. The directive unequivocally states that it is premised on the need to have “unfettered supervisory access” and “better monitoring”. This premise is antithetical to a claim that the directive and clarifications would preserve individuals’ right to privacy, given that India lacks a robust data protection regime. The directive looks to be an enabler for law enforcement purposes, that is to ensure ease of access to data. Data stored on servers outside India are typically accessed under the framework set out under Mutual Legal Assistance Treaties, which tend to be long-drawn and cumbersome.
The clarifications seemingly go beyond the scope of the directive, and specify that payment data stored in India can be shared with overseas regulators only with the approval of the RBI. This mandate is not only excessive, but also goes against the comity of nations. It is also likely to create serious compliance issues for PSOs that operate in multiple jurisdictions. Aside from the above stated concerns, the constitutional legitimacy of the directive and clarifications is also likely to be examined and debated. Essentially, the RBI has attempted to fill a legislative void through the directive.
Regulation-making powers cannot be used to bring in substantive rights or obligations that are not contemplated in the parent enactment. In other words, subordinate legislation must be linked to the nature, purpose and objective of the enabling enactment.
On the face of it, there does not appear to be any correlation between localization of payment data and regulation of payment systems in India. But this issue may be irrelevant in view of the fact that the Supreme Court has admitted a petition concerning non-compliance of RBI’s data localization mandate by WhatsApp, without examining if the directive is within constitutional limitations.
Although touted to have been premised on the need to safeguard civil liberties, there is nothing in the directive or clarifications, which puts reasonable checks on the “unfettered supervisory access” that the RBI has conferred upon itself. This raises the question of whether the RBI’s data localization norms are a step, or, rather, a misstep towards the problems that it seeks to resolve.
Lagna Panda is a senior associate at Chandhiok & Mahajan.
Chandhiok & Mahajan
C-524, Defence Colony
New Delhi – 110 024
Mumbai | Bengaluru
Tel: +91 11 4163 0033
Fax: +91 11 2433 9075