Times of India’s Edit Page team comprises senior journalists with wide-ranging interests who debate and opine on the news and issues of the day.
Almost three years after the deadline, RBI’s finally cracked the whip on data localisation. Mastercard Asia has been ordered to refrain from taking on new customers as it failed to fulfil its obligations under the local data storage rules. This development foregrounds two issues. Of narrower interest is the impact it will have on the payments market. The bigger issue is how will this fit in with data localisation requirements under India’s Personal Data Protection Bill (PDP) that was introduced in the Parliament 19 months ago.
India’s retail payments landscape has transitioned to contactless payments, and cards are slowly losing relevance. In 2020-21, the value of retail payments was Rs 415.12 lakh crore, and NEFT accounted for 61% of it. However, it’s UPI that’s fast gaining market share at 10% and RBI is talking to other jurisdictions to enable its usage in cross-border transactions. Cards have a 3% market share and Mastercard is estimated to account for around one-third of those transactions. Therefore, RBI’s move, especially since renewal of existing Mastercards are not affected, won’t be really market disruptive.
As for PDP, this is supposed to be the umbrella law guiding the use of personal data. This includes government when it acts as a data fiduciary, the entity that determines the purpose of processing data. The bill was referred to a joint parliamentary committee headed by BJP’s Meenakshi Lekhi. It’s been busy – it had 66 sittings last year – but Lekhi and some other members have been made ministers in last week’s reshuffle. The committee’s report however is still under preparation. BJP needs to move fast and ensure a report is submitted in the coming Parliament session.
The original bill covered localisation and stated that some critical data shall be processed only in India. PDP cannot exist in isolation. India has globally competitive firms in data processing and PDP’s contours will have a ripple effect on them. A benchmark could be the EU’s GDPR which allows transfer of data to non-EU-based firms provided they follow the same standards. What’s clear is that everyone, RBI included, has to be governed by PDP’s standards, which can look at the big picture.
This piece appeared as an editorial opinion in the print edition of The Times of India.