Regulators need to define the objectives of the policies and periodically analyse their impact before taking any decisions
With effect from July 22, Reserve Bank of India indefinitely barred Mastercard Inc. from issuing new debit or credit cards to Indian customers for violating local data storage rules.
While there is no bar in processing payment abroad, the data must be remitted to Indian data centres and the copies abroad must be erased post processing.
PSOs with global operations appear to be resisting the move, citing costs, security risk, lack of clarity, timeline, and the possibility of data localisation demand from other countries.
RBI’s concerns seem to stem from rapid growth of the digital payments ecosystem in India coupled with data breaches. But, data localisation is not a novel concept. As early as 1993, the Public Records Act prohibited the transfer of any ‘public records’ outside India.
Lately, however, there is an increased fervour about data localisation with the FDI Policy requiring entities in the broadcasting sector to ensure local storage and processing of subscriber data, and the insurance regulations requiring local storage of the original policyholder records.
Indian data localisation proposals almost always seem to have a variation of four objectives. First is preventing foreign surveillance, second is enforcement of data protection laws, third to secure faster and better access to data for law enforcement, and last is increase economic growth. The bigger picture is about protecting and accessing all digital data generated by Indians.
National security and prevention of foreign snooping may be the rationale behind the tough stand of the regulators on data localisation. Data can be weaponised and Indians, especially State officials, could become vulnerable if Indian regulators were not in total control of all the locally generated data. A person’s debit card history, for example, can be a valuable tool in social engineering and honey-trapping.
But it is hare-brained to equate local data storage with data security. If Pegasus revelations have taught us anything, persons determined to access such information would do so through mechanisms that make data localisation redundant. This is because spyware typically works by intercepting communication between the device and the internet, or by transferring data stored locally on the device, and neither of these methods depend on the location of the server.
It remains to be seen how data localisation aids in enforcing data protection laws. This is because localisation does not alter the regulation on data protection; it only changes the location of the data centre. Hence, enforcement of data protection law is better ensured through local incorporation and establishment requirements rather than requirements to locate physical infrastructure in India. Officers of entities in breach of the data protection obligations can be held accountable; bare data centres of the entity cannot.
We are likely to see an increased use of this strategy by the government, as is evident from the 2021 Intermediary Rules that require major social media companies to appoint resident officers.
It is quite compelling an argument that law enforcement agencies (LEAs) face major constraints in getting access to data in time. The data sought may be stored in another country, leading to a conflict of legal systems. At present, LEAs use mutual legal assistance treaties (MLATs) to access this data. However, this process is considered onerous and it takes many months to gain access in this way because of the diplomatic red tape.
Recognising this, the US passed the CLOUD Act to compel companies like Microsoft and Google, which have foreign data centres, to provide access if US LEAs request. CLOUD Act also enables easier access to foreign law enforcement agencies to data stored in the US as long as they fulfil certain procedural and rule-of-law checks.
Hence, localisation does help to an extent as summons to the holder of data would usually suffice to gain access. However, it assumes that companies will actually comply with localisation requirements. It is implausible that all the foreign services that Indians provide their data to will establish a data centre in India. Rather, a foreseeable course is that many services will find these requirements laborious and opt to block users from India.
Final justification for data localisation is economic growth. Multiplier effect of the investment itself in data centres is not significant. A $1 billion data centre built by Apple in 2011, for example, created only 50 full-time and 250 support jobs in security and maintenance. Bigger benefit seems to be that localisation may ensure that MNCs come within the Indian tax regime for, among other things, services sold to Indian citizens. Tech MNCs offer services without having a presence in India and generally it’s difficult to collect tax from such transactions. Mandatory local storage of data will mean that companies may need to set up captive data centres in the long run, as it is generally cheaper than consistently paying third party data centres.
However, this move may have the unintentional consequence of constricting Indian companies. Barriers to the free flow of data may hurt businesses by increasing delays and higher costs of collaborative research or partnerships outside India. Entities would need multiple separate processing centres if they serve consumers both within India and outside when a single centre would suffice.
Moreover, to adhere to the requirements, firms may be compelled to spend more on compliance activities such as hiring data-protection officers or maintaining systems to get the government approvals to transfer data. A study for example, found that Brazil’s data localisation proposal would have increased storage cost per gigabyte by an average of whopping 54 per cent for Brazilian companies.
India’s data localisation policies, much like most other policies and regulations, provide no justification in the policy document. Even the ones that rarely do fall short of providing elaborate reasoning. Hence, one is left guessing as to what is sought to be achieved and whether the regulation takes account of adverse impacts.
While the likes of Mastercard have the means to comply with data localisations requirements, smaller players are disproportionately impacted when they need to redesign their network architectures and data processing in order to comply. It may be useful for Indian regulators to define objectives of data localisation policies and periodically analyse their impact, before resorting to brute force of penalties.
(The authors are Managing Partner and Associate, respectively at Advaya Legal, a law firm)