Data localization norms

Data Localization Norms by Reserve Bank of India

The digital payment ecosystem in India has been growing with leaps and bounds. With the Covid
scenario providing a further nudge, it is expected to grow exponentially in the near future. While
there are multitudinous pros to it, it also entails the risk of a data security breach. The worldwide
concern for data leakage and privacy encroachments and the insufficiency of the existing data
protection laws drove the RBI to introduce Data Localization Norms to safeguard India from the
threat. Such measures prove to be more important when we take a sneak-peek into the past trends
and future expectations with regard to the digital payment ecosystem in India:

Estimates of value of Digital Transactions in

India until FY 2025
238
Amount (in trillion INR)

250
199
200 163
150 132
92 101
100 69
50
0
FY 2019 FY 2020 FY 2021 FY 2022 FY 2023 FY 2024 FY 2025
Years

What are Data Localisation Norms?

Data localisation implies restricting the flow of data by confining its storage and processing to a
particular jurisdiction. A number of countries including India have enacted laws for data
localisation. Here we go for a sneak-peek into the nitty-gritty of the data localisation policies
introduced by the RBI in India:

1) There is no restriction on the processing of payment abroad, but after processing, the data has to
be removed from the foreign systems and has to come back to India within one business day or 24
hours from the processing of the payment, whichever is earlier. The data has to be stored in India
only.

2) If there is any subsequent activity that has to take place post the processing of payment such as
settlement processing, it can be done outside India but it has to be carried out on a real-time basis
such that the data is stored only in India.

3) If data is required for any other processing-related activity, the data can be accessed from India
where it is stored.
4) In case payment system data is to be shared with overseas regulators, prior approval of RBI must
be obtained.The banks and digital payment firms operating in India must strictly adhere to the
storage norms.

5) In exceptional cases, the foreign leg of a particular transaction is allowed to store the banking data
outside India. But all domestic payment transactions should remain in India only.

6) For those cross-border transactions which have a domestic and a foreign component, a copy of
the domestic component may be stored abroad, if there is a requirement.

After the introduction of these norms, a period of six months was given to the system providers
to comply with the norms and submit a board-approved system audit report [conducted by a
Computer Emergency Response Team – India (CERT-IN)] to the RBI.

Advantages of Data Localisation:

1) Data localisation helps in ensuring that the citizen’s data is safe and secured. It provides data
privacy and sovereignty from foreign surveillance.

2) In case of any dispute, it would give the local government and regulators, the authority and
jurisdiction to call for the data as and when required. This will minimize the conflict of jurisdiction
due to cross-border data sharing and would ensure fair justice in the cases arising due to data
breaches and privacy suits.

3) Over the past few years, data warehousing has become a large-sized business and as a result, data
localisation would help in boosting the data center industry in India and would thus provide
employment opportunities.

Challenges for the implementation of Data Localisation:

1) The main challenge for foreign payment operators is setting up and maintenance of data centers
as it is a highly expensive and technology-driven business.

2) Indian start-up ecosystem faces tough challenges shifting to cheap and cost-effective technical
and cloud services. Data Localisation policy will prohibit these start-ups from opting for these
services from global cloud service providers which offer cost effective solutions and thus lead to
high operational costs.

Forced data localisation will lead to businesses increasing the cost of service which in turn would
impact customers who will have to bear the burden of the additional cost. Additionally, even if
the data is stored in the country, national agencies might still not be able to access it due to
encryption protocols.
 Laws Introduced by RBI in furtherance to Data Localisation:

Top leading companies such as Amazon, Google, Microsoft, Facebook, and American Express met
the RBI and Government officials to raise concerns regarding the stringent nature of this policy. As
a result, the Indian government took few corrective steps to determine the category of data to be
stored locally in such a way that it is not misused. The Personal Data Protection Bill applies to the
companies registered in India, foreign companies dealing with personal data of individuals in India
and categorizes the collected data into three categories:

1) Personal data
2) Sensitive personal data
3) Critical personal data

Sensitive personal data and critical personal data have to be compulsorily stored in India.
However, the bill permits the processing of sensitive personal data to be transferred outside of
India in certain cases provided that at least a copy of that data continues to be stored in India.

Recent Happenings:

1) RBI barred three foreign card payment firms Mastercard, American Express, and Diners Club from
onboarding new customers over not complying with its guidelines. Consequently, Visa and home-
grown RuPay which complied with the norms will have a greater advantage in gaining market
share.

2) Reiterating its stand on data privacy, the RBI issued a circular stating that from April 1, 2021, all
payment system operators need to submit a compliance certificate duly signed by their CEOs or
Managing Directors on a half-yearly basis.

Way Forward:

1) With the introduction of data localization norms, it has become prudent for impacted payment
service providers to devise an apt strategy and take immediate action to ensure compliance. Here
are some options that might be considered by them:
1. Setting-up an own data center
2. Hosting in a Multi-Tenant setup
3. Hosting On-cloud

2) Data localisation in a few sectors like financial services is absolutely valid and policy measures to
enable higher server capacity and enabling cheaper and faster data transmission is essential and
looked forward to.

3) One of the major tasks is now to ensure that data localisation norms are met in a timely manner
while at the same time making sure that there is no restriction to data flows and innovation in the
 digital payment ecosystem.

4) Given the intricacies of laws like Data Localization, India needs a more effective mechanism for
law enforcement. It needs to move from a slow and ineffective Mutual Legal Assistance Treaty
(MLAT) to a system based on bilateral treaties on data transfers with the EU, UK and the US.

Conclusion:

Data localisation is not just India’s problem. There are various concerns around the free flow of data
globally and with the advancements in the digital economy, data security is a must for the
country’s growth and development and in such a scenario, the guidelines issued by RBI is a step in
the right direction as it will improve governance of payment-related data.
 References:

1) https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244

2) https://medium.com/m2p-yap-fintech/decrypting-rbi-data-localization-policy-for-payment-
companies-
65af865fb67a#:~:text=As%20per%20the%20RBI's%20Data,payment%20processing%2C%20whic
h ever%20is%20earlier

3) https://www.thehindu.com/opinion/op-ed/the-issues-around-
data- localisation/article30906488.ece

4) https://www.iasparliament.com/current-affairs/rbi-curbs-on-foreign-card-firms-data-localisation