Sebi likely to issue norms, fears a country can block access in case of data war

Business Standard - FRONT PAGE - ASHLEY COUTINHO

The Securities and Exchange Board of India (Sebi) may soon come up with guidelines that require foreign entities to store data pertaining to India locally.

Several foreign brokerages and custodians typically store data digitally in regional centres such as Hong Kong and Singapore.

The regulator is concerned that access to such data could be blocked by another country in the event of a data war. It wants all such data to be stored on servers in India or a real-time backup to be created, enabling access from within the country.

“Foreign brokerages access servers in Singapore and Hong Kong for their daily transactions. Now, what happens if a country like China cuts off access to that server in Hong Kong? It may seem like an extreme situation but we can potentially become a data colony of some other country,” said a senior industry official, on condition of anonymity.

Financial institutions such as Citi, JP Morgan, HSBC and Deutsche Bank operate brokerages and custodian services in India.

The regulator is expected to take a call on the matter soon based on the recommendations of a panel led by Ashok Jhunjhunwala, a professor at the Indian Institute of Technology (IIT) Madras. The guidelines will apply to all Sebi-regulated entities.

Here’s an example of how data ends up overseas. Let’s assume a buy order for shares is placed with a foreign broker. The broker puts the order on the domestic exchange. After the transaction goes through, the broker issues an electronic contract note. While the copy of that transaction is on the exchange platform, the entry into the system at the broker’s end is stored on a server that is not in India.

Sebi’s concern assumes significance in the light of the Reserve Bank of India’s diktat in April last year asking global payment companies to store transaction data of Indian customers within the country. The RBI’s stance on data localisation is a result of the rapid growth in digital payments and the increasing instances of fraud and data theft, according to experts.

Data localisation is a concept that dictates that the data of a country’s residents should be physically present within the borders of the country where the data was generated.

“The government is concerned that foreign regulators can access data, especially that pertaining to the financial services sector. There is also a misplaced view that law enforcement authorities in India will have better access to data if the data resides in India,” said Shahana Chatterji, partner, Shardul Amarchand Mangaldas.

“The regulator’s concern is justified if data is stored at certain specific locations within Asia. But if it is kept with global providers such as Dropbox or Microsoft, then we are at the same risk as any other country,” added Viraj Kulkarni, founder & CEO, Pivot Management Consulting.

The RBI’s April directive states that data would be stored only in India, meaning payment companies cannot store copies of Indian consumer-related data outside the country. This eliminates the scope for data mirroring, a practice which allows companies to store copies of a particular database at multiple locations.

Sebi, on the other hand, is of the view that if exclusive data servers cannot be set up in India, the foreign entities should ensure that there is a real-time data backup set up here.

Both these arrangements could be challenging and significantly jack up costs for the foreign players. “The RBI wants data pertaining to transactions in India to be kept in India. This involves a huge investment in terms of infrastructure, technicians, maintenance and space. Sebi is saying that if you can’t set up a server in India, create a real-time backup of the data, a task almost as challenging,” said the first person quoted above.

Digital data in India stood at about 40,000 petabytes (1 petabyte is 1,000 terabytes or 1 million gigabytes) in 2010 and is projected to climb to 2.3 million petabytes by 2020, twice as fast as the worldwide rate, according to a blog posted by Cushman & Wakefield. In its Budget last year, the government emphasised the importance of creating a cloud warehouse that will safely store digital data in India.

Globally, there has been an increasing number of cases of identity theft, and regulators and governments are doing their bit to protect personal data. Europe, for instance, has introduced the General Data Protection Regulation (GDPR), which deals with privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

The GDPR aims to give control to citizens and residents over their personal data and simplifies the regulatory environment for international business by unifying the regulation within the EU. It also addresses the export of personal data outside the EU and the EEA.
