Miss­ing The Big Pic­ture:

The new data localisation norms ap­pear to fo­cus more on phys­i­cal lo­ca­tion of data rather than se­cur­ing it with foolproof sys­tems.

India Business Journal - - CONTENTS - IBJ BU­REAU

The new data localisation norms ap­pear to fo­cus more on phys­i­cal lo­ca­tion of data rather than se­cur­ing it with foolproof sys­tems.

It is a lit­tle over a month since the dead­line of data localisation for pay­ment gate­ways has come into force. For­tu­nately, it is busi­ness as usual, with no dis­rup­tion of dig­i­tal pay­ments in the coun­try. Even as dig­i­tal trans­ac­tions con­tinue un­abated, there are heated de­bates be­tween those sup­port­ing and op­pos­ing the move.

In April, the Re­serve Bank of In­dia (RBI) had is­sued a cir­cu­lar, in­struct­ing all pay­ment sys­tem providers in the coun­try to en­sure that data re­lat­ing to sys­tems op­er­ated by them is stored only in In­dia. Be­sides, the cen­tral bank had set the dead­line of Oc­to­ber 15 to com­ply with the new data localisation norms.

Data localisation refers to the process of stor­ing data within the bor­ders of a par­tic­u­lar coun­try where the data is gen­er­ated. Ac­cord­ing to peo­ple in the know of the de­vel­op­ments, 78 com­pa­nies come un­der the am­bit of the new data norms. Of these, some 62 com­pa­nies have al­ready be­gun com­ply­ing with the new rules, while the re­main­ing en­ti­ties are in var­i­ous stages of com­pli­ance.

Rag­ing de­bate

Mean­while, the cen­tral bank's data localisation pol­icy has elicited mixed re­sponse from the pay­ment ser­vices in­dus­try. Some of the prom­i­nent do­mes­tic pay­ment com­pa­nies, like Paytm and PhonePe, have been sup­port­ive of the localisation norms. How­ever, global play­ers - like Google, which of­fers Google Pay - have ar­gued for free move­ment of data. Some in­ter­na­tional play­ers have ap­pealed for more time for com­pli­ance and also asked that they be al­lowed to mir­ror the data.

Paytm, which has vo­cif­er­ously sup­ported data localisation, stresses that crit­i­cal data must not be al­lowed to go out of the coun­try, not even for pro­cess­ing. "We have com­plied with this man­date since day one and have wel­comed this ini­tia­tive right from the be­gin­ning. It is im­por­tant that we do not be­come mere in­ter­net colonies for global com­pa­nies and make ev­ery or­gan­i­sa­tion ac­count­able to­wards the se­cu­rity and pri­vacy of data of our fel­low coun­try­men," a Paytm spokesper­son has said. Dig­i­tal pay­ments plat­form PhonePe has also in­formed the RBI of its full com­pli­ance with the data localisation man­date.

Sev­eral for­eign en­ti­ties too are fall­ing in line to im­ple­ment the RBI's new data rules. US-based mes­sag­ing plat­form What­sApp has re­vealed that it has de­vel­oped a sys­tem to store pay­ments-re­lated data in In­dia. "In re­sponse to In­dia's pay­ments data cir­cu­lar, we have built a sys­tem that stores pay­ments-re­lated data lo­cally in In­dia," a What­sApp spokesper­son has added. An Ama­zon spokesper­son too notes: "Com­pli­ance with lo­cal laws and reg­u­la­tion is a top pri­or­ity for us in all the coun­tries we op­er­ate in. We con­tinue to work closely with the reg­u­la­tors to­wards this".

Google too has agreed to fol­low the RBI's lo­cal data stor­age norm for pay­ment ser­vices. How­ever, the USbased tech­nol­ogy com­pany has asked for time un­til De­cem­ber to en­sure com­pli­ance. In Septem­ber, Google CEO Sun­dar Pichai had writ­ten to IT Min­is­ter Ravi Shankar Prasad, ad­vo­cat­ing free flow of data across bor­ders as such a step would en­cour­age global com­pa­nies to con­trib­ute to In­dia's dig­i­tal econ­omy.

Mr Pichai had also added that the

"It is im­por­tant that we do not be­come mere in­ter­net colonies for global com­pa­nies and make ev­ery or­gan­i­sa­tion ac­count­able to­wards the se­cu­rity and pri­vacy of data of our fel­low coun­try­men."

free flow of data across bor­ders would ben­e­fit In­dian start-ups look­ing to ex­pand glob­ally. "Free flow of data across bor­ders - with a fo­cus on user pri­vacy and se­cu­rity - will en­cour­age start-ups to in­no­vate and ex­pand glob­ally and en­cour­age global com­pa­nies to con­trib­ute to In­dia's dig­i­tal econ­omy," the Google CEO had writ­ten.

In­ter­est­ingly, for­eign pay­ment ser­vice providers have found sup­port from the most un­ex­pected quar­ter - the Con­fed­er­a­tion of All In­dia Traders (CAIT). The do­mes­tic traders' body, which is of­ten in the fore­front of tar­get­ing for­eign com­pa­nies, has asked the au­thor­i­ties not to push forthe data norms for pay­ment ser­vice providers. In a let­ter to Prime Min­is­ter Naren­dra Modi re­cently, CAIT has sought ex­emp­tion of pay­ment gate­ways from manda­tory data localisation norms.

Al­though, the traders' body ap­pre­ci­ates the move to safe­guard data pri­vacy, it has noted that there must be a dis­tinc­tion be­tween com­pa­nies that have per­sonal data and pay­ment firms that have fi­nan­cial data and mostly card num­bers. "The CAIT has sought in­ter­ven­tion of the prime min­is­ter to make dis­tinc­tion be­tween such com­pa­nies or in­sti­tu­tions that have re­al­time data and oth­ers who use pri­mary data for mak­ing trans­ac­tions hap­pen," a CAIT state­ment has urged.

CAIT has fur­ther ar­gued that dig­i­tal plat­forms, like Face­book, Ama­zon, Google, and banks have ac­cess to per­sonal con­sumer data, such as name, ad­dress and con­tact de­tails. Such data should nec­es­sar­ily be stored in In­dia to pre­vent any mis­use, in­clud­ing for po­lit­i­cal pur­poses. "On the other hand, pay­ment tech­nol­ogy com­pa­nies, like Visa, Master­card and RuPay, only have a 16-digit card num­ber which is stored with them, and it is not per­son­ally-iden­ti­fi­able data. So, such data should not be forced to be stored in In­dia as it does not serve any pur­pose with re­gard to law en­force­ment or its mis­use," CAIT has pointed out.

Wrong pri­or­i­ties

As the de­bate over data localisation norms rages, there is a mas­sive ex­plo­sion in data be­ing gen­er­ated by con­nected in­ter­net users in In­dia. Ac­cord­ing to a re­port by real es­tate and in­fra­struc­ture con­sul­tancy Cush­man and Wake­field, the size of the dig­i­tal pop­u­la­tion in In­dia presents a huge po­ten­tial de­mand for data cen­tre in­fra­struc­ture.

How­ever, the large amount of data and its leakage have raised con­cern over data se­cu­rity, not just in In­dia but the world over. Many coun­tries have framed strin­gent norms to se­cure their data. The Eu­ro­pean Union's Gen­eral Data Pro­tec­tion Reg­u­la­tion, by far a sweep­ing reg­u­la­tion on data se­cu­rity, does not re­strict cross-bor­der move­ment of data. It al­lows trans­fer of data to only those coun­tries that have strin­gent rules to se­cure in­for­ma­tion.

Crit­ics of data localisation ar­gue that the move will have neg­a­tive ef­fects on the abil­ity of com­pa­nies to do busi­ness in In­dia. "Ac­cess can be pro­vided even if the data is stored out­side In­dia. It is not clear how this (data localisation man­date) ties in with the over­all ob­jec­tive of en­sur­ing data safety en­force­ment," won­ders Ashish Ag­gar­wal, a se­nior di­rec­tor and head of pub­lic pol­icy of NASSCOM, the coun­try's lead­ing as­so­ci­a­tion of soft­ware ser­vice providers. Mr Ag­gar­wal fur­ther adds that NASSCOM favours free flow of data and points out that im­po­si­tion of con­di­tions that are "oner­ous and un­nec­es­sary" may trig­ger re­tal­ia­tory mea­sures from other coun­tries.

Tech­nol­ogy ex­pert Prashant Prad­han, the vice-pres­i­dent and CTO (Asia-Pa­cific) of IBM, ar­gues that the phys­i­cal lo­ca­tion of data is ir­rel­e­vant. "Your data can be ac­cessed from a server in Ben­galuru or Bos­ton just as eas­ily. In fact, hav­ing a mir­ror of your data in In­dia may ac­tu­ally in­crease the cost of op­er­a­tion and com­pli­ance. What's more im­por­tant is the qual­ity, rather than sheer quan­tity. While terms such as big data were in vogue pre­vi­ously, what com­pa­nies may be more in­ter­ested in now is the qual­ity of data they can se­cure and store," em­pha­sises Mr Prad­han.

The IBM ex­ec­u­tive's ar­gu­ment ap­pears to be bang on tar­get. The need of the hour is wa­ter­tight laws and sys­tems to en­sure data se­cu­rity. In to­day's tech­no­log­i­cally-pro­gressed world, tar­get­ing lo­ca­tion of data seems to be rather anachro­nis­tic. The stress should be more on how data, which may be lo­cated any­where in the world, can be se­cured.

"Free flow of data across bor­ders - with a fo­cus on user pri­vacy and se­cu­rity will en­cour­age start-ups to in­no­vate and ex­pand glob­ally and en­cour­age global com­pa­nies to con­trib­ute to In­dia's dig­i­tal econ­omy."

SUN­DAR PICHAI

CEO, Google

"Your data can be ac­cessed from a server in Ben­galuru or Bos­ton just as eas­ily. In fact, hav­ing a mir­ror of your data in In­dia may ac­tu­ally in­crease the cost of op­er­a­tion and com­pli­ance."

PRASHANT PRAD­HAN

Vice-Pres­i­dent, IBM

Of the 78 com­pa­nies that come un­der new data norms, 62 have be­gun com­ply­ing with the new rules.

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.