Reserve Bank of India’s Data Localization Policy

Titiksha Seth

We live in a time when the Internet supports a predominant part of commerce and the online payments ecosystem has attained a new stature. On April 8, 2018, the Reserve Bank of India (RBI) issued a notification mandating the storage of all end-to-end transaction data within India. The RBI, the central banking institution that controls monetary policy in India, requires unrestricted supervisory access to all payment data, hence this mandate. Data localization refers to a government policy requiring that user data collected within its jurisdiction be stored on servers located within the country.

Amazon, American Express, and Microsoft are among the companies that oppose this policy and have urged the government to slacken these restrictions. If these US-origin companies resist obeying the law, it could severely hamper trade relations between the two countries.

Essence of the RBI Policy

The Statement on Development and Regulatory Policies, under the head “Storage of Payment System Data”, notifies that stringent security measures need to be adopted for better monitoring of payment data.
The directive requires service providers to store all transactional data in a system situated only in India. Transactional data includes full end-to-end transaction details and information collected, carried, or processed as part of the message and payment instruction. Where a transaction has a foreign leg, the data can also be stored in the foreign nation.
The system providers shall complete compliance within 6 months and report compliance by October 15, 2018. Thereafter, the system providers are required to submit the System Audit Report (SAR), audited by CERT-In empanelled auditors, before December 31, 2018.

Data Localization Laws in other countries

Data localization laws, which a nation enforces as a security measure, pose a threat to various MNCs, which will have to invest in infrastructure and bear further costs of compliance. The restrictions imposed by countries follow two divergent paths: forced localization laws and industry-specific laws. Forced localization requires a broad spectrum of industries to keep their data housed within the boundaries of the sovereign; examples include China, Russia, Indonesia, Kazakhstan, Nigeria and more. Industry-specific localization, as the name suggests, requires only certain types of user data (such as medical data, financial data, telecommunications data etc.) to be kept within the sovereign; examples include Australia, Venezuela, Ukraine, Canada and more.

China emphasizes government control and protection of data, which has been reinforced in China’s Cybersecurity Law. China seeks to control not only data within its territory but also Chinese language and media external to its borders. China has blocked many U.S.-based internet companies to help local competitors expand, thereby increasing China’s influence on the internet and data.

Russia shares with China a similar interest in cyber sovereignty. In 2015, Russia enacted Federal Law No. 242-FZ, which requires all personal information of Russian citizens to be stored and processed on servers located in the country. Russia enforced the data localization policy for all websites. LinkedIn, a popular international professional networking site, refused to co-operate with the new regulations and hence was blocked in Russia. Russia also instructed Apple and Google to remove the LinkedIn application from their mobile stores. Russia had also blocked the Chinese social media app WeChat in May 2017 because it failed to provide its contact details.

In 2016, the Republic of Kazakhstan, through an amendment to Law No. 94-V on Personal Data and Protection 2013, mandated that all personal data be stored by the owner, operator or a third party on databases located in the country.

Canada does not have a federal data localization regulation, but provinces such as British Columbia and Nova Scotia have laws which restrict data transfer outside the borders of the country. The Personal Information International Disclosure Protection Act in Nova Scotia renders the storage of information by public bodies and municipalities outside Canada illegal. In British Columbia, the Freedom of Information and Protection of Privacy Act directs that personal information obtained or controlled by a public body be stored and accessed in Canada only.

Australia’s My Health Records Act, formerly called the Personally Controlled Electronic Health Records Act, prohibits the transfer of personal health data outside the country.

Turkey enforced the law on Payment and Security Reconciliation Systems, Payment Services, and Electronic Money Institutions against payment service providers, requiring them to process all data locally. PayPal has lost its license to do business in Turkey because it failed to comply with the policy.

Data Localization: friend or foe?
One of the major duties of the government is to protect its citizens, which in this period clearly includes their personal information. Data localization acts as the first brick in the wall for better surveillance and management of the data belonging to a country’s citizens.
The mandate of storing data locally gives domestic companies an edge over the industry giants. Also, companies will be persuaded to set up offices in the country, hence increasing local investment and perhaps creating more jobs for residents. A data localization policy leads to capital flow into the country.
The downside of data localization is economic isolation and curbed growth. Companies operating internationally, which have been doing business in the country for decades, will have to modify their structure and establish a fresh data flow and processing model. The industries might also be concerned about ‘RBI’s unfettered supervisory access’ to their data. Data localization laws are often viewed as protectionist and hence seem to violate the Competition Law. The authoritarian localization of data is against the original character of the internet.

India is one of the largest markets for companies in the world, and I believe our stand in protecting our data will not affect the economy much. Countries around the globe have been adopting such policies; it’s high time India makes such essential changes in the existing cyber regimes to protect the data of Indian citizens.