The Reserve Bank of India’s (RBI) deadline to payment systems providers for storing their ‘entire data relating to payments systems operated by them in a system only in India’ expires today.
We have met and spoken with a number of entrepreneurs over the past few weeks, all of whom seem to have the same question about the RBI’s data localisation directive: why won’t the RBI at least allow data mirroring?
The RBI’s notification of April 6, 2018, which directed payment systems providers to ensure data localisation by October 15, 2018 states, “In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers/intermediaries/third party vendors and other entities in the payment ecosystem.“
Given this, it’s easy to understand why you think data mirroring can take care of everyone’s concerns. Yet, the RBI refuses to allow data mirroring either.
The reason for this lies behind a thicket of legislation, draft legislative material, committee recommendations, and regulatory pronouncements.
Business Standard report said, “Sources say the central bank is preparing the ground for a stringent Data Protection Bill, a draft of which was released by the Justice Srikrishna Committee in August.”
The Draft Personal Data Protection Bill (DPDPB) does have stringent requirements on data localisation – while these do not apply to all data, there are various provisions relating to the storage of ‘critical personal data’ in India exclusively. The DPDPB was framed by a committee of experts headed by Justice Srikrishna, a retired judge of the Supreme Court.
In its report, titled A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, the committee provided various arguments and analyses for its recommendations, which we assume have resulted in the published form of the DPDPB.Let’s focus on the ‘benefits’ the committee says would come with localisation of data – aside from ease of search and seizure and law enforcement, these are:
Avoiding resultant vulnerabilities of relying on fibre optic cable network. Building an artificial intelligence (AI) ecosystem. Preventing foreign surveillance.
Citing fears of terrorist attacks and other natural and non-natural calamities that may strike undersea cables used to route data across borders, the committee of experts says:
“From this, it may be argued that data critical to Indian national interest should be processed in India as this will minimise the vulnerability of relying solely on undersea cables. Critical data, in this context will include all kinds of data necessary for the wheels of the economy and the nation-state to keep turning… This may even extend beyond the scope of personal data, regarding which an appropriate call may have to be taken by the Government of India. The objective will be served if even a single live, serving copy of such critical personal data is stored in India. However, the processing of such data exclusively within India may be necessary for other benefits as discussed below.”
The AI hasn’t failed to cause a flutter in the committee of experts either. They say, “In the coming years AI is expected to become pervasive in all aspects of life that are currently affected by technology and is touted to be a major driver of economic growth.” Going on to argue that data localisation and local processing are critical to ensure the healthy growth of an AI industry in India, the committee states:
“The growth of AI is heavily dependent on harnessing data, which underscores the relevance of policies that would ensure the processing of data within the country using local infrastructure built for that purpose… Azmeh and Foster in their 2016 study, point out the benefits that developing countries can derive from a policy of data localisation. These include: first, higher foreign direct investment in digital infrastructure and second, the positive impact of server localisation on creation of digital infrastructure and digital industry through enhanced connectivity and presence of skilled professionals. Creation of digital industry and digital infrastructure are essential for developments in AI and other emerging technologies, therefore highlighting the significance of a policy of requiring either data to be exclusively processed or stored in India. This benefit can be captured in a limited manner by ensuring that at least one copy of personal data is stored in India. Further, a requirement to process critical data only in India would create a greater benefit insofar as it extends beyond mere storage.“
And finally, the committee recognises the threat of surveillance by governmental and non-governmental actors. Recognising that a completely walled-off ‘Indian Internet’ would be counter-productive to India’s global economic aspirations, the expert committee report says:
“In order to strike a balance, it is essential to enquire into the kinds of surveillance activities that are most detrimental to national interest. In the context of personal data, this would pertain to such critical data as those relating to Aadhaar number, genetic data, biometric data, health data, etc. Only such data relating to critical state interests must be drawn up for exclusive processing in India and any such obligations should be limited to it. All other kinds of data should remain freely transferable (subject to the conditions for cross-border transfer mentioned above) in recognition of the fact that any potential fear of foreign surveillance is overridden by the need for access to information. Thus, for prevention of foreign surveillance critical personal data should be exclusively processed within the territory of India.”
If one is campaigning against data localisation, the arguments need to go beyond a mirroring to the entire gamut of reasons that the expert committee provides in favour of data localisation.
Bhavin Patel has legal advisory experience spanning over 16 years and advises clients on data protection issues and specialises in privacy laws. He can be reached at firstname.lastname@example.org. Hemant Krishna is a corporate and commercial lawyer with nine years of experience specialising in mergers and acquisitions, joint ventures, private equity investments and fund-raising. He can be reached at