RBI data localisation norms: A step in the right direction, but shouldn't harm innovation

The increase of economic activities has leaped exponentially in the digital space over the last decade than it has ever been before. A dire need for formulation of a comprehensive policy to regulate these activities has been the top agenda of any nation’s prime regulator, the **RBI** being in our instance. Data is the new commodity that has taken the centre stage as an immediate by-product of these economic activities and the need of the hour seems to seek measures to regulate this. The humungous data generated from the **e-commerce** and mobile applications is susceptible to multiple threats if there are no set guidelines in place for regulation. However, the extent of regulation is being perceived as to whether it defines a fine line between being an intrusive state or whether it takes up a laissez-faire approach. [caption id=“attachment_4544911” align=“alignnone” width=“1024”] Representational Image.[/caption] The recent RBI’s diktat to ensure that all the data related to payments system to be stored in a system located only in India in order to have “unfettered supervisory access” has ruffled a lot of feathers with the online payment service providers who have not been accustomed to such micromanagement and interference from the state to levy guidelines for data security. The local laws and mandates pertaining to commerce and trade, taxation, subsidies et al have been the forte of the regulator. Hence the resentment, when data security and privacy issues are being dictated which so far has been the prerogative of the individual payments service provider. The directive is being viewed as a ‘Big Brother’ approach and pressure points are being applied through active lobbying on all possible fronts to desist the RBI from taking such a rigid stand and be more inclined towards undertaking a more flexible regime. There is also the concern that the insufficient timeline mandated by the RBI isn’t fair and enough to ensure a systematic implementation of the requirement and is rather rushed. A longer horizon and a clarity on guidelines would have been appreciated. The RBI on its part has taken a more defensive stance as a measure to safeguard against any future contingencies that could result in misuse, data breaches or violation of laws. Their counter to ensure the safety and security of payment systems data by adoption of the best global standards and their continuous monitoring and surveillance to reduce the risks is a nudge in the right direction and ensure that the data is stored only within the country. [caption id=“attachment_4762651” align=“alignnone” width=“1280”] People look at data on their mobiles. Image: Reuters[/caption] There are laws in the country that facilitate and regulate the traditional brick and mortar approach of doing business. They have the systems developed in place after all the trials and errors which have now culminated into the tried and tested standard practices to conduct trade and commerce. The implementation of various acts to this effect are privy to the fact of ensuring a smooth functioning and conduct of the business. Then why should e-commerce not be subjected to laws that ensure such smooth functioning? Although the regulations are still at an infancy stage, there is a need for an evolution in its formulation and functioning a la the traditional businesses. It is inevitable that the e-commerce will be devoid of any malpractices by its participants which may have the propensity to being exploited more in a relaxed regime. Then there is also the aspect of jurisdiction. Data which is stored and located within the country will face the consequence of being accessed by authorities if mandated by the highest courts of order. Such privilege may be deprived with international legislation, geopolitics and where cross-border laws exist. The banking and secrecy laws of the tax havens are an exemplar to this fact when information is sought at the domestic levels but is denied over international waters. The arbitration could get prolonged over a normal duration which would not have been the case if jurisdiction were within the territorial waters. The last decade has seen an advent of many new inventions, and rendered a quick pace towards obsolescence. With the new innovations thrown at us at a furious speed like E-commerce, M-commerce, mobile applications, **Bitcoins** , Internet of Things, cloud computing and of course the payment system, which mark the dynamic nature of the millennial generation, it is only justified on the part of the regulator to formulate new laws and legislate it to ensure a smooth functioning of the economy. It would be foolhardy not to assume that chaos can easily prevail in an unregulated environment as could be seen in the recent gyrations witnessed in the **crypto-currency** space. However, this regulation should not come at the cost of stymieing new business ideas and their implementation. The regulator needs to draw a fine line between doing its job or indulging in intrusive micromanagement. It is this stand that shall lay the foundation towards a utopian or a dystopian society. Else it won’t be long before we become the subjects from George Orwell’s ‘1984’!