Asheeta Regidi, Sep 07, 2018 14:03:56 IST
The RBI announcement in April mandating data localization for payment data met with wide objections from the industry, on account of the major changes to processes and the costs imposed on companies setting up payment services in India. The effect of the rule is now visible, with multiple payment services coming to a halt. Recent news that Apple Pay has been put on hold, among other things because of the RBI's data localization mandate, illustrates the hurdles such companies face in launching payment services in India.
A similar situation was seen recently for WhatsApp in relation to its payment service, as well as for Amazon with its UPI-based service, Amazon Pay. Ambiguity in the data localization requirements, under both the RBI notification and the proposed data protection law, is among the primary concerns of such companies.
Ambiguous nature of RBI’s data localization mandate
Of the hurdles faced by these companies, the primary one is the RBI-imposed mandate to store payment data within India. This was introduced via a Circular issued in April this year, which requires all 'payment system providers' to store all data relating to their payment systems in India only.
Several ambiguities arise, the first being which players are subject to this requirement. A 'payment service provider', as specified under the Circular, is any person who operates an authorized payment system, or a system that enables a payment between two persons, as per the provisions of the Payment and Settlement Systems Act, 2007.
The requirement thus applies to credit card and debit card operations, affecting companies like MasterCard and Visa, to mobile wallets, and to payment services built on the technology of the National Payments Corporation of India (NPCI), such as UPI. However, it is unclear whether the requirement applies equally to payment aggregators and payment gateways. The requirement does not apply to other players, for instance the banking system.
Identifying data subject to the requirement
Further, the Circular specifies that the data subject to this requirement includes end-to-end transaction details and any information collected or carried as part of the message or payment instruction. However, there is still a lack of clarity on how to identify the data that falls under the requirement. For instance, is user-related data that is independent of the core transaction data itself also subject to the requirement?
Similarly, the Circular allows only data relating to the 'foreign leg' of a transaction to be stored outside India. This, again, is ambiguous. The normal interpretation would be that if the transaction involves an overseas player in some form, such as when the transaction is acquired by an overseas bank, then that part is the foreign leg. However, it is unclear what data forms part of the foreign leg if the payment service provider itself is a foreign or global player, such as Google.
The data relating to such transactions is often used by these companies for various purposes, including processing and data analysis such as financial profiling and credit scoring. This data is later used for further innovation of new products, targeted advertising or the offering of loans. The data localization requirements will mean major changes in the way these companies work, requiring a shift of such processing activities to India from the offshore servers where they are currently carried out.
Objections to the data localization mandate
On the one hand, companies like PayTM have come out in support of the RBI's requirements. Some payment systems already have local servers, including PayTM, Ezetap and RazorPay, which indicates that the biggest impact will be felt by global payment system players, which often have offshore data storage systems.
On the other hand, the announcement of the data localization norms in April also led to widespread objections in the industry, in particular due to the ambiguity of the requirements in the notice, the cost implications for the companies, and the security risk arising from the inability to maintain a backup of the data in another location, which is often done for purposes such as disaster recovery and business continuity.
‘Critical personal data’ under the data protection law
The ambiguity in the law is only furthered by the draft Personal Data Protection Bill, 2018, which also requires the storage of 'critical personal data' within India. This term is so far undefined, making it unclear what data cannot be taken outside India. A key consideration will also be how to separate 'critical personal data' from other categories of data that are not subject to these requirements.
Setting up a local entity in India
While data localization is the primary issue, other factors are contributing to the difficulties faced by these companies. WhatsApp, for instance, was recently asked by the Union IT and Law Minister Ravi Shankar Prasad to set up a local entity in India in order to be able to provide payment services. In fact, as per the NPCI's Procedural Guidelines for UPI, a payment service provider is required to be an entity regulated by the RBI. Many RBI-regulated entities, including payment banks and pre-paid payment instruments (mobile wallets), are required to be companies incorporated in India. Similar requirements are thus being imposed on UPI-related services as well.
Resolving the two-factor authentication issue
Another issue reportedly faced by Apple relates to the two-factor authentication requirement for a UPI-related payment service. As per the NPCI guidelines, the device fingerprint serves as the first factor of authentication, while the second factor (the additional factor of authentication, or AFA) may be either a PIN or biometrics.
Apple's payment service in other countries uses Touch ID, which stores the biometrics locally on the device and then uses them to authenticate transactions. The same system, however, cannot be used in India, since the NPCI guidelines permit only UIDAI-validated biometric authentication. In fact, the guidelines specifically note that locally stored biometrics will not be supported under this mechanism.
The introduction of payment services by these companies therefore additionally involves changes to their technical processes in order to comply with India's payment norms. In countries like the US, an AFA for payments is not mandatory. The RBI has shown some flexibility on the AFA through a relaxation for small value transactions below Rs.2000/-, when made offline using an NFC contactless card, or when made through the card network provided authentication solution introduced in 2016, which allows small value payments to be made with the login credentials used for that solution serving as the AFA instead of a PIN. Requirements for UPI, however, are defined by the NPCI and not the RBI, and so far there has been no relaxation of the AFA requirement for payments via UPI.
Increasing data localization requirements globally
Despite these issues, the primary issue faced by such companies remains data localization. Data localization norms are becoming common in various jurisdictions and can be found in China, Russia, Nigeria, Indonesia, Malaysia, Kazakhstan, Greece and elsewhere. Some jurisdictions impose sector-specific data localization requirements, such as for financial data or health data, whereas others like the EU allow data transfers subject to adequacy or cross-border data transfer requirements.
There are indications of the growing popularity of data localization laws globally, and India's new laws on the subject will certainly give added impetus to the trend. Concerns have been voiced that the short-term gains, in terms of increased local control, a boost to the local economy and job creation, will drive more jurisdictions to go the data localization way. In the long term, however, this might impede innovation, the free flow of information and the global nature of the business.
What is the motivation behind the data localization requirement?
An important factor is the lack of adequate understanding of the motives behind the introduction of data localization, be it by the RBI or under the draft data protection law. Further, there is no clarity on what alternatives were considered before settling on data localization as the means to fulfil those motives, or on why payment service providers were singled out by the RBI for this requirement.
For instance, the Circular mentions the need for continuous access. Some companies have suggested that if lack of access was the concern, a data mirroring requirement would suffice, without restricting the data to India 'only'. The Finance Ministry, in fact, suggested that the requirement would be relaxed to a data mirroring requirement instead of a localization requirement, but official rules have not been released on this as yet. Similarly, if privacy and foreign surveillance are the issue, could a robust data protection law or stringent security requirements offer a better solution?
The government needs to first clarify its motivations for imposing data localization, and follow this up with consultations on the best way to achieve those aims. A clearer understanding will help in assessing whether data localization is the only solution or whether alternatives are available. Given the consequences of data localization, such a discussion is necessary.
The author is a lawyer specializing in technology, privacy and cyber laws.