The Reserve Bank of India’s (RBI’s) proposal that digital payment companies store all user data in India by October is both unnecessary and misguided. If the RBI’s underlying concern relates to ensuring the Indian government’s access to data for regulatory oversight, that’s simply no justification for such a data localization policy. Firms can readily use the convenience of modern information technologies (such as cloud computing) to facilitate such access with the click of a button. Where the data is stored is irrelevant in this scenario.
If the RBI persists with its proposed requirement that firms store data locally (or even store a copy of the data locally, a concept known as data mirroring), it reveals that concerns about regulatory oversight are simply cover for protectionism.
It’s completely understandable for the RBI to review whether its regulatory arrangements reflect best practices in the era of digital technologies and fast-growing payment services. However, the first question should be: What is the actual problem that the RBI is trying to address?
If the concern is having access to transaction data for regulatory purposes, then that is where the RBI should focus its attention. As part of any review, if the RBI reports that it is having issues with payment services firms not providing timely access to data, it should publicize these cases and pursue legal remedies against these firms, whether this involves revoking operating licences or imposing fines.
If these remedies have proven insufficient, then this should also be part of any policy revision to ensure firms comply in the future. If firms are not providing the RBI with access to data due to privacy rules or due to other countries themselves enacting some form of data localization (creating a “Catch 22” situation for companies caught in the middle), then this also deserves to be highlighted as it will be of broader interest to policymakers and other financial regulatory agencies.
Moreover, if the RBI enacts this data localization requirement, it will create a trade barrier and present another issue of contention in its trade relationship with the US, the European Union, and others. Forced data localization discriminates against firms (whether domestic or foreign multinationals) that use foreign data services, as it forces them to use or set up local services when they otherwise would not.
This adds a duplicative cost that makes these firms and their services less competitive compared to local firms, which may only use domestic data services. Data localization also stops these firms from exporting data from India, which affects the services these firms are able to provide, such as fraud detection and prevention, and their ability to use data from India to create innovative new service offerings.
Unfortunately, the RBI is not alone in misguidedly thinking that data localization is the only way to enforce data-handling requirements of these firms that use foreign data services. While any country can demand extraterritorial application of its laws, it isn’t always going be able to enforce them. In such cases, what’s critical is whether a firm has a local presence in a country, such as office and foreign workers, that makes it feasible for a country to enforce its laws.
What this means is that most of these firms that use foreign data services can’t avoid regulatory enforcement in India by simply transferring data out of the country. Given the size and importance of India’s payment services market, the large foreign payment services firms, such as Visa and Mastercard, would have a tangible presence in India for authorities to target if they do not abide by regulatory oversight.
There’s the possibility that the data localization proposal will never materialize as it may have been based upon political posturing in the run-up to local elections. Or it may simply reflect the views of a particular part of the Indian government that will be subsequently overruled by other agencies and private sector stakeholders. However, the earnest debate that the proposal has initiated points toward a genuine desire among certain Indian policymakers to use data-related policies to give local firms an unfair advantage over their foreign competitors.
Indicative of this preference for digital protectionism is the fact that data localization is a part of India’s National Telecom Machine-to-Machine road map and been raised as an idea in the debate around India’s draft privacy framework. In essence, this approach resembles the application of tried-and-failed infant industry support programmes for local and inefficient manufacturing sectors in the 20th century, but applied to 21st-century digital services.
The fact that India’s largest digital payment providers, Paytm and PhonePe, want data localization reflects that there’s support in India’s private sector to get the government to embrace digital protectionism as an industrial development strategy. Yet, such support is rather short-sighted, especially if either of these (and other) local firms harbour global ambitions, as they’ll soon realize how the spread of such policies would place them at a disadvantage to local firms in other markets, never mind the impact that the spread of such data localization policies would have on India’s export-focused services sector.
Instead, these firms and the Indian government should focus on any underlying policy issues around regulatory access to data and on the broader issues that need to be addressed in order to improve access and use of digital payment services in the country.
Nigel Cory is an associate director covering trade policy at the Information Technology and Innovation Foundation.
Comments are welcome at theirview@livemint.com