The regulatory problem is access to data for lawful needs. Data localization is one of the many possible solutions. Alternative solutions should be evaluated based on them being in consumers’ interest and enabling a competitive market.
In the early part of the last decade, I was advising a small country on pension reforms. They decided to invest the public money in hydel power projects.
This solved the problem of “where to invest” as there was no securities market to speak of and the power projects “needed funding”.
Investing in the state airline was the second idea. It took a while to agree that investing hard-earned pension money in unviable hydel projects was a poor idea and the entire pension portfolio could crash if a plane did.
The policy makers were not thinking “what would be in the best interest of the consumers?” Instead, they were thinking “how to solve multiple problems” at once.
The broader push around data localization is perhaps an attempt to solve too many objectives, i.e. easy enforcement, data sovereignty as “data is the new oil” and promoting data centres in India.
It risks solving neither. In the case of the Reserve Bank of India, the situation became more challenging as the policy debate began after the solution was notified. From an industry perspective, in many cases, including this one, there is no “one industry view” as the impact varies based on the firms’ business models.
The real problem is around objectives and process.
Firms which might benefit in one policy are likely to suffer on another.
The regulator too can lose flexibility—risk being labelled as obstinate or as buckling under pressure. The consumer protection objective can get relegated to the back. Therefore, there is a need for clear objectives and robust processes which seem to be somewhat lacking in the case of RBI’s notification. In contrast, the personal data protection Bill is going through a fairly detailed consultative process.
It can be difficult at this stage to take a step back to review the scale of the problem and efficacy of alternative solutions.
That is exactly what might be needed. Say, out of total 100 transactions, the RBI needed to access data in 10 instances and it faced problems in five instances. Does that require this notification? If such cases were, say 20, it would seem to be a wider problem to solve. Here again, penal actions, even cancellation of authorization, could be effective.
If some countries refuse to permit sharing of data by the firms storing data of Indians in their country, these countries could be blacklisted even as efforts are made to improve bilateral mechanisms. Even in an extreme scenario, mandating data storage only in India might need to be further studied, as a copy might serve well.
In the absence of regulatory guidance in the primary law around the regulatory objectives and robust consultation process, we might continue to solve for the symptoms.
In this context, the recent draft bill to amend the Payment and Settlement Systems Act, 2007, makes a good beginning.
Ashish Aggarwal is senior director and head (public policy) at Nasscom.