New Delhi: The Reserve Bank of India (RBI) will examine concerns around its strict data localisation rules that require storing of customer data exclusively in India without creating mirror sites overseas, the government said Tuesday.
In April last year, the RBI asked payment firms to ensure their data are stored exclusively on local servers, setting a tight six-month deadline for compliance. That deadline was said to have been missed by some foreign firms including credit card giants Visa and Mastercard.
Commerce and Industry Minister Piyush Goyal on Monday held extensive consultations with e-commerce and tech industries on data protection and privacy in India, a statement by his ministry said.
“All the companies who were represented in this meeting put forth their concerns related to RBI data storage requirements and processing related guidelines issued by the RBI. Deputy Governor of RBI, BP Kanungo, assured the industry representatives that the Reserve Bank of India will look into this,” it said.
Consequently, the RBI in April 2018 put out a circular requiring that all “data relating to payment systems” are “stored in a system only in India” within six months.
International giants usually store data on global servers, and the requirement to store data locally would require them to make an additional investment. Policymakers in India, however, believe storing data locally would help monitor and conduct investigations if the need arises.
Also read: How Can India Get Better Data Processing Laws?
Besides the RBI rule, concern was also expressed at the meeting about a draft e-commerce policy that requires exclusive local storage and processing of data generated by users in India from various sources including e-commerce platforms, social media and search engines.
While domestic companies such as Reliance Jio have spoken up in support the government’s data localisation efforts, others like Facebook, Amazon, Microsoft, and Mastercard have led the way in opposing it.
“The e-commerce industry representatives also put forth their concerns before the Commerce Minister about the e-commerce draft policy which they felt was not adequately consultative,” the statement said adding Goyal assured them that each concern of the industry would be addressed provided e-commerce representatives send their concerns in writing within ten days.
On a draft data protection bill released in July 2018 that proposes a requirement for data localisation as a remedy to concerns about protection of personal data, industry representatives told the Minister that though the consultations on it were satisfactory, a lot of time had elapsed, and they were not sure about the final shape of the Bill.
“Secretary Ministry of Electronics and Information Technology (MeitY), Ajay Prakash Sawhney, assured the e-commerce companies that the Bill would reflect all the consultations that had taken place with the industry during the formulation of the Bill,” the statement said.
Also read: India’s Proposed Data Protection Measures Don’t Do Enough to Protect Data or Privacy
The statement said principles of data protection and privacy were discussed at length in Monday’s meeting and industry representatives requested Goyal to ensure that the Bill will have more clarity around the classification of data and the manner of cross border flow of data.
“Commerce Minister assured that MeitY will address this concern too,” it said.
E-commerce and tech companies also informed him that the data free flow discussed in the recent G20 Ministerial Meeting on Trade and Digital Economy was a positive development for India in principle and the country must participate in the discussions on digital trade. Issues of concern for the country must be taken up as and when they arise during the G20 discussions.
The commerce minister responded that MeitY and National Association of Software and Services Companies (NASSCOM) may deal with the concerns of companies who build products in India and store their data in the country and the Bill must reflect this.
E-commerce and tech companies across all segments, foreign MNCs participated in the meeting that was called to “understand their concerns and take their suggestions towards building a robust data protection framework that will achieve the dual purpose of privacy and innovation and strengthen India’s position as a global tech leader with focus on trust and innovation,” the statement said.
NASSCOM President Debjani Ghosh underlined the need for harmony across all policies of all ministries and the RBI which deal with digital trade, the statement added. The meeting was attended by Secretary Department for Promotion of Industry and Internal Trade (DPIIT), Secretary Department of Commerce, Secretary MeitY, deputy governor of RBI, senior officials from Ministry of External Affairs and Mastercard CEO Ajay Banga.
Furthermore, sources said the participants were informed that if data generated in India is sent abroad for processing, it has to be brought back within 24 hours.
Also read: The Good, Bad and Ugly on India’s Template for How Your Data Will be Protected
“It was told that India will not allow multi-brand retailing by foreign companies, and they e-retail firms can only be an agnostic platform. It was also informed that the government can incentivise IT and e-commerce firms to set up base in India,” they said.
Companies that participated in the meeting include Reliance Jio Infocomm, Vishal Mega Mart, UrbanClap, Etsy India, OLA, Makemytrip, Infibeam, Shopclues, Yatra, Snapdeal, Medikabazaar, Paytm, Infosys, Wipro, Tech Mahindra, Quatrro, Cognizant, Genpact, e-bay, Facebook, Dell, Amazon, SAP, Google, Paypal, IBM, VISA, Flipkart, Microsoft, and American Express.
(PTI)