Reserve Bank of India's Clarifications to Data Localisation Order: Addressing Controversies and Concerns

By Gayatri Kasibhatta

The Reserve Bank of India (RBI) recently issued clarifications to its Data Localisation Order (the Order), a move that has generated significant discussion and debate. The Order requires all data related to payment systems to be stored in India, a measure that has been viewed by many as a controversial move by the central bank. The Order has been in place since April 2018, when the RBI mandated that all payment system providers in India must ensure that payment transaction data is stored in India. The Order was seen as a measure to boost cybersecurity and protect consumer data. It was applicable to all payment system providers, including banks, payment gateways, and payment aggregators. However, it generated controversy almost immediately, with many stakeholders in the payment system industry, including multinational companies, expressing concern that the requirement to store data in India would add unnecessary costs, create data duplication, and reduce efficiency. In addition, there were concerns that the Order would create barriers to entry for foreign companies looking to enter the Indian market.

In response to these concerns, the RBI issued clarifications to the Order in June 2019. The clarifications aim to address some of the concerns that have been raised, while maintaining the overall goal of protecting consumer data. The RBI’s clarifications provide more detail on the requirements for data storage in India. Specifically, the RBI has clarified that payment system providers are required to store the entire data related to payment systems in a system that is located only in India. This means that payment system providers must ensure that the primary data storage systems, as well as any backup systems, are located in India. The RBI has also clarified that payment system providers are allowed to store a copy of the data outside of India, for the purposes of business continuity or disaster recovery. However, the RBI has emphasized that the copy of the data stored outside of India must be encrypted, and that the data must be deleted from the offshore location as soon as it is no longer required.
 
Another important clarification made by the RBI is with respect to data storage arrangements between payment system providers and third-party service providers. The RBI has clarified that payment system providers must ensure that all data related to payment systems is stored only in India, even if the storage is done by a third-party service provider. In other words, payment system providers cannot outsource data storage to a service provider located outside of India. These clarifications address some of the concerns raised by stakeholders in the payment system industry. For example, the RBI’s clarification on the use of backup systems located outside of India will help reduce concerns about data duplication and redundancy. The clarification on data storage arrangements with third-party service providers will help ensure that all payment system providers are held to the same standards, regardless of whether they use a third-party service provider. However, there are still some concerns about the Order that have not been addressed by the RBI’s clarifications. For example, some critics argue that the Order is a protectionist measure that will create barriers to entry for foreign companies looking to enter the Indian market. Others argue that it will lead to unnecessary costs and reduced efficiency for payment system providers.
 
Despite these concerns, the RBI claims that the Order is necessary to ensure the security of consumer data. The RBI has pointed to several recent data breaches in India, including the breach of the Aadhaar database, which contained the personal information of over 1.1 billion Indians. The RBI argues that the Order will help prevent similar breaches from occurring in the future. The RBI’s clarifications to the Order have been welcomed by some in the payment system industry, who see them as a step towards reducing uncertainty and clarifying the requirements for compliance. However, others argue that the clarifications do not go far enough in addressing the concerns of the industry and may still pose challenges for payment system providers.
 
For example, the cost of complying with the Order may be significant, particularly for smaller payment system providers. In addition, the requirement to store data only in India may create operational challenges, particularly for multinational companies that operate in multiple jurisdictions. These challenges may lead to reduced efficiency and increased costs for payment system providers. Furthermore, some experts argue that the Order may not be effective in achieving its stated goal of protecting consumer data. They argue that data breaches can occur regardless of where data is stored, and that the most effective way to protect data is to implement strong cybersecurity measures and best practices.
 
In summary, the RBI’s clarifications to the Data Localisation Order have provided more detail on the requirements for data storage in India, which has been welcomed by some in the payment system industry. However, concerns about the cost and operational challenges of complying with the Order, as well as doubts about its effectiveness in protecting consumer data, continue to be raised. As the industry adapts to the new requirements, it remains to be seen how the Data Localisation Order will impact the payment system industry in India, and whether it will achieve its intended goals of improving cybersecurity and protecting consumer data.