The e-commerce industry drives entrepreneurship; thus, it is an integral part of our growing economy. According to the Digital Trade report, the export value of virtual goods and services could grow from the current value of $58 billion to $197 billion by 2030 with the use of digital trading tools like e-commerce. However, there are some concerns about transparency in data management. Indian businesses are still facing challenges concerning the infrastructure, such as research on international market demands, digital promotions of their products, and building global networks.
India is anticipating regulations for data protection. With a massive increase in data generation by connected internet users, there is a need for data center infrastructure in India. The Reserve Bank of India (RBI) had issued a directive on April 6, 2018, advising all system providers to store all data related to payment systems operated by them in India.
The central bank included the following guidelines:
- There is no bar on the processing of payment transactions outside India, but once the processing is complete, the data should be deleted from the systems abroad. The data should be brought back to India not later than one day or 24 hours from the time of payment processing.
- The payment system data may be shared with overseas regulators with prior approval from the Reserve Bank of India.
- The data storage norms will apply to all banks operating in India, with some exceptions, like foreign banks that are permitted to store their banking data abroad.
- The domestic payment transactions are to be stored in India along with end-to-end transaction details and information related to payment and settlement transactions. These may include customer name, mobile number, e-mail address, Aadhaar card number or PAN, beneficiary details, and payment credentials like One Time Password (OTP), PIN, and passwords.
- For cross-border transactions that include data with a foreign component and a domestic component, a copy of the domestic component may be stored abroad, if required.
- System providers are to ensure compliance with the directive within six months and report it to the Reserve Bank of India.
These regulations have affected Payment System Operators (PSO). Companies like Mastercard, Visa, American Express, Amazon, Facebook, Microsoft, and PayPal have been impacted deeply. Indian firms like Paytm and PhonePe have endorsed data localization as it would allow better monitoring of businesses and restrict any malpractices from foreign companies.
From the perspective of several Fin-tech companies, the physical location of data may be immaterial. These MNCs operate in multiple geographical locations. Restricting the free flow of data may be unproductive for them. Localization of data just for the transactions done from and within India may increase the cost of operation and compliance. Another concern, according to the report titled “Digital Technology Policy for India’s USD 5 Trillion Economy”, is that storing all the critical data in one place could increase the risk of data loss owing to cyber-attacks, foreign surveillance, and other threats. It may also affect the Indian economy adversely.
However, India is converging towards data protection by formulating necessary laws and regulations. In his speech at the 48th World Economic Forum, Davos, our Prime Minister, Mr. Narendra Modi, said, “Today, data is real wealth, and it is being said that whoever acquires and controls the data will have hegemony in the future. The global flow of data is creating big opportunities as well as challenges”.
In June 2019, India refused to sign the Osaka Track, a framework for cross-border data flow, at the G-20 summit stating that it would undermine the principles of the World Trade Organization (WTO).
Efforts are being made for a smooth transition to data localization. Recently, a meeting was held between the Fin-tech companies and the Commerce and Industry Minister, Piyush Goyal. Extensive consultation was held to discuss their concerns and take suggestions for building a robust data protection framework. It was also conveyed at the meeting that India will not allow multi-brand retailing by foreign companies. The government was ready to incentivize IT and e-commerce firms to set up base in India.
Given these progressive steps, with the limitations that need to be worked through, data security in India is exploring newer horizons, and data localization is gaining momentum.