Tech Giants Agree to Store Data LocallyComplying With RBI's Mandate for Domestic Storage of Payment Data
Google, Facebook, Amazon and Microsoft. along with major payment firms, have indicated they plan to comply with the Reserve Bank of India's payment data localization mandate and meet the Oct. 15 deadline (see: Cloud Data Storage Localization: Key Concerns) .
These companies had originally protested the mandate that all payments-related transactional data of Indian consumers be stored in India, saying that would require a substantial investments in ramping up their data storage centers in India.
But local payments processing companies, including Paytm, MobiKwik and PhonePe, voiced support for the mandate.
Other international companies doing business in India also could soon face new data storage requirements. The draft of a data protection bill, to be considered by Parliament, would require a copy of all Indians' data be stored domestically (see: Data Localization Proposal Needs Refinement).
But some security experts question whether the domestic data storage mandates will actually help bolster security, arguing that a better strategy would be to mandate data storage meet international data security and encryption standards.
Storing Data Locally
The Consultative Group to Assist Poor, or CGAP, a World Bank group, says over two dozen countries are mandating local storage of at least certain data. Earlier this year, India joined Russia, China, Indonesia, Vietnam, Kenya, Rwanda, Pakistan and Nigeria, among others, in issuing a mandate.
The RBI and the government of India say that storing payment-related data in India makes it easier to monitor transactions and to have better access control on the data to reduce the risks from data breaches (see: RBI Mandated Domestic Storage of Payments Data).
The goal is to make it easier to conduct investigations of fraud and crime that involve the the misuse of data.
Complying with Data Storage Mandate
Recently, e-commerce giant Amazon formed a team in India to establish a mechanism for local storage. And it has agreed to share customers' payment-related data with the Indian government when required for criminal investigations, Sputnik reports.
During a recent meeting of Google CEO Sundar Pichai and IT minister Ravi Shankar Prasad at Google's headquarters in Mountain View, Google agreed to comply with the payment data storage mandate, seeking an extension until December to comply, a senior government official told Livemint. Later, Google agreed to abide by the regulator's deadline.
Google Pay, the digital wallet Google's developed, has access to the financial data of Indians.
Impact of the Storage Shift
Many payment companies use global cloud service providers that could be storing data outside India. Compliance will greatly impact Google and WhatsApp, because they are both launching payment services through Unified Payments Interface, a real-time payment system developed by National Payments Corporation of India.
"Obviously, their servers are in the U.S.," says the vice president of a data center in India, who requested anonymity. "They must relook at their policy, but infrastructural issues shouldn't be a problem. RBI's deadline's good enough."
In an interview with Economic Times, Rajan Anandan, vice president, Google India and South East Asia said, "We follow local laws and local legislation; we will comply with whatever India decides."
RBI says that currently, only a handful of payment companies in India and their outsourcing partners store user data, partially or completely, domestically.
China's Jack Ma-led Yun, executive chairman of Alibaba Group, which has invested in home-grown online payments leader Paytm as well as startups, including Zomato and BigBasket, has supported the Indian government's decision to mandate the storage of payment data in India.
Ensuring Security Locally
Some security experts contend that storing payment data in India won't improve security. They argue that what's important is how data is governed for compliance and security, not where it's stored.
"Financial services providers in many developing countries lack the cybersecurity skills and technologies to fend off sophisticated attackers and cannot afford investing in them," says Silvia Baur-Yazbeck, financial sector analyst, policy, at CGAP.
She argues that rather than mandating local storage of data, governments are better off requiring compliance with data security and encryption standards.
In a blog post, PhonePe, the financial technology company in India, says data localization will make India's digital payments ecosystem much more resilient to foreign attacks and global politics. It argues it also will allow for better regulatory oversight and plug business jurisdiction-related loopholes that some foreign companies have long exploited to evade paying fair taxes in India.
Rajesh Maurya, regional vice president for India and SAARC at Fortinet, says that storing data locally can help ensure better visibility and control.