Technology Law + Regulatory Hotline: Digital Privacy: First Step Towards Data Localization


Posted on 13 April at 18:24


April 13, 2018

DIGITAL PRIVACY: FIRST STEP TOWARDS DATA LOCALIZATION


  • All payment system data to be only in India. Data of a foreign leg in a transaction can be stored in the foreign country.
  • Applicable to all payment system operators in India, including MNCs operating in India. Six months for payment system operators to comply.
  • Types of data to be localized and meaning of a ‘foreign leg of a transaction’ unclear.

BACKGROUND

India’s central bank, i.e. the Reserve Bank of India (“RBI”), has issued a notification[1] directing all payment system[2] providers to ensure that the entire data relating to the payment system operated by them are stored in a system only in India (“Notification”).

In the Notification, the RBI observed the recent growth in the Indian digital payment ecosystem, for which security measures on a continuous basis are necessary. This move appears to be one of the steps to be implemented by the RBI towards that goal.

NOTIFICATION

  1. The Notification directs all digital payment system providers to ensure that the entire data relating to payment systems operated by them are stored in a system only in India.
  2. The data to be stored only in India includes “full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction.”
  3. For a foreign leg of a transaction (if any), the data could also be stored in the foreign country if required.
  4. Payment system providers need to comply with the Notification by October 15, 2018, and a compliance report is to be submitted to the RBI by the end of the year.

ANALYSIS

Although the intent of the RBI appears to be clear in the Notification, there are a few issues and ambiguities that may arise in complying with the Notification.

  1. ‘Data stored in a system only in India’:

    One issue that may arise on a plain reading of the Notification concerns the requirement that data be stored in a system ‘only’ in India. It is not apparent from the language of the Notification, and the RBI has not clarified, whether this requirement operates as a prohibition on also storing copies of the data elsewhere (where there is no foreign leg to a transaction). With several international companies operating in India, this creates an ambiguity as to whether copies of such data could be transferred overseas.

  2. ‘Foreign Leg of the transaction’:

    The Notification has provided an exemption to the localisation requirement, i.e. data of a foreign leg of a transaction can be stored in the foreign country. However, the term ‘foreign leg of a transaction’ has not been clearly defined, and this may create interpretation issues as to what actually constitutes a ‘foreign leg of a transaction’ and what data could relate to such a foreign leg.

    One interpretation of the term could be that international payment system providers could store the entire data of a transaction overseas, claiming that since they are foreign companies, the entire set of data pertains to a ‘foreign leg’. On the other hand, the RBI could go to the extent of saying that the ‘foreign leg’ is restricted to merely the name of the foreign party to whom the payment is being made and the amount of such payment, thus not permitting other types of data in the transaction to be stored overseas.

  3. Meaning of ‘data’:

    The term ‘data’ has not been defined in the Notification. The Notification provides that “data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction.” It may not be clear what constitutes ‘end-to-end’ data. It may also mean that ‘personal data’ of an individual within a particular transaction could be included in the meaning above and, if so, such personal data of the individual would need to be stored only in India and cannot be transferred overseas.

  4. Concerns for multi-national companies (MNCs):

    MNCs may have to comply with numerous international compliance requirements across various jurisdictions, especially for anti-money laundering / countering financing of terrorism and to detect tax evasion. Without the ability to export payment system data from India, compliance with these requirements may be seriously affected. This may also result in a conflict between Indian law and the foreign law requirements applicable to such MNCs.

CONCLUSION

Keeping in line with recent global concerns on data security and data sovereignty, the Notification is a bold attempt by Indian regulators to keep data within Indian borders. However, in the absence of clear definitions, the applicability of the localization requirements will be tested, especially as far as multi-national payment processors and card networks are concerned. Also, given the fact that the Indian Government is in the process of framing a new data protection law for the country, it would be interesting to see if the Government is persuaded to implement such data localization requirements for other types of information and in other industries.

– Arvind Ravindranath, Aaron Kamath & Huzefa Tavawalla

You can direct your queries or comments to the authors


[1] Notification on Storage of Payment System Data, dated April 6, 2018. Available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0. Last accessed: April 12, 2018.

[2] Section 2 of the Payments and Settlement Systems Act, 2007 defines ‘payment system’ as a “system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange; Explanation — For the purposes of this clause, “payment system” includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.”




DISCLAIMER

The contents of this hotline should not be construed as legal opinion.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.
