General Studies IIIBankingEconomyRBI

RBI barred three foreign card payment network firms

Context:

Recently, the Reserve Bank of India (RBI) has barred three foreign card payment network firms – Mastercard, American Express and Diners Club — from taking new customers on board over the issue of storing data in India.

Key Highlights:

  • As many as five private sector banks, including Axis Bank, Yes Bank, and IndusInd Bank, are to be impacted by the RBI’s decision.
  • The Personal Data Protection Bill also has provisions pertaining to ‘data localisation’.
  • Mastercard is the third card network to be barred by RBI this year, after American Express and Diners Club were similarly prohibited from onboarding new customers in April.
  • This leaves just Visa and Rupay as the only card networks allowed to take in new customers.
  • The RBI had also prohibited private sector lender HDFC Bank from adding new credit card customers and launching digital businesses in December last year.
  • The action was taken after HDFC Bank’s digital payment services were hit by a series of technical outages.
  • The RBI order will not affect existing customers of Mastercard.
  • Also, a majority of banks are not expected to be affected as they often have relations with multiple networks and thus could continue to issue debit and credit cards using Visa or Rupay networks.

RBI Data Localisation Norms

  • Data localisation is storing of data on a device physically present within the borders of the country where the data was generated.
  • RBI, in April, 2018, gave 6 months time to global payment companies to store transaction data of Indian customers within India.
  • The data should include the full end-to-end transaction details, information collected/carried/processed as part of the message/payment instruction.
  • The requirements apply as those mentioned in the draft data protection bill and draft national e-commerce policy framework.

Reason of Non- Compliance given by Card Payment Network Firms:

High Cost:

Payment firms like Visa and Mastercard, which currently store and process Indian transactions outside the country, have said their systems are centralised and expressed the fear that transferring the data storage to India will cost them millions of dollars.

Localization Demands from Other Countries:

Once it happens in India, there could be similar demands from other countries, upsetting their plans.

Lack of Clarity:

While the Finance Ministry had suggested some easing of norms in transferring the data, the RBI has refused to change, stating that the payment systems need closer monitoring in the wake of the rising use of digital transactions.

What is RBI’s rationale?

  • The move was to ensure better monitoring of payment service operators.
  • Data localisation would offer supervisory access to data stored with these system providers.
  • It also gives access to data stored by their service providers/ intermediaries/third party vendors and other entities in the payment ecosystem.
  • National security and data sovereignty are other reasons for data localisation rules.
  • As, it is possible that data could be indicted if it is stored on American servers and India faced US sanctions.

Importance of Data localization

  • The main intent behind data localisation is to protect the personal and financial information of the country’s citizens and residents from foreign surveillance and give local governments and regulators the jurisdiction to call for the data when required. Revelations of social media giant Facebook sharing user data with Cambridge Analytica, which is alleged to have influenced voting outcomes, have led to a global clamour by governments for data localisation.
  • For national security: Storing of data locally is expected to help law-enforcement agencies to access information that is needed for the detection of a crime or to gather evidence. Where data is not localised, the agencies need to rely on mutual legal assistance treaties (MLATs) to obtain access, delaying investigations.
  • On-shoring global data could also create domestic jobs and skills in data storage and analytics too.
  • According to Justice Srikrishna Committee reportdata localisation is critical for law enforcement. Access to data by Indian law agencies, in case of a breach or threat, cannot be dependent on the whims and fancies, nor on lengthy legal processes of another nation that hosts data generated in India.
  • Technology playfields are not even. A developing country such as India may be playing catch-up with a developed nation, which may be willing to
  • offer liberal laws. It may not be wise for India to have the liberal rules as other nations would.

 Limitations to data localization

  • Global players like banks, e-commerce majors, fin-tech service providers and credit card companies prefer to store and process data at one or two global centres.
  • So moving processes implies higher costs and disruption for them.
  • New teams must be hired and trained, and security procedures have to be reviewed and modified.
  • Local infrastructure in India suffers from severe deficiencies.
  • Indian data-transmission speeds are slow by global standards.
  • Server capacity is low and costs are high, and likely to rise as demand is artificially boosted.
  • So RBI’s insistence may lead to a situation where smaller payment companies stop offering services in India.
  • It will also impose higher costs on the start-up ecosystem since any Indian start-up will pay higher costs to include payment options.

  • Legal – The Srikrishna Committee recommendations on data protection are now only open for public feedback.
  • So as of now, India neither has a functioning data protection law nor adequate security standards in practice.
  • Evidently, there have been instances of massive leaks and hacks of sensitive information, including payment records.
  • Surveillance – Law and order departments and security agencies currently operate in a legal vacuum, making surveillance another grey area.
  • They can search and survey all sorts of digital data without any checks or balances.
  • Indeed, there is evidence that foreign intelligence agencies also collect a massive amount of Indian data and meta-data.

B N Srikrishna Committee report on data protection

  • The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
  • Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
  • The law will not have retrospective application and it will come into force in a structured and phased manner.
  • The Aadhaar Act needs to be amended to bolster data protection.
  • An independent regulatory body called Data Protection Authority(DPA) will be responsible for the enforcement and effective implementation of the law.
  • The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA.
  • Penalties may be imposed for violations of the data protection law.
  • The state can process data without consent of the user on ground of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and Reasonable purpose.
  • The law will cover the processing of personal data by both public and private entities.
  • Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
  • Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses.

Way Forward

  • It is necessary for all entities to comply with the RBI’s localisation mandate. At the same time, however, it’s true that hard localization may impact India’s payments ecosystem.
  • To have a more effective mechanism for law enforcement, India needs to move beyond MLAT (Mutual Legal Assistance Treaty), which is slow and ineffective, to a system based on bilateral treaties on data transfers with the European Union, UK and the US.
  • The idea must be to ensure that Indian law enforcement requirements of access to data are met in a timely manner while at the same time allowing data flows to foster innovation and trade in the tech ecosystem.

Source: The Hindu

You can find many articles on ECONOMY (part of GS III) in our website. Go through these articles share with your friends and post your views in comment section.

Leave a Reply