Ikigai LawIkigai LawIkigai LawIkigai Law
  • About Us
    • About
    • Our Team
    • FinTales
    • Tech Ticker
  • Practice Areas
  • Blog
  • News & Events
    • Ikigai Law in the news
    • Ikigai Law at events
    • Ikigailaw on the social media
  • Careers

Data localisation in the payment ecosystem

    Home Data Governance Data localisation in the payment ecosystem
    NextPrevious

    Data localisation in the payment ecosystem

    By Ikigai Law | Data Governance | 0 comment | 4 July, 2018 | 5

     

    On 6th April, 2018, the Reserve Bank of India (RBI) issued a notification (Notification) mandating that all data related to payment systems be locally stored only in India (Data Localisation Mandate).[1] System providers were required to comply within 6 months, and report such compliance to the RBI by 15th October, 2018.

    System providers must also submit a System Audit Report to the RBI, by auditors empaneled with Indian Computer Emergency Response Team (CERT-IN), by 31st December, 2018.

     

    I. Who is affected by the RBI Circular?

    a. The Notification was issued under the Payments and Settlements Act, 2007 (Act). It applies to system providers. A system provider has been defined under the Act to be “a person who operates an authorized payment system.”[2] System providers include all entities that operate payment systems.[3] Therefore, banks and other financial service providers that operate payment systems are obligated by the Notification to store all the data “relating to payment systems” only in India.

     

    II. What is data “relating to payment systems”?

    a. The Notification defines data “relating to payment systems” broadly to include  “end-to-end transaction details” and information that is either collected or shared or processed as a component of payment instruction[4] within a payment system.

     

    III. Does the Notification apply to foreign data?

    a. Data of the “foreign leg of the transaction” may be stored in another country.

    b. However, the requirement to store all the data “relating to payment systems” only in India under the Data Localisation Mandate prohibits even copies of such data from being stored outside India.

    c. The Notification does not address the conflict between the Data Localisation Mandate and applicable data localisation requirements of another country, if any.

    d. The failure to address such a conflict of laws may be a result of the absence of statutory authority of the RBI to regulate data in the “foreign leg of the transaction” under the Act. The statutory provision that allowed the RBI to issue the Notification empowers the RBI to lay down policies for the regulation of payment systems with regard to domestic transactions only.[5]

     

    IV. Other Instances of Data Localisation.

    Some other instances of data storage and localisation requirements in the context of financial investments and financial service providers are as follows:

    a. Master Direction on Issuance and Operation of Prepaid Payment Instruments, 2017[6]: Issuers of Prepaid Payment Instruments (PPI) are required to localize data of all PPI transactions for ten years.

    This direction also mandates PPI issuers to comply with the operative regulatory frameworks in relation to cross border flow of data out of India and location of infrastructure.[7]

    b. Foreign Direct Investment Policy, 2017:

    Under the Foreign Direct Investment Policy, 2017 (FDI Policy), foreign investment in specified broadcasting carriage services is subject to localisation of “subscribers databases” by the beneficiary company in India, unless permitted otherwise.[8] In addition, such beneficiary companies are also required to provide “traceable identity of their subscribers.”[9]

     

    V. What reasons has the RBI given for mandating data localization?

    In the Notification, the RBI identifies two main reasons for requiring data localization:

    a. Surveillance and Monitoring

    Unrestricted surveillance of the data within the payment ecosystem is one of the reasons provided for the Data Localisation Mandate. The Statement on Development and Regulatory Policies of the First Bi-monthly Monetary Policy Statement for 2018-19 (Statement) referred to continuous surveillance as an essential component to address data protection concerns.[10]

    b. Exclusive Control of Data

    The Statement also referred to the necessity for “unfettered access to all payment data for supervisory purposes”.[11] Further, recognising the need for robust safeguards in payment systems, the Notification cited the need for effective monitoring through “unfettered supervisory access” to data available with the system providers and their intermediaries in the payment ecosystem.[12]

    Reading the two together, it may be inferred that the Statement and the Notification frame the Data Localisation Mandate in context of the ability of the RBI to retain exclusive control over the data within the payment ecosystem for effective monitoring.

     

    [This post is authored by Pushan Dwivedi, Associate, with inputs from Nehaa Chaudhari, Public Policy Lead, TRA.]

     

     

     

    [1] ¶2, Storage of Payment System Data (6th April, 2018) available at  https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0.

    [2] S. 2(q), Payments and Settlements Act, 2007:

    “a person who operates an authorised payment system.”

    [3] S. 2(1)(i), Payments and Settlements Act, 2007:

    “a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange;

    Explanation.- For the purposes of this clause, “payment system” includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.”

    [4] S. 2(1)(g), Payments and Settlements Act, 2007:

    ““payment instruction” means any instrument, authorisation or order in any form, including electronic means, to effect a payment,

    (i) by a person to a system participant; or

    (ii) by a system participant to another system participant.”

    [5] S. 18, Payments and Settlements Act, 2007:

    “Without prejudice to the provisions of the foregoing, the Reserve Bank may, if it is satisfied that for the purpose of enabling it to regulate the payment systems or in the interest of management or operation of any of the payment systems or in public interest, it is necessary so to do, lay down policies relating to the regulation of payment systems including electronic, non-electronic, domestic and international payment systems affecting domestic transactions and give such directions in writing as it may consider necessary to system providers or the system participants or any other person either generally or to any such agency and in particular, pertaining to the conduct of business relating to payment systems”.

    [6] ¶6.3, Master Direction on Issuance and Operation of Prepaid Payment Instruments, 2017.

    [7] ¶17.4.e.(iii), Master Direction on Issuance and Operation of Prepaid Payment Instruments, 2017:

    “PPI issuers shall adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders.”

    [8] ¶1.3.(ix), Annexure 7, Foreign Direct Investment Policy, 2017:

    “The Company shall not transfer the subscribers’ databases to any person/place outside India unless permitted by relevant law.”

    [9] ¶1.3.(x), Annexure 7, Foreign Direct Investment Policy, 2017:

    “The Company must provide traceable identity of their subscribers.”

    [10] ¶4, Storage of Payment System Data, Statement on Development and Regulatory Policies, Reserve Bank of India (5th April, 2018) available at https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=43574.

    [11] ¶4, Storage of Payment System Data, Statement on Development and Regulatory Policies, Reserve Bank of India (5th April, 2018) available at https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=43574.

    [12] ¶2, Storage of Payment System Data (6th April, 2018) available at  https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0.

    Data Localization, Ikigai Law, Payment Ecosystem, Payment Instruction, Payment Systems, Payments and Settlements, Prepaid Payment Instruments, Reserve Bank of India, Surveillance and Monitoring, System Providers, TRA, TRALaw, Unfettered Access

    Ikigai Law

    More posts by Ikigai Law

    Related Post

    • The Data Localization Debate in International Trade Law

      By Ikigai Law | 0 comment

      Background In recent years, proponents of data globalization have been at loggerheads with the proponents of data localization. The former have been promoting free and open flow of data across borders, while the latter haveRead more

    • Going Crypto in Nigeria: A Comparative Approach to the Regulation of Digital Currencies

      By Ikigai Law | 0 comment

      Cryptocurrencies, or digital currencies secured using encryption techniques, have seized the imagination of a motley crew of anti-capitalists, financial experts and computer scientists. At the same time, cryptocurrencies operate outside the purview of central banksRead more

    • Stakeholders’ responses to the White Paper on a data protection framework in India

      By Ikigai Law | 0 comment

      In a 4 part series, we have mapped the publicly accessible opinions of 27 stakeholders on the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27th November, 2017Read more

    • Stakeholders’ responses to the TRAI privacy consultation paper

      By Ikigai Law | 0 comment

      In a 12 part series, we have mapped stakeholders’ comments to the Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector by Telecom Regulatory Authority of India (TRAI). In order toRead more

    • Mapping comments to the Srikrishna Committee on data protection (Part IV): Grounds of processing

      By Ikigai Law | 0 comment

      This note maps the opinions of some stakeholders to the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27th November, 2017 (“White Paper”). While all responses toRead more

    Leave a Comment

    Cancel reply

    Your email address will not be published. Required fields are marked *

    NextPrevious

    Tags

    #DataProtection #Fintales bitcoin Blockchain Budget Consent Consultation Consultation Paper cryptocurrency data Data Controllers data governance Data localisation Data Protection Data Subjects digital economy Digital India Digital Lending Drones E-Commerce Facebook Fintech Government healthtech Ikigai Law India Indian government Innovation MeITY Notice Payments Personal Data policy Privacy RBI Recommendation Regulation Srikrishna Committee Stakeholders Startups Surveillance Technology Tech Policy TechTicker TRAI

    Connect with Ikigai Law

    Copyright 2018 Ikigai Law | All Rights Reserved             

    Information

    • Practice Areas
    • Blog
    • Careers
    • Contact Us
    • Privacy Policy

    Contact us

    Office
    2nd Floor, 44 Regal Building,
    Outer Circle, Connaught Place, New Delhi, Delhi - 110001

    Email Address

    contact@ikigailaw.com

    • About Us
      • About
      • Our Team
      • FinTales
      • Tech Ticker
    • Practice Areas
    • Blog
    • News & Events
      • Ikigai Law in the news
      • Ikigai Law at events
      • Ikigailaw on the social media
    • Careers
    Ikigai Law