The failure of Mastercard to store data of card transactions done in India within the country itself is in direct violation of India’s Personal Data Protection Bill
International payments service provider Mastercard has fallen foul of the Reserve Bank of India (RBI) over non-compliance with a three-year-old order that had asked for data of card transactions done in India to be stored within the country itself instead of at overseas data centres. The order fits in with the Personal Data Protection Bill that is being examined by Parliament, with data now being regarded as a valuable commodity that countries are increasingly loath to share with others. Here’s a look at why Mastercard was penalised and what could be the situation going forward.
What was the RBI circular?
In April 2018, the central bank had in a circular asked all payments systems providers operating in the country to “ensure that the entire data relating to payment systems operated by them are stored in a system only in India”. RBI had noted the “considerable growth in the payment ecosystem in the country”, but found that “not all system providers store the payments data in India”.
Observing that such “highly technology dependent” systems need “adoption of safety and security measures, which are best in class, on a continuous basis”, RBI had said the data to be stored in India “should include the full end-to-end transaction details/ information collected/ carried/ processed as part of the message/payment instruction”.
With an eye on ensuring better monitoring, RBI had said it is “important to have unfettered supervisory access to data stored with these system providers as also with their service providers/ intermediaries/ third party vendors and other entities in the payment ecosystem”. It had clarified though that for overseas transactions, the “foreign leg of the transaction… the data can also be stored in the foreign country, if required”.
It had set a six-month deadline, till 15 October, 2018, for the relevant payments service providers to comply with the order. Mastercard has been pulled up for not implementing the instructions, as were American Express and Diners Club before it.
What does India’s Personal Data Protection Bill say?
In end-2019, the Centre tabled the Personal Data Protection (PDP) Bill in Parliament that seeks to regulate the processing of personal data by the government, companies incorporated in India, and foreign firms dealing with the personal data of Indians. The Bill, which is being examined by a joint parliamentary committee, proposes the setting up of a data protection authority to oversee India’s data regulations.
The Bill, which says that financial information will be treated as “sensitive personal data”, lays down that while such data may be transferred outside India, it “shall continue to be stored in India”.
As for the transfer of sensitive personal data outside India, the Bill says it may be done only “for the purpose of processing” but should involve the “explicit consent” of the owner of the data. But permission to transfer such data, the Bill says, can only be given when provisions are made for the “effective protection of the rights of the data principal under this Act” and liability of the actors using the data “for harm caused due to non-compliance of the provisions” governing such transfer.
What other countries are doing
“Data is the new oil” is how the aphorism goes, showing how countries and organisations have come to realise that access to the data of citizens or consumers is a prime advantage in the era of the digital revolution in business and administration. No wonder then that many countries have adopted strict data protection laws to regulate use and access of data and ensure the rights of the “data principal”, or the person who has generated, or can be identified via, the information.
Thus, the likes of Russia, China, Germany, France, Indonesia, and Vietnam, among others, have come up with laws requiring that their citizens’ data be stored on physical servers within that country’s borders.
One of the most prominent laws on data is the General Data Protection Rules that was introduced by the European Union (EU) in 2018. The GDPR says that all data on the citizens of EU member countries shall either be stored within the EU, where it will be subject to European privacy laws or, if it is being transferred outside, then the non-EU jurisdiction in question should have similar data protection laws as the EU.
A 2019 report in the Harvard Business Review noted that India’s digital economy was set to touch $1 trillion by 2022 and, hence, data compliance will be key for players who want to cash in on the country’s expanding digital landscape. The report noted that “India has followed the EU’s GDPR in allowing global digital companies to conduct business under certain conditions, instead of following the isolationist framework of Chinese regulation”.
Which countries have the highest number of data centres?
The US, where three of the biggest cloud service providers — Amazon, Microsoft, Google — are located, is the runaway leader in the number of data centres that operate from its soil. According to a 2021 report, the country has 2,670 data centres, more than the next five countries combined. The UK is a distant second on the list with 452 data centres, followed by Germany with 443. India was 14th on the list with 123 data centres.