Data Localization: Why the RBI isn’t listening to ‘Mirroring’ arguement

The ‘Mirroring’ Proposition…

OK, so the RBI wants data localization so they can seize / inspect records / data whenever they have to – that’s fine – but why don’t they at least allow data mirroring?!!

If you’re an entrepreneur affected by this, your frustration is understandable. After all, the RBI’s Notification of April 6, 2018, which directed payment systems providers to ensure data localisation by October 15, 2018 states:

“In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem.“

Given this, it’s easy to understand why you think data mirroring can take care of everyone’s concerns. Yet, the RBI refuses to allow data mirroring either.

Why is the RBI against data mirroring?

The reason for this lies behind a thicket of legislation, draft legislative material, committee recommendations, and regulatory pronouncements. That sounds like the stuff of yawns and dozes, but we’ll try and make it as simple as possible:

• Talking about why the RBI is taking such a strict stance on data localization, the Business Standard says “Sources say the central bank is preparing the ground for a stringent Data Protection Bill, a draft of which was released by the Justice Srikrishna Committee in August.” While a newspaper isn’t a regulator, in this case their article may be helpful in understanding the RBI’s motivations.

• The Draft Personal Data Protection Bill (the “DPDPB”) does have stringent requirements on data localisation – while these do not apply to all data, there are various provisions relating to the storage of ‘critical personal data’ in India exclusively.

• The DPDPB was framed by a Committee of Experts headed by Justice Srikrishna, a retired judge of the Supreme Court of India. In its report, titled A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, (the “Expert Committee Report”) the Committee provides various arguments and analyses for its recommendations, which we assume have resulted in the published form of the DPDPB.

• The Expert Committee Report has an entire Chapter discussing Data Localisation. (If you’d like to read the Export Committee Report, or any of the other sources mentioned in this post, head on below to the ‘Additional Resources’ section at the bottom of this post.) A close reading of this Chapter will help you understand the regulatory reasoning and, possibly, policy direction on data localisation.

• Let’s leave aside the discussion on data localization norms in other jurisdictions in the Expert Committee Report and focus on the ‘benefits’ the Committee says would come with localisation of data – aside from ease of search and seizure and law enforcement (which your ‘mirroring’ argument may well address), these are: (i) Avoiding resultant vulnerabilities of relying on fibre optic cable network, (ii) Building an AI ecosystem, and (iii) Preventing foreign surveillance.

• Citing fears of terrorist attacks and other natural and non-natural calamities that may strike undersea cables used to route data across borders, the Committee of Experts says:

“From this, it may be argued that data critical to Indian national interest should be processed in India as this will minimise the vulnerability of relying solely on undersea cables. Critical data, in this context will include all kinds of data necessary for the wheels of the economy and the nation-state to keep turning… This may even extend beyond the scope of personal data, regarding which an appropriate call may have to be taken by the Government of India. The objective will be served if even a single live, serving copy of such critical personal data is stored in India. However, the processing of such data exclusively within India may be necessary for other benefits as discussed below.“

• The AI buzz hasn’t failed to cause a flutter in the Committee of Experts either. They say “In the coming years AI is expected to become pervasive in all aspects of life that are currently affected by technology and is touted to be a major driver of economic growth.” Going on to argue that data localisation and local processing are critical to ensure the healthy growth of an AI industry in India, the Committee states:

“The growth of AI is heavily dependent on harnessing data, which underscores the relevance of policies that would ensure the processing of data within the country using local infrastructure built for that purpose… Azmeh and Foster in their 2016 study, point out the benefits that developing countries can derive from a policy of data localization. These include: first, higher foreign direct investment in digital infrastructure and second, the positive impact of server localisation on creation of digital infrastructure and digital industry through enhanced connectivity and presence of skilled professionals. Creation of digital industry and digital infrastructure are essential for developments in AI and other emerging technologies, therefore highlighting the significance of a policy of requiring either data to be exclusively processed or stored in India. This benefit can be captured in a limited manner by ensuring that at least one copy of personal data is stored in India. Further, a requirement to process critical data only in India would create a greater benefit insofar as it extends beyond mere storage.“

• And finally, of course, there is the spectre of snooping: the Committee recognises the threat of surveillance by governmental and non-governmental actors (though why this latter set of actors would pose a greater threat overseas than in India, we’re not sure). Recognising that a completely walled-off ‘Indian Internet’ would be counter-productive to India’s global economic aspirations, the Expert Committee Report says:

“In order to strike a balance, it is essential to enquire into the kinds of surveillance activities that are most detrimental to national interest. In the context of personal data, this would pertain to such critical data as those relating to Aadhaar number, genetic data, biometric data, health data, etc. Only such data relating to critical state interests must be drawn up for exclusive processing in India and any such obligations should be limited to it. All other kinds of data should remain freely transferable (subject to the conditions for cross-border transfer mentioned above) in recognition of the fact that any potential fear of foreign surveillance is overridden by the need for access to information. Thus, for prevention of foreign surveillance critical personal data should be exclusively processed within the territory of India.“

So there you go. What you may have heard on ‘the street’ or regular rumour mills is probably a second- or third-hand version of a hapless regulatory official trying to decode all this and communicate it in a way that they think makes sense.

If you’re campaigning against data localisation, your arguments need to go beyond a simple ‘Arre mirroring kar denge na, sir!’ to take on the entire gamut of reasons that the Expert Committee provides in favour of data localisation.

Also read: RBI Data Localisation Directive: Here’s all you need to know

Written by Bhavin Patel and Hemant Krishna, of Bayside Advisors, which has a practice speciality in privacy and profiling laws, and KYC, AML, and CFT-related aspects thereof, as well as corporate laws generally.

They are external legal counsel to IDfy.

They can be reached on:

Bhavin: bhavin@baysideadvisors.in and on LinkedIn here

Hemant: hemant@baysideadvisors.in and on LinkedIn here.

Additional Resources:

• The RBI’s Notification RBI/2017-18/153 DPSS.CO.OD No. 2785/06.08.005/2017-2018 dated 6 April 2018 (the “Data Localization Notification”)
• The Report of the Committee of Experts on Data Protection
• The Draft Personal Data Protection Bill, 2018
• It would also be helpful to read the provisions of the Payment and Settlement Systems Act, 2007, and in particular, the following sections, closely: (i) S. 2(1)(i) (definition of ‘payment system’), (ii) S. 10 (‘Power to determine standards’), and (iii) S. 18 (‘Power of Reserve Bank to give directions generally’).

[This article first appeared on thedata.lawyer, a new blog on Indian privacy and profiling law, from privacy to KYC, via AML and CFT]

Read: Fighting Life Insurance Fraud. Click here to download ebook