SUMMARY
The company says it will share data with the government for the purpose of verification, investigation, or prevention of cyber incidents
The development comes at a time when India is drafting its own data privacy bill
In the US, Amazon publishes data on the government’s request and also makes a transparency report
Ecommerce company Amazon has stated that it may share payment data of its users with the Indian government’s enforcement agencies.
The privacy policy page on the company’s website states: “We may be required to share the aforesaid information with government authorities, regulators and/or agencies for the purposes of verification of identity or for prevention, detection, investigation including cyber incidents, prosecution and punishment of offences.”
Once the user agrees to these mentioned terms and conditions and chooses to avail the payments service locally, the company can share payment details, personal details, and also certain sensitive data with the government if the necessity arises.
“This is in keeping with the regulatory requirements under the licence granted by the RBI to Amazon Pay. Compliance with local laws and regulation is top priority for us in all the countries we operate in,” a media report cited an Amazon India spokesperson as saying.
The company’s digital payment arm, Amazon Pay, is responsible for its e-wallet and payments business.
In the US, Amazon, in addition to disclosing user data to the government, also makes a transparency report, which includes data on how many of requests were completely or partially answered by the government, along with queries it refused to answer legally.
The company, however, does not have any such similar setup in India as of yet.
The Tale Of Data Localisation And Privacy In India
Earlier, in August 2018, the Indian government had asked Amazon to “urgently” start working on setting up local data servers in the country. The retail giant, which operates multiple product and service platforms in India, was asked to check unbridled cross-border migration of data without the consent of users.
India is at present seeing ongoing debates on the draft Personal Data Protection Bill which makes it mandatory for data fiduciaries (entities collecting or processing the data) to inform their users about what data they wish to collect, the purpose of collection that data, if it will be transferred to third parties or outside the country, how it will be stored, for how long it will be retained, and so on.
The draft PDP Bill mandates live data mirroring or localisation (meaning that at least one copy of all personal user data must be stored in India), which will drive up costs for companies. Startups will be required to conduct periodic reviews of their security practices and data protection impact assessments.
With the probability of data localisation mandate becoming a reality once the Bill is passed in Parliament, Xiaomi India is at present moving all its data back to its India-based servers. The company has reportedly started saving its new data in servers in the country.
Meanwhile, in the wake of the RBI’s directive to companies to host customer payment data locally, search giant Google has reportedly sought “a couple of months” more in order to comply with the new rule.
Multinationals such as WhatsApp Payments and Amazon Pay who want to launch their payments services in India with their own inter-bank fund transfer service UPIs are waiting for more clarity on data storage from the RBI. Now, with the draft Personal Data Protection Bill also being put out for consultation, these players have to wait for the final decision.
In April, the RBI had mandated all payments companies to store their data within India and had given companies six months to comply with the norm.
The finance ministry has suggested that a possible solution could be that companies would be allowed to store their data offshore, as long as a copy was kept in India.
Digital payments giant Paytm, however, supports the data localisation mandate and has urged the government to push for storage of customer data within the country and not allow mirroring of data overseas.
The RBI directive came in the wake of the Facebook-Cambridge Analytica data breach, with the RBI had asked all payment system operators in India to store their data within India in order to ensure that user details remain secure against privacy breaches.
[The development was reported by ETRetail and TOI]
