SUMMARY
We will comply with data localisation norms fully, says top official
Operators should store data relating to payment systems within India, according to RBI
Google Pay’s UPI transactions have grown 60x in last 24 months
Google’s digital payments service Google Pay has agreed to comply with the Reserve Bank Of India’s data localisation norms and is in the process of making requisite changes. The RBI had, in April 2018, issued a circular on `Storage of Payment System Data’ regulations, which said that payments system operators (PSOs) should store the entire data relating to payment systems within India.
The Indian government has also taken an uncompromising stand on country’s data sovereignty till now in spite of opposition from many quarters including ecommerce companies, foreign portfolio investors and social media giants.
“We are in the midst of it… and we will comply with it 100 percent,” said managing director and business head of Google Pay and Next Billion Users initiatives, Sajith Sivanandan on Thursday (November 7) at the rollout of the ‘Google Pay for Business’ app in Hyderabad. However, he didn’t reveal the time the compliance process would take.
With Google Pay’s monthly active user base going up three times to hit 67 Mn in September, complying with the RBI norms may not be an easy task. “UPI transactions have grown 60 times in last 24 months. UPI has outpaced all other digital payment modes (by clocking) over a billion transactions that happened in October alone,” he said.
Here Is What The RBI’s Circular Says
The RBI circular on `Storage of Payment System Data’ regulations, issued in April 2018, said that within a period of six months the entire data relating to payment systems operated by system providers should be stored in a system only in India. Later in June 2019, the RBI issued clarifications sought by PSOs on the circular regarding implementation issues.
According to the clarification, there is no bar on the processing of payment transactions outside India. However, it said that PSOs have to ensure data is stored only in India after processing. In cases, where transactions are done outside the country, data should be deleted from the systems in the respective country and brought back to India within 24 hours from payment processing or no later than one business day, whichever is earlier.
The data storage norms is also applicable to banks in India. The data stored within country by PSOs and banks should have end-to-end details related to payment including, name, mobile number, aadhaar number, PAN number among others.
Indian Government’s Stance On Data Sovereignty
The draft data protection bill from July 2018 remains under consultation with the central government and the ministry of electronics and information technology (MeitY). The bill states that “every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies”. This means that when it comes to personal data, the master version of the data abroad should have another copy in India.
Initially, ecommerce and social media companies expressed disapproval over certain aspects of the proposed bill. They had claimed that they might have to change their entire business model to adopt to the new bill. However, the bill is slowly finding takers across sectors.
