Data Localization — Why this Kolaveri Di?

Context: On April 6th 2018, the Reserve Bank of India issued a circular, which mandates all payment ecosystem players operating in India to store all data related to user transactions within national boundaries only. The deadline to comply with this circular is October 15, 2018.

It’s worth noting that the RBI circular pertains only to payments-related data storage, not all types of consumer data. The Indian government is separately framing a comprehensive Consumer Data Protection Act. The Justice Srikrishna committee was tasked with this exercise and presented its draft Data Protection Bill, 2018 in July 2018.

In this blog, we limit our attention to the RBI Data Storage circular only, and its implications on the digital payments ecosystem of India, of which we are an integral part today.

Our Core Beliefs:

1. We believe that FDI is important for rapidly scaling the Indian fintech sector. PhonePe itself is majority-owned by a foreign company today.
2. We strongly believe that Data Localization is critical for the long-term security of any country’s financial services sector. For the record, PhonePe processes all payment transactions in India. We also store all our data on India servers only.
3. We see no policy contradiction in terms of India having a liberal FDI policy, and having a strong data localization policy. Both policies can and should co-exist. FDI helps grow the market faster and allows foreign investors to participate in this growth, while data localization aims to protect the interests of our consumers.
4. We strongly believe in level playing fields in an open market. This means that all payments companies (whether domestically owned, FDI-funded or 100% foreign cos) — doing business in India must:

a. Abide by the law of the land in India

b. Protect our citizen’s financial data

c. Pay fair taxes on income earned in India

Why we believe digital payments data should be ‘processed’ AND ‘stored’ only in India:

There are two major implications of RBI’s Data Storage localization policy. One, it will make India’s digital payments ecosystem much more resilient to foreign attacks and global politics. Two, it will allow for better regulatory oversight and plug business-jurisdiction related loopholes that some foreign companies have long exploited to evade paying fair taxes in India.

1. “National Safety & Security” — Financial Services is one of the most sensitive and critical sectors of any economy worldwide. Therefore, as India rapidly shifts towards becoming a less-cash society, it must shore up its digital payments infrastructure equally fast so the country can:

a) Survive hostile attacks by foreign state & non-state actors alike.

b) Insulate our payment systems against foreign sanctions and politics.

In India, this responsibility lies with the RBI. Ordinary Indian citizens place immense trust in the RBI to do so because it’s proven to been a pillar of strength of the economy for many decades, and does so by laying down regulatory policies that ensure undisrupted, safe and secure access to financial services for all Indians.

So why is the RBI pushing for payments data localization? Here’s a few reasons we can think of:

1. Can RBI monitor digital payments activity if all the transactions are processed abroad & data is stored abroad outside the sovereign boundaries of the country. The answer is NO.
2. Does RBI have adequate legal powers and resources to effectively audit or regulate foreign payment companies’ activities at offshore data centers. The answer is NO.
3. Can RBI prevent foreign actors from spying on Indians’ financial data, or thwart cyber warfare attacks if the payments systems are hosted abroad? The answer is NO.
4. Can RBI guarantee continuity of critical payments services to hundreds of millions of Indians, if a foreign government suddenly imposes sanctions on India? If the data processing and storage is happening abroad, again the answer is NO.

Therefore, in order to improve the national security of our digital payment systems, it makes perfect sense for the RBI to require payment companies, doing business in India, to process and store our consumer’s transaction data within India. This mandate forces all players to be compliant with Indian laws, and minimizes the overall exposure of our payment services getting crippled due to external events.

On this front, we believe Google needs to clarify its stand more crisply. Is Google confirming that it will a) process and b) store all payment transactions related data ONLY within Indian boundaries. Or is Google simply doing data mirroring, but keeping all their processing systems and primary data storage abroad. If processing and primary storage resides outside India, then all the systemic risks mentioned above continue to exist.

Finally, it’s worth noting that India isn’t taking an isolated position on Data Localization. Many foreign governments across the world, such as Australia, Canada, China, Russia etc (see here), have already passed their own versions of Data Localization laws to protect their national interests.

2. “National Wealth Creation” — If “data is the new oil”, then “payments data is the new gold mine”. For a large number of Internet companies whose core business model revolves around monetizing user data, payments transaction data is a very precious data signal indeed.

Today most governments around the world recognize financial data as a massive source of national wealth creation, and are actively plugging regulatory loopholes that would allow foreign companies to exploit local market data without paying fair taxes.

India should be no different in this regards. We offer access to the largest open Internet market on the planet today. We are home to 500Mn smartphone users. We are the world’s #1 consumer of Internet data. We also have one of the most dynamic, competitive and fastest growing digital payments sectors in the world. As a market, it simply doesn’t get more attractive than this today.

Which begs the next question…

Why are so many global payment behemoths fiercely lobbying against this mandate?

1. It’s definitely not about customer experience. 99.9999% of the time, Indians will make digital payments to other Indian consumers & merchants while being physically present in India. So it makes great product sense to process payment transactions locally because it will reduce network latencies and improve overall consumer experience.
2. It’s not about India’s DC capacity either. This is 2018 people. MNCs like Amazon, Microsoft and Google are building/managing massive data centers in India, and selling cloud services with geofencing capabilities to other local Indian startups today. These companies are in no real position to claim that DC infra is the problem.
3. It’s unlikely that these MNCs are fretting the upfront cost either. Investing a few tens of million dollars on domestic processing & storage capacity is well worth it, if it buys you unfettered access to the multi-billion dollar Indian payments market. The long-term ROI is still very very attractive.
4. It not about the migration effort either. Tez launched its UPI services barely 10 months ago, and WhatsApp is still in beta mode. Much older & larger domestic payment companies, with much more complex tech stacks and much larger data archives, have already complied with the RBI circular.

The ‘only’ issue that’s at the heart of the problem

Most of the protests by Internet companies are related to the fact that RBI’s is forcing them to process and store payments data only in India. This word “only” is at the root of the issue, because it also kills most facetious tax evasion arguments in play today. This is most likely an unintended side benefit of RBI’s mandate, but it’s a brilliant outcome as far as levelling the playing field for domestic Internet companies is concerned.

Think about it… If WhatsApp Pay & Google Pay (Tez) are forced to process digital payments transactions only in India, then FB and Google:

1. Cannot claim that the revenues generated from these apps fall under foreign jurisdiction, just because their data servers are abroad. Indian tax jurisdiction gets very clearly established now.
2. Cannot share Indian user’s financial data with their ‘foreign’ platforms like Adwords and Facebook Ads. This means India’s payment data cannot be used to sharpen user targeting engines of the companies, who have other products/apps spanning sectors like Search, Maps, Social Networks, App Stores etc.

Today we have a peculiar situation, wherein apps like Google Pay (Tez) — built exclusively for the Indian consumer — are owned and operated by foreign entities like ‘Google LLC’ and the data is stored on their foreign servers. Tez, for eg, was launched in partnership with the four largest Indian banks. Each of those four banks is required by law to store their customer data exclusively in India, then why should Tez be allowed to share the same payments data with Google’s global monetization platforms for free?

As for global payment networks such as Visa and Mastercard, or global remittance companies, there is a case to be made for allowing mirroring the payments transaction data to their foreign DCs as well, so they can provide uninterrupted services to Indian consumers wherever they use their physical cards globally. But the primary processing and storage should be in India, and mirroring should be from India to their global DCs, not the other way around. The RBI has already clarified that data records pertaining to the foreign leg of transactions can be stored abroad. This seems to be the only part of the circular where further clarity might be useful in this context.