Data Localisation Spelled Out Of E-Commerce Policy, Commerce Minister Piyush Goyal Clarifies
On June 24, in a meeting with 25 major e-commerce companies, Commerce Minister Piyush Goyal decided to scrap Data Localisation norms from the final policy, putting it under the purview of data protection legislation. The bill is yet to be cleared by the Cabinet. It is listed to be tabled in the Parliament during the ongoing Budget session.
Goyal Meets Industry Stakeholders
“The meeting was held by Piyush Goyal in order to understand their concerns and take their suggestions towards building a robust data protection framework that will achieve the dual purpose of privacy and innovation and strengthen India’s position as a global tech leader with focus on trust and innovation,” the Commerce Ministry said in a statement.
Goyal informed in the meeting that data protection would now be managed by the nodal Ministry Of Electronics and Information Technology(MeitY), which is currently operating on a data protection bill.
The meeting was attended by both Indian and foreign e-commerce companies including Amazon, Flipkart, Urbanclap, Make My Trip, Medicabazaar, Yatra, Shopclues, Snapdeal, Grofers, Swiggy and Udaan, on Monday, discussed ways to bring about the convergence of interests of e-Commerce platforms and small retailers.
Companies such as Amazon, American Express and Microsoft, have opposed India’s attempt to store data domestically and that the issue could further affect or spoil economic relations between India and the US. They have argued that the data should be shared only for law and investigation purposes.
Payment firms also have to follow the regulations given by the government and RBI.
What Is At Stake?
Data localisation is the storing data on any device physically present within the borders of a country.
There’s a massive explosion in data generated in India. As of now, most of these data are stored outside India.
According to a report by real estate and infrastructure consultancy Cushman and Wakefield, the size of the digital population in India demands a huge data centre infrastructure.
Digital data in India was about 40,000 petabytes in 2010 and is likely to go up to 2.3 million petabytes by 2020 — twice at the global rate. If India stores all this data, it has been anticipated that India will become the fifth-largest data centre market by 2050.
Data Protection Bill
An expert group consisting of 10 members, headed by former Supreme Court Judge BN Srikrishna, submitted the draft Personal Data Protection Bill in 2018 to MeitY. It suggested formulating a data protection authority and putting restrictions on the cross-border flow of data.
The bill highlighted the storage of one copy of all personal data within the country.
This also gave power to the government to classify any sensitive personal data as critical data and mandate its storage and processing exclusively.
By storing a copy of the data domestically, the government aims at national security and preventing foreign surveillance and monitoring.
The RBI had put out a circular on April 6, 2018, mandating that payment related data collected by payment providers must be stored domestically setting an October 15 deadline for compliance.
This included card payment services by Visa and MasterCard and also digital payment services of Paytm, WhatsApp and Google. Many companies are yet to comply with this rule.
This regulation of storing data domestically will be applicable to all banks operating in India as they are a part of the payments system such as RTGS, NEFT, NPCI and card schemes.
The RBI put out a notification, stating, “In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India.”
Conditions For Storage
However, in the case of domestic payment transactions, the data shall only be stored domestically. For cross border payment transactions, the data may also be stored internationally.
The data stored domestically must consist of the end-to-end transaction details and information about payment or settlement transaction collected. This may include information such as customer name, mobile number, email, Aadhaar number, PAN number; payment sensitive data such as customer and beneficiary account details; payment credentials such as OTP, PIN, Passwords, among others
For cross-border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component can be stored abroad, if required.