Local Data Storage is India’s Sovereign, Legal Requirement - Expert

The Reserve Bank of India (RBI) continues to stand firm in its argument that digital global payment companies should store customer data in India. The global payment companies fear the Indian Reserve Bank's stance may trigger similar moves from other countries, according to The Economic Times.
Sputnik

New Delhi (Sputnik) — Dr. Rakesh Goyal, the director general of the Centre for Research and Prevention of Computer Crimes, told Sputnik that international companies, corporations and banks do not fully cooperate with Indian regulators and law enforcement agencies during investigations and hence the financial regulator has been resisting US global lobbying for easing local data storage norms. 

READ MORE: India Seeks Written Commitment From Facebook That It Won't Leak Voters' Data

Sputnik: Why is India insisting on the local storage of consumer and client data?!

Dr. Rakesh Goyal: The genesis of keeping data within Indian legal jurisdiction is the challenge RBI and Indian LEAs (law enforcement agencies) faced when investigating a fraud that happened in a European bank somewhere around 2012. The data was kept in Europe. The bank management in Europe had not cooperated as required. Then RBI enforced somewhere in 2012-13 that all Indian banking data has to be kept within geographic territorial boundaries of India and it has to be subject to Indian legal jurisdiction. I believe that this is a valid sovereign and legal requirement. This has now extended to insurance, telecom, payment services, digital signatures, etc.

India Reiterates it will Not Allow Data Mining for Political Purposes
Sputnik: What prompted India to initiate the move?

Dr. Rakesh Goyal: These international companies, corporations and banks do not fully cooperate with Indian regulators and LEAs for various investigations. This includes not only banking but free email providers, social media companies, cryptocurrency, etc.

Thus, if these companies, corporations and banks want to do business in India, they must be exposed to the Indian legal and regulatory system. Take it or leave it. It is a very valid requirement. They do it under Chinese and European (under GDPR and other regulations) jurisdictions, so why crib in India?

Sputnik: Does this localization move completely address the concerns of the Indian side on the data storage issue?

Walmart-Flipkart Deal Triggers Concerns Over Crucial Data of Indian Consumers
Dr. Rakesh Goyal: India still has some concern — the residual concern. As per Indian acts/regulations, all financial data must be considered confidential and personal; and must not be shared with any third party in any form. This includes, and is not limited to, analysis of banking/spending habits. India does not have any separate Data Protection Law as of now, but as per notification ref G.S.R. 313(E) dated 11 April 2011 by the Ministry of Communication and Information Technology, all financial information is defined as SPDI (Sensitive Personal Data and Information). This SPDI needs to be protected. The Data Protection Law is in the making in India and a committee of a retired Supreme Court Judge — Justice Srikrishna — is working on it.

READ MORE: India Serves Second Notice to Cambridge Analytica, Facebook on Data Leak Issue

Sputnik: Is there a possibility that these companies may keep a mirror data with them abroad?

Dr. Rakesh Goyal: If these companies, corporations and banks have any concern about the above then their intention may be questionable. If they keep mirror data out of India for their records/ regulatory requirements/analysis, it will not be possible to force them to abide by Indian SPDI and other concerns.

The views and opinions expressed by Dr. Rakesh Goyal in this article are those of the speaker and do not necessarily reflect the position of Sputnik.

Discuss