Financial Times: Mumbai: Sunday, September 09,
2018.
India has entered the global battle over
data security, as US companies rail against tough new regulations while Indian
IT groups worry about a backlash in Washington.
A recent draft Indian government policy
on ecommerce, circulated among sector companies, included a prohibition of the
international transfer of data generated by Indian ecommerce users. US payment
card companies have also been lobbying against a similar order from the Reserve
Bank of India, the country’s central bank, requiring a halt to overseas data
transfers by October.
In contrast with China, India has long
allowed foreign technology groups a relatively open field, speeding the
development of its digital market but increasing competition for homegrown
groups.
Analysts say Mumbai is now taking a
tougher line, aimed at helping Indian start-ups and boosting the national
presence in data storage and processing.
The RBI’s prohibition of data offshoring
“is something that we haven’t really seen anywhere else”, said Porush Singh,
south Asia president at Mastercard.
Brazil proposed rules last year against
banks’ use of offshore cloud computing services, but backtracked after protests
from lobbyists. Meanwhile new data sovereignty laws that sometimes include
requirements to keep data onshore are being proposed throughout Asia, but in
many instances are still in the drafting phase.
But the issue is coming to a head in
India. In letters seen by the Financial Times, lobby groups including the
US-India Business Council (USIBC) urged the central bank to reconsider its
policy. They argued the proposed rules would make Indian card users less secure
by preventing the card companies from analysing their data in their global
risk-assessment hubs.
“The localisation requirement . . . may
in fact undermine the ability of industry stakeholders to detect, prevent and
mitigate financial crime, frauds and breaches thereby increasing the cyber
vulnerability,” said one letter from the USIBC.
Setting up large data centres in India
would prove expensive for the groups given the country’s high power prices and
substandard broadband connectivity, warned a recent report by rating agency
Fitch. Noting reports that the cloud computing sector could be hit by similar
rules, it said authorities appeared to have adopted an “increasingly
protectionist stance to boost local spending on tech”.
The sector-specific moves have come
alongside a government push to develop overall data security policy, amid
widespread concern about the safety of information taken from nearly every
Indian as part of a new biometric identification system.
This month a government-appointed
committee issued a report on data security, calling for personal data rights
along similar lines to the EU’s recently implemented General Data Protection
Regulation. Some critics worried such measures could be abused by corrupt
officials trying to conceal misdeeds, eroding the force of India’s landmark
Right to Information law.
“This is an area where we need to be
careful,” said Parminder Singh, executive of IT For Change, a non-profit group.
“Currently it’s not very clear, between the RTI act and the new law, which
would be stronger.”
Among the most prominent backers of the
push to keep data local has been Paytm, an Indian digital payments group that
is trying to take on Amazon and Flipkart in ecommerce with financial backing
from China’s Alibaba and SoftBank of Japan. Unlike its foreign rivals in
payments and ecommerce, Paytm already processes data in India, meaning it would
benefit from the policy drive.
Paytm’s stance is driven by objective
concerns around data security, said Madhur Deora, chief financial officer.
Onshore data processing “can be done without being impractical, without it
being prohibitively expensive”, he added. “If there are a lot of people doing
that then costs will just keep coming down.”
But India’s vast IT services sector is
worried the data localisation drive may backfire. US clients account for the
bulk of revenue at well-known groups such as Infosys. In a recent letter to the
Reserve Bank, Nasscom, an Indian industry body for the business process
management sector, expressed concern that the data localisation mandate could
become a trade barrier, with “key markets” imposing similar barriers against
data flow to India.
“Some people don’t realise that the
country handling the most American data is India,” says a person with direct
knowledge of US companies’ drive against the localisation moves. “If India’s
going to say its data has to stay in India, it’s possible you’ll have the
president of the US issuing a tweet saying we’ll keep all our data in America.”