The RBI’s data-related provisions through FAQs appear faulty
Two points stand out in the Reserve Bank of India’s clarifications to its circular of April 6, 2018, issued in the form of FAQs (frequently asked questions) on June 26, 2019: the possible reversal of its stringent stand on localising all payment systems data end-to-end in India, and the possible payback through the requirement of RBI’s prior permission for sharing such data with overseas regulators.
RBI’s April 2018 circular, which mandated localisation of end-to-end payment systems data and bound not only Payment Systems Operators (PSOs) but also banks and other entities offering payment instruments, was perceived as a pre-emptive strike before the Srikrishna Committee submitted its data protection report and draft Personal Data Protection Bill. The strong posturing was not backed by punitive action against the errant multinational PSOs, who accounted for a substantial chunk of payment transactions. But there was still no cause to assume that RBI would do a volte-face on its stance on financial data localisation. The clarifications, therefore, come as a big surprise, and, as with any dispensation, while Indians may not have valued their data much to begin with, they are certainly not happy with this reversal of RBI’s position. Equally concerned are PSOs that are subject to multiple jurisdictions: RBI’s mandate for prior permission before sharing is bound to land them in regulatory trouble in their jurisdictions of origin or operation.
Before we consider the implications of these additions, it may be wise to evaluate their legality. The 2018 RBI circular limited itself to mandating storage of payment systems data only in India. It was silent on the processing of such data. The focus of the RBI circular being “unfettered supervisory access”, and not protection of Indian residents’ data through localisation, it is no surprise that it was silent on the processing aspect.
The clarifications appear to have utilised this loophole to build in a process for allowing processing, and thereby the external flow of data, with a purported claw-back through the return of such data for storage within India within one business day or 24 hours, whichever is earlier.
The addition of the need for RBI’s prior permission before any such data that is purportedly stored within India is shared with overseas regulators is clearly a shot from the hip. It is possible that this is the trade-off for the permission to process outside India, or a mere afterthought. One could also assume that such permission restrictions are a master stroke, giving India a much-needed trump card to seek equal dispensations on data-sharing, especially from the United States of America.
Either way, both of the above additions, and for that matter anything that is not inherently part of the circular, do not carry the weight of the law. FAQs are merely elucidations or explanations of regulatory pronouncements. They cannot and will not stand on the same footing as the regulations themselves. Hence, to include provisions through FAQs, when it was very much open to RBI to issue a further circular with respect to both additions, appears suspect. One possibility is that RBI is testing the waters through a process which is non-binding. If RBI does intend to enforce these two provisions, it would have to issue them as a circular or in some other enforceable form, and not merely as clarifications, which clearly go beyond the limited provisions forming part of the circular.
RBI would be well advised to hit pause before it gives the above proposals the regulatory stamp of approval. Its first step warranting local storage remains to be enforced. Absence of sanctions behind its mandate will apply equally to external processing or the need for RBI’s prior approval for data sharing with overseas regulators. If multinationals have blatantly flouted the local storage mandate for over eight months without consequences, there is no reason to presume that they would act otherwise with respect to the 24-hour or lesser deadline for moving all data for storage in India or for that matter on the issue of sharing data with overseas regulators.
If RBI is merely looking to secure “unfettered access”, as is the stated purpose of its 2018 circular, it may be appeased with just a mirror image of all data being stored within India and may turn a blind eye to non-compliance. This, however, does not protect the data subject or his rights, and may also negate RBI’s attempt at absolute control over financial data to the exclusion of overseas regulators, unless it deems otherwise.
The Personal Data Protection (PDP) Bill, 2018, which awaits parliamentary approval, provides a category of “critical data” which would have to be held only in India. If financial data is notified as critical data and the bill becomes law, there is a clear conflict between the PDP bill and RBI’s relaxed localisation. Whilst RBI’s focus may be merely unfettered access, the stated purpose of the PDP bill is upholding privacy and the rights of Indian residents. Considering the larger issues at hand, it would be expedient for RBI to pause and review before taking any further action on either of its googlies, one of which affects individual rights and the other those of the industry.
NS Nappinai is a Supreme Court advocate specialising in cyber laws
The views expressed are personal