India’s proposed data localisation law is sending jitters across IT, ITes and startup ecosystems. The draft data protection bill is likely to significantly impact on how companies use customer data for businesses.
In essence, the law would require data generated in a country to be stored on servers within the boundaries of that country. That would mean, internet giants like Google, Facebook, and Microsoft among others should save their users’ data in India and process on servers physically located in India.
There is a multi-forked move by various agencies in the country. While the government has drafted a data bill which is open for discussions, India’s apex bank, Reserve Bank of India, has issued a circular mandating all payment companies in India to store all user data in the country. A similar requirement was sought in the draft policy on e-commerce by the ministry of commerce and trade after a government committee proposed authorising the State to access critical user data without the consent of the users for public welfare.
The push has already delayed the launch of payment services of technology companies like Apple and WhatsApp (owned by Facebook) in India. US trade groups, representing companies such as Amazon, American Express and Microsoft, have however opposed the move saying it will undermine the growth ambitions of India.
Although Google agreed to comply with the RBI’s guidelines, its CEO Sundar Pichai wrote a letter to Union IT minister Ravi Shankar Prasad proposing a free flow of data across borders.
"Free flow of data across borders - with a focus on user privacy and security - will encourage startups to innovate and expand globally and encourage global companies to contribute to India's digital economy," the letter reportedly reads.
Meanwhile, on Monday, Amazon sought clarity on the domestic payments circular issued by the RBI for its payment wallet Amazon Pay service.
Amazon Pay’s India head Mahendra Nerurkar told a section of media that ‘multiple’ solutions can be explored for storing payments data locally, and the company is not clear about the critical payments data to be stored in India 'only' norm mandated by RBI.
But, IT veteran Mohandas Pai questioned the companies that are protesting India’s data storage law.
“They keep all the European data in Europe. Similarly, why can’t they keep (Indian users’) data here? So far, all the big companies like Google and Facebook have been freely using our data without our knowledge,” he said.
Pai reasoned that the companies were protesting out of fear of losing free access to data.
“Now all that (access to free data) will go away, they will not be able to use our data freely and that is why they are protesting,” he added.
The likes of Facebook, PayPal, Google, among others are likely to be impacted by the regulations.
“India is a very big market for WhatsApp, Facebook and Google. If they don’t want to keep the data – let them go. It will be a significant loss for their businesses,” Pai said.
An estimate says that Facebook had 241 million users in India in 2017, a million more than users at home in the US.
“Facebook will lose 25-30% business (if they don’t store data locally). Facebook is making a big data centre in Singapore, the population of which is only 5 million. If they can come up with a data centre there, why not in India?” Pai wondered.
Flipkart-owned UPI payment and wallet app PhonePe said they support data localisation. They believe the law will prohibit companies such as WhatsApp Pay & Google Pay (Tez) from sharing Indian user data with their ‘foreign’ ad platforms.
“If these companies are forced to process digital payments transactions only in India, Facebook and Google cannot claim that the revenues generated from these apps fall under foreign jurisdiction, just because their data servers are abroad. Indian tax jurisdiction gets very clearly established now,” PhonePe said in a statement.
Not just India, other countries too have data localisation laws
While countries such as China, Germany, Russia, Vietnam, Indonesia, among others already have data localisation laws in place, there is an increasing push from other countries as well to implement such a law.
Countries marked in red indicates data localisaiton laws already exist/proposed.
The rationale behind the push is that in the event of a criminal investigation, it becomes very difficult for a government to obtain data from servers located in another country.
The number of incidents of data thefts and cyber-attacks has been on the rise, both globally as well as in India. According to government data, over 22,000 Indian websites, including 114 government portals, were hacked between April 2017 and January 2018.
PhonePe asserts that mandating foreign player to store data in India will create a level playing field for domestic internet companies.
The company added that if** data is the new oil, then payments data is the new gold mine. “**For a large number of internet companies whose core business model revolves around monetising user data, payments data is very precious indeed.”
It opined that RBI policy will make India’s digital payments ecosystem much more resilient to foreign attacks and global politics.
“Investing a few tens of million dollars on domestic processing and storage capacity is well worth it if it buys you unfettered access to the multi-billion-dollar Indian payments market. The long-term ROI is still very attractive,” reads the PhonePe statement.
Chinese startups have an edge
Among other foreign internet companies, the Chinese players are the keenest about Indian market. Owing to the similarities in Asian markets, they have an edge over other players.
The Passage has reported earlier that Chinese companies like TanTan, ShareIt, Mobike, Kwai, Kika Tech, Helo, Qianli Technologies- to name a few, are eager to penetrate India’s internet population, which is the second largest in the world after China.
Santosh Pai, a partner at Link Legal India Law Services, which advises Chinese companies in India, said storing data locally will not be an issue for Chinese companies.
“China has similar laws, so Chinese companies will appreciate and understand such legal requirements. It’s the large American companies like Visa and MasterCard which have objections to data localisation,” he said.
According to Santosh, these laws would initially increase the cost of having data servers in India.
“However, most Chinese investors are investing in Indian technology companies which might already have domestic servers so there might not be an additional cost. A good example is Paytm in which Alibaba has invested,” he added.
Santosh expects that Indian government will allow sufficient time for all companies to comply with regulations.
“Since India does not have significant data storage facilities, a lot of new investment and capacity building will be required. In fact, this will also be an investment opportunity for Chinese companies in India. In provinces like Guizhou the Chinese have built massive data storage capacities within 2-3 years. They can replicate this in India,” he added.
However, Mohandas Pai believes that the cost of installing data centres in India can actually be lower than in other parts of the world.
"The resources necessary for setting up data centres in India can be either same or lower than in other parts of the world. The centres can also be set up outside cities where real estate price is not very high,” he explained.
Do Indian startups need to worry?
Analysts believe that the Indian startups might have to bear the biggest brunt of the law.
Internet and Mobile Association of India, an industry body of digital businesses, raised concerns about the possible impact of the Data Protection Bill on the tech startup sector in India.
The association said that the new data storage regime may have a negative impact on mid-sized startups with ambitions to expand in overseas markets as they fear that their plans may be scuttled by the provisions of data localisation.
“Other countries where they are expanding may retaliate by demanding reciprocal data localisation, and the regime will force Indian startups to look for more expensive and inefficient local solutions,” IAMAI said in a statement.
Bala Parthasarathy, CEO and co-founder of lending app MoneyTap said that the push will increase the cost for companies that are not running on cloud servers. However, he said that the migration of data over cloud servers is cheaper than setting up servers or creating data centres.
He, however, emphasised that data privacy laws and localisation should both be done. “It is not an either-or situation. The policy should be implemented, but the government should allow some time for the companies to migrate their data centres,” he explained.
He said that even though MoneyTap is not affected by any law yet, it is planning to migrate its data to Indian services.
MoneyTap uses Amazon servers, and they have a data centre in India. “So, it’ll be a seamless migration process that won’t have any impact on our users and it will practically be the same for us as well,” he clarified.