Keeping Data (Mostly) Local

India relaxes data retention rules.

The Reserve Bank of India (RBI) in June cut international payments companies in India a break by relaxing data rules on cross-border transactions. The clarification applies to transactions originating in India and completed abroad.

It “does not water down the stringent Indian data localization requirements,” says Dr. Vaneet Bhatia, assistant professor at the Jindal School of Banking and Finance. “Instead, it provides some relief to international firms by allowing them to process data outside.” Payments data that companies like Visa and Mastercard send abroad for processing must be brought back to India and deleted from overseas systems “not later than one business day or 24 hours from payment processing,” the RBI clarified.

A circular issued in April last year directed all payments providers to store all their data in India, irrespective of whether transactions are domestic or foreign. Providers were given six months to comply, but none met the deadline. Local storage regulations are supported by domestic companies but opposed by international payments providers like Visa because they require new infrastructure. “Obviously, technology giants intensified their lobbying efforts,” says Bhatia.

India isn’t the first country to pursue data localization. Germany and China, among others, have laws restricting storage of personal data abroad. China has the most comprehensive laws covering all aspects of data localization.