At midnight on Tuesday, nearly every American payments company offering services in India was breaking the law every time Indians used their banking cards. A new regulation, issued in April and in effect starting today, requires companies such as Visa and Mastercard to store all transactional information involving Indian citizens on machines in India.
Despite protests from companies that six months was not enough time to redesign their data processing systems—currently distributed on computers around the world—Delhi would not budge. The nation’s banking regulator, the Reserve Bank of India (R.B.I.), even warned that it would impose fines if companies missed the data regulation deadline.
Storing information in its country of origin, known as “data localization,” is part of a bigger trend to curb the power of technology companies. As American tech giants attempt to capitalize on the market in India, the fastest-growing market for Internet users, Delhi is imposing rules that allow domestic firms like Reliance Jio and Paytm to compete. Ironically, however, India’s own companies depend on the flow of data across borders to grow their services.
Curbing foreign competition is not the only goal of the regulation. According to the R.B.I, restricting international companies’ ability to analyze and capitalize on data from Indian citizens also helps the Indian government maintain their citizens’ privacy. Data localization will “ensure better monitoring” and allow authorities to have “unfettered supervisory access to data stored within these system providers.” However, it is unclear how the new regulation will improve consumer safety if companies have not had enough time to redesign data storage systems for maximum security.
What is clear is that as India deliberates further changes to the country’s e-commerce and privacy laws, technology companies will increasingly come into conflict with Delhi when both sides desire increased control over the data they collect.
U.S. Credit Card Giants Flout India’s New Law on Personal Data
MUMBAI, India — When the clock struck midnight in Delhi at the end of Monday, Visa, Mastercard and American Express were suddenly in violation of the law every time an Indian swiped a credit or debit card.
They also became unwilling warriors in a budding conflict between America’s technology giants and the Indian government, which wants more control over the data they collect on India’s 1.3 billion residents.
The spark for the current fight is a new regulation, issued in April and in effect starting Tuesday, that requires payments companies to store all information about transactions involving Indians solely on computers in the country. The rule and the hubbub over it are part of a debate over a concept known as “data localization,” in which a country places restrictions on data as a way to gain better control over it and potentially curb the power of international companies. American firms have lobbied hard against data localization rules around the world.
In India, Visa, Mastercard and American Express, as well as other financial players like Amazon and PayPal, said they needed more time to comply with the order by the country’s banking regulator, the Reserve Bank of India.
The companies told the R.B.I. that their fraud detection and other data processing systems were distributed on machines across the world and could not be quickly redesigned to work in India alone. As an alternative, they offered to store copies of the Indian data in the country for easy access by regulators, tax authorities and law enforcement.
But the R.B.I. would have none of it. In recent phone calls to the top Indian executives of the major payments companies and in letters to the companies last week, the banking regulator warned that it would take action, including imposing fines, if they missed the Monday night deadline.
Mukesh Aghi, the chief executive of the U.S.-India Strategic Partnership Forum, said the payments companies were frustrated with the regulators. “They refuse to sit down and have a discussion,” said Dr. Aghi, whose policy group counts the head of Mastercard on its board.
Spokesmen for Visa and American Express declined to comment on their response to the local storage rule. Representatives of Mastercard and the R.B.I. did not respond to multiple requests for comment.
Amazon, which operates an India-only payments service that uses elements of its global technology platform, said in a statement: “Compliance with local laws and regulation is a top priority for us in all the countries we operate in. We continue to work closely with the regulator towards this.”
The R.B.I., an agency akin to the Federal Reserve in the United States, has said little about why it decided that Indian financial data must be stored only in India. In its April order, it said, “In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers.”
Its policy changed as other arms of the Indian government — spurred by both a privacy ruling from the Supreme Court and India-first nationalists in the governing Bharatiya Janata Party — had begun deliberating over much bigger changes to the country’s data, e-commerce and privacy laws.
Those broader proposals, which are unlikely to be passed until after India’s national elections in May, are intended to curb the ability of American tech titans to collect, analyze and make money from data they collect inside the country, which is the world’s fastest-growing market for new internet users. The rules would also give a leg up to domestic firms like Reliance Jio, a leading telecom provider, and Paytm, a payments company, which are seeking government help as they try to compete with the likes of Google, Facebook, Amazon and Mastercard.
India’s prime minister, Narendra Modi, has portrayed himself abroad as a pro-business leader who welcomes foreign investment. At the same time, the right wing of his party has pushed him to adopt more protectionist, India-first policies to appeal to voters, and law enforcement officials have urged him to make sure they can easily get data on residents when they need it.
The Trump administration and the bipartisan India caucus of the United States Senate have both urged India to reconsider its data localization campaign, in part because India’s own outsourcing companies depend on moving data across borders to offer their services.
On Friday, the co-chairmen of the India caucus, Senators John Cornyn, Republican of Texas, and Mark Warner, Democrat of Virginia, wrote to Mr. Modi warning that data localization “will have negative impacts on the ability of companies to do business in India, may undermine your own economic goals and will likely not improve the security of Indian citizens’ data.”
The same day, Dennis Shea, a deputy United States trade representative and the ambassador to the World Trade Organization, told a Washington audience, “We want to have prohibitions on data localization, disciplines to ensure this free flow of data across borders.”
Dr. Aghi, who has helped American financial firms press their case with the Indian government, said top executives of the big payments companies were summoned to a meeting on Wednesday with B. P. Kanungo, who oversees regulation of payments at the R.B.I.
At that meeting, the payments companies asked for 12 more months to fully localize Indian financial data. But R.B.I. officials insisted that the companies meet the Monday night deadline.
In a follow-up letter to India’s finance minister, Arun Jaitley, Dr. Aghi said the R.B.I. had improperly suggested that the foreign financial firms seek assistance from iSpirt, a technology think tank in Bangalore with close ties to the government and Indian financial-services players.
The only major American company that said it was ready to comply by midnight was Facebook’s WhatsApp messaging service. WhatsApp has been testing an India-only payments service but has yet to receive government approval to offer it to all 250 million of its Indian users.