The Reserve Bank of India (RBI) on Friday asked card companies American Express and Diners Club International not to onboard new domestic customers from May 1, as they had not adhered to its guidelines on local data storage.
“These entities have been found non-compliant with the directions on storage of payment system data. This order will not impact existing customers,” the RBI said in a notification on its website.
Reacting to the development, American Express in a statement said: “We have been in regular dialogue with the Reserve Bank of India about data localisation requirements and have demonstrated our progress towards complying with the regulation. While we’re disappointed that the RBI has taken this course of action, we are working with them to resolve their concerns as quickly as possible. This does not impact the services that we offer to our existing customers in India, and our customers can continue to use and accept our cards as normal.”
At the end of February, American Express had 1.56 million credit cards outstanding and was the seventh-largest credit card issuer in the country. Its cards were used for transactions worth Rs 2,325 crore, according to RBI data.
Diners Club data was not separately available; it has a tie-up with HDFC Bank in India, the country’s largest card issuer. A spokesperson for HDFC Bank was not immediately available for comment, but it is understood that Diners Club accounts for a small share of the bank’s total cards portfolio.
Both are premium cards, widely used for international travel and high-value spending.
“This local data storage obligation is similar to the one proposed under the Personal Data Privacy Bill which suggested very hard data localisation obligation on entities, which were objected to by MNCs,” said Salman Waris, Partner – Head TMT and IP Practice at Delhi-based TechLegis Advocates & Solicitors. However, with recent mega data and cyber breaches, it might be worthwhile to have data stored on local servers so as to avoid jurisdiction, governing law and liability issues at a later date in case of such a breach, Waris said.
The central bank, in April 2018, had told all payment system providers to store their entire data in a system located only in India. They were also required to report compliance to the RBI and submit a board-approved System Audit Report (SAR), prepared by a CERT-In-empanelled auditor, within the timelines specified therein. The data to be stored in India included full end-to-end transaction details and the information collected, carried and processed as part of the message or payment instruction.
The RBI had given these companies six months for compliance.
That led to a huge hue and cry, and the US-based companies wanted to engage the US government to pressure India and the RBI to ease the rules, Business Standard had reported at the time.
Companies like Visa, Mastercard, American Express, PayPal, Google, Facebook, Microsoft, and Amazon, as well as global banks, had planned to form industry-level lobby groups, opposing the RBI’s data localisation guidelines.
A few other powerful lobby groups, such as the Securities Industry and Financial Markets Association (SIFMA), the Global Financial Markets Association (GFMA), and the US-India Business Council (USIBC) were also tapped on behalf of the American companies, according to sources.
But the RBI remained firm in its approach. Following this, almost all payments companies complied with the RBI’s guidelines and stored data locally.
India does not yet have specific legislation dealing with user data breaches or the penal actions relating to them. The Personal Data Protection Bill, which is proposed to deal with such cases of data breaches, has been pending in the Lok Sabha since 2019.
Recent data breaches have brought the issue centre stage. An alleged data breach at MobiKwik affected the data of 3.5 million of its users, exposing know-your-customer documents such as addresses, phone numbers, Aadhaar cards, PAN cards and so on. The size of the data was reported to be 8.2 TB. MobiKwik has denied the breach.
Earlier this month, millions of records of pizza chain Domino’s customer data were leaked online. Facebook and LinkedIn also saw data leaks affecting millions of users this month, including Indian users. While both admitted that customer data had been leaked, both said it had not been hacked from their systems but had been scraped, that is, extracted from the website by an automated program rather than taken from the company’s internal systems.