Data Localisation May Pinch Startups and Payments Firms

Synopsis:
Companies will have to store financial data here if it's notified as critical data, a move that will add to their costs.

BENGALURU: The draft Data Protection Bill is likely to have significant impact on how companies and startups use customer data, particularly as it would increase costs and make it difficult for them to take data outside the country.

The draft bill is also likely to bring more financial companies, aside from only payments companies, under the ambit of data localisation by categorising all financial data as sensitive personal data. Data localisation has been a point of contention between the Reserve Bank and payment companies.

The draft bill prescribes strict restrictions on how much personal data a company or any data fiduciary can collect and how they can use the data. It also says companies cannot make the provision of any goods or services or the quality or performance of any contract conditional on acquiring consent to process personal data not necessary for that purpose.

Experts say this will put an end to the "take it or leave it" contracts that several companies often demand from customers.

"This is basically a provision to deal with non-negotiable contracts, wherein the data controller uses its market power to force people to give up personal data," said Sunil Abraham, executive director of the Centre for Internet and Society, a think tank. "This recommendation makes it clear that 'take it or leave it' contracts can only insist on data that is necessary for the service or product being provided."

On data localisation, the draft bill states that every data fiduciary shall ensure the storage of at least one serving copy of personal data on a server or data centre located in India. While this allows for data mirroring — or the storage of data both abroad and in India — it could make it difficult for companies to take data outside the country, said Subho Ray, president of the Internet and Mobile Association of India.

This is because the draft bill states that the government can notify categories of personal data as critical personal data that can only be processed in a server or data centre located in India.

"Though there is no clarity yet on critical personal data, there is a strong chance that financial data could be classified as critical data and players dealing with financial data could be mandated to keep data within India only," said Vivek Belgavi, fintech partner at PwC.

Under the bill, all financial data, including personal data used to identify an account opened by, or card or payment instrument issued by a financial institution, or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history, has been classified as sensitive personal data.

Credit scoring, lending and insurance companies could also be impacted, said an industry member on condition of anonymity. Abraham said that while cross-border data may be allowed for certain cases, it will include liability on the entity. This move will increase costs for companies as they will have to necessarily store data within the country, as per the experts.