Photo: Priyanka Parashar/Mint
Photo: Priyanka Parashar/Mint

Data localization: Deadline over, what’s next for firms?

With govt unwilling to extend the deadline, compliance is the only option, for now

New Delhi: The government and the Reserve Bank of India (RBI) have stuck to their stance of asking payment companies to store payments data locally. The deadline for payment companies to adhere to the RBI’s data localization norms was 15 October but major international payment companies such as Visa and Mastercard are said to have missed the deadline.

The RBI and government don’t favour granting any relaxation sought by these firms asking them to permit mirroring of data.

The norms set by the central bank aim to ensure that all data relating to payment systems operated by payment system providers is stored locally to ensure better monitoring. Mint takes a look at these norms, their impact on payment firms and the privacy aspects.

The RBI suggested that all payment system providers should store data locally to ensure better monitoring and access to data. “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction," RBI said in its 6 April circular. It said for the overseas part of the transaction, the data may be stored in a foreign country. All system providers were given six months’ time from the date of issue of circular to comply with the norms and report compliance to the RBI by 15 October. Last month, RBI also told payment firms to submit fortnightly updates on the progress made on storing data in India.

All payment companies, including global digital payment firms such as Visa, American Express, Facebook, PayPal, Mastercard and Google have been impacted by the regulations. Till now, more than 60 companies have complied with the RBI directive. However, some of the big global entities operating in India including Visa and Mastercard have missed the deadline, a Reuters report said. Most of these companies had sought an extension of the deadline and a relaxation of the rules, citing operational difficulties and security concerns.

Besides Visa, American Express, Facebook, PayPal, Mastercard, Google and WhatsApp were also mandated to store data locally for their payments-related businesses. WhatsApp was the first to officially comply with these norms. In September, a senior government official told Mint that Google has also agreed to store data locally but has sought an extension of deadline. Google is yet to confirm the development.


The draft Personal Data Protection Bill, 2018 also suggested that critical personal data, which the bill leaves to the centre to define, must be stored and processed only in India. The onus on storing and processing data in India might lead to a surveillance state with government and RBI having access to all personal information of people, said a privacy expert who did not wish to be named.

The deadline has lapsed and there are many firms still struggling to comply with the norms. “With the government and RBI not willing to extend the deadline, these companies have no other option but to comply with the norms," said an industry expert who did wish to be named. The most appropriate way to go about this would be to seek grace period to put appropriate infrastructure in place or submit an undertaking to RBI to comply with the norms within a specified date, added the person.