A week after the Minister of Commerce and Industry, Piyush Goyal asked companies to submit their concerns over data protection policies in India, the Reserve Bank of India (RBI) said that all payments related data was to be stored within systems operated in the country. Further, in cases where the data is processed outside the country, it needs to be brought into India's jurisdiction within 24 hours.
In its 'Frequently Asked Questions,' the central bank clarified its stance on the data localisation policy issued in 2018. It also said that the rules apply to banks operating in India as well.
"The entire payment data shall be stored in systems located only in India," RBI said. "There is no bar on processing of payments transactions outside India if so desired by the payment system operators (PSOs). However, the data shall be stored only in India after the processing," RBI said in a note released on Wednesday.
"The data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from the payment processing, whichever is earlier," it added.
This provides clarification on whether the data needs to be only stored or processed as well in India. It also clarifies that foreign banks could continue storing data outside, however, data on domestic payments have to remain in India.
As for cross-border transactions, the data related to the domestic component of the payment can be stored abroad but a copy needs to be maintained in India.
On 18 June, a meeting was held between Goyal and industry representatives where principles of data protection and privacy were discussed at length. It was assured during the meeting that the concerns over classification of data and the manner of cross border flow of data would be addressed.
RBI's decision to compulsorily store payments data within India, (issued in April 2018) has affected large multinational payments companies like Visa, Mastercard, American Express, Amazon Pay and Google Pay.