Cloud data may have to be stored in India but payment firms may get a breather

A panel working on the Indian government’s cloud computing policy wants data generated in India to be stored within the country, according to its draft report seen by Reuters, a proposal that could deal a blow to global technology giants such as Amazon and Microsoft who offer such services.

It could not only raise their costs because they will need to ramp up the number and size of data storage centers in India, where power costs remain high, but at least some of those increases are likely to be passed onto customers who include everyone from small start-ups to large Indian corporations.

The policy will be the latest in a series of proposals that seek to spur data localization in India, as the government finalizes an overarching data protection law. Local data storage requirements for digital payments and e-commerce sectors are also being planned.

The authorities want the information stored locally so that they can more easily get access to it when conducting investigations.

India’s push for localization comes at a time of heightened global scrutiny of how companies store user data. In July, India said its federal police had begun probing Cambridge Analytica’s misuse of Facebook user data, which New Delhi suspects included information on Indian users.

Report to be submitted soon
The draft report of the cloud policy panel, which is headed by the co-founder of Indian tech giant Infosys, Kris Gopalakrishnan, said a “forward looking” data protection regime was needed as India’s IT laws framework was “not sufficient” for cloud computing.

“We recommend localization of cloud data and any data that is stored about Indian entities or data generated in India,” it said, adding this data “must be available for investigative agencies and national security agencies.”

Gopalakrishnan declined to comment on the draft report, but said he hopes to submit it to the information technology ministry before month-end, or at least by September 15. A spokesman for the IT ministry said the department would review the report once it’s submitted but won’t comment before that.

Cloud computing refers to the provision of software, storage and other services to customers from remote data centers. It allows companies to use programs at lower operational costs as programs and data are not stored at the customer’s own data centers, or on their desktops.

Industry executives said many Indian businesses store their data on cloud servers located outside the country and a localization mandate could force them to migrate data to India.

Payments data

Foreign payment firms could keep copies of customer data in India while retaining offshore storage operations, the government said, as a way to resolve a row with MasterCard, Visa and American Express over the localisation of such information.

A decision by India’s central bank in April that all payments data should, within six months, be stored only in the country for “unfettered supervisory access” has led to furious lobbying by global firms that worry it would cost them millions of dollars.

India’s Economic Affairs Secretary S.C. Garg said that keeping data copies in the country had emerged as a possible solution during a meeting with officials from the Reserve Bank of India and executives from the payment firms.

“One of the options which emerged in that meeting was maybe mirror copies might be a potential solution,” Garg told Reuters in an interview on Saturday.

He said the Reserve Bank of India had to take a final decision on the matter but keeping mirror images of the data in India would mean all the customer information would be available to local authorities.

The RBI’s directive comes as more people in India are switching to plastic, partly driven by Prime Minister Narendra Modi government’s decision to replace high-value currency notes in November 2016, since when the government has aggressively discouraged cash transactions.

In March, Indians clocked up transactions worth $52 billion using their 900 million credit and debit cards, nearly double the amount recorded in November 2016, data from the RBI showed.

But rising fraud is a concern too. The RBI in April said the payment ecosystem in India had expanded considerably, making it necessary to ensure the safety and security of data.

Garg said the government was trying to find a consensus over data localisation at a time of heightened scrutiny of how companies globally handle their customers’ data.

“What we do is we listen to different stakeholders, what they say, what their stance is and where can we can find a landing zone ... That is the reason why it was suggested to have mirror copies,” he said.

Reuters previously reported that India’s finance ministry has proposed relaxing the RBI’s directive following weeks of intense lobbying by U.S. companies and trade bodies.

During the June meeting, representatives from U.S. lobby group U.S.-India Business Council (USIBC) said that storing the data exclusively in India would be a security risk, as in the event of a natural disaster no-one would have access to it if it was all stored in one place.

A stronger economy
Garg said India’s strong economic and fiscal performance warranted a sovereign rating upgrade by leading rating agencies, including Standard & Poor’s, and reiterated that the economy was on course to achieve its 3.3 percent fiscal deficit target for 2018/19.

“Of course we would want an upgrade. There is no question. Everything (economically) is strong,” he said adding that S&P might assess India’s sovereign rating next month.

In November last year, S&P affirmed India’s sovereign rating at “BBB minus” along with a stable outlook. S&P has kept India at the lowest investment grade since 2007 while Moody’s Investors Services has upgraded India’s credit rating to “Baa2”, a notch higher than S&P’s rating.