Plugging loopholes: e-commerce firms like Amazon, Flipkart asked to store payments data in India

Electronics & IT ministry asks DIPP to incorporate storage norms in e-commerce policy

New Delhi

Updated: January 15, 2019 07:19 IST

MeitY wants to plug the loophole which exists after the Reserve Bank of India (RBI) made it mandatory for all payment firms like American Express, Mastercard, Visa, etc to store all payments data within the country.

The ministry of electronics and information technology (MeitY) wants e-commerce platforms like Amazon and Flipkart to store all consumer payments data within the country.

Sources told FE that MeitY has written to the department of industrial policy and promotion (DIPP), which is responsible for making policies and issuing directives to e-commerce firms, to bring these players under local data storage norms in its
e-commerce policy.

Apparently, MeitY wants to plug the loophole which exists after the Reserve Bank of India (RBI) made it mandatory for all payment firms like American Express, Mastercard, Visa, etc to store all payments data within the country. This meant that a consumer’s payment data through these gateways cannot be stored in servers abroad. However, the problem was, as pointed out by experts that if the payment was made on an e-commerce site even if the payments data gets stored within the country, the data will go outside if the e-commerce firm’s server is abroad.

READ ALSO: Flipkart’s Sachin Bansal books $21 million ride in Ola

“Access to data is more important than storage and the RBI has not said anything regarding who can and who cannot access the data,” SN Gupta, an independent regulatory expert and former adviser to Telecom Regulatory Authority of India (Trai), said.

For instance, if one uses a Mastercard to shop anything on an e-commerce site the data goes to the e-commerce player also. In such cases even if Mastercard is storing data locally the e-commerce player may be storing data overseas and the basic purpose of data not going outside the country gets defeated.

READ ALSO: CPI inflation falls to 18-month low; declines to 2.19% in December

This issue has been raised by MeitY with regard to WhatsApp’s payment system. Though WhatsApp has created local data storage facility it has not clarified whether it shares data with any third party, particularly its parent firm Facebook.

Sources said that MeitY wants this loophole to be plugged and therefore has written to the DIPP to come out with a directive similar to RBI’s asking e-commerce firms to store data locally. The RBI had given the deadline of October 15, 2018 to all the payment firms to store data locally and while some have complied, others are in the process.

As is known, the Justice Srikrishna committee, which has drafted the Data Protection Bill has not recommended a blanket local data storage clause but has identified circumstances under which data has to be mandatorily stored in the country and cases where it can be stored with mirroring provisions. It has, however said that critical data has to be stored only in the country.

READ ALSO: Reality check: 10% quota for economically weaker section, but govt job vacancies shrinking, shows DoPT data

It has said that personal data determined to be critical will be required to be stored only in India and there will no cross border transfer of such data.

Most global companies present in India who deal with data have been opposing data localisation and have voiced their concerns.

This article was first uploaded on January fifteen, twenty nineteen, at twenty-nine minutes past five in the morning.