September 24, 2018, Mumbai
CUTS International, a Jaipur headquartered civil society organisation, in association with the law firm Nishith Desai Associates, organised a conference in Mumbai on theme of “Consumer Welfare in Emerging Regulatory Landscape in Data Economy” in Mumbai. The conference comprised round table discussions on some of contentious regulations in data economy, which relate to the cross border flow of data and digital payments. In this regard, key aspects of the recently released Draft Personal Data Protection Bill, 2018 and Draft Payments and Settlement Systems Bill, 2018 were discussed. With respect to the former, the focus was on data localisation issues and with respect to the latter, the focus was on managing concentration risk in retail payments.
Several key stakeholders in the data economy participated in the roundtable, including former senior officials of the Securities and Exchange Board of India and Reserve Bank of India, such as Mr. Vijay Chugh, former Principal Chief General Manager, Department of Payment and Settlement Systems, RBI, representatives of industry, including co-founders of Bill Desk and Paymate, start-ups, senior officials of Mastercard, venture capitalists, legal experts, such as Nishith Desai Associates and Cyril Amarchand Mangaldas, among others.
It was pointed out that it is necessary for laws to clearly spell out rationale for its regulation, both in terms of data localisation and payments systems. For instance, it appears that the objective of data mirroring and localisation mandate is to enable access to data for law enforcement agencies. However, localisation may not necessarily achieve this objective. Conversely, such objective may be met by alternate mechanisms without restricting cross border data flows. Localisation instead may result in imposition of significant cost on businesses, particularly small and medium enterprises, both within and outside India, which may be passed on to consumers in terms of increased prices and reduced access.
In addition, localisation comes with mandates to classify data in different categories, such as personal, sensitive and critical and the distinction between such categories may not be clear at all times for stakeholders. More importantly, uncertainty increases when it comes to sector specific mandates of localisation. For instance, the Payment Data Storage Directive of the Reserve Bank of India requires exclusive storage and processing of payments data in India, without clearly defining the components of payments data.
In relation to regulation making process, it was pointed out that there is a need to broad base and institutionalise stakeholder consultation mechanism. A key suggestion was to expand the scope of the proposed Payments Regulatory Board to include representatives from industry and consumers. While the new Bill has provisions with respect to undertaking cost-benefit analysis while drafting regulation, it remains to be seen how these will be implemented.
It was also pointed out that one of the key reasons of concentration risk in the retail payments market is structure and operation of National Payments Corporation of India. It was suggested that NPCI needs to be separated into two separate entities managing payment infrastructure and payment instrument businesses respectively to avoid conflict of interests and foster innovation and competition in the sector. International experiences may provide good precedents in this regard.
The participants agreed that a more nuanced and nuanced approach is imperative to balance rights of all stakeholders in the data economy.