“Sorry, We Don’t Accept MasterCard Here” India’s Ban On Credit Card Companies Over Data Localization

On July 14, 2021, the Reserve Bank of India (RBI) barred MasterCard from issuing any new debit, credit, or prepaid cards to Indian citizens. With the ban coming into effect on July 22, RBI gave MasterCard a week’s notice to stop acquiring new India-based customers. This restriction will not affect any existing MasterCard customers who live in India.

How did we get here?

While MasterCard was given only a week’s notice, it has had a few years to avoid this ban. The ban dates back to a directive issued by RBI on April 06, 2018, known as the “Storage of Payment System Data.” This directive required that all providers, such as MasterCard, ensure that all data related to payment systems operated by the RBI is stored only in a system located in India. When RBI issued this directive on April 06, 2018, it gave service providers a six-month window to become compliant; by the time the ban takes effect on July 22, thirty-nine months will have passed. MasterCard is not the first company to receive this treatment from the RBI: American Express and Diners Club International were barred from onboarding new customers on May 01, 2021.

Why are we here?

Data privacy is the name of the game. RBI fears that user data stored in another country will become nothing more than a commodity auctioned off to the highest bidder. By requiring that data be stored and processed only domestically, RBI can protect Indian citizens’ personal information from unwanted sales and exposure in a way it could not if a foreign country held the user data. RBI appears to be looking out for the citizens of India by requiring this methodology, commonly known as “Data Localization.”

What is “Data Localization?”

“Data Localization” is the practice of storing data within the boundaries of the country where the data was collected. For instance, any data created in India should be stored and processed in India rather than in a foreign country.

In recent years, there has been a movement for countries to adopt data localization, also known as data sovereignty. An article we wrote late last year, “Storage Wars: The Pros and Cons of Data Localization/Nationalization,” detailed how the practice of data localization can help countries protect the cybersecurity and privacy of their citizens’ personal information (PII) from global companies and foreign governments, especially adversaries and those with insufficient data protection laws. The recent prominence of cloud storage has also led more countries to pass laws and directives to maintain sovereignty over data, which generally operates without borders. You can read more about the push towards data localization here.

Privacy & Monetization

A two-horse buggy is pulling the movement for data localization. The first horse is a need for national privacy and security; the second horse is data monetization. With large-scale data breaches filling the newsfeed, people have become concerned about their data getting into the hands of the wrong people. Data localization can help countries and companies secure and protect collected data as localization allows for easier data monitoring. The other side of the coin is commerce from data sales. Data brokers generate revenue from the sale of personal information, and data localization can be a method for countries and companies to regulate who has access to their data and prevent people from selling the data. As countries start to require data localization, companies must be mindful of the practice and how to implement it, or possibly face a ban.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/ and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.