[By Aryan Dash & Rishita Sinha]
The authors are students of National Law University Odisha.
INTRODUCTION:
In the bustling landscape of India’s financial technology sector, the crescendo of UPI transactions have reached a staggering 9.3 billion in June 2023. Projections paint a vibrant future for the Indian fintech industry, eyeing a valuation surpassing $2 trillion by 2030. The meteoric rise of UPI has not only transformed the payment ecosystem within India but has also sparked a global ripple effect. The primary purpose of the extension of UPI abroad is to boost cross-border transactions, foster financial inclusion, and reduce reliance on cash transactions. However as the National Payments Corporation of India (NPCI) extends UPI services beyond borders, a critical conversation emerges – one that delves into the implications of managing vast data under the existing data protection regulations and the recently introduced Digital Protection & Data Privacy Act 2023 (DPDP Act).
THE NPCI’S ROLE AND GLOBAL UPI EXPANSION:
In an era where global connectivity is paramount, the expansion of UPI services abroad marks a pivotal step in revolutionizing cross-border transactions. Founded in 2008 as a not-for-profit under the RBI and Indian Banks’ Association, the NPCI has been a linchpin in providing cutting-edge payment system technologies, including RuPay and UPI. In a bid to cater to Indian tourists and the diaspora abroad, NPCI’s wholly-owned subsidiary, NPCI International Payments Limited (NIPL), has embarked on an ambitious initiative to extend UPI services globally.
Agreements with countries like Singapore, France, Malaysia, South Korea, and Japan underline NPCI’s intent to facilitate cross-border transactions, enhance financial inclusion, and reduce dependence on traditional payment methods. The NPCI envisions a two-pronged approach, developing international interoperability for travellers and collaborating with central banks to fortify UPI ecosystems worldwide.
RBI’S STANCE ON DATA LOCALIZATION:
In an era dominated by digital transactions, robust data privacy regulations are imperative, especially for sensitive information like banking transactions. Safeguarding critical data ensures not only the security of individuals but also the integrity of financial systems.
Preceding the current surge in data protection concerns, in 2018, the RBI introduced the Storage of the Payment System Data circular to regulate data storage in the context of cross-border transactions.
RBI’s Guidelines for In-Country Storage with Foreign Transaction Exceptions
This circular mandates banks and payment service providers to store data within India, with exceptions for foreign components in a transaction. For foreign data processing, there is a 24-hour limit set for data storage abroad, after which it must be deleted and brought back to India.
Real-Time Settlements and In-Country Data Storage:
Regarding payment settlements, transactions settled outside India require real-time basis settlement with exclusive data storage within the country. The RBI’s circular encompasses all banks, payment system providers, and third-party applications providing UPI services, with the data stored in India being eligible for limited sharing, subject to necessary permissions.
CROSS-BORDER DATA SHARING AND THE DPDP ACT:
The DPDP Act, in its current form, introduces some shifts in data-sharing dynamics. Section 16 of the Act allows unrestricted data sharing with countries whitelisted by the government, while blacklisted countries are ineligible for such arrangements.
Undefined Territories: The Need for DPDP Rules
Presently, the DPDP Act lacks a predefined roster of countries classified as either blacklisted or whitelisted. The government aims to address this gap by formulating detailed DPDP rules. These regulations will outline the criteria for categorizing countries onto the blacklist, based on considerations the government deems necessary to safeguard the data of Indian citizens and businesses.
Consent Matters: Obligations of Data Fiduciaries
However, data fiduciaries, including third-party applications and payment service providers, are obligated to obtain valid consent from users before sharing sensitive financial data.
DPDP Act vs. RBI Circular
The Act seemingly contradicts the RBI’s circular, especially in terms of data localization and sharing. While the RBI circumscribes cross-border data transfer, the DPDP Act presents a more lenient approach, opening avenues for data sharing under consent. This creates a nuanced landscape where reconciling the differences between the two becomes imperative.
BALANCING ACT: RBI CIRCULAR VS. DPDP ACT:
In the intricate regulatory dance between the DPDP Act and the RBI’s Circular, achieving a delicate balance becomes paramount. DPDP’s Section 16, permitting global data sharing with consent, collides with the RBI’s stringent data localization directives. The DPDP Act seemingly contradicts the RBI’s data localization directive, which requires deleting processed data abroad within 24 hours.
While the RBI allows data sharing for processing outside India, the DPDP Act prohibits exporting Indian data, even for processing. Despite government assurances that RBI regulations will endure, reconciling these disparities in practice remains a challenge.
Notably, DPDP’s Section 17 introduces exceptions, aligning with the RBI’s circular, allowing data sharing for legal claims or breaches. Crafting a cohesive framework that respects user privacy, aligns with global standards, and adheres to financial data mandates is a crucial task in this evolving regulatory landscape.
EXPANSION OF UPI SERVICES: NRIS AND FOREIGN TOURISTS:
In a move to broaden UPI services, the RBI, in a circular dated 10 February 2022, greenlit the extension of UPI services to Non-Resident Indians (NRIs) and foreign tourists. NRIs can set up a UPI ID using their international numbers, linked to NRE/NRO accounts, provided they comply with KYC regulations. Similarly, foreign tourists can avail themselves of Prepaid Payment Instruments (PPIs) from banks or corporate entities, loaded using various methods, adhering to RBI’s guidelines.
The Indian government has been actively forging strategic agreements to enhance cross-border transactions and simplify fund transfers for the Indian diaspora worldwide. Under NPCI’s global UPI initiative, services have been extended for foreign remittances, exemplified by the UPI-PayNow linkage between India and Singapore. the collaboration between India and France marked a milestone, allowing Indian tourists to effortlessly make payments in INR using their UPI apps, even from the iconic Eiffel Tower.
Early on, Bhutan joined hands with India to introduce UPI-based transactions, initially limited to the BHIM app for Indian travelers and residents in the country. This move showcased the early adoption of UPI technology beyond India’s borders.
A significant leap forward occurred in 2022 when the National Payments Corporation of India (NPCI) inked a formal agreement with the Central Bank of Oman. This collaboration aimed to seamlessly integrate UPI into Oman’s payment systems, reflecting a broader commitment to extend the reach of this cutting-edge technology.
The United Arab Emirates (UAE) also embraced the BHIM UPI system within its payment infrastructure, specifically catering to the Indian community in the UAE. This integration was made possible through NEOPAY terminals, a subsidiary of Mashreq Bank. The move demonstrated the dedication of NPCI and its subsidiary, NIPL, to not only serve Indian travellers abroad but also pave the way for future services catering to foreign citizens in their respective home countries, facilitating real-time payments.
DPDP ACT AND APPLICABILITY OF DATA LOCALIZATION FOR FOREIGN CITIZENS:
The critical question arises regarding the storage of financial data for NRIs and foreign tourists. Simply put, the DPDP Act applies to both Indians and Indian businesses. Given that payment processing occurs within India through an Indian service provider, it’s plausible to assume that sensitive personal data of non-Indian travelers is stored in India. Nevertheless, the absence of specific rules for data localization of foreign citizens introduces ambiguity.
This scenario mirrors the global approach to data protection seen in the European Union’s GDPR. Both acts extend their jurisdiction beyond borders, emphasizing the primacy of where data is processed over the nationality of individuals involved. The parallel between the DPDP Act and GDPR underscores the need for a cohesive international framework to address data protection concerns, particularly in an era where cross-border transactions are increasingly common.
OWNERSHIP OF FINANCIAL DATA:
In the intricate web of UPI transactions, pinpointing the owner of financial data becomes crucial. Given its role as the architect of the UPI interface and technology, it’s reasonable to assume NPCI owns financial transaction data. While NPCI is the architect of the UPI interface, banks, payment service providers, and third-party applications act as data fiduciaries, responsible for regulating, determining usage, and potentially sharing critical financial information. The ownership, however, doesn’t rest with NPCI but extends to Payment Service Providers (PSPs) – the entities linking bank accounts for UPI transactions.
PSPs and Third-Party Applications (TPAPs) operate under private contractual agreements with NPCI, utilizing UPI services on their platforms. These entities, acting as data fiduciaries, are in the driver’s seat when it comes to storing and managing user data. While the DPDP Act doesn’t mandate data fiduciaries to process the data, it allows for contractual relationships with Data Processors for this purpose.
CONCLUSION:
As the UPI juggernaut extends its reach globally, the regulatory landscape faces unprecedented challenges. The confluence of the RBI’s circular and the DPDP Act raises questions about data localization, sharing, and ownership. The interplay between these regulations demands nuanced interpretation, especially in the context of cross-border UPI transactions involving foreign nationals.
The grey areas in the law, particularly concerning the applicability of the DPDP Act to foreigners using Indian UPI applications, beckon the attention of policymakers. As more nations embrace UPI services, the steps taken by the government to address cross-border data sharing will shape the future of global fintech collaborations. In this evolving narrative, finding a delicate balance between facilitating international transactions and safeguarding user data remains a paramount challenge for regulators and industry stakeholders alike.
With real-time settlement in UPI, the question arises: Will the DPDP Act enforce data storage in India? Or will foreign privacy regulations apply? As nations adopt UPI, it’s intriguing to observe the government’s approach to cross-border data sharing.