With the rise in the value of data—together with high-profile instances of its misuse or theft—it is little wonder that regulators are increasingly focused on data. The growth of global data regulation is a trend that will not abate soon, affecting nearly every industry. But the payments industry in particular is one sector affected by a certain type of regulation—data localization—which increases infrastructure costs and compliance investments for the “cash-free society.”
Types of Data Localization
Data localization provisions restrict the storage, processing, and/or transfer of data within a given country. Storage and processing restrictions are generally absolute, requiring a company to store and process data locally. Transfer restrictions, however, tend to be conditional. Typically, these laws prohibit the transfer of data beyond borders unless certain requirements are satisfied. But at their extreme, data localization provisions may require data to be processed, stored, and accessed only in-country—the data can never leave.
The mandate for a company to store, process, and/or transfer data locally is in tension with the underlying architecture of the Internet, where caching and load balancing are often borderless and automatic. This is particularly an issue for those in the payments industry since any single transaction involves multiple parties with data flowing in various directions, often to and from different countries (e.g., a U.S. Mastercard holder paying for her hotel stay in Beijing). As businesses increasingly become global in reach and move toward centralizing data and related systems, data localization restrictions require investment in local infrastructure for data storage and processing solutions, which can disrupt—or at least make more difficult and expensive—the operating architecture, business plans, and hopes for further expansion.
To be fair, not all jurisdictions are imposing onerous data localization restrictions. In a clear acknowledgement of the harm such measures may cause, the European Union in November 2018 approved a legislative reform banning data localization restrictions. Regulation (EU) 2018/1807—applicable in all EU Member States in May 2019—creates a framework for the free flow of electronic non-personal data in the EU and prohibits data localization requirements put in place by EU Member States. Currently, however, the EU is clearly in the minority when it comes to prohibiting data localization.
Approaches to Data Localization
A significant challenge for payment companies is the variety of ways that countries can address data localization; there can be as many approaches as there are sovereign nations.
For example, Russia’s Federal Law No. 242-FZ, which amended Federal Law No. 152-FZ on Personal Data, requires data operators to store and process the personal data of Russian citizens within Russia. As long as companies store and process data locally, they are permitted to transfer the data outside of Russia provided they fulfill other requirements of the law.
China takes a stricter approach. Under China’s Cybersecurity Law, critical information infrastructure (CII) operators—which include financial services—must store personal and important data in China. This law is further supplemented by measures and guidelines related to the cross-border transfer of data. Such data may only be transferred outside China with prior regulatory approval based on a company’s genuine business need to transfer the data, as well as a company’s security assessment report per Art. 28 of the Cybersecurity Law.
India has one of the most restrictive regimes, including data localization requirements specifically aimed at and applicable to the payments industry. Earlier this year, the Reserve Bank of India (RBI) issued the Storage of Payment System Data circular, which requires operators of authorized payment systems to store all data in their payment systems only in India. While the circular contains a limited exclusion that allows data to be stored in and transferred to another country if required for the foreign leg of a transaction, the payments industry—including payment heavyweights such as Mastercard and American Express—struggled to comply within the tight six-month implementation period. Their entreaties to the RBI for extensions beyond the October 2018 deadline were declined.
Not only are more countries adopting data localization laws and regulations, some with existing data localization measures are expanding the scope of data that must be stored and processed locally, while limiting the data that can be transferred abroad. For instance, before the enactment of China’s Cybersecurity Law, China already required banking financial institutions—including foreign-invested commercial banks—to store, process, and analyze personal financial information in China. The net has only widened since.
Impact on the Payments Industry
FinTech and payments innovation will always be inextricably linked with data, and, as a result, the payments industry will remain keenly interested in, and impacted by, data management regulation. Payment companies from the behemoths to the upstart innovators must meticulously map data flows to deal with the practical realities of data compliance across a wide array of requirements and geographies.
Payment industry participants—whether card issuers, transaction processors, technology innovators, or merchants—must determine the who, what, where, when, and why related to data storage, processing, and transfers. They are required, for example, to determine which data involved in a transaction must be handled exclusively within the borders of the home country, and whether and to what extent any other data may cross borders. Such processes compromise efficiency and increase costs, with the net result likely constraining—at least in part—the global wave of payments innovation.
Companies also face other challenges, as data localization increases not only compliance costs but also the risk of data loss from cyberattacks, mechanical issues, or natural disasters. Data localization, for example, may prohibit backups to a geographically remote, out-of-country facility. The difficulties associated with compliance are further exacerbated by uncertainties in regulatory scrutiny and enforcement across varying legal systems. This uncertainty is exemplified in India’s Storage of Payment System Data circular, which, in a pithy one-page memo, mandated a comprehensive change to the payments industry to be implemented in just six months.
Data Localization as Economic Protectionism
Interestingly, and perhaps not coincidentally, some of the countries driving the market for mobile payments and other innovative payment methods—China and India—are also the countries with the toughest data localization regimes.
No country exemplifies the promise of payments innovation more than China, with the headline of a Jan. 4, 2018, story in The Wall Street Journal summarizing it well: “The Cashless Society Has Arrived—Only It’s in China.” For non-Chinese enterprises, entering and thriving in that market is notoriously difficult, thanks in part to its data localization regime. Seen in this light, one could conclude that data localization is the latest form of economic protectionism, albeit one limited to the new digital, information-intensive market.
Innovations in technology have contributed to the significant adoption of non-cash payments, but data localization may result in market contractions because companies along the payment supply chain must invest heavily in time, effort, and resources to comply. In the end, consumers are left with fewer choices and higher prices. With data regulation of all stripes on the rise, perhaps it will be the consumers wanting more data mobility who will reverse the data localization trend.
Richard R. Willis, Brussels-based partner in Alston & Bird’s Financial Services & Products Group, advises banking, payments and FinTech companies in cross-border transactions and new market entry strategy. Laura K. Song, also based in Brussels, is an associate in the firm’s Technology and Privacy Group.