How the Mastercard incident highlights need for regulating digital trade

Mastercard Inc has been told not to issue new cards in India. It’s a move that underscores the urgent need of a US-led digital trade pact to set global standards for what sovereign states can and cannot do to firms that obtain and process data internationally. 

The Indian central bank pulled the plug on the U.S. payments network for alleged noncompliance with its controversial local data storage rules introduced three years ago. In April, the monetary authority imposed similar restrictions on American Express Co. and Discover Financial Services’ Diners Club cards. Existing customers are going to be fine in all three cases, but the harsh penalties will still reduce competition in the market.

RBL Bank Ltd., whose shares fell Thursday following the regulator’s announcement, said it would take it up to  10 weeks to transition to Visa Inc., possibly affecting its monthly card-issuance target in the interim. Mastercard has a 33% share in India, compared with Visa’s 45%. Some other Indian banks and finance companies will also be hit, according to Nomura Research. 

Could this dislocation have been avoided? Globally, e-commerce, content and payment firms are in the crosshairs of regulatory action. While governments advance many reasons for insisting on local storage — from checking money laundering to ensuring national security — the burden of compliance falls disproportionately on international firms. Rivals that serve only one market have no trouble in meeting the requirements. That makes it a trade access issue. To plug this and several other gaps in cross-border exchange of data, President Joe Biden’s team is working on proposals for a digital trade deal with economies in the Asia-Pacific, Bloomberg News reported this week.

Decades of globalization have lowered tariffs and harmonized customs procedures in trade of goods. And although selling services like banking and insurance across borders is still messy, regional free-trade deals are at least trying to reduce the friction. When it comes to data capitalism, however, populous nation-states are increasingly aware of the value of the raw material at their disposal — and loathe to share it with others.

Localization requirements represent some of the most egregious curbs. From Russia and China to India and Indonesia, many governments are insisting on domestic data storage. Some are going further. China used a 2017 cybersecurity law to crack down on Didi Global Inc. just days after the popular ride-hailing app sold shares in the U.S. From September, things will get tighter still. Under a new data security law, Chinese firms will need the government’s permission to share any information about their mainland operations with law enforcement officials overseas.

India offers a more hospitable environment for now, but it, too, is considering legislation for safeguarding of personal data and processing of non-personal information. The compliance costs for businesses will be determined by the guidelines formulated under these new laws. As Amazon.com Inc. and Walmart Inc. are discovering, staying on the right side of idiosyncratic Indian rules can be a costly affair.

Facebook Inc.’s WhatsApp messaging service, which wanted a piece of the flourishing Indian card-less payments market, was restricted to an inordinately long beta trial. Even in that case, the showstopper was data localization. WhatsApp said it had met all the requirements, but by the time the National Payments Corporation of India and the central bank were convinced, the service had been delayed by almost three years.

The Reserve Bank of India wants data on Indian card payments to reside only on servers locally — with no copies retained elsewhere. As more countries impose such data sovereignty requirements, the economic efficiencies from centralized storage and processing will go out the window. The data center market has a heavy concentration in five markets: Northern Virginia, Singapore, London, Sydney and Silicon Valley, according to a 2021 Cushman & Wakefield Plc study of projects in active development. Decisions on where to set up shop are taken on the basis of reliable 24x7 power, legal certainty, fiber connectivity and cloud availability from the three main providers — Amazon, Microsoft Corp. and Alphabet Inc.’s Google. But localization requirements are coming in the way. Mastercard even announced a $350 million investment in a data processing center in Pune, Maharashtra — its first outside the U.S. — to comply with the Indian regulation. Yet the RBI was clearly not impressed.  

Data is unlike any other commodity. Everything else, from oil to computer software, gets its value from well-defined property rights protected by legal systems. But as Columbia Law School Professor Katharina Pistor has argued, the tech industry has simply captured data as “wild animals.” Now, if states rush into the legal vacuum, and unilaterally assert rights over individual data, it’ll lead to more chaos. What consumers everywhere want is for their governments to bat for privacy and fair dealing by tech firms.

Given the current climate of mutual mistrust, it’s doubtful that China and the U.S. can come to a shared understanding on accessing each other’s bits and bytes. For the rest of the world, a compelling digital trade deal from the Biden administration would help set norms. It would secure U.S. business interests globally and assure trading partners that letting information move freely — under strong rules — is better than trapping it in silos. The volume and granularity of data in a fully functioning 5G network will be much higher than now. Cloud computing resources will need to get more widely distributed to handle complex machines like self-driving cars.

Trying to slow things down with localization requirements will be counterproductive. The US president has his work cut out.