2018/2019 Edition of the Global Regulatory Update

Treasury and Trade Solutions 72 may be required to have data storage and processing facilities on-shore. In addition there may be restrictions on cross border data flows into regional and global and centres. There may also be limitations on the provision of IT hardware and software by foreign providers. Indonesia In Indonesia, legislation establishing requirements for on-shoring of data centres and data recovery centres was adopted in 2012 (Government Regulation No.82 on the Electronic System and Transactions) with implementation by October 2017. The ICT Minister has signalled that the Law may be revised shortly after a broad consultation across government. Three levels of data classification will be introduced with only the top-level of data, such as that impacting sovereignty, needing to remain on shore. Separately, the OJK (financial regulator) has introduced a data on-shoring regulation for financial institutions. Industry would like to see this regulation removed or amended in line with changes to the law. Vietnam On June 6, the Vietnamese National Assembly passed the Law on Cybersecurity which will take effect on 1 January 2019. This law imposes stricter local office and data localization requirements. It also introduces cross-border data restrictions whereby offshore entities, including telecommunications and Internet service providers (ISPs) must (a) maintain headquarters or representative or representative offices in Vietnam and (b) store within the country, the data of Vietnamese users and other important data collected from the use of Vietnam’s national cyber infrastructure. There are also requirements for telecommunications and ISPs which restrict transferring and storing of data outside of Vietnam. India The Reserve Bank of India (RBI) announced on April 5, 2018 that all payment system operators and their outsourcing partners will be required to locally store within India all data related to payment systems operated by them. Compliance is to be within 6 months (on or before October 15, 2018). The data subject of this directive will include full end to end transactions details, information collected, carried and processed as part of the message or payment instructions, although data relating to a foreign leg of a transaction can be stored offshore. Though localization of data storage has been a focus for Indian authorities for some time, this recent move by the RBI appears to be prompted by concerns following alleged