How data nationalism harms payments innovation

The controversial TikTok U.S. divestiture is inching toward a conclusion, but the battle over how and where data is collected has become a geopolitical barrier to international e-commerce growth that goes far beyond the Chinese video-sharing app.

Oracle on Monday confirmed that it’s part of TikTok parent ByteDance’s proposal to the U.S. Treasury Department to have Oracle serve as a trusted technology partner to TikTok. The deal, which the U.S. government still has to approve, reportedly includes a stake for Oracle in TikTok, though it’s structured more as a collaboration than a formal acquisition.

If the deal is approved, there are a lot of details for e-commerce and payment companies to worry about. The impetus for the deal was the Trump Administration’s order that ByteDance sell or spin off TikTok based on claims of national security threats. The key issue is how data is collected, claims that the data is being used for government surveillance, and potential violations of consumer privacy. That’s made consumer information part of a broader global political trend toward isolationism.

Since e-commerce relies on buyers and sellers in different countries connecting for sales and payments, restrictions that require companies to store data or process payments locally are more expensive, and require a long regulatory fight or a complex partnership or acquisition. While the China-based TikTok claims its data centers are located outside China and not subject to Chinese law or government influence, that was not enough to avoid a political outcry.

Bloomberg News

U.S. payment companies such as Visa and Mastercard have faced similar obstacles over data storage in India and China, with India requiring the card brands to store data locally; and China requiring U.S. payment companies to set up operations inside China as a condition to a final payment processing approval that has still not happened after years of attempts by the U.S. brands.

In China, U.S. firms face expensive data center construction to process payments, or partnerships with locally regulated firms — or a combination of both. India has also cited security as a grounds to mandate local data storage, along with other moves such as taking cash out of circulation.

The U.S. has traditionally not placed similar pressure on outside companies, though the Trump years have brought about an adversarial tone, resulting in a trade dispute that has pressured B2B payments. Huawei, which offers a payments app, has also faced threats from the Trump Administration.

“We’ve seen a worrisome trend of countries requiring in-country payment processing — Turkey, Russia, China, India, et al.,” said Eric Grover, a principal at Intrepid Ventures. “I fear it will get worse.”

In India, Visa and Mastercard have stored data in local centers, usually tied to the card brands’ India innovation hubs. Mastercard CEO Ajay Banga has argued local data storage hinders learning that can fuel innovation since it inhibits cross-border sharing.

TikTok’s fast growth and popularity with young consumers makes it an attractive e-commerce enhancement for Oracle and other suitors such as Microsoft — which has apparently lost in its attempt to court TikTok — and Walmart, which on Monday said it’s still interested in investing in TikTok. Oracle, for example, offers loyalty marketing and cloud hosting, which could benefit from TikTok, but could also be complicated by strict nationalist data compliance.

In-country payment processing mandates increase foreign payment networks’ and processors’ costs serving these markets. While unstated, this outcome is part of those mandates' intent, according to Grover.

“For potentially gargantuan markets like India it’s a burden major payment systems like Mastercard, Visa and PayPal can and will bear,” Grover said. “For smaller markets however, it’s more problematic. Would the world’s major payment systems put data centers in Rwanda, Bolivia, Bhutan, and Guatemala? I don’t think so.”

There are international regulations that protect data, such as GDPR, which has challenged merchants and processors that struggled to meet data transparency deadlines. Data isolationism adds a layer of expense for firms that have to meet local requirements that are announced as security or privacy measures, but are more about maintaining legacy industries.

“It appears that regulations that specify location are primarily attempts to protect the local industry more than it is about the data,” said Tim Sloane, vice president of payments innovation at Mercator Advisory Group. “GDPR doesn’t identify storage locations but does specify data protections. To validate compliance, regulators can’t just look at the data being stored and where it is stored; they need to understand how applications access, distribute and use that data to determine compliance.”