Data Localization: India’s Tryst with Data Sovereignty

Karthika Rajmohan / Jan 23, 2025

Joahna Kuiper / Better Images of AI / Little data houses / CC-BY 4.0

On January 3, 2025, India’s Ministry of Electronics and Information Technology released a draft of the Digital Personal Data Protection Rules of 2025 (“Draft Rules”) for public consultation. After a wait of over 16 months, these rules hope to finally enforce the Digital Personal Data Protection Act of 2023 (“Data Protection Act, 2023”). The Draft Rules were anticipated to clarify several of the more unclear provisions in the Data Protection Act, 2023. Chief amongst these was the provision on restricting the processing of personal data outside Indian territories. Disappointingly, the new Draft Rules have envisaged a data localization framework with excessive executive discretion, absence of privacy and security considerations, and a trade-restrictive approach.

The rocky road to data localization

India has taken multiple approaches to data localization, culminating in the current framework under the Data Protection Act, 2023. India’s first attempt at drafting a data protection law was the Personal Data Protection Bill, 2018, proposed by the Justice Srikrishna Committee set up by the Ministry of Electronics and Information Technology. This version adopted a stringent approach to data localization, mandating that a copy of all personal data must be stored in India and that data notified as critical personal data be processed only in India. Further, the cross-border transfer of both sensitive and non-sensitive personal data was subject to a litany of conditions, including but not limited to adequacy requirements and consent from the data principal.

The first version of a data protection law to be introduced before Parliament was the Personal Data Protection Bill of 2019, which allowed ‘sensitive’ personal data to be transferred outside India based on meeting adequacy requirements while simultaneously mandating that ‘critical’ personal data be processed only in India. The stringent conditions on the transfer of non-sensitive personal data were eased as compared to the 2018 version of the bill. However, the Personal Data Protection Bill 2019 was withdrawn by the government, and in November 2022, the Digital Personal Data Protection Bill of 2022 was circulated for public consultation.

The 2022 bill abandoned the classification between different types of data and instead proposed a ‘whitelist approach,’ where the Union government would notify the countries or territories to which personal data may be transferred. Apart from the whitelisted countries, there was a ban on cross-border data transfers. Finally, the Data Protection Act, 2023, flipped the whitelist approach on its head and adopted a ‘blacklist’ approach where cross-border data transfers are allowed, except to the countries which have been restricted through a Union government notification.

Apart from the data localization mandated by data protection laws, India also has sectoral laws restricting the transfer of various types of data outside Indian territories. For instance, in 2018, the Reserve Bank of India mandated that all licensed banks and payment system providers must store data relating to payment systems only in India. In 2023, India’s Securities and Exchange Board of India, as part of a framework for the adoption of cloud services, mandated all entities regulated by it to ensure that their data is stored only in India. In 2015, the insurance regulator in India required data related to policies and claim records of insurers to be stored in India.

The ‘whys and why at all’ of data localization

Flowing from the Data Protection Act, 2023, the new Draft Rules have attempted to include provisions that clarify the implementation of data localization in India. However, the Draft Rules have left much to the imagination and discretion of the Union government. There are two areas in the Draft Rules that impose data localization: (i) general requirements for cross-border data transfers and (ii) an obligation on Significant Data Fiduciaries not to transfer certain personal data.

Firstly, Rule 14 of the Draft Rules states that personal data may be transferred outside of India only upon meeting the requirements that will be prescribed by the Union government. Secondly, the Draft Rules also place an additional obligation on Significant Data Fiduciaries (a class of data processors identified by the Union government) to store specified personal data and traffic data related to its flow only within India. In essence, the Draft Rules give the executive free rein to determine who should localize data, what type of data is to be localized, and the conditions in which cross-border transfers may be permitted.

Considering the high levels of governmental scrutiny on cross-border data transfers, the rationale behind data localization measures is called into question. Since the Data Protection Act, 2023, as well as the new Draft Rules, lack a statement of objects and reasons or any published policy deliberations, the data localization imperative must be inferred from the 2018 report of the Committee of Experts on a Data Protection Framework for India chaired by Justice B. N. Srikrishna (“B.N. Srikrishna Report”). It is to be noted that referencing the B.N. Srikrishna Report, which was released in 2018, might not capture the current sentiments towards data localization; however, due to the lack of any other concrete recent policy explanations as well as B.N. Srikrishna’s enduring influence on India’s data protection framework, the same has been relied upon for policy reasoning.

The B.N. Srikrishna Report has identified four benefits to data localization, which are listed as follows: (i) Enforcement, i.e., allowing law enforcement agencies to have access to information held by data fiduciaries to combat terrorism, cyber-attacks, and cyber crimes; (ii) avoiding vulnerabilities resulting from transferring data over fiber optic cable networks; (iii) building an AI ecosystem by allowing harnessing of localized personal data and (iv) preventing foreign surveillance.

The report also attempted to make a case for data localization; however, none of the listed benefits point out a reasonable chain of causation between data localization and privacy/security. The first benefit of enforcement clarifies that the government intends to gain access to information held by data fiduciaries for law enforcement purposes, irrespective of whether this data has been encrypted. While the concerns surrounding state access to personal data are manifold, this benefit is redundant in the present scenario as Rule 22 of the Draft Rules allows the Union government to call for personal data held by data fiduciaries for a myriad of reasons, which includes state sovereignty, integrity, and security as well as legal enforcement purposes. Although surveillance and encryption-breaking concerns reign high, it is worth noting that requiring data localization does allow the Union government to circumvent the huge delays that occur when calling for data from other jurisdictions.

Secondly, the purported benefit of avoiding the risks of transferring data is dwarfed by the data security risks that would occur when foreign data fiduciaries who have robust data centers with established security and privacy protection abroad are forced to rebuild data centers in India. Due to the heavy costs involved with data localization, it cannot be guaranteed that data will be more secure in India than it would be in its original storage locations. It is doubtful that data fiduciaries would have the incentive to replicate the level of security and protection they have in their home countries while setting up data centers in India.

Thirdly, the benefit of having access to large datasets to build AI models is, in effect, contrary to the protection of privacy as personal data would be accessed by start-ups, government entities, and researchers to build AI ecosystems. This does little else than fuel India’s ambitions in the AI race. Lastly, the benefits of reduced foreign surveillance are arguably the most reasoned. However, this ought to be compared to the high likelihood of Indian government surveillance if the data were to be localized in India. Thus, considering that data would be subject to surveillance by one entity or another, there is no furtherance of privacy or security.

Apart from not furthering privacy and security, data localization is also actively harmful on multiple levels. It is undeniably a significant deterrent to global trade in services and consequent economic gains. A 2014 study by the European Centre for International Political Economy found that imposing economy-wide data localization requirements could reduce the Indian GDP by 0.8 percent and domestic investments by 1.4 percent. The study also looked at the welfare costs of data localization on a per-worker basis and found that for India, the loss per worker would be equivalent to 11 percent of the average monthly salary. Further, the contribution of data localization to the aims of privacy or national security may be compromised to the extent that it can be shown that server localization actually compromises the security of data by preventing “sharding,” i.e., splitting a dataset into different parts or shards, and by increasing susceptibility to malware and other attacks.

Conclusion: Misguided attempts at data sovereignty

A common thread running through the B.N. Srikrishna Report’s reasoning for data localization is an impetus for data sovereignty. India seeks to strike down the economic and political power that having access to data has given countries like the USA. The B.N. Srikrishna Report states, “In its operation, the freedom to share personal data in the digital economy operates selectively in the interest of certain countries that have been early movers.” Through data localization, India is attempting to reverse this early mover advantage by forcing American companies to house their data in India.

In 2020, India came up with a draft policy to encourage setting up data centers in India through incentivization and eased compliance. This is to be read with India’s current AI mission, which includes a focus on data access to foster AI innovation. India is throwing its hat in the global race to dominate AI, and it hopes that data will help it get there.

While India’s ambitions for AI leadership are laudable, its identification of data sovereignty as a valid strategy is misguided. Data sovereignty, especially through localization, results in two broad harms that cannot be justified by any aims at boosting domestic industry capacities. First, it hinders the booming information economy and subjects India to the risk of huge economic losses by halting cross-border data transfers. International trade in services cannot flourish without the free flow of data. Second, India is clearly inching towards a surveillance regime where it aims to use localized data to enforce laws and protect state interests. The threat of state surveillance, already implemented through other avenues such as Rule 22 of the Draft Rules, is exacerbated by data localization. India ought to understand the thin line between data sovereignty and state surveillance.


Authors

Karthika Rajmohan
Karthika Rajmohan is an Associate Policy Counsel at the Internet Freedom Foundation. A graduate of National Law University Mumbai, Karthika spent over two years working in consulting, providing policy and regulatory support to the e-commerce and FMCG industries. Her work at the Internet Freedom Foun...
