This article explores the landscape of data localisation laws in India, examining the key regulations and their evolution over time. It highlights sector-specific requirements, business challenges, and the growing focus on national security and privacy concerns. It also delves into the practical implications for multinational companies and India’s efforts to strike a balance between data security and fostering innovation in the digital economy.
The Big ‘Data Problem’
We bet Tim Berners-Lee, the inventor of the World Wide Web, did not have even the slightest idea that his invention, which was initially just a means of information-sharing between scientists, would revolutionise how individuals consume and store data in the present times. Since its advent in the early 1990s, internet traffic has grown tremendously (tera-byte-dously, even). From carrying 100 gigabytes (‘GB’) per day, it now carries over 46.6 terabytes per second[i]. As per the latest data of 2022, the global internet traffic was 5291 Exabytes (1 exabyte = 1 billion GB).[ii]
Such rapid internet and cloud storage expansion has resulted in fundamental changes to individual behaviour. ‘It is all on the internet’ is no longer merely a figure of speech; from passwords to documents, sensitive data, and personal, medical, and financial information, it is all stored online on websites, apps, or cloud services. Such centralisation of data has, in turn, resulted in the world facing the BIG (it is surely bigger than this) ‘data problem.’
However, you may wonder, what is this ‘data problem’? We will explain it to you through an example (or reality). Do not be scared—the fun has just begun!
Let us consider a scenario wherein you have signed up for a cool new (free) app by providing them with all your details, assuming they would be your ‘galaxy’s guardians’. Excitedly, you slide into your friend’s ‘DM’ (for those of you who do not understand the phrase ‘sliding into DMs’ – firstly, we acknowledge your senior citizenship, and secondly, it simply means a message) and tell them how you have been wanting the new Adidas Sambas. After a glorious exchange of wants and desires, you suddenly face reality when your boss calls! The conversation (and the dream of owning the new Sambas) dies out quickly, and (sad) life is restored. The day ends, and as the night progresses, the dream reignites and takes over you, because as soon as you open your phone, you see an ad – ‘Adidas Samba – A legendary shoe;’ you smile and fall asleep.
Assured of having caught your attention with that story, we will now walk you through the war room, wherein your data might be being shared (read as – is being shared) with other companies and/or governments for research, advertisement, analytical, statistical or any other purpose, and you might not even have the slightest inkling of the same. You may ask, but what did I do to allow such information sharing? You signed up for an app. Yes, the same free app you use for messaging, sharing photos, tracking your activity, booking your cab, playing games, and making payments. Just by ‘signing up’ for the 15% discount, you have involuntarily passed your personal information to people and/or businesses you may never associate with.
The cheap availability of the internet and the ease of creating a digital identity worsen the situation considerably. To simplify it through an example: most of our grandparents had no digital identity for a majority of their lives; now, however, even a newborn child has a Gmail and Instagram account being run by their parents. Even without accounts of their own, information pertaining to their life is available on the internet, as the world is now run through it. Hospital appointments are online; birth certificate registration and vaccination details are online. In the present scenario, thus, even if a child born in the present decade wants to isolate himself from data entanglement, he cannot, considering the proof of his existence is available on the world WIDE web.
Having briefed you about the BIG data problem, we shall now proceed to understand where and when such data is stored and the regulations surrounding it.
What is Data Localization?
Data is a collective resource and a national asset over which citizens have a sovereign right. Governments worldwide protect data by imposing certain restrictions and conditions on the storage and processing of data that they do not directly access.
Storing data on any device physically located within the boundaries of the nation where such data has been generated is known as ‘data localization.’ Initially, with the advent of the digital age, countries were focusing on ‘digital globalization,’ which allowed cross-border movement of data. This was in stark contradiction to the theory of data localization. However, as the web of the world wide web became wider (and thus, scarier), nations started departing from the modern ‘free flow of data for innovation’ theory and progressed to protect the nations and their citizens’ strategic interests by adopting the practice of data localization. By early 2023, close to a hundred data localisation measures across forty countries were in place, and more than half of these had emerged since 2015. Additionally, numerous Mutual Legal Assistance Treaties (‘MLATs’) and regional trade agreements (‘RTAs’) between countries govern electronic data transfer between signatories. MLATs generally provide for the sharing of data by companies of a signatory country to the law enforcement agency of the other signatory country upon a formal request (like obtaining evidence against a fugitive economic offender). In contrast, RTAs may contain specific provisions for data storage and processing between signatory countries.
Why Do Countries Prefer the Localisation of Data?
Spiderman was absolutely correct when he said, ‘with great power comes great responsibility’, because every innovation is good unless used to achieve something bad. The fate of data was similar when it was free-flowing and not restricted by borders. Historically, consumers across the globe gained access to innovative digital products due to the free flow of data. However, with the passage of time, various security and privacy concerns emerged, which compelled governments to restrict the movement of data. Monitoring and restricting the flow of data across borders thus became essential for:
Ensuring the privacy and security of citizens, specifically when their personal data is stored on foreign soil.
Ensuring that regulatory requirements for critical services, such as payments, are in place and well overseen by the government.
National security and law enforcement concerns, as accessing evidence stored as data outside the country can become tough.
Determining and widening the tax base to include foreign entities with a significant economic presence but without a fixed place of business in the country.
Market concerns and economic protectionism, as countries may want businesses to invest in data storage facilities in the country and provide economic protection to local businesses.
Our country, India, has been stringent in effecting data localisation requirements. They are followed most stringently in the financial sector, particularly by the Reserve Bank of India (‘RBI’), which has time and again prohibited financial institutions from operating if and when they have violated data localisation requirements. The prohibitions imposed on American Express, Diners Club, and Mastercard are some examples.
Evolution of Data Localization in India
India, as a country, has always been scientifically and logically advanced. You may laugh when we tell you that our ancestors calculated the distance between the sun and the earth way before a white-skinned man would have even been born, but it is, in fact, the truth. Be it the zero or the regulations pertaining to data localization, we realized its potential first. Now that controversy has entangled your mind, and you cannot help but read further, we will briefly examine how the data localization law has revolutionized India.
The law relating to data localization requirements can be traced back to as early as 1993, when the government of India introduced the Public Records Act, 1993. As per the said act, taking public records out of India was prohibited. The advent of the internet further led to the enactment of the Information Technology Act, 2000 (‘IT Act’), which attempted to define ‘data’ as information, knowledge, facts, etc., on a computer system or network. While the IT Act and its allied rules provided a robust mechanism to protect consumer data with extra-territorial applicability, it largely proved ineffective in preventing the (mis)utilization of consumer data stored and processed outside India.
As calls for the right to privacy gained momentum, various legislative and judicial interventions paved the way for the ‘right to privacy’ as it exists today. Its chronology is briefly set out below:
In 2012, an Expert Committee report chaired by Justice A.P. Shah prescribed nine national privacy principles.
In 2017, the landmark decision of the Hon’ble Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India[iii] (famously known as the Aadhaar decision) recognised privacy as a fundamental right under Article 21 of the Constitution of India.
In 2018, a report by Justice B.N. Srikrishna committee titled ‘A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians’[iv] delved deep into data localisation and security, devising the first data protection legislation in India, the Personal Data Protection Bill, 2018 (‘PDP Bill’).
Though the PDP Bill was widely criticized, it was altered and amended through various rounds of parliamentary discussions, public suggestions, and stakeholder consultation. After nearly five years, the legislature enacted the Digital Personal Data Protection Act, 2023 (‘DPDP Act’), as the primary legislation to secure the personal data of Indian citizens over the internet.
Laws Governing Data Localization in India
India has long contemplated enforcing a comprehensive legislative framework for mandating data localisation across industries. However, it has yet to evolve omnibus legislation and has instead allowed sector-specific regulations. At present, data localisation requirements in India are governed and enforced through three modes, which we can understand as variants of data localisation:
a. Sectoral localisation requirements - Certain sectors/industries prescribe their own localisation requirements for industry participants. For example, the RBI mandates that payment system operators store all payment data in India to protect citizens' sensitive financial and personal data.
b. Conditional localisation requirements - The legislature can enact comprehensive legislation to provide for data localisation for certain types of data. These conditional requirements only come into play for certain types of data, situations or categories of participants. For example, under the DPDP Act, the government can exempt certain categories of data or specific countries from localization requirements.
c. Bilateral/Multilateral Agreements - MLATs can govern the localisation and transfer of data between India and signatories for judicial purposes, similar to how extradition treaties work.
At present, India has over seven sectoral localisation requirements and over 45 MLATs signed with various countries to facilitate the storage and transfer of information/data, whenever required, for the purpose of law enforcement. Various legislations governing data localisation are discussed briefly herein below:
1. Public Records Act, 1993
Enacted due to concerns about critical public data records, it was the first legislation to introduce a local data storage requirement and prohibit the removal of public records from India.[v]
2. Information Technology Act, 2000, along with Rules and Guidelines
The IT Act does not mandate data localisation; it provides for certain practices that corporations and individuals who collect, receive, possess, store, deal with, or handle information of persons must adopt through the rules prescribed therein.
S. 67C of the IT Act provides for the preservation and retention of information by intermediaries in a manner and duration specified by the government. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’) provide for transferring sensitive personal data or information outside India as long as those countries ensure the same level of data protection and uphold confidentiality agreements[vi]. The latest in line is the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘Intermediary Guidelines 2021’), which introduce several due diligence requirements for intermediaries, including furnishing or restricting information upon receiving instructions from the government[vii]. Notably, the execution of most of these requirements may be difficult in cases where the government has no control over the information/data that is being stored in the foreign jurisdiction.
3. Digital Personal Data Protection Act, 2023
Unlike its earlier conception in the PDP Bill, the DPDP Act is more modest. The DPDP Act is the baseline for data privacy and protection in India. It provides for the obligations of data fiduciaries (for those who do not know, a data fiduciary determines what happens to your data) and of data processors working on their behalf. The act is very flexible and has liberalized the rule-making power by vesting the central government with wide discretionary power to regulate data localisation in certain cases[viii]. S. 16 of the DPDP Act provides that any sector-specific regulation which provides a higher degree of protection for personal data, or a higher threshold of restriction on the transfer of such personal data by a data fiduciary, applies over and above the provisions of the DPDP Act. Thus, even where the DPDP Act does not restrict a foreign entity such as PayPal from processing your transaction data, the relevant RBI directives will still apply to it, since they impose a higher threshold of restriction.
4. Companies Act, 2013 and allied rules
The Companies Act, 2013 (‘Companies Act’) provides certain localisation requirements for businesses, including storing records, annual statements and financial information at their registered office.
S. 94 of the Companies Act mandates that companies maintain and keep the register of members, including equity and preference shareholders, debenture holders, and other security holders (s. 88 of the Companies Act), and the annual returns of the business (s. 92 of the Companies Act) at their registered office. Further, all relevant books and papers maintained electronically should remain accessible in India at all times as per s. 128 of the Companies Act.
5. RBI Storage of Payment System Data, 2018 (under the PSS Act)
The RBI Directive for Storage of Payment System Data[ix], issued under s. 10(2), read with s. 18, of the Payment and Settlement Systems Act, 2007, mandates that all payment data is to be stored in India by Payment System Operators (PSOs). Such data includes end-to-end transaction details and information pertaining to payment or settlement transactions, such as customer data, payment-sensitive data, payment credentials, transaction data, etc. The Directive does not impose a bar on the processing of data abroad. However, once processed, such data must be stored only in India.
6. Framework for Adoption of Cloud Services by the SEBI Regulated Entities (REs)
The Securities and Exchange Board of India (‘SEBI’) has recently introduced a framework[x] for adopting cloud services by REs registered with SEBI. Principle 3 in the framework provides for data localisation requirements for cloud service providers (‘CSP’) hosting the application, platform and services provided to REs. Such CSPs can only store and process data of RE within data centres prescribed by the Ministry of Electronics and Information Technology and hold a valid Standardisation Testing and Quality Certification (STQC).
Challenges to Data Localization in India
There has been a significant shift in how the Indian government has been viewing and dealing with data localization lately. While initially, going by the language of the PDP Bill, it was evident that the focus of the government was to make data localization mandatory, especially for businesses, there has been a significant departure in the government’s approach towards data localisation in recent years. The notifications envisioned under the DPDP Act are yet to be issued, meaning that, at present, there are no restrictions on the transfer of personal data by a data fiduciary to a foreign jurisdiction.
Although it grants flexibility and a faster response to critical situations, this ‘soft localisation’ approach also leaves an unregulated space in the absence of notifications by the government. Moreover, the security and law enforcement interests of the government are not solved solely by enacting legislation; rather, there need to be comprehensive MLATs to govern data reciprocity whenever required by courts or enforcement agencies. At present, India has only 45 MLATs signed, and in the absence of an MLAT with a country, there is a chance of conflict with the laws of that country, as a law passed in India cannot dictate how data is to be used or stored in another country. Additionally, there is no way to determine whether data that has been processed outside India and subsequently transferred back is not being used any further by the foreign entity. In the absence of such technology, the risk of data being misused can never be negligible.
On the flip side, the requirement of data localization can potentially lead to greater cybersecurity risks by reducing the ability to share ‘threat data’ (back-end data used to identify specific types of threats, including threat data for cyber-attacks and other system vulnerabilities) with countries in the absence of MLATs. This can be counterproductive to a country’s efforts towards ensuring its security. Furthermore, businesses may be discouraged by the higher costs of data localization and reduced service offerings[xi]. There has been an increasing trend of nations specifically opting out of data localisation requirements through their trade agreements.
Conclusion and Analysis
Data currently fuels the economy. While we may, at times, very proudly assert that ‘data is the new oil,’ we seldom remember that the so-called ‘oil’ is being extracted from us without our consent or knowledge and used by multinational organizations, which store and process our personal information, preferences, and interests to further their business interests.
The mere availability of such critical details about an individual’s personal life is a cause of concern for any government. However, while strict localisation of data can be suggested, it does not come without its own potential disasters. More stringent data localization requirements would presumably lead to higher demand for data centres in India and to more businesses exiting under strict compliance requirements. Therefore, India’s law enforcement and national security objectives might best be served by a combination of soft localization requirements (such as data mirroring requirements that mandate the storage of a local copy in India while the data can be processed and stored globally) and bilateral and multilateral frameworks that enable India’s access to data stored outside its jurisdiction. Further, a demarcation may be created by the government, wherein in certain sectors such as defence, banking, the medical sector, etc., the data localization requirements can be absolutely strict to prevent any major mishap or breach, which may affect the lives of millions of people. In conclusion, India needs to maintain a delicate balance between its commitment to data security and its encouragement of technology companies innovating in India.
End Notes
[i] WDR 2021 team calculations and Cisco Visual Networking Index: Forecast and Trends, 2017–2022.
[iii] 2019 (1) SCC 1.
[iv] Committee of Experts Under the Chairmanship of Justice B. N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (New Delhi: Indian Ministry of Electronics and Information Technology, 2018), https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report-comp.pdf
[v] S. 4 of Public Records Act, 1993.
[vi] R. 7 of the SPDI Rules provides for the transfer of information outside India.
[vii] R. 3(d) of the Intermediary Guidelines 2021 requires an intermediary hosting information on its platform to remove the content as directed by a court order or upon being notified by the government under s. 79(3)(b) of the IT Act.
[viii] S. 16 of DPDP Act – Processing of personal data outside India.
[ix] RBI/2017-18/153 (April 6, 2018).
[x] SEBI, March 06, 2023.
[xi] Del Giovane, C., J. Ferencz and J. López González (2023), ‘The Nature, Evolution and Potential Implications of Data Localisation Measures’, OECD Trade Policy Papers, No. 278, OECD Publishing, Paris, https://doi.org/10.1787/179f718a-en
Authored by Aditya Gupta, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinions.