Data Localization in India

Syllabus: GS2/Governance

Context

• The government released the Draft of Digital Personal Data Protection Rules, 2025 for public consultations, which has regulations pertaining to Data Localisation.

What is Data Localisation?

• It refers to the practice of storing and processing data within the borders of a specific country or geographic region, in compliance with that region’s laws and regulations. 
• It involves restrictions on transferring data across international borders.

Background

• In 2017, the Ministry of Electronics and Information Technology (MeitY) established the Justice B.N. Srikrishna Committee to develop a data protection framework for India. 
• The Digital Personal Data Protection Bill was passed in 2023.
  • Once notified, the Rules will enable the effective implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act).

Highlights of the Rules under the Act in line with the Data Localisation

• Data Fiduciaries: All major tech companies including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
• Transparency: Data Fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent. 
• Restriction on flow of Data: The Union Government will specify the kind of personal data which can be processed by “significant data fiduciaries”
  • It is subject to the restriction that such personal data is not transferred outside the territory of India.
• Data Breach: In the event of a data breach, data fiduciaries will have to intimate impacted individuals without delay, including the measures implemented to mitigate risk.
  • The penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.

Need for Data Localisation

• India’s Growing Digital Economy: India’s digital economy is projected to reach $1 trillion by 2025, making it one of the world’s largest data generators.
  • With over 800 million internet users and growing, the volume of personal data being generated, processed, and stored is astronomical. 
  • This has attracted global technology giants, but it has also raised questions about data sovereignty and national security.
• National Security: When critical personal data of Indian citizens is stored in foreign jurisdictions, it becomes subject to foreign laws and potentially foreign surveillance, creating vulnerabilities in India’s national security framework.
• Increasing Cyber Threats: In an age where data breaches and cyber warfare are real threats, having critical data within national borders ensures better incident response and more control over security measures. 
• Economic Interests: It effectively creates a robust domestic data centre industry. This not only generates employment and technological expertise but also reduces dependency on foreign infrastructure. 
• Improved Data Management: By keeping data within the country, it can be more easily monitored and audited to prevent misuse or breaches.
• Access to Law Enforcement Agencies: It also enables faster access to data for law enforcement agencies when investigating cyber crimes or national security threats.

Challenges with Data Localisation

• Infrastructural Hurdles: India may face a shortage of adequate infrastructure to support the vast amounts of data generated across industries.
  • Building and maintaining local data centers can be expensive for businesses, especially smaller ones.
• Global Business Impact: There are concerns that strict localisation requirements could increase operational costs for businesses, potentially hampering innovation and foreign investment. 
• Compliance Burden: Businesses may face legal and regulatory complexity in adhering to multiple localization laws, especially when dealing with cross-border data transfers.

Conclusion

• India’s approach to data protection and localisation reflects both its sovereign aspirations and the practical challenges of managing its vast digital footprint. 
• In an interconnected world where data flows know no borders, India’s approach to data protection and localisation could serve as a model for other developing nations seeking to protect their digital sovereignty while fostering innovation and growth.

Source: TH