Skip to main content
Log in

Data localization in India: paradigms and processes

CSI Transactions on ICT Aims and scope Submit manuscript


This paper examines the debates around data localization in India, using the term to mean any kind of mandatory requirements of local storage or processing of data within the country. We focus on the policy motivations and challenges of data localization, mapping these arguments into three broad categories of the civil liberties perspective, the government functions perspective, and the economic perspective. This is followed by an examination of the robustness of the policy processes through which such norms are being introduced in India. We focus on three policy initiatives—the Personal Data Protection Bill, the Reserve Bank of India’s payments directive, and the localization conditions in telecommunication licenses. We find each of these processes to be lacking in terms of robustness, transparency, and deliberative policy making with the data protection discussions faring better than the other two initiatives.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions


  1. A study on data localization measures adopted by members of the European Commission also found that certain kinds of data, namely tax and accounting data, defence and security data, financial data and data held in public registries, was more commonly being subjected to localization requirements. The extent of restrictions also varied among the Member States, with most of them having only one (8 countries) or two (7 countries) types of restrictions [15].

  2. The IT Act permits permits cross-border data transfers of sensitive personal data, in certain limited contexts such as where a similar level of privacy protection is provided in the foreign jurisdiction. Further, the transfer is allowed only if necessary for the performance of a lawful contract or subject to consent. The enforcement of these requirements is however questionable.

  3. Exceptions are provided for situations where such information may need to be transferred for international roaming or billing purposes [65].

  4. Rule 3(5), Chapter IX, Companies (Accounts) Rules, 2014.

  5. The Public Records Act, 1993, prohibits the transfer of public records out of India, without the prior approval of the Central Government unless the transfer is being made for an official purpose. The governments “Meghraj” initiative to promote the use of cloud services by the government also contains a requirement for the localization of government data. The National Data Sharing and Access Policy (NDSAP) of 2012, includes localization requirements for data generated out of public funding.

  6. Of the fourteen jurisdictions whose data localization norms were studied by Chander and Le [10] only two countries—Nigeria and France—explicitly recognised ‘economic development’ as a rationale for their localization decisions.

  7. The policy therefore sees restrictions on cross-border data transfers as essential in developing the local data economy and boosting local employment opportunities.

  8. Refer for example to the Justice Srikrishna Committee’s analysis of the matter [61].

  9. Per [57], India has seen over a hundred Internet shutdowns every year since 2018, with a total of 536 shutdowns since 2012. Also see SFLC [55, 56] on scale of banning of websites and Panday [42] ,Wikipedia [66] for examples of some known incidents.

  10. This also ties in with economic arguments, that see Indian data as being used to enable progress of the Indian economy by permitting Indian corporations to gain from the data generated within India [3].

  11. Note that the recently announced Intermediaries Guidelines Rules, 2021 also contain an obligation for certain types of intermediaries to appoint local personnel as grievance and contact officials.

  12. The imbroglio between the FBI and Apple, which refused to decrypt a terrorist’s iPhone may be cited as an example in this regard as can the previously cited RIM-government of India standoff [31, 67].

  13. Notably, a Gartner study in 2015 found that India held just about 1.2 percent of the world’s data center infrastructure and 5.23 percent in the Asia-Pacific region [27].

  14. For instance, a USD 1 billion data center built by Apple in North Carolina, United States in 2011, created only 50 full-time jobs and another 250 support jobs in areas such as security and maintenance [12].

  15. May of the recent policy instruments containing localization measures specifically refer to goals such as “nurturing digital innovation” and “stimulating domestic digital economy” [14]; the Srikrishna Committee’s report refers both to the possible impact of localization on the growth of domestic industry, particularly in the AI ecosystem [61]; the 2019 draft National e-Commerce Policy bluntly states ‘Indian citizens and companies should get the economic benefits from monetisation of data.’ [13].

  16. The IT sector contributed about 7.9 percent of India’s GDP in the year 2017–18 [39]. A sizeable part of export of India’s IT services sector comes from the outsourcing / business process management industry [28].

  17. Also see Basu et al. [3] and Burman and Sharma [7].

  18. Further, two of these localization mandates are already in place while the personal data one is still being debated.

  19. The draft bill identifies three categories of data—personal data, sensitive personal data and critical personal data. It is understood that critical data would be a sub-category of ‘sensitive personal data’, which the draft bill defines to includes passwords, financial data, health data, sexual orientation, biometric data, caste or tribe, and religious or political affiliation.

  20. The dissent notes, which are annexed with the Committee’s report, were submitted by Rama Vedashree and Rishikesha T. Krishnan [61].

  21. See Sections 33 and 34, PDP Bill, 2019.

  22. This is also subject to certain exceptions like medical or other emergencies or where approved by the government based on national strategic and security interests.

  23. This includes basic customer data, like name, mobile number, Aadhaar Number, PAN number, payment sensitive data, like customer and beneficiary account details, payment credentials, like OTP, PIN, Passwords, and transaction data, like transaction reference, timestamp, and amount [51].

  24. Clause 39.23(viii), Unified License Agreement. Similar provisions also existed for other categories of telecom licenses, as seen in Clause 41.20 (viii) of the Unified Access Service License.

  25. Clause 39.23 (viii), Unified License Agreement.

  26. The law specifically enables the RBI to call for periodic information from payment system providers and gain access to their information—Sections 12 and 13, Payment and Settlement Systems Act, 2007.

  27. The meetings were held in the cities of Delhi, Hyderabad, Bengaluru and Mumbai in January, 2018.

  28. The study pertains to actions taken by the regulator during the period between January, 2014 to April 2016.

  29. But it is also one which has seen significant litigation on issues of regulatory governance, with courts often finding deficiencies in the regulatory processes. For instance, see Cellular Operators Association of India v. Telecom Regulatory Authority of India [9].


  1. Bailey R, Bhandari V, Parsheera S, Rahman F (2018) Use of personal data by intelligence and law enforcement agencies’. National Institute of Public Finance and Policy.

  2. Barik S (2019) Data localisation won’t be part of final e-commerce policy, says piyush goyal: report. Medianama.

  3. Basu A, Hickok E, Chawla AS (2019) The localisation gambit: unpacking policy measures for sovereign control of data in india. Centre for Internet and Society, India.

  4. Bauer M, Ferracane MF, van der Marel E (2016) Tracing the economic impact of regulations on the free ow of data and data localization. Centre for International Governance Innovation and Chatham House.

  5. Bauer M, Lee-Makiyama H, der Marel E. V, Verschelde B. (2014). The costs of data localisation: friendly fire on economic recovery. European Centre for International Political Economy.

  6. Bohn D (2012) Rim sets up blackberry server in mumbai, continues to offer ‘lawful access’ to indian government. The Verge.

  7. Burman A, Sharma U (2021) How would data localisation benefit india?

  8. Burman A, Zaveri B (2019) Measuring regulatory responsiveness in India: a framework for empirical assessment. William Mary Policy Rev 9(2).

  9. Cellular Operators Association of India v. Telecom Regulatory Authority of India (2016) Supreme court of India, civil appeal no. 5017 of 2016.

  10. Chander A, Le UP (2015) Data nationalism. Emory Law J 64(3).

  11. Cohen B, Hall B, Wood C (2017) Data localisation laws and their impact on privacy, data security and the global economy. Antitrust 32(1, Fall).

  12. Cory N (2017) Cross border data ows: where are the barriers and what do they cost? Information Technology and Innovation Foundation.

  13. Department of Industrial Policy and Promotion, Government of India (2019) Draft national ecommerce policy: India’s data for india’s development.

  14. e-Commerce Task Force (2018) Electronic commerce in India: draft national policy framework (non-offcial version). Medianama.

  15. EC Staff Document (2017) Commission staff working document on the free flow of data and emerging issues of the european data economy. European Commission.

  16. ET Bureau (2019) India decides to opt out of rcep, says key concerns not addressed. Economic Times.

  17. Ferracane M, Kenz J, van der Marel E (2018) Do data policy restrictions impact the productivity performance of firms and industries? ECIPE, DTE WORKING PAPER 01.

  18. Ferracane M, van der Marel E (2018) Do data policy restrictions inhibit trade in services? ECIPE.

  19. FSLRC (2013) Report of the financial sector legislative reforms commission. Ministry of Finance, Government of India

  20. Gallagher R, Greenwald G (2014) How the nsa plans to infect ’millions’ of computers with malware. The Intercept.

  21. Gopalakrishnan Committee (2020a) Report by the committee of experts on non-personal data governance framework. Ministry of Electronics and Information Technology, Government of India (revised).

  22. Gopalakrishnan Committee (2020b) Report by the committee of experts on non-personal data governance framework. Ministry of Electronics and Information Technology, Government of India.

  23. Greenwald G (2014) How the nsa tampers with us-made internet routers. The Guardian.

  24. Gurumurthy A, Chami AVN (2017) The grand myth of cross-border data ows in trade deals. IT for Change.

  25. Hetavkar N (2018) Rbi firm on data localisation; 80% of firms to comply by oct 15 deadline. Business Standard.

  26. Hill R (2017) Second contribution to the June-September 2017 open consultation of the itu cwg-internet, why should data ow freely? Association for Proper Internet Governance.

  27. IAMAI (2016) Make in India: Conducive policy and regulatory environment to incentivise data center infrastructure. Internet and Mobile Association of India

  28. IBEF (2018) It & ites industry in India. India Brand Equity Foundation.

  29. INC42 Staff (2021) RBI Bars mastercard from acquiring new customers for violating data localisation policy.

  30. Kathuria R, Kedia M, Varma G, Bagchi K (2019) Economic implications of cross-border data ows. ICRIER and IAMAI.

  31. Khamooshi A (2016) Breaking down apple’s iphone fight with the us government. The New York Times.

  32. Kovacs A, Ranganathan N (2018) Data sovereignty, of whom? Limits and suitability of sovereignty frameworks for data in India. Data Governance Network WP 03.

  33. Kuner C (2015) Data nationalism and its discontents. 64 Emory Law Journal Online 2089.

  34. Law Ministry (2014) Pre-legislative consultation policy.

  35. Leviathan (2015) Quantifying the cost of forced localization. Leviathan Security Group.

  36. Macleod J (2015) E-commerce and the wto: a developmental agenda. GEG Africa

  37. Mandavia M (2020) Activists demand jpc consult civil society on data protection bill.

  38. Manikandan A (2021) Payment companies face tighter rbi norms. Economic Times.

  39. MeITY (2018) Software and services sector. Ministry of Electronics & Information Technology.

  40. MeitY (2019) Clarification regarding a story published in the economic times on data protection bill.

  41. Ministry of Foreign Affairs, Government of Japan (2019) Osaka declaration on digital economy. Government of Japan. 01.pdf

  42. Panday J (2016) The internet has a new standard for censorship. The

  43. Parsheera S (2020) Regulatory governance under the pdp bill: a powerful ship with an unchecked captain?

  44. Parsheera S, Jha P (2020) Cross-border data access for law enforcement: what are India’s strategic options?

  45. Press Trust of India (2014) Vodafone secretly sharing data with british intelligence: home ministry. The Hindu.

  46. Puttaswamy v. Union of India (2017) 2017 (10) SCC 1, Supreme Court of India

  47. Raghavan TS (2019) India rejects rcep e-commerce chapter. The Hindu.

  48. RBI (2018a) Minutes of the meeting held with major non-compliant payments system operators.

  49. RBI (2018b) Statement on developmental and regulatory policies.

  50. RBI (2018c) Storage of payment system data.

  51. RBI (2019) Faqs on storage of payment system data.

  52. Roy S (2019) G-20 osaka summit: India refuses to sign declaration on free ow of data across borders. Indian Express.

  53. Roy S, Shah A, Srikrishna BN, Sundaresan S (2018) Building state capacity for regulation in India.

  54. Selby J (2017) Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both? Int J Law Inform Technol 25(3):213–232.

  55. SFLC (2014) Deity provides lists of sites blocked in 2013, but withholds orders! s

  56. SFLC (2015) Deity says 2341 urls were blocked in 2014; refuses to reveal more. s

  57. (2021) Internet shutdowns.

  58. Shah A (2015) The economies of cloud computing: an Indian perspective. The Leap Blog.

  59. Shah A (2016) Occam’s razor of public policy. The Leap Blog.

  60. Srikrishna Committee (2017) White paper on data protection in India.

  61. Srikrishna Committee (2018) A free and fair digital economy: protecting privacy, empowering indians. Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna.

  62. Surabhi (2021) Visa complies with rbi’s data localisation norms. Hindu Business Line.

  63. The Economist (2017) The world’s most valuable resource is no longer oil, but data.

  64. UK Better Regulation Task Force (2005) Regulation—less is more: reducing burdens, improving outcomes.

  65. Unified License (2014) License agreement for unified license. Department of Telecommunications.

  66. Wikipedia (2016) Internet censorship in India. Wikipedia.

  67. Yadron D, Ackerman S, Thielman S (2016) Inside the fbi’s encryption battle with apple. The Guardian.

Download references


We would like to thank Ajay Shah, Amba Kak, Jyoti Panday, Mansi Kedia, Mudit Kapoor, and Richard Hill for comments on an earlier version of this paper, which was released as a NIPFP Working Paper titled ‘Data localisation in India: Questioning the means and ends’ in 2018. We are also grateful to an anonymous peer reviewer for comments on this version of the paper. All errors are our own.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Smriti Parsheera.

Ethics declarations

Conflicts of interest

The authors declare that they have no conflict of interest.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bailey, R., Parsheera, S. Data localization in India: paradigms and processes. CSIT 9, 137–150 (2021).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: