Skip to main content
Log in

Data localization in India: paradigms and processes

CSI Transactions on ICT Aims and scope Submit manuscript

Abstract

This paper examines the debates around data localization in India, using the term to mean any kind of mandatory requirements of local storage or processing of data within the country. We focus on the policy motivations and challenges of data localization, mapping these arguments into three broad categories of the civil liberties perspective, the government functions perspective, and the economic perspective. This is followed by an examination of the robustness of the policy processes through which such norms are being introduced in India. We focus on three policy initiatives—the Personal Data Protection Bill, the Reserve Bank of India’s payments directive, and the localization conditions in telecommunication licenses. We find each of these processes to be lacking in terms of robustness, transparency, and deliberative policy making with the data protection discussions faring better than the other two initiatives.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Notes

  1. A study on data localization measures adopted by members of the European Commission also found that certain kinds of data, namely tax and accounting data, defence and security data, financial data and data held in public registries, was more commonly being subjected to localization requirements. The extent of restrictions also varied among the Member States, with most of them having only one (8 countries) or two (7 countries) types of restrictions [15].

  2. The IT Act permits permits cross-border data transfers of sensitive personal data, in certain limited contexts such as where a similar level of privacy protection is provided in the foreign jurisdiction. Further, the transfer is allowed only if necessary for the performance of a lawful contract or subject to consent. The enforcement of these requirements is however questionable.

  3. Exceptions are provided for situations where such information may need to be transferred for international roaming or billing purposes [65].

  4. Rule 3(5), Chapter IX, Companies (Accounts) Rules, 2014.

  5. The Public Records Act, 1993, prohibits the transfer of public records out of India, without the prior approval of the Central Government unless the transfer is being made for an official purpose. The governments “Meghraj” initiative to promote the use of cloud services by the government also contains a requirement for the localization of government data. The National Data Sharing and Access Policy (NDSAP) of 2012, includes localization requirements for data generated out of public funding.

  6. Of the fourteen jurisdictions whose data localization norms were studied by Chander and Le [10] only two countries—Nigeria and France—explicitly recognised ‘economic development’ as a rationale for their localization decisions.

  7. The policy therefore sees restrictions on cross-border data transfers as essential in developing the local data economy and boosting local employment opportunities.

  8. Refer for example to the Justice Srikrishna Committee’s analysis of the matter [61].

  9. Per SFLC.in [57], India has seen over a hundred Internet shutdowns every year since 2018, with a total of 536 shutdowns since 2012. Also see SFLC [55, 56] on scale of banning of websites and Panday [42] ,Wikipedia [66] for examples of some known incidents.

  10. This also ties in with economic arguments, that see Indian data as being used to enable progress of the Indian economy by permitting Indian corporations to gain from the data generated within India [3].

  11. Note that the recently announced Intermediaries Guidelines Rules, 2021 also contain an obligation for certain types of intermediaries to appoint local personnel as grievance and contact officials.

  12. The imbroglio between the FBI and Apple, which refused to decrypt a terrorist’s iPhone may be cited as an example in this regard as can the previously cited RIM-government of India standoff [31, 67].

  13. Notably, a Gartner study in 2015 found that India held just about 1.2 percent of the world’s data center infrastructure and 5.23 percent in the Asia-Pacific region [27].

  14. For instance, a USD 1 billion data center built by Apple in North Carolina, United States in 2011, created only 50 full-time jobs and another 250 support jobs in areas such as security and maintenance [12].

  15. May of the recent policy instruments containing localization measures specifically refer to goals such as “nurturing digital innovation” and “stimulating domestic digital economy” [14]; the Srikrishna Committee’s report refers both to the possible impact of localization on the growth of domestic industry, particularly in the AI ecosystem [61]; the 2019 draft National e-Commerce Policy bluntly states ‘Indian citizens and companies should get the economic benefits from monetisation of data.’ [13].

  16. The IT sector contributed about 7.9 percent of India’s GDP in the year 2017–18 [39]. A sizeable part of export of India’s IT services sector comes from the outsourcing / business process management industry [28].

  17. Also see Basu et al. [3] and Burman and Sharma [7].

  18. Further, two of these localization mandates are already in place while the personal data one is still being debated.

  19. The draft bill identifies three categories of data—personal data, sensitive personal data and critical personal data. It is understood that critical data would be a sub-category of ‘sensitive personal data’, which the draft bill defines to includes passwords, financial data, health data, sexual orientation, biometric data, caste or tribe, and religious or political affiliation.

  20. The dissent notes, which are annexed with the Committee’s report, were submitted by Rama Vedashree and Rishikesha T. Krishnan [61].

  21. See Sections 33 and 34, PDP Bill, 2019.

  22. This is also subject to certain exceptions like medical or other emergencies or where approved by the government based on national strategic and security interests.

  23. This includes basic customer data, like name, mobile number, Aadhaar Number, PAN number, payment sensitive data, like customer and beneficiary account details, payment credentials, like OTP, PIN, Passwords, and transaction data, like transaction reference, timestamp, and amount [51].

  24. Clause 39.23(viii), Unified License Agreement. Similar provisions also existed for other categories of telecom licenses, as seen in Clause 41.20 (viii) of the Unified Access Service License.

  25. Clause 39.23 (viii), Unified License Agreement.

  26. The law specifically enables the RBI to call for periodic information from payment system providers and gain access to their information—Sections 12 and 13, Payment and Settlement Systems Act, 2007.

  27. The meetings were held in the cities of Delhi, Hyderabad, Bengaluru and Mumbai in January, 2018.

  28. The study pertains to actions taken by the regulator during the period between January, 2014 to April 2016.

  29. But it is also one which has seen significant litigation on issues of regulatory governance, with courts often finding deficiencies in the regulatory processes. For instance, see Cellular Operators Association of India v. Telecom Regulatory Authority of India [9].

References

  1. Bailey R, Bhandari V, Parsheera S, Rahman F (2018) Use of personal data by intelligence and law enforcement agencies’. National Institute of Public Finance and Policy. http://macrofinance.nipfp.org.in/PDF/BBPR2018-Use-of-personal-data.pdf

  2. Barik S (2019) Data localisation won’t be part of final e-commerce policy, says piyush goyal: report. Medianama. https://www.medianama.com/2019/06/223-data-localisation-to-be-left-out-of-nal-e-commerce-policy-says-piyush-goyal-report/

  3. Basu A, Hickok E, Chawla AS (2019) The localisation gambit: unpacking policy measures for sovereign control of data in india. Centre for Internet and Society, India. https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf

  4. Bauer M, Ferracane MF, van der Marel E (2016) Tracing the economic impact of regulations on the free ow of data and data localization. Centre for International Governance Innovation and Chatham House. https://www.cigionline.org/sites/default/files/gcig_no30web_2.pdf

  5. Bauer M, Lee-Makiyama H, der Marel E. V, Verschelde B. (2014). The costs of data localisation: friendly fire on economic recovery. European Centre for International Political Economy. http://www.ecipe.org/app/uploads/2014/12/OCC320141.pdf

  6. Bohn D (2012) Rim sets up blackberry server in mumbai, continues to offer ‘lawful access’ to indian government. The Verge. https://www.theverge.com/2012/2/22/2818195/rim-sets-up-blackberry-server-in-mumbai-continues-to-offer-lawful

  7. Burman A, Sharma U (2021) How would data localisation benefit india? https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291

  8. Burman A, Zaveri B (2019) Measuring regulatory responsiveness in India: a framework for empirical assessment. William Mary Policy Rev 9(2). https://static1.squarespace.com/static/59c0077a9f745650903ac158/t/5cb62147104c7ba2eaf637e4/1555439944606/Burman+V2.pdf

  9. Cellular Operators Association of India v. Telecom Regulatory Authority of India (2016) Supreme court of India, civil appeal no. 5017 of 2016. https://indiankanoon.org/doc/116404795/

  10. Chander A, Le UP (2015) Data nationalism. Emory Law J 64(3). https://ssrn.com/abstract=2577947

  11. Cohen B, Hall B, Wood C (2017) Data localisation laws and their impact on privacy, data security and the global economy. Antitrust 32(1, Fall). https://www.americanbar.org/content/dam/aba/publications/antitrust_magazine/anti_fall2017_cohen.authcheckdam.pdf

  12. Cory N (2017) Cross border data ows: where are the barriers and what do they cost? Information Technology and Innovation Foundation. https://itif.org/publications/2017/05/01/cross-border-data-ows-where-are-barriers-and-what-do-they-cost

  13. Department of Industrial Policy and Promotion, Government of India (2019) Draft national ecommerce policy: India’s data for india’s development. https://dipp.gov.in/sites/default/les/DraftNational_ecommerce_Policy_23February2019.pdf

  14. e-Commerce Task Force (2018) Electronic commerce in India: draft national policy framework (non-offcial version). Medianama. https://www.medianama.com/wp-content/uploads/Draft-National-E-commerce-Policy.pdf

  15. EC Staff Document (2017) Commission staff working document on the free flow of data and emerging issues of the european data economy. European Commission. https://ec.europa.eu/digital-single-market/en/news/staff-working-document-free-ow-data-and-emerging-issues-european-data-economy

  16. ET Bureau (2019) India decides to opt out of rcep, says key concerns not addressed. Economic Times. https://economictimes.indiatimes.com/news/economy/foreign-trade/india-decides-to-opt-out-of-rcep-says-key-concerns-not-addressed/articleshow/71896848.cms

  17. Ferracane M, Kenz J, van der Marel E (2018) Do data policy restrictions impact the productivity performance of firms and industries? ECIPE, DTE WORKING PAPER 01. https://ecipe.org/wp-content/uploads/2018/10/Do-Data-Policy-Restrictions-Impact-the-Productivity-Performance-of-Firms-and-Industries-final.pdf

  18. Ferracane M, van der Marel E (2018) Do data policy restrictions inhibit trade in services? ECIPE. https://ecipe.org/publications/do-data-policy-restrictions-inhibit-trade-in-services/

  19. FSLRC (2013) Report of the financial sector legislative reforms commission. Ministry of Finance, Government of India

  20. Gallagher R, Greenwald G (2014) How the nsa plans to infect ’millions’ of computers with malware. The Intercept. https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/

  21. Gopalakrishnan Committee (2020a) Report by the committee of experts on non-personal data governance framework. Ministry of Electronics and Information Technology, Government of India (revised). https://ourgovdotin.files.wordpress.com/2020/12/revised-report-kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf

  22. Gopalakrishnan Committee (2020b) Report by the committee of experts on non-personal data governance framework. Ministry of Electronics and Information Technology, Government of India. https://ourgovdotin.files.wordpress.com/2020/07/kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf

  23. Greenwald G (2014) How the nsa tampers with us-made internet routers. The Guardian. https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

  24. Gurumurthy A, Chami AVN (2017) The grand myth of cross-border data ows in trade deals. IT for Change. http://itforchange.net/grand-myth-of-cross-border-data-ows-trade-deals#footnote347w9cffs

  25. Hetavkar N (2018) Rbi firm on data localisation; 80% of firms to comply by oct 15 deadline. Business Standard. https://www.business-standard.com/article/economy-policy/rbi-firm-on-data-localisation-80-of-firms-to-comply-by-oct-15-deadline-118101101302_1.html

  26. Hill R (2017) Second contribution to the June-September 2017 open consultation of the itu cwg-internet, why should data ow freely? Association for Proper Internet Governance. https://bit.ly/2QBOydj

  27. IAMAI (2016) Make in India: Conducive policy and regulatory environment to incentivise data center infrastructure. Internet and Mobile Association of India

  28. IBEF (2018) It & ites industry in India. India Brand Equity Foundation. https://www.ibef.org/industry/information-technology-india.aspx

  29. INC42 Staff (2021) RBI Bars mastercard from acquiring new customers for violating data localisation policy. Inc42.com. https://inc42.com/buzz/rbi-bars-mastercard-from-acquiring-new-customers-for-violating-data-policy/

  30. Kathuria R, Kedia M, Varma G, Bagchi K (2019) Economic implications of cross-border data ows. ICRIER and IAMAI. https://icrier.org/pdf/Economic_Implications_of_Cross-Border_Data_Flows.pdf

  31. Khamooshi A (2016) Breaking down apple’s iphone fight with the us government. The New York Times. https://www.nytimes.com/interactive/2016/03/03/technology/apple-iphone-fbi-fight-explained.html

  32. Kovacs A, Ranganathan N (2018) Data sovereignty, of whom? Limits and suitability of sovereignty frameworks for data in India. Data Governance Network WP 03. https://internetdemocracy.in/wp-content/uploads/2020/03/Data-sovereignty-of-whom-Limits-and-suitability-of-sovereignty-frameworks-for-data-in-India.pdf

  33. Kuner C (2015) Data nationalism and its discontents. 64 Emory Law Journal Online 2089. http://law.emory.edu/elj/elj-online/volume-64/responses/data-nationalism-its-discontents.html

  34. Law Ministry (2014) Pre-legislative consultation policy. https://legislative.gov.in/documents/pre-legislative-consultation-policy

  35. Leviathan (2015) Quantifying the cost of forced localization. Leviathan Security Group. https://tinyurl.com/y89q99yt

  36. Macleod J (2015) E-commerce and the wto: a developmental agenda. GEG Africa

  37. Mandavia M (2020) Activists demand jpc consult civil society on data protection bill. https://economictimes.indiatimes.com/news/politics-and-nation/activists-demand-jpc-consult-civil-society-on-data-protection-bill/articleshow/79449870.cms?from=mdr

  38. Manikandan A (2021) Payment companies face tighter rbi norms. Economic Times. https://economictimes.indiatimes.com/tech/technology/payment-companies-face-tighter-rbi-norms/articleshow/81765812.cms?from=mdr

  39. MeITY (2018) Software and services sector. Ministry of Electronics & Information Technology. http://meity.gov.in/content/software-and-services-sector

  40. MeitY (2019) Clarification regarding a story published in the economic times on data protection bill. https://bit.ly/3CNZQ6m

  41. Ministry of Foreign Affairs, Government of Japan (2019) Osaka declaration on digital economy. Government of Japan. https://www.mofa.go.jp/mofaj/gaiko/g20/osaka19/pdf/special_event/en/special_event 01.pdf

  42. Panday J (2016) The internet has a new standard for censorship. The Wire.in. https://thewire.in/politics/the-internet-has-a-new-standard-for-censorship

  43. Parsheera S (2020) Regulatory governance under the pdp bill: a powerful ship with an unchecked captain? https://www.medianama.com/2020/01/223-pdp-bill-2019-data-protection-authority/

  44. Parsheera S, Jha P (2020) Cross-border data access for law enforcement: what are India’s strategic options? https://carnegieindia.org/2020/11/23/cross-border-data-access-for-law-enforcement-what-are-india-s-strategic-options-pub-83197

  45. Press Trust of India (2014) Vodafone secretly sharing data with british intelligence: home ministry. The Hindu. https://timesofindia.indiatimes.com/india/Vodafone-secretly-sharing-data-with-British-intelligence-Home-ministry/articleshow/31797862.cms/

  46. Puttaswamy v. Union of India (2017) 2017 (10) SCC 1, Supreme Court of India

  47. Raghavan TS (2019) India rejects rcep e-commerce chapter. The Hindu. https://www.thehindu.com/business/india-rejects-rcep-e-commerce-chapter/article29659912.ece

  48. RBI (2018a) Minutes of the meeting held with major non-compliant payments system operators. https://www.cashlessconsumer.in/uploads/DataLocalisation-RBI-MoM.pdf

  49. RBI (2018b) Statement on developmental and regulatory policies. https://rbidocs.rbi.org.in/rdocs/PressRelease/PDFs/PR264270719E5CB28249D7BCE07C5B3196C904.PDF

  50. RBI (2018c) Storage of payment system data. https://www.rbi.org.in/scripts/NoticationUser.aspx?Id=11244

  51. RBI (2019) Faqs on storage of payment system data. https://m.rbi.org.in/scripts/FAQView.aspx?Id=130

  52. Roy S (2019) G-20 osaka summit: India refuses to sign declaration on free ow of data across borders. Indian Express. https://indianexpress.com/article/india/g-20-osaka-summit-narendra-mod-india-declaration-on-free-ow-of-data-across-borders-shinzo-abe-5805846/

  53. Roy S, Shah A, Srikrishna BN, Sundaresan S (2018) Building state capacity for regulation in India. https://macrofinance.nipfp.org.in/PDF/RSSSbuilding-state-capacity.pdf

  54. Selby J (2017) Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both? Int J Law Inform Technol 25(3):213–232. https://academic.oup.com/ijlit/article-abstract/25/3/213/3960261

  55. SFLC (2014) Deity provides lists of sites blocked in 2013, but withholds orders! s c.in. https://sc.in/deity-provides-list-sites-blocked-2013-withholds-orders

  56. SFLC (2015) Deity says 2341 urls were blocked in 2014; refuses to reveal more. s c.in. https://sc.in/deity-says-2341-urls-were-blocked-2014-refuses-reveal-more

  57. SFLC.in (2021) Internet shutdowns. internetshutdowns.in. https://internetshutdowns.in/

  58. Shah A (2015) The economies of cloud computing: an Indian perspective. The Leap Blog. https://blog.theleapjournal.org/2015/03/the-economics-of-cloud-computing-indian.html

  59. Shah A (2016) Occam’s razor of public policy. The Leap Blog. https://blog.theleapjournal.org/2016/01/occams-razor-of-public-policy.html

  60. Srikrishna Committee (2017) White paper on data protection in India. https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf

  61. Srikrishna Committee (2018) A free and fair digital economy: protecting privacy, empowering indians. Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna. http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf

  62. Surabhi (2021) Visa complies with rbi’s data localisation norms. Hindu Business Line. https://www.thehindubusinessline.com/money-and-banking/visa-complies-with-rbis-data-localisation-norms/article35527816.ece

  63. The Economist (2017) The world’s most valuable resource is no longer oil, but data. https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

  64. UK Better Regulation Task Force (2005) Regulation—less is more: reducing burdens, improving outcomes. https://www.regulation.org.uk/library/2005_less_is_more.pdf

  65. Unified License (2014) License agreement for unified license. Department of Telecommunications. http://dot.gov.in/sites/default/files/Amended%5C%20UL%5C%20Agreement_0_1.pdf?download=1

  66. Wikipedia (2016) Internet censorship in India. Wikipedia. https://tinyurl.com/y94t5lrs

  67. Yadron D, Ackerman S, Thielman S (2016) Inside the fbi’s encryption battle with apple. The Guardian. https://www.theguardian.com/technology/2016/feb/17/inside-the-fbis-encryption-battle-with-apple

Download references

Acknowledgements

We would like to thank Ajay Shah, Amba Kak, Jyoti Panday, Mansi Kedia, Mudit Kapoor, and Richard Hill for comments on an earlier version of this paper, which was released as a NIPFP Working Paper titled ‘Data localisation in India: Questioning the means and ends’ in 2018. We are also grateful to an anonymous peer reviewer for comments on this version of the paper. All errors are our own.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Smriti Parsheera.

Ethics declarations

Conflicts of interest

The authors declare that they have no conflict of interest.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bailey, R., Parsheera, S. Data localization in India: paradigms and processes. CSIT 9, 137–150 (2021). https://doi.org/10.1007/s40012-021-00337-4

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s40012-021-00337-4

Keywords

Navigation