Introduction
Imagine all your digital footprints, from your payment app history to your health records, being stored only within India’s borders. Sounds secure, right? This is the promise of data localisation, a wave of laws requiring certain data to stay within national boundaries. India is at the forefront of this movement, but it’s part of a broader global trend driven by national security, privacy, economic interests, and more. In this blog, we explore why countries are increasingly demanding data localisation, its benefits, pitfalls, and what India’s future focus should be.
What Is Data Localisation?
Data localisation (or residency/regulatory storage) mandates that data, especially personal, financial, or "critical" data, must be collected, processed, and stored within the country where it originates. In simpler terms, it means: “Your data stays home.”
This concept stems from the idea of data sovereignty, where a country wants to apply its own laws to the data generated by its people, rather than letting it be governed by foreign regulations.
Localisation often applies to sensitive data, such as:
- Financial records (e.g., UPI, credit cards)
- Health data
- Personal identifiers (name, mobile, Aadhaar)
- National security-related data
Governments push for data localisation for national security, law enforcement, privacy protection, and economic self-reliance.
Why Data Localisation Laws Are on the Rise
Countries like India are increasingly adopting data localisation laws to strengthen national security, ensure privacy, and support economic growth. When data is stored locally, authorities can access it faster for investigations without relying on foreign governments. It also helps protect citizens from foreign surveillance and ensures data is handled under local privacy rules. Additionally, localisation encourages investment in data centers and cloud infrastructure, creating tech jobs and boosting the digital economy.
Globally, laws like the EU’s GDPR and China’s data transfer rules have set the trend, and India is aligning with this shift through the Digital Personal Data Protection Act, 2023. The aim is to balance user privacy, business needs, and India’s digital sovereignty.
Types of Data Localisation Mandates
Not all localisation laws are created equal. Different countries and even different sectors use varying levels of restriction. Here are the most common types:
1. Full Localisation:
It is the most stringent form. It mandates that all personal or sensitive data must be collected, stored, and processed exclusively within the country’s borders. No cross-border transfer is allowed under any circumstance. Countries like Russia have adopted this model, requiring all personal data of Russian citizens to be stored on servers physically located within the country. This approach is usually justified on grounds of national security and data sovereignty, though it can significantly increase infrastructure costs and compliance burdens.
2. Partial Localisation:
It offers a slightly more flexible approach. It allows organizations to transfer and process data abroad, but requires that a copy of the data be stored locally within the country. This model strikes a balance between enabling global operations and ensuring that regulators have domestic access to data when needed. A prominent example is the Reserve Bank of India’s 2018 directive on payments data, which requires all system providers to store a local copy of end-to-end transaction data even if processing occurs overseas.
3. Conditional Cross-Border Transfer:
Under a Conditional Cross-Border Transfer regime, you can send data abroad, but only to ‘trusted’ places or under certain rules. It is the most flexible model, where data can be moved outside the country, but only under specified legal conditions. These conditions often include user consent, contractual safeguards, or data transfers restricted to a list of government-notified “trusted” countries.
Both India’s Digital Personal Data Protection Act (DPDPA), 2023 and the European Union’s General Data Protection Regulation (GDPR) follow this approach. While GDPR requires that recipient countries offer an “adequate level of protection,” India’s DPDPA will allow the central government to notify specific countries where Indian personal data may be transferred.
Data Localisation Laws in India
India’s approach to data localisation has evolved over several decades, driven by regulatory, constitutional, and technological imperatives. The country has not adopted a single unified localisation law but instead relies on a combination of enacted laws, judicial decisions, and sector-specific regulations to govern where and how data must be stored.
1. Public Records Act, 1993 – The First Localisation Step
The Public Records Act, 1993 was one of the earliest pieces of legislation to introduce localisation in India. It prohibited public records, particularly government data, from being taken outside the country without prior approval. This law was designed primarily for physical records but has since been interpreted to include digital data.
2. Companies Act, 2013 – Local Storage of Corporate Records
Under Section 94 of the Companies Act, 2013 and its related rules (2014), companies are required to store specific records such as registers of members, debenture-holders, and annual returns within India. These records must be kept either at the company’s registered office or at another location in India as approved by the board. This provision ensures that key corporate data remains within Indian jurisdiction and is available for inspection.
3. Information Technology Act, 2000
The Information Technology Act, 2000, along with the 2011 rules, laid the groundwork for digital data governance in India. It introduced the concept of sensitive personal data and required organizations to implement “reasonable security practices.” However, it did not mandate that data be stored in India, allowing for offshore data processing unless restricted by a sectoral regulator. Over time, additional rules (including the 2021 Intermediary Guidelines) imposed obligations on intermediaries to retain and furnish data to the government, but without a direct localisation requirement.
4. RBI Circular, 2018 – Localisation of Payments Data
One of the most significant sector-specific mandates came from the Reserve Bank of India (RBI). In its 2018 circular, RBI required all payment system operators to store complete end-to-end transaction data, including customer and merchant details, exclusively in India. Foreign processing is permitted only for global transactions, and even then the data must be repatriated within 24 hours. The RBI also mandates System Audit Reports (SARs) to verify compliance, adding a compliance burden for fintech companies operating across borders.
5. DPDP Act, 2023 – Cross-Border Transfers with Safeguards
The Digital Personal Data Protection Act (DPDP), 2023 replaced the earlier draft bills and introduced a more balanced approach to data localisation. It does not mandate blanket localisation but allows personal data to be transferred to other countries, except to those restricted by the central government. This “blacklist model” empowers the government to designate trusted geographies while continuing to allow stricter requirements from sectoral regulators. The DPDPA implemented a whitelist-blacklist mechanism for cross-border data transfers, allowing data flows except to countries restricted by the government.
Conclusion: India’s Way Forward on Data Localisation
India is moving toward a balanced and practical approach to data localisation. Instead of forcing all data to be stored within the country, the focus will be on keeping only sensitive or critical data like health, financial, or security-related data within India. The government will also publish a list of “trusted” countries where personal data can be safely transferred. Sectoral regulators like RBI and IRDAI will continue to set their own rules for banking and insurance data. At the same time, the government is investing in local data centers and cloud infrastructure to support compliance. India also plans to align with global data protection frameworks like GDPR to promote digital trade and trust. Privacy and consent will become more important, with strict rules on how data is collected and used. Overall, India aims to protect citizens’ privacy without harming business growth or international cooperation.