A Brief History and Current Trends in Indian Data Localization

India: Data Fortress or Digital Hub?

**Kai M. Sood

Introduction: Data and Sovereignty

As data localization regulations are enacted in India, they impact investment, business continuity, and market entry strategies. Data is an increasingly valuable commodity that is gaining prominence every day. Estimates released in 2015 stated that data would contribute $11 trillion to the global economy by 2025. Data has played a particularly important role in the expansion of the Indian economy (which, in 2024, hosted the fourth largest securities market in the world). However, Indian data regulations have become more and more stringent over the past few years.

Data localization is a form of data regulation that involves policy efforts that regulate the movement of data within and outside of a nation’s borders. Data localization policies fulfill a number of roles, including the protection of individual privacy, easing of investigations, and assertion of a nation’s sovereignty. Two categories of data tend to catch the eye of policy makers: commercial data (that is, consumer data) and government data (that is, vital records relating to health, property, e-voting, etc.). When enacted restrictively, data localization laws can hinder trade and impose overlapping compliance burdens.

Legal Foundations of Data Privacy

Following the purchase of WhatsApp (a popular social media, instant messaging, and voice-over-IP application) by Facebook Inc., WhatsApp’s user policy was altered. The new policy allowed data sharing with Facebook Inc. A case (Karmanya Singh Sareen v. Union of India) was filed at the Delhi High Court in order to challenge the new policy. A two-judge bench directed WhatsApp to delete the data of certain users by September 25th, 2016, thus affirming a person’s right to digital privacy.

In 2017, K. S. Puttaswamy v. The Union of India and Ors. established privacy as an inherent right of all citizens of the Republic of India. In its decision, the court cited Article 21 of the Constitution of India, which guarantees the “protection of life and personal liberty.” After the case concluded, the Personal Data Protection Bill (2019) was introduced. While it was never enacted, the bill mirrored future data regulation frameworks.

Although the Personal Data Protection Bill was focused on data localization, it included one notable ambiguity. Section 33 of the bill stated that “[d]ata may be transferred outside India, but such sensitive personal data shall continue to be stored in India.” Had it been enacted, personal data storage within India would have been mandated. However, non-personal data sharing outside of India may have been allowed.

The DPDP Act

Today, the pinnacle of data localization legislation in India is the Digital Personal Data Protection Act (DPDP) (2023). Section 16 of the DPDP Act introduces a major ambiguity. Section 16 authorizes (but does not require) the Central Government to restrict the transfer of data by a data fiduciary (similar to Section 33 of the Personal Data Protection Bill). Crucially, any regulations that the Central Government creates do not negate earlier sectoral regulations (see section IV).

Section 18 of the DPDP Act establishes that transfers of data outside of India are governed by the Data Protection Board of India, a perpetual body instituted by the Central Government. Section 19 of the DPDP Act defines the composition (a chairperson and central government-designated number of members) and the duties of the Board. The functions of the Board include mitigating damage after a data breach (that is, implementation of measures to contain a breach so that no further data is exposed), handling of complaints, investigation (and penalization) of consent managers, and investigation (and penalization) of individuals ‘flagged’ by the Central Government. In accordance with Section 16, the Board is also responsible for identifying acceptable nations for data transfers—a “whitelist,” if you will.

Despite its immense role, the Board has yet to be constituted by the Central Government, and there are no indications of progress. The DPDP Act has been passed by Parliament, but it is not yet in force. 

The Draft DPDP Rules were released in January 2025. While the document provides more detail on the Board’s functions—including its role as a fully digital adjudicatory office and its broader objectives under the Act—it offers limited operational guidance for data fiduciaries. The possibility of a whitelist for cross-border transfers is reaffirmed, but no specific criteria or procedures for determining adequacy are provided. Beyond a general recommendation that fiduciaries ensure sufficient information is provided for a data principal’s “informed consent,” the draft rules offer little concrete direction. As a result, the Act’s effects have yet to be defined.

First, organizations are forced to rely on anticipatory compliance—that is, making educated guesses about how to act in order to avoid penalties arising from sudden regulatory shifts. As a result, investors are unable to adequately assess the risks associated with data-reliant organizations. Second, the DPDP Act fragments compliance obligations between sectoral and general law. Since the Act does not override sector-specific regulations, it operates parallel to them—creating overlapping, and at times conflicting, compliance burdens.

Sectoral Regulations and Overlap

Sectoral data localization regulations are directives that affect specific industries. In India, many sectoral data localization measures are already in place. The Reserve Bank of India (RBI), for instance, mandated the domestic storage of Indian payment data via a circular. All payment operators were required to construct data storage facilities within India by October 2018.

Given the inextricable bond between fintech, payment innovations, and data, the impact of the RBI’s regulations was immense. As a result of the hefty investment that companies were required to make in order to comply, the regulation was pointed to as a cause of market contractions. Non-compliant companies have faced swift penalties—most notably when the Indian government banned Mastercard in 2021 for failing to comply with data localization regulations. These pre-existing regulations will continue to apply irrespective of the DPDP Act.

The vast number of regulators within India’s financial sphere causes the impact of data localization efforts to vary. Sectoral data localization has existed in India since at least 1993, when the Public Record Act was implemented. Other sectoral mandates have impacted information technology (IT), telecom services, accounting, government-related data, nonsensitive government data, data transfers with India’s direct neighbors, payholder accounts, and payment data (that is, the RBI’s aforementioned mandates).

Enforcement Gaps and Regulatory Uncertainty

Implementation of the Digital Personal Data Protection Act is stalled by a number of practical hurdles. The Act has been passed by Parliament, but it is not yet in force. No formal timeline has been announced, meaning companies are left to guess when compliance obligations will actually take effect. Even the Draft DPDP Rules released in January 2025 fail to provide a timeline or concrete guidelines, leaving businesses without clarity. The Data Protection Board of India—the central enforcement body mandated by Sections 18 and 19—has yet to be constituted. In the absence of the Board, there is no mechanism to enforce the various facets of the Act. Without any operational framework, the law exists only on paper.

A further challenge is that subordinate rules (including criteria for data localization exemptions) remain undefined. This leaves businesses, especially those in data-heavy sectors such as fintech and e-commerce, in a regulatory vacuum. For investors, the uncertainty is especially acute. Anticipatory compliance (the present default) carries real costs. Despite claims made in the Draft DPDP Rules, smaller firms are heavily affected by the Act, as they often lack the capital to construct domestic data-fallbacks. This makes smaller organizations less attractive investment targets. Large firms, on the other hand, must weigh the risks of building costly architecture that may not satisfy the eventual rules.

The DPDP Act—and the regulatory uncertainty it has caused—is already shaping market behavior. The Act (and the subsequent Draft Rules) introduces significant uncertainty, as the lack of a defined domestic regulatory framework makes investment in data-driven start-ups a high-risk endeavor. Until the Board is formed and rules are finalized, India’s digital economy will continue to operate in a state of uncertainty. 

Industry Impacts: Technology, AI, and More

Various industries are already required to comply with data localization measures. Organizations ensure compliance through local data mirroring (that is, retaining real-time copies of data across multiple locations) and third-party audits, among other efforts.

Consider the following. The banking industry is already subject to sweeping data localization regulations, courtesy of the RBI. Cloud and SaaS services, by comparison, are data-reliant and dependent on a future ‘whitelist.’ As a result, Cloud and SaaS services (and other data-reliant organizations) are operating in a unique grey area for planning and compliance infrastructure.

Technology companies are especially ‘in limbo’ as a result of the DPDP Act. The technology industry contributed 11.74% of India’s GDP between 2022 and 2023. Until the Board is formed and a ‘whitelist’ is released, this industry is operating blind. Furthermore, once constituted, the Board is expected to exert significant regulatory pressure on the technology sector as a whole.

Artificial Intelligence (AI), one of the fastest-growing sectors within the technology industry, will be significantly impacted by the DPDP Act. AI is a combination of data and algorithms. Some forecasts estimate AI will make up 3.5% of the global economy by 2030. India’s ability to play a meaningful role in the emergence of this technology depends, in part, on the effective implementation of the DPDP Act.

Looking Ahead

The DPDP Act is both sweeping and nuanced. Organizations are not granted an automatic right to transfer data outside of India; rather, such transfers are permitted only if the destination country is included on an official ‘whitelist.’ As a result, data residency requirements can effectively become an entry barrier for foreign market entrants.

As a result of the DPDP Act, compliance procedures will involve an organization’s ‘best guess’ of what to do. Industries that have historically faced less sectoral regulation can take several steps to prepare for the full impact of the DPDP Act. Companies may assess data partner (country) adequacy—though this remains challenging, as the Board’s ‘whitelist’ criteria have yet to be defined—consult legal counsel, and prepare for full localization as a contingency measure.

Uncertainty caused by the DPDP Act bleeds into the investment landscape. Investors may ask a number of questions to assess risk—at least to some degree. For instance, they can examine whether a company stores Indian user data abroad. They may also consider whether the company’s partner countries (e.g., the U.S. or E.U.) are likely to be included on the ‘whitelist’—though this remains highly speculative. Regardless of the timeframe, the regulation is likely to hinder startups and smaller organizations that lack the resources to build dual-compliance architecture—that is, structuring compliance to satisfy the requirements of multiple regulatory frameworks.

Companies will be required to invest time and resources in order to comply with the DPDP Act. It would be prudent for organizations to invest in domestic data silos—that is, segregated data storage systems housed within India—to mitigate regulatory risk. If feasible, high-data-volume operations should be delayed until clarity is published.

Outside of the preemptive steps that businesses can take, the government can also take steps to defuse the uncertainty the DPDP Act has caused. In addition to constituting the Board, the Central Government should publish transparent criteria for country adequacy and regulator approvals. Taking this step could significantly mitigate the Act’s market-disruptive effects.

All data localization regulations are enacted with the hope of protecting a nation’s sovereignty. Data—a potent tool of governance and growth—is a new source of control. Furthermore, data fuels technology (which, in many ways, is the infrastructure of power) and other industries.

Data localization has a variety of supporters and detractors both within India and abroad. Supporters cite data localization as a method to encourage growth and ensure sovereignty. Detractors claim data localization measures are limiting. During K. S. Puttaswamy v. Union of India and Ors., K. K. Venugopal asserted that privacy is not guaranteed by the Constitution of India and that it is a vague and multifaceted concept. This, of course, was eventually dismissed by the court but was nonetheless introduced and argued.

There are risks involved in the enactment of data localization. Overregulation may lead to decoupling or investor exit. In Russia, for example, measures intended to ensure ‘technological autonomy’ have been publicly emphasized by the government. In reality, these efforts have been a method of state control that has resulted in a decline in foreign investment. Data localization also creates uncertainty (as proven by the DPDP Act).

The Digital Personal Data Protection Act is an immense device that is already impacting the securities market, even without being in force. As a whole, the Act represents a pivotal moment: India must choose whether to be a data fortress or a digital hub.

**Kai M. Sood is an American student currently interning with Samvitti Capital in Mulki, Karnataka, India. He aspires to a career in business law, with a particular focus on antitrust law. The views expressed in this paper are his own and do not represent those of the organization with which he is affiliated.

**Disclaimer: The views expressed in this blog do not necessarily align with the views of the Vidhi Centre for Legal Policy.