Why localise Data?
India’s Approach to Cross-Border Data Flows

In the name of ‘Data Sovereignty’, India has begun restricting cross-border data flows and enforcing data localisation norms. But what does it mean for India's intricate relationship with cross-border data and India's diplomatic expectations from data transfer agreements?

By Shashank Reddy

Data localisation has become a contentious political and trade issue for India in recent years, with the Indian government firmly pushing for the local storage of Indian citizens’ data across all sectors of the digital economy.

This recent push by the Indian government to have data generated in India stored primarily within the country can be attributed to the idea that the free flow of data from developing countries such as India disproportionately benefits a handful of global companies housed in the West to the detriment of local citizens and economy, which has taken root amongst India’s policymakers. Two interrelated terms - ‘Data Colonialism’ & ‘Data Sovereignty’ - have often been used in this context. The first refers to the idea that given the value of data in today’s global economy, unfettered access to data from the Global South by Big Tech platforms based in the Global North leads to the monopolisation of data and inequalities in digital industrialization between the developed and developing world. The second is the belief that the citizens and government of a country are the final owners and arbiters of the data generated within the territory of that country.

Policy Imperatives for Data Localisation

Indian policymakers are also influenced by domestic imperatives, including ambitions of building globally competitive indigenous digital platforms, ensuring the economic benefits of India’s vast domestic market remain within the country, driving greater economic growth, building technological self-reliance, and gaining a competitive advantage in the development of emerging technologies such as AI. 

This philosophical stance on data localisation has increasingly influenced several domestic policies, most significantly in the sphere of payment systems and personal data. In 2018, for example, the Reserve Bank of India (RBI) issued a directive which required foreign card networks to store Indian payment data within its territorial jurisdiction. The RBI subsequently banned companies such as Mastercard, Visa and American Express from issuing new cards to customers for not complying with such data storage requirements. These restrictions however were subsequently lifted once the companies in question began storing their data locally within India.

Such policy measures have predictably led to push back from India’s trade partners and are one of the major impediments in bilateral and multilateral trade negotiations. Negotiations in the India-UK Free Trade Agreement, for instance, have hit a roadblock over India’s insistence on data localization.

Is Data Localisation Effective?

The primary criticism against data storage requirements is that they do not consider the prevailing market realities of data flows. Firstly, the ease with which data can be used for economic and social innovation is linked to the low marginal costs of gathering, storing and processing data. This low marginal cost is possible due to the ‘borderless’ nature of data flows since it is more efficient to store and process data in different geographical locations. For example, US companies find it easier to carry out data storage in the US where their servers are located, and the alternative of storing data where it is collected (for example, India) increases operational, infrastructural, and compliance costs, and is also perceived as discriminatory by foreign companies. 

Restrictions on data flows can also severely impact India’s trade prospects. An analysis by the Indian Council for Research on International Economic Relations (ICRIER) reveals that a mere 1% decrease in cross-border data flows can potentially result in a loss of 696.71 million US dollars in trade for India. 

Currently, Indian policy discussions do not clearly demonstrate how data localisation requirements would boost data availability for domestic innovation. Local storage alone doesn’t guarantee local access. Moreover, the necessity and proportionality of local storage as a measure for operationalising data sharing remain unclear. Finally, it is uncertain if India possesses the requisite physical data storage infrastructure necessary to facilitate the desired level of data localisation.

Data Localisation in the Digital Personal Data Act

India’s approach to personal data policies has evolved in response to some of these realities. At present, the Digital Personal Data Act (DPDP) 2023 governs the processing of personal data in India, establishing a fundamental stance on data localisation. Section 16 of the DPDP allows the Government the authority to potentially restrict the transfer of personal data for processing to a country or territory outside India through a notification. The sectoral laws which mandate a higher degree of restrictions on data transfers will apply wherever applicable. In essence, the DPDP allows for blacklisting, but the default position is to not prescribe any restrictions. This appears to be a softening of the government’s stand on data localisation, especially when compared to previous versions of the Act. 

While the current DPDP is less restrictive, it continues to create uncertainty regarding the criteria for blacklisting. At the same time, it vests in the Central Government a wide scope of discretionary powers, posing potential risks to privacy and innovation, and enabling arbitrary surveillance. Additionally, while the DPDP establishes a foundation for personal data localisation, it lacks a similar framework for non-personal data. Concerns also arise about the overriding nature of sectoral laws, such as in the financial space, which might render the DPDP provision superfluous.

Fundamentally, India’s policy approach to cross-border data flows is a balancing act between a perceived need to protect its citizens’ data from being exploited by non-Indian firms, and the economic reality of having to engage with other countries and global tech firms to ensure continued economic growth. And this is a balance that has not yet been achieved.