Data Privacy Newsletter – Data Localization in India : December 2024

Introduction

Data localization refers to the practice of storing data within the borders of the country where it is generated or, at a minimum, maintaining a mirror copy locally. It emphasizes that data is a valuable resource and a national asset over which citizens have sovereign rights. The practice limits the storage, processing, and cross-border movement of data to specific geographies, which may be subject to certain restrictions.

In India, data localization obligation is regulated under multiple laws and in this newsletter, we will explore key areas requiring the implementation of data localization.

Few Regulations Driving Data Localization in India

1. The Public Records Act, 1993
   The Public Records Act of 1993 was among the first to impose restrictions on transferring public records outside India, mandating local storage.
2. The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Rules)

The IT Act and Rules allow the transfer of sensitive personal data or information to a person or an organization within and outside India that ensures the same level of data protection as provided under these Rules. This transfer is subject to a contractual agreement and consent of the information provider.

3. The Digital Personal Data Protection Act, 2023 (DPDPA)

The DPDPA is a comprehensive law aimed at safeguarding personal data and regulating its processing. While the DPDPA currently permits cross-border data transfers, it empowers the government to restrict transfers to specific countries as notified by the Government of India.

4. Reserve Bank of India (RBI) Guidelines on Storage of Payment System Data

In April 2018, the RBI issued a circular titled ‘Storage of Payment System Data,’ requiring payment system providers to store all payment-related data on servers within India. This includes end-to-end transaction details, customer data, payment-sensitive data, payment credentials, and transaction data. The directive provided a six-month compliance timeline. If data processing occurs outside India, the processed data must be transferred back and stored only in India within one business day or 24 hours of processing and ensure processed data is deleted from overseas systems. By enforcing localization, the RBI seeks to ensure data security and bolster the protection of citizens sensitive payment information.

5. Unified License Agreement issued by the Department of Telecommunications

The terms of the unified telecom license agreement mandate Indian Telecom Service Providers to not transfer any accounting information relating to a subscriber (except for international roaming/billing) to any person or place outside India and user information (except about foreign subscribers using Indian Operator’s network while roaming).

6. CERT-In Directions for Cyber Security, 2022

The Indian Computer Emergency Response Team (CERT-In), the nodal authority in India to oversee and manage cyber security incidents issued Directions in 2022. The CERT-In Directions make it mandatory for all service providers such data centers, and Government organizations to mandatorily and securely maintain logs of all their ICT systems for a rolling period of 180 days and such logs or a mirror copy of the logs are to be maintained within the Indian jurisdiction.

7. The (Indian) Companies Act, 2013, and the Companies (Accounts) Rules, 2014

The Companies Act and Rules thereunder require companies to store financial information at the registered office of the company. Companies may maintain a back-up of the books of account and other books and papers in electronic mode, at a place outside India, however the company should store a copy of the same in servers physically located in India on a periodic basis.

8. IRDAI (Maintenance of Insurance Records) Regulations 2015

The IRDAI regulations require all records, including those present in an electronic format, that are related to insurance policies and claim records made in India, to be stored in data centres located and maintained in India only.

Impact On Businesses

1. Compliance Complexities across Sectors: Businesses need to navigate a variety of sector specific regulations that impose strict data localization requirements, complicating compliance, particularly in sectors with global data flows.

 

2. Challenges of Implementing Data Localization: Data localization demands significant investment in infrastructure, posing financial and operational challenges. Multinational corporations particularly face challenges of cross-jurisdiction compliance, while SMEs struggle with the high costs of local infrastructure.

 

3. Positive Implications for Indian Data Infrastructure Industries: Data localization is likely to benefit India’s data infrastructure industries, including cloud services, data centers, and IT services, as businesses will need to invest in local solutions, driving growth and innovation in these sectors. Additionally, localization measure would best help increase economic growth by benefiting Indian producers and the larger economy.

Practical Steps for Meeting Compliance

1. Developing an Internal Compliance Roadmap for Localization: This includes understanding the legal landscape, mapping out the necessary steps for consent management, data storage, processing, and access, and ensuring alignment with regulations. 

 

2. Leveraging Technology Solutions like Data Mapping and Monitoring Tools: Implementing technology solutions such as data mapping tools helps organizations understand where their data resides and how it flows across systems and borders.

 

3. Partnering with Local Cloud and Data Storage Providers: Cloud services and data storage providers that have infrastructure within India ensure that data storage, processing, and backup comply with local regulations, making it easier for organizations to meet their obligations while focusing on their core operations.

 

4. Conducting Regular Audits: Organizations should conduct regular audits of data storage and processing practices to review and update cross-border data flow mechanisms and to ensure that they align with the localization laws.

Conclusion

Data localization is a key component of India’s digital economy, driven by laws like the DPDPA, RBI guidelines, insurance and health data regulations. These regulations require businesses to store and process data within India to ensure data protection, national security, and data sovereignty. While it promotes economic growth and compliance, it also presents challenges such as operational complexity and financial costs, particularly for multinational corporations and SMEs.

Businesses should treat data localization as both a compliance necessity and a strategic opportunity. By prioritizing localization, businesses can enhance trust, comply with regulations, and leverage growth opportunities in India’s expanding digital infrastructure sector.