India's DPDP Act introduces data localisation obligations for certain categories of personal data, requiring businesses to fundamentally rethink their cloud infrastructure and cross-border transfer arrangements.
Data localization refers to the practice of storing data within the borders of the country where it is generated or, at a minimum, maintaining a mirror copy locally. It emphasizes that data is a valuable resource and a national asset over which citizens have sovereign rights. The practice limits the storage, processing, and cross-border movement of data to specific geographies, which may be subject to certain restrictions.
In India, data localization obligation is regulated under multiple laws and in this newsletter, we will explore key areas requiring the implementation of data localization.
The IT Act and Rules allow the transfer of sensitive personal data or information to a person or an organization within and outside India that ensures the same level of data protection as provided under these Rules. This transfer is subject to a contractual agreement and consent of the information provider.
The DPDPA is a comprehensive law aimed at safeguarding personal data and regulating its processing. While the DPDPA currently permits cross-border data transfers, it empowers the government to restrict transfers to specific countries as notified by the Government of India.
In April 2018, the RBI issued a circular titled ‘Storage of Payment System Data,’ requiring payment system providers to store all payment-related data on servers within India. This includes end-to-end transaction details, customer data, payment-sensitive data, payment credentials, and transaction data. The directive provided a six-month compliance timeline. If data processing occurs outside India, the processed data must be transferred back and stored only in India within one business day or 24 hours of processing and ensure processed data is deleted from overseas systems. By enforcing localization, the RBI seeks to ensure data security and bolster the protection of citizens sensitive payment information.
The terms of the unified telecom license agreement mandate Indian Telecom Service Providers to not transfer any accounting information relating to a subscriber (except for international roaming/billing) to any person or place outside India and user information (except about foreign subscribers using Indian Operator’s network while roaming).
The Indian Computer Emergency Response Team (CERT-In), the nodal authority in India to oversee and manage cyber security incidents issued Directions in 2022. The CERT-In Directions make it mandatory for all service providers such data centers, and Government organizations to mandatorily and securely maintain logs of all their ICT systems for a rolling period of 180 days and such logs or a mirror copy of the logs are to be maintained within the Indian jurisdiction.
The Companies Act and Rules thereunder require companies to store financial information at the registered office of the company. Companies may maintain a back-up of the books of account and other books and papers in electronic mode, at a place outside India, however the company should store a copy of the same in servers physically located in India on a periodic basis.
The IRDAI regulations require all records, including those present in an electronic format, that are related to insurance policies and claim records made in India, to be stored in data centres located and maintained in India only.
Data localization is a key component of India’s digital economy, driven by laws like the DPDPA, RBI guidelines, insurance and health data regulations. These regulations require businesses to store and process data within India to ensure data protection, national security, and data sovereignty. While it promotes economic growth and compliance, it also presents challenges such as operational complexity and financial costs, particularly for multinational corporations and SMEs.
Businesses should treat data localization as both a compliance necessity and a strategic opportunity. By prioritizing localization, businesses can enhance trust, comply with regulations, and leverage growth opportunities in India’s expanding digital infrastructure sector.