1. Introduction
Picture this: you open your favourite food delivery app, place an order, and pay using your UPI-linked bank account. In a matter of seconds, your name, phone number, location, payment details, and consumption habits have been captured and quite possibly stored on a server sitting in Singapore, Ireland, or the United States. For you, it was lunch. For a data company, it was gold.
This is the world we live in, a world where personal data crosses borders faster than any physical good ever could. And it is precisely this reality that has pushed governments, including India’s, to ask a fundamental question: should data generated by Indian citizens be stored in India?
The answer is complicated: legally, technically, and geopolitically. India’s journey toward data localization has been long, marked by ambitious proposals, industry pushback, and years of parliamentary debate. The landmark result is the Digital Personal Data Protection Act, 2023 (DPDPA), India’s first comprehensive data protection law. This article explains what data localization means, what Indian law says about it, who it affects, and what individuals and businesses need to know.
2. What is Data Localization?
Data localization refers to laws or regulations that require personal data to be stored, and sometimes processed, within the territory of a specific country. Think of it as a passport rule for data: your information cannot leave the country without permission, or sometimes cannot leave at all.
There are three broad models that countries adopt when designing data localization rules. The first is strict localization, under which data must be stored exclusively within national borders with no transfers permitted abroad. The second is conditional localization, which allows data to be sent overseas only to countries that meet approved privacy or security standards. The third is mirroring, which requires that a copy of the data be retained in the home country even if the original is stored elsewhere.
India has at various points considered all three models. Today, its framework leans toward conditional and sectoral localization under the DPDPA, though sector-specific rules, particularly for financial and payment data, remain considerably stricter. The result is a layered system where the applicable rules depend on what type of data is involved and which industry the organisation operates in.
3. Steps and Procedure: Compliance Under the DPDPA
Whether you are a startup, a multinational, or an individual developer handling user data, the following steps outline your obligations under India’s data localization framework.
Step 1: Identify the Type of Data You Handle
The DPDPA distinguishes between personal data, such as names, phone numbers, and email addresses, and sensitive personal data, which includes financial details, health records, and biometric information. Stricter localization and transfer rules apply to sensitive categories. A fitness app collecting step counts and workout history, for instance, handles health data, a sensitive category that will attract tighter controls once implementing rules are notified.
Step 2: Determine Whether a Cross-Border Transfer is Involved
If your servers, cloud providers, or data processors are located outside India, you are performing a cross-border transfer. Even using a third-party software-as-a-service tool hosted abroad may qualify as a transfer under the DPDPA. Organisations should map their data flows carefully to understand precisely where data travels after it is collected.
Step 3: Check the Government’s Approved Country Whitelist
Under Section 16 of the DPDPA, personal data may only be transferred to countries or territories notified by the Central Government. As of the time of writing, this whitelist has not yet been officially published. Until it is, companies should treat all cross-border transfers cautiously and document the basis for each one. Maintaining a clear record of what data is collected, where it is stored, and which third-party vendors process it will be essential once the whitelist and implementing rules are notified.
Step 4: Apply Sector-Specific Rules Where Applicable
If you operate in payments, insurance, or securities, additional localization requirements apply regardless of the DPDPA. The Reserve Bank of India mandates that all payment system data be stored exclusively in India under its April 2018 circular. The Insurance Regulatory and Development Authority of India requires certain policyholder data to be stored domestically. The Securities and Exchange Board of India’s cyber security framework similarly mandates local storage of trading and investor data. These sectoral obligations sit alongside, and in some cases go further than, the DPDPA.
Step 5: Appoint a Data Protection Officer if Required
Certain categories of data fiduciaries, meaning organisations that process large volumes of data or handle sensitive categories, must appoint a Data Protection Officer. The specific thresholds will be defined in the implementing rules. Organisations that anticipate falling into a regulated category should begin identifying and appointing a suitable officer well in advance.
Step 6: Register with the Data Protection Board Once Constituted
The DPDPA envisages a Data Protection Board of India as the primary adjudicatory authority for complaints and penalties. The Board has not yet been constituted. Once it is, data fiduciaries in notified categories will need to register and comply with its directions. Organisations should monitor government notifications closely so they are ready to act promptly.
Step 7: Implement Consent and Notice Mechanisms
The DPDPA requires that individuals, referred to as Data Principals, give free, informed, and specific consent before their data is processed. Consent notices must be written in plain language, made available in scheduled Indian languages if requested, and must clearly explain the purpose of data collection. Existing consent frameworks should be reviewed and updated to meet these standards before the Act’s provisions become fully operational.
4. Key Laws and Documents to Know
The following legal instruments and regulatory documents form the backbone of India’s data localization framework. Every practitioner, compliance officer, or informed citizen should be familiar with them.
The Digital Personal Data Protection Act, 2023, passed by Parliament in August 2023, is the primary statute governing data protection in India. It establishes the rights of Data Principals, the obligations of Data Fiduciaries, and the framework for cross-border data transfers through a government-approved whitelist system.
The Reserve Bank of India’s Circular on Storage of Payment System Data, issued in April 2018, is one of the most consequential regulatory instruments in this space. It mandates that all payment system data, including end-to-end transaction details, payment instructions, and settlement data, be stored exclusively within India. This applies to all payment system operators, including foreign companies such as Visa, Mastercard, and American Express.
The IRDAI Guidelines on Information and Cyber Security for Insurers, issued in 2017, require insurance companies to store certain categories of policyholder data within India. Similarly, the SEBI Cyber Security and Cyber Resilience Framework, introduced in 2015, imposes local data storage requirements on securities market participants.
The Justice B.N. Srikrishna Committee Report of 2018 is the foundational policy document that first formally proposed data localization as a legal requirement in India. While it has since been superseded by the DPDPA, it remains essential reading for understanding the reasoning behind India’s approach.
The Ayushman Bharat Digital Mission Operational Guidelines of 2022 govern the storage and sharing of digital health records under India’s national health digitisation initiative. As implementing rules under the DPDPA are notified, health data is expected to attract additional localization-related obligations.
5. Advantages and Disadvantages
Advantages
The most significant argument in favour of data localization is national security. Indian law enforcement agencies have long struggled to access data held by foreign companies during criminal investigations. When a suspect’s communications or financial records sit on servers abroad, investigators must rely on Mutual Legal Assistance Treaties, a process that is notoriously slow and uncertain. Storing data within India, in theory, allows authorities to access relevant information faster and more reliably.
Closely related is the principle of data sovereignty. There is a growing belief, shared across many countries, that data generated by a nation’s citizens constitutes a national resource. Just as countries seek to retain control over their natural resources, they seek to ensure that digital data generated by their populations is not managed and monetised exclusively by foreign entities beyond the reach of domestic law.
Data localization also creates genuine economic opportunity. Requiring data from Indian users to be processed and stored in India generates demand for local data centres, cloud infrastructure, and technology services. This can stimulate investment, create skilled employment, and accelerate the growth of India’s domestic technology sector, goals that align closely with the government’s broader digital economy ambitions.
Finally, localization provides a layer of protection against foreign surveillance. The disclosures made by Edward Snowden in 2013 revealed that intelligence agencies in powerful countries had accessed vast volumes of data stored by major technology companies. Keeping Indian citizens’ data within Indian jurisdiction offers some additional protection against such mass surveillance.
Disadvantages
The most immediate challenge is cost and infrastructure. Building compliant data centres in India is expensive, and smaller companies and startups may find the compliance burden prohibitive. This risks creating an uneven playing field where large corporations with substantial capital can absorb costs that would cripple smaller competitors, ultimately concentrating market power rather than distributing it.
Critics also question whether localization actually achieves its stated security goals. Cybersecurity experts point out that the physical location of a server does not determine who can access the data it contains. A server in India managed by a foreign company using foreign-controlled encryption keys may offer no greater protection than a server abroad. What matters most is governance: who holds the encryption keys, what access controls are in place, and how the data is managed day to day.
Data localization has also created real trade tensions. India’s requirements have strained relationships with trading partners, particularly the United States, which views such mandates as non-tariff trade barriers. This has complicated India’s participation in digital economy negotiations and free trade discussions, at a time when deeper global integration could benefit Indian exporters significantly.
There is also a broader concern about the architecture of the internet itself. The internet was designed as a distributed global system that optimises performance by routing data through the most efficient available pathways, which may lie outside any single country’s borders. Rigidly carving it into national data silos risks creating a fragmented, less efficient network and may slow down services for Indian users as content delivery networks lose the flexibility to route traffic globally.
6. Real-World Examples
The RBI and Payment Data (2018)
When the Reserve Bank of India issued its directive on payment data localization in April 2018, it was one of the most consequential regulatory actions in India’s digital economy. Companies like Visa and Mastercard, which had processed Indian payments through global systems, were required to store all payment data exclusively in India. The transition was not smooth. Visa reportedly failed to comply by the initial deadline and was subsequently barred from issuing new commercial cards, a significant regulatory sanction. Today, most major payment companies have established local data storage infrastructure in India, and the payment data localization mandate is widely considered a successful example of enforcement in this area.
WhatsApp Pay and NPCI Requirements
WhatsApp’s payments feature was delayed in India for several years, partly because the National Payments Corporation of India required all UPI payment data to be stored locally. As a global platform, WhatsApp had to fundamentally restructure its payment infrastructure before it could begin operating in India. The eventual phased rollout of WhatsApp Pay illustrates how data localization requirements can directly shape both the product development timeline and the competitive landscape for global technology companies entering the Indian market.
Health Data under the ABDM
The Ayushman Bharat Digital Mission is digitising India’s health records on a national scale. While no exclusive health data localization mandate currently exists under the DPDPA, health data falls within the sensitive personal data category, which is expected to attract stricter transfer restrictions once implementing rules are notified. This will have significant implications for hospitals, health-technology startups, and global medical platforms operating in India, all of whom will need to revisit their data storage and transfer arrangements.
7. Frequently Asked Questions
Q1. What is the DPDPA and does it apply to my business?
The Digital Personal Data Protection Act, 2023, is India’s primary data protection law. It applies to any entity, Indian or foreign, that processes the personal data of individuals located in India, whether for offering goods or services or for any other purpose. If your business collects data such as names, phone numbers, email addresses, or location details of Indian users, the DPDPA applies to you.
Q2. Does my startup need to store all user data in India?
Not necessarily for all categories of data. Under the DPDPA, personal data can be transferred to countries on the government’s approved whitelist. However, if you process payment data, insurance data, or securities data, sector-specific rules from the RBI, IRDAI, or SEBI require you to store that data exclusively in India. Startups in fintech, insurtech, or health-tech must pay particular attention to these sectoral obligations alongside the DPDPA.
Q3. Which countries are on India’s approved data-transfer whitelist?
As of the time of writing, the Central Government has not yet officially published the whitelist of approved countries under the DPDPA. This means businesses cannot yet determine with certainty which cross-border transfers are fully permissible. Companies are advised to document all existing international data flows and prepare compliance frameworks so they can act promptly once the whitelist is notified.
Q4. What penalties exist for non-compliance with the DPDPA?
The DPDPA provides for substantial financial penalties. For major violations, such as failure to implement reasonable security safeguards resulting in a data breach, penalties can reach up to Rs. 250 crore, approximately USD 30 million. The Data Protection Board of India, once constituted, will be the authority responsible for investigating complaints and imposing penalties on non-compliant organisations.
Q5. How does India’s data localization approach compare to the EU’s GDPR?
The EU’s General Data Protection Regulation does not mandate data localization within the European Union. Instead, it permits data transfers to countries with an adequacy decision or via standard contractual clauses. India’s DPDPA uses a comparable whitelist approach rather than a blanket localization mandate. However, India’s sectoral rules, particularly for payment data, are considerably stricter than anything in the GDPR. India has not yet received an EU adequacy decision, meaning Indian companies transferring data to the EU must still comply with GDPR transfer mechanisms independently.
8. Conclusion
Data localization, at its heart, is a question about power: who controls information, who can access it, and who benefits from it. For India, a country of 1.4 billion people generating enormous volumes of data every day, the stakes could not be higher.
The DPDPA 2023 marks a significant milestone. India now has a comprehensive data protection law that balances individual rights, business practicality, and national interests. Its flexible, whitelist-based approach to cross-border transfers is a deliberate departure from earlier, more rigid proposals. But the law is only as strong as its implementation, and many of its provisions await the notification of implementing rules.
For businesses, the priority is preparation: map your data flows now, understand your sector-specific obligations, and watch for the publication of the country whitelist and the constitution of the Data Protection Board. For citizens, data localization affects who can access your medical records, your financial history, and your digital footprint, making it one of the most consequential legal developments of the digital age.
References
- Ministry of Electronics and Information Technology (MeitY), Digital Personal Data Protection Act, 2023, Government of India.
- Justice B.N. Srikrishna Committee Report, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, 2018.
- Reserve Bank of India, Storage of Payment System Data, Circular DPSS.CO.OD No.2785/06.08.005/2017-2018, April 6, 2018.
- Personal Data Protection Bill, 2019, as introduced in Lok Sabha.
- Joint Parliamentary Committee Report on the Data Protection Bill, December 2021.
- IRDAI, Guidelines on Information and Cyber Security for Insurers, 2017.
- SEBI, Cyber Security and Cyber Resilience Framework, 2015.
- Ministry of Health and Family Welfare, Ayushman Bharat Digital Mission (ABDM) Operational Guidelines, 2022.
- Internet Freedom Foundation, Policy Brief on Cross-Border Data Transfers under the DPDPA, 2023.
- OECD, Cross-Border Data Flows: Taking Stock of Key Policies and Initiatives, OECD Digital Economy Papers, 2021.
