Data PrivacyData Localisation: A Legal Perspective

January 5, 20220


The 21st century has witnessed an unprecedented rise in the realm of the Internet and Technology. Amidst various developments and breakthroughs, data has been one of the most contentious issues. The growth of the internet and economy has also witnessed transfer and storage of data in various parts of the world.

Over the time, everyone has developed a knack for easily sharing our personal information in various forms, streaming services, at eateries, malls, and on various websites.

Although this free flow of data is pivotal for providing a homogenous and well curated user experience across borders, it also opens floodgates for the misuse of data, and a lack of legal protection further aggravates the issue. This is where the idea of ‘data localisation’ steps up.

Data localisation usually comprises requirements for the physical storage of data within a country’s national boundaries. Sometimes, the term localisation is used more broadly to mean restrictions on cross-border data flows.

Under this broader approach, data localisation may include all measures that ‘encumber the transfer of data’ across national borders, such as: preventing information from being sent outside the country, requirement to obtain individual consent before making the transfer, storage of a local copy of the data; and imposing taxes on data exports.

Data localisation can also be demarcated by its effect – strict or conditional. The former includes requirements of local storage or processing of data; in extreme cases, a complete ban on transferring the data abroad.

For conditional restrictions, the transfer of the data is made subject to the satisfaction of conditions. Conditions such as the need to obtain prior consent of the individual or entity whose data is being shared may be applicable to the entities undertaking the transfer or to the transferee country where the data is being sent.


Data localisation as an element of regulatory data protection has come to the fore globally in the past two years. The European Union’s General Data Protection Regulation (GDPR) came into force in May 2018. While GDPR does not restrict data flow, it imposes ‘adequacy’ and other tests on transfer of data abroad.

In India too, since early 2018, data localisation measures and proposals have sped up substantially. Recognition of the Right to Privacy as a fundamental right by the Supreme Court of India has further fuelled the process of data localisation and the concept of data privacy in India.

Consequently, while recognising information protection within the realms of Right to Privacy, the Supreme Court had also advised the Government to create a legal structure to preserve data privacy.

A Draft e-Commerce Policy (e-Commerce Policy) was released, purportedly addressing issues in the Indian e-commerce ecosystem. Interestingly, this e-Commerce Policy proposes data localisation measures as a means to keep data secure, derive economic benefits from it and create jobs within India.

The Reserve Bank of India (RBI) issued circular RBI/2017-18/153, dated 06.04.2018 mandating all payment system providers to store payment data locally only in India. In a recent development in relation to the same restrictions, Mastercard Inc. was indefinitely barred from issuing new debit or credit cards for violating the local data storage rules by the RBI.

Digital payment ecosystems in India have seen a boom in the last couple of years due to the rise of comparatively affordable high-speed internet and customer friendly net banking experiences. The same has also led to an increase in the number of data breaches. Even though no particular restrictions have been imposed upon processing the payment in foreign countries, the data of the users is to be stored in the country itself.


Data localisation can potentially affect the technological ecosystem in a number of ways given that the Internet is built on the principle of easy transfer of information across borders. It could affect access to transborder media and applications – particularly insofar as smaller content providers are concerned.

Besides limiting the overall generativity of the Internet, data localisation can also have a negative effect on the ability of the scientific and business community to innovate with big data solutions at a global scale, and hinder innovation based on the Internet of Things and the sharing economy.

While merely locating data in a country does not in itself (or automatically) make it vulnerable to censorship (or surveillance); data would certainly be more vulnerable if the country the data was located in had legislations that gave the State greater powers of restricting access to content, or indeed if the country the data was located in did not have the capacity or will to ensure proper oversight and accountability of its executive agencies. In case of data localisation, extra-legal measures need to be practiced in order to safeguard such locally processed and stored data.

Economic Impact

One of the primary arguments against mandatory data localisation stems from the cost that it is likely to impose on businesses and consequently, their consumers and the economy as a whole. Widespread localisation norms will mean that both foreign and domestic businesses and other users will no longer have the flexibility to choose the most cost-effective or task-specific location to store their data. These efficiency losses will ultimately be passed onto consumers in the form of higher costs of service.

Notably, the Government may impose licensing and other conditions on businesses. Accordingly, the States may legitimately impose restrictions on cross-border flows of data in the interests of public welfare, despite the apparent costs that it may impose on businesses.

While it may be difficult to demonstrate that data localisation measures would result in the violation of the rights such as freedom to practice any profession, the effects of data localisation on businesses should nevertheless be a consideration from a policy perspective. The increasingly intertwined nature of the economy with the Internet implies that curbs on online businesses would necessarily have several economic implications.

Impact on Domestic Industry

On one hand, there is a recognition that the “development of automation technology and increasingly protectionist measures globally” are resulting in changing global demands, which will have significant implications for the Indian outsourcing industry.

On the other, it remains true that despite these shifts, the sector will continue to remain relevant for India in the short to medium term.

Therefore, India’s role in furthering a global push towards increased data localisation needs to be considered more carefully, since the implementation of any data localisation measures may dramatically affect the development of this sector. This is also vital from a long-term economic perspective.

Given India’s dominant position in the business processing and outsourcing industries, implementing measures that could hamper growth of this sector would appear detrimental to its national economic interests. One should also keep in mind that as global businesses grow, they also seek to leverage domestic skill sets to service global clientele.

For instance, Cisco has established global development centres in India to take advantage of the large number of engineering students in the country. Similarly, Google houses many of its research centres in locations across the globe, including India. Broad localisation measures may impact the way such globalised business function, thereby affecting India’s developing software industry and by implication its economic interests.

Another powerful narrative that has emerged in recent times is about the need for domestic mechanisms for the creation, sharing and use of data for the development of artificial intelligence (“AI“) development.

To quote from the Srikrishna Committee’s report, The growth of AI is heavily dependent on harnessing data, which underscores the relevance of policies that would ensure the processing of data within the country using local infrastructure built for that purpose.” The Committee then goes on to note that these benefits can be achieved by ensuring that at least one copy of personal data is stored in India and that more sensitive, critical personal data is processed and stored only in India.

However, it cannot be assumed that mere storage of data in India would automatically make it accessible for all sorts of beneficial research. Assuming all the big Multi- national Corporations (MNC) do agree to localise data produced by Indians, this data would still continue to be held by foreign MNCs.

Physically locating the data in India would not really enhance the ability of Indian companies to access it.  Given that the data in question is personal and sensitive and critical personal data of individuals, its use will be governed by the protections under the proposed data protection law.

One of the arguments used in favour of data localisation is that it would provide a boost to the local computer hardware and software industry and generate local employment.


The position adopted by those who seek to include data flow related issues in trade agreements appears to be based on the notion that personal data must be treated as any other commodity. Accordingly, free flows of data must be the de facto position unless justified by overwhelming public policy concerns.

What constitutes a legitimate public policy concern would be adjudicated at the international level, under the World Trade Organisation (WTO) framework.

However, this approach has been challenged on three grounds –

  1. The rights-based argument that sees personal data as essential to a person’s autonomy and identity and therefore, as more than a mere commodity;
  2. The fact that commercial exploitation and trade in commodities of various kinds are indeed regulated or taxed; and
  3. The use of WTO mechanisms reduces democratic control over data.

The free flow of data is seen to strengthen the position of global incumbents in the digital economy – large, monopolistic Internet corporations don’t pay sufficient taxes or other dues across the world, in addition to which they make huge profits without adequately compensating the individual’s whose data these profits are built upon.

Accordingly, there is a perceived need to adjust the nature of the digital economy, through taxation, localisation measures, and the like.


The concept and implementation of data localisation is going to be evolving as it has its pros and cons. While there is a need to develop a legal safety valve to protect the data of the citizens and participants of the internet economy, the kind of restriction it has on civil rights and the economic impact on domestic business should also be taken into consideration.

With respect to privacy, it is important to provide the opportunity to the user to decide where his privacy is better off. The Government should take up the initiative to educate the citizens about various aspects of data privacy and make the users aware about their rights.

Once the data protection legislation is in place in India, such legislation shall regulate data localisation and the transfer of data across several jurisdictions.

– Team AMLEGALS assisted by Mr. Kushagra Kundan (Intern)

For any query or feedback, please feel free to get in touch with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.