Sovereignty, safety, localisation — data protection beyond the individual

As the world’s largest democracy and one of the fastest-growing digital economies, India’s approach to data protection and localisation reflects both its sovereign aspirations and the practical challenges of managing its vast digital footprint. The DPDPA represents India’s first comprehensive attempt to protect its citizens’ digital privacy, while simultaneously addressing the growing concerns around data sovereignty.

At its core, the Act establishes robust frameworks for personal data processing, introduces significant penalties for breaches, and implements data localisation requirements for certain categories of sensitive personal data. It also moves away from the strict requirements of previous drafts.

While the Act maintains that sensitive personal data must be stored in India, it allows its processing abroad. It introduces the concept of “trusted geographies” for data transfers, though these jurisdictions remain undefined even under the DPDPR. Large tech companies have welcomed this flexibility as earlier drafts of the law mandated local storage of all critical personal data. However, in the case of financial data, there continue to be stringent localisation requirements under separate Reserve Bank of India (RBI) regulations requiring all payment system operators to store transaction data within India. This requirement has enabled better regulatory oversight, improved fraud detection, and enhanced the security of India’s financial system.

The push for data localisation — stemming from a recognition that data sovereignty is increasingly intertwined with national sovereignty — is a strategic imperative driven by several compelling factors. First, India’s digital economy is projected to reach $1 trillion by 2025, making it one of the world’s largest data generators. With over 800 million internet users and growing, the volume of personal data being generated, processed, and stored is astronomical. This digital gold rush has attracted global technology giants, but it has also raised questions about data sovereignty and national security.

When critical personal data of Indian citizens is stored in foreign jurisdictions, it becomes subject to foreign laws and potentially foreign surveillance, creating vulnerabilities in India’s national security framework. Therefore, the draft DPDPR requires data fiduciaries processing data within India or offering goods or services to data principals in India from abroad to comply with any requirements the Union government sets with respect to making such personal data available to a foreign state or its entities.

Data localisation serves India’s economic interests. By doing so, India is effectively creating a robust domestic data centre industry. This not only generates employment and technological expertise but also reduces dependency on foreign infrastructure. For a long time, tech companies lobbied against data localisation, citing poor infrastructure in India. However, over the last decade, the government has built quality infrastructure to support a robust tech industry ecosystem. Now, major tech companies have already begun investing in local data centres. Investments in this sector are expected to cross $5 billion by the end of 2025.

Nevertheless, the path to data localisation isn’t without its challenges. There are concerns that strict localisation requirements could increase operational costs for businesses, potentially hampering innovation and foreign investment. Another challenge being flagged is the technical infrastructure required to support large-scale data localisation, including reliable power supply, robust internet connectivity, and skilled workforce availability.

Yet, these challenges must be weighed against broader strategic benefits. In an age where data breaches and cyber warfare are real threats, having critical data within national borders ensures better incident response and more control over security measures. It also enables faster access to data for law enforcement agencies when investigating cyber crimes or national security threats.

Further India’s track record in dealing with data movement and security, even in the absence of a specific law before the DPDPA was passed, has been very good. The minimal provisions under the Information Technology Act (2000) and its amended version in 2008 extensively covered the legal requirements for data processing. Additionally, many Fortune 500 companies have had successful experiences for decades, based on service level agreements, while dealing with data processing by both onshore and offshore contracted Indian IT services companies.

Like the European Union’s GDPR (General Data Protection Regulation), India’s law signals that personal data protection is not just about individual privacy. The Act’s provisions for cross-border data transfers are designed to ensure that India’s national interests are protected while maintaining its position as a global digital hub. With the real possibility of trade and tariff issues due to the incoming Trump administration’s approach towards India, data localisation could even serve as a useful negotiation tool.

In an interconnected world where data flows know no borders, India’s approach to data protection and localisation could serve as a model for other developing nations seeking to protect their digital sovereignty while fostering innovation and growth.

The writer, a defence and cyber security analyst, is former country head of General Dynamics