Introduction
Data localisation, the regulatory requirement that data concerning a country’s residents be collected, processed, or stored within its national borders, has been one of the most contested questions in the design of India’s digital economy governance framework. Over the past decade, India has oscillated between assertive sectoral mandates for strict localisation and the softer, cross-border transfer framework ultimately adopted in the Digital Personal Data Protection Act, 2023 (DPDP Act). This oscillation reflects not merely a change in domestic policy preference but the interaction of competing pressures: national security and data sovereignty concerns on one side, trade treaty commitments, economic efficiency arguments, and industry pushback on the other.
Understanding India’s data localisation trajectory requires examining the distinct regulatory universes of finance, insurance, and securities markets, where strict localisation mandates have been in force since 2018, alongside the general data protection framework, where the DPDP Act has adopted a more measured approach. It also requires grappling with the international trade architecture, where data localisation mandates have become a flashpoint in negotiations between India and its major trading partners.
Legal Framework
The Reserve Bank of India’s April 2018 circular on storage of payment system data represents the most significant and strictly enforced localisation mandate in India’s history. The circular required that all data generated by payment systems operating in India, including end-to-end transaction details and payment instructions, be stored only in India. It applied without exception to domestic and foreign payment system operators, including Visa, Mastercard, American Express, and PayPal. The mandate covers not just the final data at rest but also the processing and storage of data at every stage of the payment cycle.
Foreign payment operators initially resisted, and both Mastercard and American Express were barred by the RBI from onboarding new customers in India in 2021 for non-compliance with the circular. This demonstrated the seriousness of the RBI’s enforcement position. By contrast, Visa ultimately complied while maintaining technical architectures that allowed mirrored data to be transmitted abroad for fraud detection and global network management, representing a practical accommodation that the RBI implicitly accepted without formally endorsing.
The Insurance Regulatory and Development Authority of India (IRDAI) has imposed data localisation requirements on insurance companies, requiring that policyholder data and claims data be stored in India. The Securities and Exchange Board of India (SEBI) has issued circulars requiring market infrastructure institutions, including stock exchanges, depositories, and clearing corporations, to ensure that data generated in the Indian securities markets is stored within India. These sectoral mandates collectively create a de facto localisation requirement across the financial services sector.
The DPDP Act 2023 took a markedly different approach to cross-border data transfers. Section 16 of the Act empowers the central government to notify countries or territories to which data fiduciaries may transfer personal data of Indian data principals. The negative-list or whitelist approach (the specifics of whether it operates as a whitelist or a blacklist will depend on the rules to be notified under the Act) represents a middle ground between the hard localisation of the Srikrishna Committee’s 2018 Personal Data Protection Bill draft and the unrestricted transfer regime that industry sought. The DPDP Act does not, on its face, require any category of personal data to be stored within India; it simply restricts the countries to which transfers may be made.
The contrast with the 2019 Personal Data Protection Bill is instructive. That Bill, introduced in Parliament but subsequently withdrawn in 2022, included provisions for mirroring of personal data in India (requiring that at least one serving copy of all personal data be stored in India) and absolute localisation of critical personal data. These provisions attracted vigorous opposition from foreign governments and industry associations and were among the primary reasons cited for the Bill’s eventual withdrawal. The DPDP Act’s architects evidently learned from this episode.
Judicial Developments
There has been no direct judicial adjudication of the constitutionality or legality of India’s data localisation mandates from courts, though the RBI’s authority to impose localisation requirements on payment system operators has not been formally challenged in court proceedings. The Payment and Settlement Systems Act, 2007 gives the RBI broad regulatory authority over payment systems, and the localisation mandate has been treated as a regulatory direction within that authority.
The Supreme Court’s 2017 judgment in Justice K.S. Puttaswamy v. Union of India, recognising the right to privacy as a fundamental right, has indirect implications for data localisation debates. If Indian residents have a fundamental right to privacy in their personal data, the state has an arguable interest in ensuring that such data is subject to Indian legal jurisdiction, which is facilitated by localisation. At the same time, the Puttaswamy framework also requires that state action be proportionate and the least intrusive means of achieving its objective, potentially limiting the scope of localisation mandates that go beyond what is necessary for the identified purpose.
Contemporary Issues and Analysis
The economic case against strong data localisation is well-documented. Studies by the European Centre for International Political Economy (ECIPE) and others have estimated that data localisation requirements reduce a country’s GDP by restricting the benefits of international data flows that enable cross-border services, supply chain management, and cloud computing. For India, a country seeking to attract foreign investment in technology services and to position itself as a global services hub, aggressive localisation creates friction and increases the cost of doing business for foreign companies.
The national security case for localisation rests on several arguments. Data stored in India is subject to Indian legal process and cannot be withheld by foreign governments invoking their own laws (as the US has done historically through the CLOUD Act framework, which creates conflicts with foreign data protection regimes). Indian investigative agencies argue that data stored abroad is practically inaccessible for criminal investigations because mutual legal assistance treaties (MLATs) are slow, bureaucratic, and frequently unproductive. Localisation, in this view, is a matter of effective law enforcement as much as data sovereignty.
The Srikrishna Committee’s 2018 report articulated a sovereignty-based case for localisation, arguing that data is a resource belonging to the Indian people and that its export without adequate protection is analogous to the export of natural resources without value addition. This framing resonated politically even if it has economic weaknesses, and it explains why localisation continues to attract support across the political spectrum in India.
The DPDP Act’s whitelist approach defers the hard localisation question to executive discretion in the form of the list of permitted countries. The rules under the Act, which had not been finalised as of early 2026, will determine in practice whether the Act results in a permissive or restrictive cross-border transfer environment. The risk of regulatory uncertainty in this interim period is significant, as companies cannot make infrastructure investment decisions without knowing which jurisdictions will be deemed acceptable for data transfer.
Comparative and International Perspective
China provides the most comprehensive model of data localisation through its Data Security Law, 2021 and Personal Information Protection Law, 2021. China requires that data designated as important data be stored in China and assessed before transfer, and that critical information infrastructure operators store personal information and important data within China’s borders. The Chinese model is enforced through a comprehensive state apparatus and is widely regarded as an instrument of both data governance and political control.
India’s approach, even under its sectoral mandates, is considerably less sweeping than China’s. The RBI’s payment data localisation, while strict, is limited to a specific data category and regulatory sector. The DPDP Act’s framework is more permissive than China’s and closer in structure to the EU’s approach under the General Data Protection Regulation (GDPR), which permits cross-border transfers to countries with an adequacy decision from the European Commission or through standard contractual clauses, binding corporate rules, or other designated mechanisms.
The United States has been consistently opposed to data localisation mandates, viewing them as protectionist measures that disadvantage US technology companies and fragment the global internet. The US-India Trade Policy Forum has engaged repeatedly on data localisation, with the US seeking commitments from India to liberalise cross-border data flows as a condition for trade partnership benefits. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the US-Mexico-Canada Agreement (USMCA) include provisions explicitly prohibiting localisation requirements, models that the US would prefer to see reflected in bilateral arrangements with India.
India’s resistance to including binding commitments on data flows in trade agreements reflects a sovereignty-first approach to digital governance, consistent with India’s broader position in WTO e-commerce negotiations, where India has opposed disciplines on cross-border data flows and has advocated for permanent termination of the moratorium on customs duties on electronic transmissions.
Practical and Policy Implications
For multinational corporations with Indian operations, the current framework creates complex compliance obligations. Companies in the financial services sector must maintain India-specific data infrastructure, which increases operational costs and may prevent the use of globally standardised cloud platforms for India-related data. Companies in other sectors operate under the DPDP Act’s cross-border transfer framework, which remains incomplete pending the notification of rules and the list of permitted countries.
The interaction of the DPDP Act framework with India’s pre-existing sectoral localisation requirements also requires careful navigation. A company that is both a payment system participant (subject to RBI localisation) and a general data processor (subject to DPDP Act) must comply with both frameworks, and any conflict between them must be resolved by reference to the lex specialis principle, under which the more specific sectoral regulation will generally prevail for data within its scope.
Suggestions and Reforms
India would benefit from a harmonised data governance framework that integrates its sectoral localisation mandates with the DPDP Act. The current patchwork, in which different regulators impose different localisation requirements with no unified oversight, creates regulatory arbitrage risks and compliance complexity that disproportionately burdens smaller businesses. A Data Governance Authority with cross-sectoral jurisdiction, envisaged in early versions of the data protection legislation but not carried forward into the DPDP Act, would be a valuable institutional mechanism.
On cross-border transfers specifically, India should publish and regularly update the list of permitted countries under Section 16 of the DPDP Act, accompanied by transparent criteria for inclusion based on the adequacy of data protection standards in the recipient jurisdiction. An adequacy-based system modelled on the EU’s approach, but adapted to India’s regulatory realities, would provide business certainty while maintaining genuine protection for Indian data principals.
India should also engage constructively in multilateral discussions on cross-border data flow governance, including the Global Cross-Border Privacy Rules Forum and the emerging G20 Data Free Flow with Trust framework, as a means of advancing Indian interests while reducing the trade tension costs of its localisation policies.
Conclusion
India’s data localisation story is one of regulatory ambition encountering the constraints of economic reality, trade diplomacy, and constitutional principle. The DPDP Act’s softer approach, compared to earlier legislative proposals, reflects a pragmatic recalibration that acknowledges the costs of hard localisation. However, the sectoral mandates in financial services demonstrate that localisation as a regulatory tool is not going away. The challenge for India is to develop a coherent, principled, and internationally sustainable framework that achieves genuine data sovereignty without sacrificing the economic benefits of global data connectivity. This requires not merely legislative drafting skill but a sophisticated appreciation of the technical, economic, and geopolitical dimensions of data governance in an increasingly fragmented digital world.