Data Localization vs. Cross-Border Flexibility – India’s Approach under the DPDP Act, 2023

Executive Summary

India’s debates on data localization have shaped its privacy law journey for nearly a decade. Early proposals sought blanket localization of all sensitive data within India, but the Digital Personal Data Protection Act, 2023 (DPDP Act) has taken a more balanced approach. Instead of mandating storage in India, the DPDP Act permits cross-border transfers by default, subject to government power to restrict transfers to notified jurisdictions.

This hybrid approach seeks to balance national security and sovereignty concerns with India’s outsourcing and IT/ITES export economy. It contrasts sharply with China’s strict localization regime and sits closer to the EU’s adequacy model, albeit with executive discretion replacing structured adequacy decisions.

Introduction: The Data Localization Debate

The question of where personal data should reside has been contentious globally. Localization advocates argue it:

• Enhances sovereignty and security.
• Aids law enforcement access.
• Promotes domestic industry development.

Opponents warn it:

• Increases costs for businesses.
• Creates data silos incompatible with global commerce.
• Reduces cloud efficiency and innovation.

India’s initial proposals leaned heavily toward localization, but the DPDP Act reflects compromise and pragmatism.

Evolution of India’s Position

1. 2017 Justice Srikrishna Committee:

• Proposed stringent localization for sensitive data.

2. 2019 PDP Bill:

• Required sensitive personal data to be mirrored in India.
• Critical personal data had to be stored only in India.

3. 2021 Joint Parliamentary Committee (JPC)

• Recommended even stricter localization, citing sovereignty.

4. 2022 Draft DPDP Bill

• Shifted to cross-border flexibility, subject to government “negative list.”

5. 2023 DPDP Act

• Final framework: default free flow of data, except to jurisdictions restricted by government notification.
• This marks a significant policy shift toward global interoperability.

DPDP Act Framework

General Rule: Personal data may be transferred outside India by fiduciaries.

Restriction Power: The Central Government may restrict transfers to specific countries or territories. No explicit requirement to store data in India.

Sectoral Carve-Outs: Sectoral regulators (e.g., RBI for payments, SEBI for market data) may impose stricter rules. DPDP does not override such sectoral mandates.

Comparison with Global Models

GDPR (EU)

• Cross-border transfers permitted only to jurisdictions with adequacy decisions, or with contractual safeguards.
• Structured, transparent process.

China

• Strict localization for critical information infrastructure and sensitive data.
• Outbound transfers require security assessments.

Singapore PDPA

• Transfers allowed if recipient ensures comparable protection.

Brazil LGPD

• Transfers allowed to countries with adequate protection or through safeguards.

India DPDP

• Default flexibility with executive power to blacklist jurisdictions.
• Simpler but more uncertain.

Sectoral Implications

Banking and Fintech

• Already subject to RBI payment data localization.
• Cross-border analytics for fraud detection may face scrutiny.

Healthcare and Health-Tech

• Hospitals using global cloud services for patient data must monitor government notifications.
• Cross-border clinical research requires careful contractual safeguards.

E-Commerce

• Platforms using foreign servers must prepare contingency plans for sudden restrictions.

IT/ITES and Outsourcing

• India’s outsourcing industry thrives on cross-border data flows.
• The DPDP framework preserves competitiveness, but blacklisting could disrupt contracts.

Telecom

• Subscriber data transfers to foreign vendors must align with TRAI guidelines and DPDP.

Hypothetical Case Illustrations

Case 1: Fintech Using U.S. Cloud Servers

• An Indian fintech stores KYC data in U.S. servers.
• If the U.S. is blacklisted by government notification, the fintech must repatriate data within a compliance window.
• Costly migration and service disruption ensue.

Case 2: Hospital Outsourcing Analytics Abroad

• A hospital sends anonymised genetic data to a European research lab.
• If EU remains unrestricted, lawful transfer continues.
• If EU is restricted, hospital must halt transfers or seek anonymisation exceptions.

Case 3: BPO Serving Global Clients

• An Indian BPO processes EU customer data.
• DPDP allows free transfer, but EU GDPR demands adequacy or safeguards.
• Dual compliance requires EU Standard Contractual Clauses + DPDP alignment.

Case 4: Telecom Vendor Restriction

• An Indian telecom uses a Chinese vendor for data analytics.
• If China is blacklisted, immediate cessation required, forcing vendor switch.

Compliance Challenges

1. Uncertainty: Businesses cannot predict which jurisdictions will be restricted.
2. Contractual Complexity: Cross-border agreements must include repatriation clauses.
3. Operational Disruption: Sudden blacklisting could force data migration within tight deadlines.
4. Sectoral Conflicts: DPDP flexibility vs. RBI/SEBI localization mandates.

Compliance Strategies

1. Data Mapping: Catalogue all cross-border transfers, destinations, and purposes.
2. Contractual Safeguards: Include clauses requiring vendors to comply with DPDP and assist in repatriation if needed.
3. Hybrid Storage Models: Store critical datasets locally while allowing analytical copies abroad.
4. Government Monitoring: Track notifications for blacklisted jurisdictions.
5. Contingency Planning: Develop exit and migration plans for critical transfers.

Risks of Non-Compliance

• Regulatory Penalties: Up to ₹250 crore for unlawful transfers.
• Contractual Breach: Failure to deliver services due to blacklisting.
• Reputational Harm: Public backlash if sensitive data sent abroad unlawfully.
• Operational Costs: Expensive, disruptive repatriation projects.

Conclusion & Key Takeaways

The DPDP Act takes a pragmatic middle path between strict localization and unfettered data free flow. By default, cross-border transfers are allowed, but government retains the power to restrict hostile or untrustworthy jurisdictions.

Key takeaways:

• Cross-border flexibility supports India’s outsourcing economy.
• Blacklist power introduces regulatory uncertainty.
• Businesses must map transfers, embed contractual safeguards, and prepare contingency plans.
• Sectoral rules (RBI, SEBI, IRDAI) may still mandate localization.

For Indian corporates, the message is clear: global data flows are welcome, but sovereignty trumps convenience. Compliance demands foresight, agility, and contractual readiness.

Contributed by – Aurelia Menezes

Further reading

• Navigating Compliance Challenges: A Roadmap for GCCs in Regulatory Frameworks
• Navigating India’s Cross-Border Data Transfer (CBDT)