• October 16, 2018, 3:05 pm


Two top American Senators have asked Prime Minister Narendra Modi to adopt a soft stance on data localisation, warning that India’s policy on the issue will adversely affect American businesses in the country.


Data localization is the act of storing data on any device that is physically present within the borders of a specific country where the data was generated. Free flow of digital data, especially data which could impact government operations or operations in a region, is restricted by some governments. Many attempt to protect and promote security across borders, and therefore encourage data localization.


Given the opacity of policymaking in India, many of the policies and regulations provide no justification at all.

As any data forensic expert would note, chain of custody and data integrity are what are most important components of data handling in fraud investigation, and not physical access to hard drives. It would be difficult for the government to say that it will block all Google services if the company doesn’t provide all the data that Indian law enforcement agencies request from it. However, it would be facile for the RBI to bar Google Pay from operating in India if Google doesn’t provide it “unfettered supervisory access” to data.

The most exhaustive justification of data localisation in any official Indian policy document is that contained in the Srikrishna Committee’s report on data protection.

The report argues that there are several benefits to data localisation:

  1. Effective enforcement,
  2. Avoiding reliance on undersea cables,
  3. Avoiding foreign surveillance on data stored outside India,
  4. Building an “Artificial Intelligence ecosystem”


Requiring mirroring of personal data on Indian servers will not magically give rise to experts skilled in statistics, machine learning, or artificial intelligence, nor will it somehow lead to the development of the infrastructure needed for AI.

The United States and China are both global leaders in AI, yet no one would argue that China’s data localisation policies have helped it or that America’s lack of data localisation polices have hampered it.

On the question of foreign surveillance, data mirroring will not have any impact, since the Srikrishna Committee’s recommendation would not prevent companies from storing most personal data outside of India.

Even for “sensitive personal data” and for “critical personal data”, which may be required to be stored in India alone, such measures are unlikely to prevent agencies like the U.S. National Security Agency or the United Kingdom’s Government Communications Headquarters from being able to indulge in extraterritorial surveillance.

Reducing reliance on undersea cables is, just like reducing foreign surveillance on Indians’ data, a laudable goal. However, a mandate of mirroring personal data in India, which is what the draft Data Protection Bill proposes for all non-sensitive personal data, will not help. Data will stay within India if the processing happens within India. However, if the processing happens outside of India, as is often the case, then undersea cables will still need to be relied upon.


The RBI in April said in order to ensure better monitoring of payment service operators it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers/ intermediaries/third party vendors and other entities in the payment ecosystem.

All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India, it had said. The RBI further said data should include the full end-to-end transaction details, information collected/carried/ processed as part of the message/payment instruction.


The better way to keep data within India is to incentivise the creation of data centres and working towards reducing the cost of internet interconnection by encouraging more peering among Internet connectivity providers.

Given this, the recent spate of data localisation policies and regulation can only be seen as part of an attempt to increase the scope and ease of the Indian government’s surveillance activities, while India’s privacy laws still remain very weak and offer inadequate legal protection against privacy-violating surveillance. Because of this, we should be wary of such requirements, as well as of the companies that are vocal in embracing data localisation.