India is poised to bring its first omnibus data protection law, the Digital Personal Data Protection Act 2023, into force. While the act has been passed into law, it is largely a principles-only statute that will be implemented through detailed executive rules, likely by the close of 2024.

The act diverges substantially from the draft bill publicized in 2019 on the point of data localization, also called data residency. Data localization essentially means that data is stored on servers in the country or region where it originated.

The draft bill created two protected classes of data: sensitive personal data, covering data such as financial data, health data, sex life and sexual orientation, and critical personal data, covering classes to be notified by the central government. It required that sensitive data be stored only in India and that critical data be processed only in India.

On the other hand, the DPDPA does not impose an unconditional localization requirement on any class of data. Instead, it adopts a liberalized "blacklisting" model under which the central government can notify specific countries to which data flows may be restricted, in contrast to the "whitelisting" (adequacy) model of the EU General Data Protection Regulation. The act also allows more protectionist, sector-specific regulations to govern localization.

The transformation of the bill into the DPDPA invites an inquiry into the value of data localization. Essentially, does localization even serve to further informational privacy?

The DPDPA, with its broad state exemptions and rulemaking powers, reflects a shift in Indian policy focus, from a rights-centric culture of privacy as seen in the draft bill to a balancing act between citizens' rights and state use of data in the act. While the full effect of this shift will only reveal itself in the awaited rules, the softening of data localization provisions reprioritizes privacy and innovation over state interventionism.

This analysis rests on two broad questions: what are the real consequences of data localization, and would they have met the stated objectives of the law; and what are the benefits of the sectoral approach finally adopted in the DPDPA?

Real consequences: Where does localization fail?

Per the thoughtfully drafted expert committee report on which the draft bill was broadly modeled, data localization norms were introduced to serve four goals: effective law enforcement, avoidance of foreign surveillance, economic benefit to Indians (including the growth of an AI ecosystem), and an adequate level of protection for Indians' personal data. However, strict data localization under the act would have undermined each of these policy objectives.

First, localization does little for law enforcement unless it is paired with a jurisdictional claim to access the protected data; storing data on Indian soil does not by itself give an agency a legal basis to read it. In any event, the act allows the state to exempt "any of its (state's) instrumentalities" from data-handling guardrails on grounds as nebulous as "sovereignty and integrity of India," and imposes excessive restrictions on online speech.

These exemptions, coupled with unconditional localization mandates, would have heightened state surveillance concerns, because state agencies would have had unhindered access to citizens' data held within their reach.

Localization also changes where data sits, not how well it is secured. India's capacity to secure domestically stored data is untested, and domestically stored data remains exposed to privacy-diminishing interventions by both state and non-state actors. In July 2024, a state-run telecommunications company's servers were breached; ironically, that undertaking is already subject to the localization norms operating in the Indian telecom sector.

Meanwhile, concerns around international surveillance are adequately met by less stringent means: targeted localization of narrowly defined sensitive data (payment systems data, as mandated by the Reserve Bank of India, the financial sector regulator), and encrypted storage or processing of the rest (as in the case of Aadhaar, India's national identity number system), which protects against the hosting jurisdiction only so long as the encryption keys remain under the data fiduciary's control.

Second, localization alone would not guarantee economic growth and innovation. According to research in the field, it does not necessarily increase domestic production of data centers and associated infrastructure, as India's negative trade balance in this area shows, nor does it confer any significant competitive advantage on domestic firms.

Importantly, innovation is driven not simply by access to data but by harnessing it. India's AI endeavors are "reactive interventions (for) shorter-term objectives," marked by impressive one-off success stories but with very limited scalability and no strategic approach. It is through strategic AI initiatives and fast-tracked supportive regulation that data access will translate into innovation. The fragmentation of data caused by geopolitical measures, including localization, may slow AI innovation.

Third, and significantly, enforcement of the act, and with it the central aim of data protection, seems to have only a tangential relationship to localization. The ability to enforce data protection law depends more on local registration of data fiduciaries than on localization stipulations, because local registration brings the data controller or processor squarely within the jurisdiction of the local data protection authority, whereas the physical location of a server does not.

Merits of sectoral approach

In principle, an omnibus free-data-flow approach, subject to the blacklist and deferring to sector-specific requirements, allows tailored regulatory safeguards for genuinely sensitive classes of data.

Global experience shows that certain kinds of data need heightened protection. Illustratively, the sensitive nature of health data warranted the passage of the European Health Data Space regulation despite the existence of the GDPR. Similarly, the Central Bank of the United Arab Emirates categorizes consumer and transaction data as sensitive and goes a step further by mandating its localization. The act gives primacy to sectoral data protection regulations. In India, such regulations already exist for several specific classes of data, such as payments data, sensitive telecom subscriber data and insurance-related data.

Relatedly, by making localization the remit of specialized regulators such as the Reserve Bank of India, the act improves the odds that these limited localization measures succeed. Sectoral data fiduciaries are already within the regulator's supervisory jurisdiction and can therefore be disciplined effectively when they default.

The Data Protection Board, the enforcement authority established under the act, has the power to investigate breaches of data-handling obligations and to impose fines on defaulting data fiduciaries or processors. The board cannot match that regulatory reach and grip on enforcement, at least at the outset: it is a new and untested body, and its case-by-case directions to defaulting entities will only gradually coalesce into a consistent approach.

Notably, these sector-specific requirements would not create the kind of coverage gap seen in the U.S., where, absent a federal data protection law, much of citizens' significant personal data falls outside any sectoral regime. In contrast, the act is a catch-all legislation that protects all personal data. Sector-specific provisions are simply layered on this foundation, creating the skeleton of a robust privacy ecosystem.

Takeaways

The DPDPA's diluted localization mandate is a positive development. A sector-based approach to a measure as restrictive as data localization balances state protectionism, citizens' privacy and innovation, particularly as the use cases for AI keep multiplying.

It is hoped that the central government's "blacklist" of countries will rest on a defensible basis, such as the GDPR's protection-adequacy standard, and not solely on political considerations.

Vrinda Pareek is an independent law and policy advisor based in New Delhi, India.