India: The Debate – Data Localization And Its Efficacy

Last Updated: 17 September 2018
Article by Ashi Bhat and Suneeth Katarki

A. Introduction: Data localization is neither a new topic nor an under-argued one. The world stage has been lit with debates on this topic for quite some time now1. In 2013 when Edward Snowden, a former contractor with CIA, leaked to the media details of extensive internet and phone surveillance by American intelligence agency, establishing border control provisions on the internet gained an impetus2. China, Russia, Australia, Canada and several other countries have already adopted data localization provisions. In fact, Russia has already set an example of enforcement of its 'data border control' provisions against LinkedIn3 in 2016, and last year4 the Russian Data Protection Authority, Roskomnadzor, published its 2018 plans for conducting inspections of local companies' compliance with Russian privacy requirements including data localization requirement.

The recent report issued by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna5 ("Committee Report") and the Personal Data Protection Bill, 20186 ("Data Protection Bill") have set the topic sizzling in India again. The Data Protection Bill presently proposes (i) all personal data to which the law applies must have at least one serving copy stored in India, (ii) in respect of certain categories of personal data that are critical to the nation's interests, a mandate is intended to be made to store and process such personal data only in India such that no transfer abroad is permitted, and (iii) the Central Government will be vested with the power to exempt transfers on the basis of strategic or practical considerations.7

This article seeks to understand the various arguments extended by the proponents and opponents of 'data localization' with the aim to understand the implications of the provisions on restrictions on cross-border transfer of personal data proposed under the Data Protection Bill.

B. But first let's understand the technology: Internet is a fabric which weaves data across the world through an intricate network of codes, servers and processes. The core feature being 'seamless access', i.e., movement of data without restrictions and barriers. All web-based businesses like cloud computing8, the Internet of Things (IoT) and big data analytics, apart from the traditional storage, email and social networks, rely9 on the limitless supply of borderless, ubiquitous and on-demand network access. To manage data integrity, data security and speed, service providers use several processes for retrieving and sending data – including storing data in edge cache across borders or on shards10, replicating data for load balancing and storing data in multiple locations across the world to prevent data failure.

Dillion Reisman in his blog 'Where is your data, Really?: The Technical Case Against Data Localization'11 explains the principles driving web development as: "One of the main pillars of web architecture is performance: applications need to get data to users as fast as is reasonably possible. One way to accomplish this is to keep a copy of select chunks of data in "edge caches." Caches place the most in-demand content as close as possible to the end users who will want it, shortening the trip data has to take across the network. The cache network can strategically choose what data to include in cache based on changing demand and other factors. Thus, the expense of storing all data can be moved to a more centralized location while cheaper machines (possibly in different countries) can more quickly distribute data to their locale......Another principle driving the development web services is efficiency: there should be no wasted resources. To make more efficient use of their servers, a web service might replicate user data across multiple data centers in different regions. If one region sees more user activity and has trouble meeting demand, the network might instead route some user activity to a service's replica in a different region...... A web service can save crucial resources by processing data in batches on a set schedule. These operations don't necessarily need to have the same redundancy as other, more user-visible processes, so data can be copied to one single location that is responsible for all of the expensive work. That location might be any one of the data centers that the service operates around the world."

The common thread between all these processes is the ability of a service provider to rely on infrastructure across the world seamlessly. This allows service providers to scale as per user's requirement at a fraction of the actual cost which benefit is passed to the user. Thus, the pricing of web-services is intrinsically linked to the ability to use multiple servers and networks efficiently and strategically.

C. What is Data Localization? Due to the transient and pervasive nature of data on the internet, its security is constantly threatened and indeed been breached at several instances. Data localization is a measure adopted to give countries increased control over the data belonging to their citizens and residents in the interest of enforcing data protection regime set by the country and to secure the critical interests of the nation state. This is achieved by encumbering the transfer of data across national borders – including through rules preventing transmission of data outside the country, requiring a copy of the data to be stored within the country or tax on export of data, and enforcing applicable laws of the country vis-à-vis data security.12

D. The raging debate: Summarized below are the popular arguments on the topic:

S. No. Arguments for Data Localization in the Committee Report13 Arguments against Data Localization
1. Enforcement by local law agencies: A requirement to store personal data locally would boost law enforcement agencies' efforts to access information required for the detection of crime as well as in gathering evidence for prosecution. This is because it would be easier for law enforcement agencies to access information within their jurisdiction as compared to waiting for responses to requests made to foreign entities which store data abroad.

The Committee Report makes a disclaimer to the above argument that keeping server locally will not lead to a perfect compliance since despite being located physically in India, a conflict law question may arise if the country of the concerned entity's registration or any other country with which the entity or the claim is substantially connected, also asserts jurisdiction. However, the Committee Report clarifies that if personal data is within the India then the possibility of a foreign entity refusing access to such data would be reduced.

Safety of the data14: The irony of the enforcement argument is that restricting service providers to use the infrastructure within a limited geographical territory increases the threats to data security. This is because the internet enables centralized data storage and processing, taking advantage of economies of scale and a seamless, global internet. If, web service providers are unable to draw on the infrastructural architecture across the world, then the argument of data security and by extension data enforcement is undermined. Creating check-posts and border controls on transmission of data splinters the internet the core of which is interconnectedness into several clusters of networks. This balkanization of the net weakens the data security measures considerably.15

Data versus Data Center – Jurisdiction: Mere location of a data center within the physical jurisdiction of a country does not entitle law enforcement agencies to have better access to data held by such centers. Access to data depends on who has custody, control and possession of the actual data - and that may not necessarily be with the entity that provides the local hosting facility.

2. Avoiding resultant vulnerabilities of relying on fiber optic cable network16: A large amount of data is transmitted from one country to the other via undersea cables. The location of almost every undersea cable in the world is publicly available, which increases the risk of vulnerability of the internet and cross-border transfer of data.

Localizing data center does not curtail vulnerabilities: Data destruction doesn't always require a continent-scale event. The study by the Leviathan Security Group17 reports that in 2011, a slow water drip in a nondescript office building in Calgary, Alberta set off an explosion that caused days of computer outages for hospitals, ambulances, radio stations, taxis, and criminal justice facilities around the province.
3. Preventing foreign surveillance: Data relating to critical state interests must be drawn up for exclusive processing in India and any such obligations should be limited to it. All other kinds of data should remain freely transferable (subject to the conditions for cross-border transfer mentioned above) in recognition of the fact that any potential fear of foreign surveillance is overridden by the need for access to information. Thus, for prevention of foreign surveillance critical personal data should be exclusively processed within the territory of India.

Data Localization cannot stop foreign surveillance: Several foreign governments are reported to use sophisticated malware for data surveillance. Thus, physical access to the data storage or processing facilities is not technically necessary in order to conduct surveillance activities.

Threat of domestic surveillance:18 By extension of the same argument as the advocates of data localization, local government may exercise greater coercive power over domestic businesses storing data to circumvent legal protections.19

4. Cost of data protection trumps: All or most legal obligations give rise to economic costs for regulated entities and thus mere increase in costs cannot be reason not to introduce legal change. Rather, it must be shown that the costs incurred due to rules demanding local processing outweigh the benefits of such a requirement. This must be done while keeping in mind that the benefits run to the core objectives of data protection.

Building an AI ecosystem: In the coming years AI is expected to become pervasive in all aspects of life that are currently affected by technology and is touted to be a major driver of economic growth. Azmeh and Foster in their 2016 study, point out the benefits that developing countries can derive from a policy of data localization. These include: first, higher foreign direct investment in digital infrastructure and second, the positive impact of server localization on creation of digital infrastructure and digital industry through enhanced connectivity and presence of skilled professionals. Creation of digital industry and digital infrastructure are essential for developments in AI and other emerging technologies, therefore highlighting the significance of a policy of requiring either data to be exclusively processed or stored in India.
Cost of localization20: Reports suggest that the costs of effecting the data localization requirements are prohibitive. A few examples21:

i) The report from Levianthan Security Group shows that data localization measure raise cost of hosting data by nearly 30 % to 60%.

ii) The European Center for International Political Economy reported that enacted or proposed data localization policies in China, for example, would cost as much as 1.1% of its GDP: reducing domestic investment by 1.8%, exports by 1.7%, and welfare by the equivalent of 13% of each citizen's salary. The same report also stated that in the European Union, the costs would add up to .4% of its GDP, reduce investment by 3.9%, and result in welfare costs up to USD193 billion.

Cost of data breach: One must also consider the revenue leakage that will be unavoidable during the transition from the present set-up to a new regime. The 2018 Cost of a Data Breach: Global Overview study22 reports that the global average cost of data breach is already up to 6.4 percent over the previous year to USD 3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent per year over to USD148.

E. Conclusion:

Today, India is poised to write history in the story of evolution of the internet. The question of whether data localization provisions should be implemented, to what extent and their efficacy – must find its basis on the back of (i) a thorough understanding of the technologies and processes used for hosting data and providing services on the internet; and (ii) a study of the cost and value of a move of this nature. A lack of these critical knowledge will leave India with a hollow framework of laws which causes more loss than protection, and as Sir Arthur Conan Doyle, author of Sherlock Holmes, said "It is a capital mistake to theorize before one has data."


1  See 'Current Issues of Cross-Border Personal Data Protection in the context of Cloud Computing and Trans-Pacific Partnership Agreement: Join or Withdraw' by George Yijun Tian, available at; 'Data Localisation and the Balkanisation of the Internet' by Erica Fraser, available at; and also 'Data Localization Laws and their Impact on Privacy, Data Security and the Global Economy' by Bret Cohen, Britanie Hall and Charlie Wood, available at In 'Data Nationalism and Its Discontents' by Christopher Kuner, published in Emory Law Journal (2015), available at, the author points that the phenomenon can be traced back to the 1970s and 1980s, when in 1976 Brazil required the prior permission of a government board for the use of international computer networks (such as corporate networks and foreign databanks) that transferred or accessed data outside the country.

2 See and for the original scoop.

3 The Moscow City Court, upheld, on November 17, 2016, a lower court's decision to block access within Russia to Linkedin Corp's website, after finding the website operator in breach of the requirement to store the personal data of Russian citizens in Russia. See 'Roskomnadzor v. LinkedIn: a milestone for the Russian data protection regime' by Konstantin Bochkarev and Paulina Smykouskaya, PwC Russia, available at; Also see 'Russian Data Localisation Laws: Enriching "Security" & the Economy' published on February 28, 2018 authored by Matthew Newton and Julia Summers, available at

4 See 'Russia Partially Releases 2018 Data Privacy Inspection Plans' posted on November 28, 2017 by Natalia Gulyaeva, maria Sedykh and Bret Cohen, available at

5 Available at

6 Available at,2018.pdf.

7 See Chapter VIII on Transfer of Personal Data Outside India, in the Data Protection Bill. Section 40 of the Data Protection Bill provides the restrictions on cross border transfer of personal data. This Section stipulates that every data fiduciary must ensure storage, on a data server or data location in India, of at least one serving copy of personal data to which the Act will apply. The Central Government may, however, notify categories (other than sensitive personal data) as exempt from this requirement on the grounds of necessity or strategic interests of State to data. The Central Government has also been empowered to notify categories of personal data as critical personal data that must only be processed in a server or data centre located in India. Section 41 contains the conditions for cross border transfer of personal data (other than the notified personal data).

8 The Consultation Paper on Cloud Computing issued by Telecom Regulatory Authority of India, on June 10, 2016 available at, relies on the definition of cloud computing provided by National Institute of Standards and Technology (NIST, USA), US Department of Commerce. The NIST definition of cloud computing is: "a model for enabling ubiquitous convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

9 The four attributes of cloud computing as listed under the Consultation Paper on Cloud Computing issued by TRAI are – a) data intensive, b) resource pooling, c) scalability & rapid elasticity, and d) on demand access.

10 See 'Understanding Sharded Caching System' written by Lorenzo Saino, Ionnis Psaras and George Pavlon, Department of Electronic and Electrical Engineering, University College of London, which explain sharding as "a widely used technique to horizontally scale storage and caching systems and to address both processing and storage capacity bottlenecks. According to this technique, a large set of items is partitioned into set of segments, named shards, based on a result of a hash function computed on the identifier of the item. Each shard is then mapped to a physical storage or caching device. This technique practically enables to partition data across members of a cluster and to identify the member of the cluster responsible for a given item by simply computing a hash function."

11 See 'Where is your data, Really?: The Technical Case Against Data Localization', by Dillion Reisman, available at

'12 Data Nationalism' authored by Anupam Chander and Uyen P. Le, available at

13 See Chapter 6: Transfer of Personal Data Outside India of the Report issued by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna.

14 See 'The Harms of Forced Data Localization' by Frank Heidt dated February 25, 2015, available at

15 See para (b) (ii) under 'II. Exceptions to Free Transfer of Personal Data Outside India' at page 94 of the Committee Report, where it addresses the issue on 'Balkanization of the Internet and Domestic Surveillance and Censorship'. However, the argument there is centered around domestic surveillance, censorship and the freedom of speech.

16 >Ibid.

17 Ibid.

18 See

19 See 'Data Localisation and the Balkanisation of the Internet' by Erica Fraser, available at Also see the Committee Report which argues at page 95 that "While this argument has a certain intuitive appeal, on reflection it suffers from certain logical flaws. First, merely because data is located in a country does not render it vulnerable to censorship. If censorship is indeed made possible, it requires, in addition, a dysfunctional data protection law that allows governments the tools to facilitate such censorship. It is certainly not an automatic consequence of local retention or restriction to local processing." However, the Committee Report also argues that most technologies are US headquartered, and "Based on such access to the data or presence in a foreign jurisdiction, laws of foreign countries may potentially allow surveillance. This is not fear-mongering — the PATRIOT Act amendments to FISA have precisely this effect." Point to note here is that India also has similar surveillance laws. In fact a report titled 'For their eyes only: The commercialization of digital spying' published in 2013 by the Citizen Lab and Canada Centre for Global Security Studies Munk School of Global Affairs, University of Toronto reported that it had found command and control servers for FinSpy backdoors, part of Gamma International's FinFisher "remote monitoring solutions", in a total of 25 countries which included India also alongside the US and UK. The report is available here -

20 See 'Cost of Data Localisation: Friendly Fire on Economic Recovery' published in ECIPE Occasional Paper No. 3/2014, authored by Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel and Bert Verschelde, available at; Report on 'Measuring the Value of Cross-Border Data Flows' prepared by the Economics and Statistics Administration and the National Telecommunications and Information Administration, U.S. Department of Commerce, September 2016, available at; 'Quantifying the Cost of Forced Localization' by Leviathan Security Group (2015), available at; 'Tracing the Economic Impact of Regulations on the Free Flow of Data and Data Localisation' published in May 2016 by Matthias Bauer, Erik van der Marel and Martina F. Ferracane, available at

21 A summary of the various studies on cost implication from data localization is available here

22 Independently conducted by Ponemon Institute LLC, benchmark research sponsored by IBM Security and available at

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions