In Nirvana’s Frances Farmer will have her revenge on Seattle, Kurt Cobain sang, “I miss the comfort in being sad.” This sentiment echoes in India’s renewed engagement with data localisation under the Draft Digital Personal Data Protection (DPDP) Rules. Data localisation has been a perennial issue in India since the B N Srikrishna Committee’s 2018 report which strongly advocated for its adoption.

Simply, data localisation refers to the requirement that personal data be stored and processed within the country of origin, often aimed at safeguarding digital sovereignty, enhancing security, and improving domestic regulatory access. Although its rigid form was gradually diluted in the DPDP Act 2023, the recent revival of localisation under the DPDP Rules signals a return to familiar discussions. Like the ghost of an old debate, localisation has reappeared, raising questions about whether it truly safeguards or constrains India’s digital future. Perhaps there is a certain reassurance in revisiting this recurring issue, as it underscores the continuous balancing act between sovereignty and global integration.

Under Rule 12(4) of the DPDP Rules, “Significant Data Fiduciaries” are required to process specific categories of personal data domestically, as designated by a government-appointed committee. The only hint of data localisation in the Parent Act is a blacklisting provision, where Section 16(1) allows the government to restrict cross-border data transfers to specified countries.

India’s tryst with data localisation gained significant momentum with the recommendations of the Srikrishna Committee. The Committee’s report which laid the foundation for India’s data protection framework advocated for localisation as a means to protect national security, prevent foreign surveillance, increase foreign investment in digital infrastructure and enhance the enforcement of domestic laws. While acknowledging the economic and operational challenges of localisation, the Committee highlighted its importance in securing the personal data of Indian citizens and fostering digital self-reliance. Earlier iterations of data protection bills also included explicit localisation requirements. For instance, the Personal Data Protection Bill, 2019, mandated that sensitive personal data be stored within the country while allowing transfer under stringent conditions.

In 2018, the Reserve Bank of India mandated that payment system data be stored exclusively in India. While that directive addressed sector-specific concerns, its extension across diverse industries, as envisaged in the DPDP Rules, poses far-reaching challenges. Studies by institutions like the European Centre for International Political Economy estimate that localisation mandates could shrink India’s GDP by 0.8%, primarily due to increased compliance costs and barriers to international trade.

Limited access, lowered ambition

Moreover, localisation may or may not lead to increased foreign direct investment in digital infrastructure, but it undoubtedly raises concerns for Artificial Intelligence development. AI models thrive on diverse datasets for training, and restricting data flows could limit access to high-quality, global datasets. This could introduce biases into AI systems, reducing their accuracy and utility. By constraining data availability, India risks stunting its AI ambitions while attempting to secure its digital sovereignty.

Daniel Solove, in Understanding Privacy, underscores the importance of context-specific frameworks rather than one-size-fits-all mandates. The DPDP Act’s omission of a data categorisation system – differentiating between sensitive, critical, and non-sensitive data – limits its ability to craft proportionate rules. By imposing uniform localisation requirements, the Rules risk overregulating low-risk sectors while failing to address more critical vulnerabilities.

The European Union’s General Data Protection Regulation (GDPR) offers a pragmatic alternative by permitting cross-border transfers under strict safeguards. India’s pivot towards isolationist policies may deter foreign investment and stifle its aspirations to become a global technology hub.

While localisation aims to enhance security, it must be paired with robust infrastructure and cybersecurity measures to achieve its objectives.

The DPDP Rules hint at a sector-specific approach to localisation, which could mitigate some concerns, but without graduated categorisation and procedural transparency, this approach may fall short.

A more balanced framework would embrace international best practices. For instance, the EU-US Data Privacy Framework demonstrates how bilateral agreements can facilitate secure data flows without isolationist mandates. The DPDP Rules present an opportunity to redefine India’s digital future. However, their success depends on balancing sovereignty with openness, regulation with innovation, and security with rights.

(The writer is a student at the National Law School of India University, Bengaluru)