“The right of privacy is a fundamental right.

It is a right which protects the inner sphere of the individual

from interference from both State, and non-State actors and allows the individuals to make autonomous
life choices.” -Justice Sanjay Kishan Kaul

Data which is a critical asset is playing a fundamental role in development or enhancement of Indian
economy.

The laws such as Information Technology Act 2000 and the provisions of Indian Penal Code, 1860 are
insufficient for regulating and protecting the personal data of the people.

Personal Data can be said as a data through which an individual can be identified or is identifiable.
Identification can be either directly or indirectly.

Storing of data on any device which is physically found or present within the borders of a specific
country where such data was generated is called as Data Localization. Data localization is just an idea
stating that personal data of individuals of a particular country should be stored and processed within
that particular country. Its inference is that transfer of data across borders should be disallowed and
should be restricted. Generally those individuals who fear losing their data to hackers favour data
localization. As of now mostly all data is stored in cloud, outside India. It may include measures that
specifically prohibit information from being sent off-shore, prior consent of the data subject, and
mirroring of data domestically.

India is also a part of this tectonic change in data protection regime with the introduction of the draft
Personal Data Protection Bill, 2018 and various sector-specific reforms in that direction.

https://www.prsindia.org/billtrack/draft-personal-data-protection-bill-2018

http://www.mondaq.com/india/x/727550/data+protection/The+Personal+Data+Protection+Bill+2018+K
ey+Features+And+Implications

https://www.ey.com/Publication/vwLUAssets/ey-personal-data-protection-bill-2018/%24File/ey-
personal-data-protection-bill-2018.pdf

http://www.businessworld.in/article/The-Personal-Data-Protection-Bill-2018-An-Answer-To-India-s-
Data-Protection-Issues-/01-01-2019-165633/

https://www.thehindubusinessline.com/opinion/approach-data-localisation-with-
care/article24281271.ece

http://www.mondaq.com/india/x/739546/Data+Protection+Privacy/Data+Localisation+Indias+Policy+Fr
amework
https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf

https://scroll.in/article/890888/what-is-data-localisation-and-why-a-push-for-it-is-raising-concerns-
about-privacy-in-india

https://www.e2enetworks.com/data-localisation-india/

https://www.thehindubusinessline.com/opinion/columns/slate/all-you-wanted-to-know-about-data-
localisation/article25363062.ece

https://www.academia.edu/37900448/Data_Localisation_in_a_Globalised_World_An_Indian_Perspecti
ve

https://www.techopedia.com/definition/32506/data-localization

https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf

https://scroll.in/article/890888/what-is-data-localisation-and-why-a-push-for-it-is-raising-concerns-
about-privacy-in-india

Data localization

Data Localization in Existing Laws –

Presently, there are many provisions regarding data storage in India, they are:-

1. The Companies Act, 2013 –

The Companies (Accounts) Rules, 2014 specified under the Companies Act, 2013 provide that a
backup of the books of account and other books and papers of the company maintained in
electronic mode, including at a place outside India, if any, shall be kept in servers physically
located in India on a periodic basis.
2. The Payment and Settlement Systems Act 2007 –
According to Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007,
the Reserve Bank of India issued a directive mandating all payment system operators to store all
data relating to payment systems operated by them only in India.
3. The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 –
The Insurance Regulatory and Development Authority of India has vide the regulations as
mentioned earlier mandated that all original policyholder records be required to be maintained
in India.
4. Guidelines for Government Departments on Contractual Terms Related to Cloud Services –
The Guidelines issued by the Ministry of Electronics and Information Technology, Government
of India mandate all government department to include the following provision in their contract
while procuring cloud services: “The location of the data (text, audio, video, or image files, and
software (including machine images), that are provided to the CSP for processing, storage or
 hosting by the CSP services in connection with the Department's account and any computational
results that a Department or any end user derives from the foregoing through their use of the
CSP’s services) shall be as per the terms and conditions of the Empanelment of the Cloud Service
Provider.” The Guidelines as provide that the law enforcement agency as mandated under any
law for the time being in force may seek access to information stored on the cloud as provided
by the Service Provider. The onus shall be on the Service Provider to perform all due diligence
before releasing any such information to any such law enforcement agency.
5. The Foreign Direct Investment Policy –
The Consolidated FDI Policy (as effective from August 28, 2017), issued by the Department of
Industrial Policy & Promotion, also lays some requirements for keeping specific data in India for
entities engaged in the broadcasting sector. Annexure 7 of the FDI Policy details the conditions
required to be complied by the Indian companies engaged in broadcasting sector proposing to
raise foreign investment and provides that the ‘company shall not transfer the subscribers'
databases to any person/place outside India unless permitted by relevant law.'
6. The Unified License for Telecom Services –
The license agreement prescribed by the Government of India for grant of the unified license
contains the following specific restriction: “The Licensee shall not transfer the following to any
person/place outside India:- a. Any accounting information relating to the subscriber (except for
international roaming/billing) (Note: it does not restrict a statutorily required disclosure of
financial nature); and b. User information (except about foreign subscribers using Indian
Operator's network while roaming and IPLC subscribers)."
7. The Public Records Act of 1993 –
The Public Records Act, 1993 deals with regulating the management, administration, and
preservation of public records of the central government, union territories, public sector
undertaking, etc. The said legislation prohibits transferring of public records out of India without
the prior approval of the Central Government, except for official purposes. In addition to the
above, the requirement to store data locally in India has been included in a few proposed
policies and laws like the draft e-commerce policy, the draft e-pharmacy policy, the draft Digital
Information Security in Healthcare Bill, 2017 and the proposed amendment to the Drugs and
Cosmetics Rules, 1945 etc.
8. Draft Digital Information Security in Healthcare Act, 2018 –
The draft Act seeks to impose data localization concerning digital health data in India.
9. IT Act, 2000 –
Section 43A of the IT Act provides for the payment of compensation for failing to maintain
reasonable security practices in respect of sensitive personal data. The IT Rules issued in 2011
clarified the meaning of sensitive personal data and set out the norms for the collection,
disclosure, storage, and security of such information.

Sector Wise Distribution of data localization regulations in India-