The Legal Framework for Data Localisation and Cross-Border Data Transfer in India

This article is written by Ishika Kushwah, a third-year B.A.LL.B(H) student, SAGE University, Indore, during her internship at Ledroit India.

Content of the article

  1. Definition
  2. Types of data used in data localisation and cross-border data transfer
  3. Need for data localisation and cross-border data transfer
  4. Process of data localisation
  5. Process of cross-border data transfer
  6. Laws governing data localisation and cross-border data transfer
  7. How data localisation and transfers create privacy risks
  8. How privacy risks can be prevented
  9. Important case laws related to privacy in India

Keywords

Privacy risks, data transfer, sensitive personal data, Information Technology Act, 2000, government surveillance, encryption, cybersecurity, Puttaswamy case, foreign surveillance

ABSTRACT

Data localisation and cross-border data transfers have become essential parts of modern data governance, particularly in a digitally connected economy such as India. This article looks at the main ideas behind data localisation and how data moves across international borders, explaining the different kinds of data that are involved, such as personal data, sensitive data, non-personal data, and critical personal data.

It looks at the increasing importance of localisation in protecting national security, making sure data stays under local control, helping law enforcement, keeping sensitive information safe, and building up the country’s own digital systems. At the same time, it shows how important cross-border transfers are for international trade, new technology, working together between systems, saving money, and collaborating on cybercrime cases.

The article discusses how localisation and cross-border data transfers work, and it outlines the laws that regulate these activities in India, such as the DPDP Act, IT Act, IT Rules, and other regulations specific to different sectors. It also looks into the main privacy risks linked to both local data processing and data moving across borders, including dangers from centralised control, government and international monitoring, weak cybersecurity, and difficulties in enforcing regulations. Preventive steps like encryption, reducing data collection, making data unidentifiable, ensuring compliance, and incorporating privacy from the start are all highlighted as important ways to protect data.

Finally, the article includes important Indian court rulings—especially the Puttaswamy judgments—that established the constitutional basis for privacy and data protection, influencing the present regulatory environment. The article offers a thorough look at how the balance is changing between a country’s interests, people’s privacy, and the growing connection of digital systems worldwide.

1. Definition

Data Localisation

The practice of storing the data on any device that exists physically within the borders of the country where the data is generated.

Cross-Border Data Transfer

The transfer of personal or non-personal data from a server in one country to a server in another country.

2. Types of Data Used in Localisation & Cross-Border Transfer

A. Personal Data

It includes any type of data that can reveal the identity of an individual, such as name, contact number, email, and address.

B. Sensitive Personal Data / Critical Personal Data 

It includes sensitive information that a person tries to keep to themselves, such as financial information, health data, passwords, genetic data, religious or political beliefs, and biometric data.

C. Non-Personal Data

It includes data that is not used to identify any individual.

D. Critical Personal Data

Data that the government has, by notification, designated as critical to the national interest. It should be stored only in India, and its transfer is strictly prohibited.

3. Need for data localisation and cross-border data transfer

1. Need for data localisation

    – National security: Storing data in the country helps the government protect the critical personal data of individuals.

    – Sovereignty over data: Ensures that data generated in India remains within the borders of the country.

    – Faster law enforcement access: Data stored within the country helps investigations by giving quick access to the stored information.

    – Protection of sensitive personal data: Protects health, financial, biometric and other critical data that needs strict protection.

    – Economic benefits: Encourages investment in local data centres and promotes the creation of jobs and infrastructure related to new technology.

2. Need for cross-border data transfer

    – Worldwide Companies: Companies operating worldwide require data to cross borders for service provision, cloud computing and customer service.

    – International Trade and Industry: International data transfer plays a crucial role in e-commerce, the banking and insurance sectors, logistics and global supply chains.

    – Innovation and Technology: Cross-border data transfer allows access to international servers and global cloud providers, which promotes the use of artificial intelligence and advanced data analytics. Cross-border access significantly supports India-based start-ups and other industries, allowing collaboration with global partners.

    – Avoiding Internet Fragmentation: Cross-border transfer is the opposite of localisation; too much localisation leads to internet fragmentation, where the global internet can turn into separate, isolated national systems. Supporting cross-border data transfer helps build unified digital ecosystems through interoperable systems.

    – Lower Costs: Many businesses use global cloud services to host, store and manage data across multiple locations as needed. This in turn reduces operating costs and gives a higher level of reliability to the services they provide.

    – International Cooperation: Data transfer cannot be ignored. It may be needed to support international cooperation in cybercrime investigations, financial investigations and counter-terrorism efforts among the countries concerned.

4. Process of data localisation

– Requiring local servers: Businesses are required to establish data centres within India.
– Local storage copies: Even when processing takes place worldwide, many laws mandate that copies of important or financial data be retained in India.
– Export restrictions: Unless legal requirements are met, data cannot be sent outside of India.
– Government access: Law enforcement agencies can more easily access data held in India for investigative purposes.
– Certifications and compliance: Businesses need to create audits, privacy policies, transfer impact assessments, and adhere to standards such as ISO.

5. Process of cross-border data transfer

– Contractual provisions: Making use of data transfer agreements, privacy contracts, and Standard Contractual Clauses (SCCs).
– Rule of adequate protection: Transfers are only permitted if the recipient nation guarantees a comparable degree of data security.
– Transfers based on consent: Users may agree to send their personal information to servers located elsewhere.
– Security precautions: These include access control, anonymisation, and encryption.

6. Laws Governing Data Localisation & Data Transfer in India

A. Digital Personal Data Protection Act, 2023 (DPDP Act) – Main Law 

Section 16. Processing of personal data outside India.

(1) The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

(2) Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.

Explanation of the section:

It permits cross-border transfer of personal data, except to countries or territories that the government restricts by notification, keeping specific conditions in mind and focusing on data protection.

B. Information Technology Act, 2000 & IT Rules, 2000

Section 43A of the Information Technology Act, 2000: Compensation for failure to protect data. –

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation. – For this section, –

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Rule 7 of IT Rules, 2000. Transfer of information.

– A body corporate or any person on its behalf may transfer sensitive personal data or information, including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and the provider of information, or where such person has consented to data transfer.

C. Sector-Specific Laws

1. Reserve Bank of India (RBI) Regulations (2018) – Payment Data Localisation

2. Aadhaar Act (2016)

3. CERT-In Guidelines (2022)

7. How Data Localisation & Transfers Create Privacy Risks

The Privacy Implications of Data Localisation and Cross-Border Data Transfers

1. Privacy Risks Associated with Data Localisation  

While data localisation policies are intended to bolster security, they may inadvertently introduce significant privacy vulnerabilities:  

(a) Centralisation of Sensitive Data  

Consolidating extensive volumes of sensitive information—such as financial, health, and biometric data—within a single national jurisdiction creates a critical point of failure. In the event of a cyberattack on local servers, adversaries could gain access to vast datasets simultaneously.  

(b) Enhanced Government Surveillance  

Mandatory data localisation facilitates easier governmental access to citizens’ personal information, potentially resulting in excessive surveillance, misuse of data, or violations of the constitutional right to privacy as enshrined in Article 21.  

(c) Inadequate Local Cybersecurity Infrastructure  

Numerous countries, particularly emerging economies, may possess underdeveloped cybersecurity frameworks characterised by weak encryption protocols, obsolete systems, or insufficient technical expertise, thereby heightening the risk of data breaches.  

(d) Unauthorised Access by Domestic Authorities  

Multiple governmental and law enforcement agencies may seek access to locally stored data. In the absence of robust safeguards, such access could lead to misuse, including profiling, discrimination, or harassment.  

2. Privacy Risks Associated with Cross-Border Data Transfers  

The transfer of data beyond national borders also presents distinct privacy challenges:  

(a) Variability in Data Protection Standards  

Recipient countries may have comparatively weaker privacy regulations. Consequently, once data is transferred outside India, individuals may lose the protections afforded under Indian legislation, such as the Digital Personal Data Protection (DPDP) Act, 2023.  

(b) Foreign Government Surveillance  

Data stored abroad may be subject to access by foreign governments under their domestic legal frameworks, exemplified by statutes such as the United States CLOUD Act and the United Kingdom’s Investigatory Powers Act.  

(c) Potential Misuse by Foreign Entities  

Companies operating in jurisdictions with lax regulatory oversight may exploit transferred data for purposes including behavioural profiling, targeted advertising, unauthorised data sales, and manipulation of consumer behaviour.  

(d) Cybersecurity Vulnerabilities  

Cross-border data transmission exposes information to risks such as interception during transfer, cyberattacks on foreign servers, and insider threats within foreign organisations.  

(e) Challenges in Legal Enforcement and Control  

India’s jurisdictional limitations impede the enforcement of its data protection laws abroad, complicating efforts by individuals to obtain remedies or compensation in cases of data misuse in foreign territories.  

3. Combined Risks Arising from Concurrent Localisation and Cross-Border Processing  

In scenarios where data is both stored domestically and processed internationally, multiple vulnerabilities may arise, including:  

– Exposure to diverse security weaknesses across various storage and processing environments  

– An expanded attack surface for potential breaches  

– Legal ambiguities concerning the applicable jurisdiction and regulatory framework  

8. How Privacy Risks Can Be Prevented

– Strong encryption protects both stored and transferred data effectively. Evidence indicates that this approach helps prevent unauthorised access in various systems.

– Data minimisation requires collecting only what is truly necessary for operations. Studies show this practice reduces risks associated with excess information handling.

– Consent-based processing involves informing users clearly about the reasons for data collection. It appears that such transparency builds trust while complying with regulations.

– Cross-border transfer agreements must confirm adequate protections in the receiving country. Research suggests these measures mitigate potential vulnerabilities during international data flows.

– Regular audits and compliance checks occur to maintain standards over time.

– Anonymisation of sensitive data takes place before any export to enhance security.

– The DPDP Act establishes strict penalties for breaches, which could deter violations.

– Privacy-by-design incorporates safeguards directly into system architecture from the outset. This method seems to embed protections naturally throughout development processes.

9. Important Case Laws Related to Privacy in India

1. Justice K.S. Puttaswamy v. Union of India (2017) – Right to Privacy

The Supreme Court held that the Right to Privacy is a Fundamental Right under Article 21 (Right to life and personal liberty) and Part 3 (Fundamental rights) of the Indian Constitution.

The basis for all data protection laws in India.

2. Puttaswamy (Aadhaar) Case, 2018

Upheld Aadhaar but restricted data sharing.

Ensured security and restricted linking of Aadhaar to private services.

3. People’s Union for Civil Liberties (PUCL) v. Union of India, 1997 – Phone Tapping Case

In this case, the court held that the right to privacy is a part of Article 21 and that tapping a telephone violates this right to privacy, except in special circumstances and when governed by specific procedures.

Held privacy is part of Article 21 even before the 2017 judgment.

4. Shreya Singhal v. Union of India (2015)

Struck down Section 66A of the IT Act.

Strengthened protection against misuse of digital speech and monitoring.

5. K.S. Puttaswamy (Retd.) v. Union of India, 2019 – Data Protection Committee

Led to the formation of the Justice Srikrishna Committee on Data Protection.

CONCLUSION

The changing digital environment has made data localisation and cross-border data transfer key parts of India’s approach to managing data. As countries start to see data as a valuable resource, India’s strategy aims to safeguard national security, support economic development, and protect people’s privacy. Data localisation helps a country keep control over its information, allows police and authorities to get information more quickly when needed, and keeps important and private data safe from access by unauthorised people. At the same time, cross-border data flows remain very important for global trade, international cooperation, technological innovation, and the functioning of multinational digital systems.

However, both localisation and international transfers can cause major privacy and security issues, such as the vulnerability of centralised data, excessive government access, foreign surveillance, and weak protection rules in other countries. These risks show how important it is to have strong rules, good technological protection, and careful ways of handling data. India’s legal system, which includes the DPDP Act, IT Act, and other rules for specific sectors, tries to make sure that activities involving data follow the country’s constitution, especially the right to privacy that was confirmed in important court decisions like Justice K.S. Puttaswamy v. Union of India.

Going ahead, finding the right balance between a country’s interests, people’s rights, and connecting with the rest of the world online will need ongoing changes to laws, strict enforcement, better protection against cyber threats, and following privacy rules from the start. A well-coordinated and strong data governance system is important not just for protecting people’s privacy but also for allowing India to take part confidently and safely in the worldwide digital economy.
