Restrictions on Cross Border Data Exchange in India: A Good Move?

Nitya Jain, Institute of Law Nirma University


The unprecedented surge in the global digital market has made data a valuable asset for individuals, corporations and Governments. Cross-border data flows have shrunk the world, allowing people across the globe to have the same user experience on the Internet. However, the explosion in the volume of data has generated as much a threat to its misuse as it created opportunities for companies. Today few global big shot organizations dominate the digital economy and their model is centered around data. Greater access to data provides a greater digital capital to a corporation, granting it an advantage over its competitors. Owing to this disadvantage faced by the domestic and small scale organizations, most jurisdictions impose conditions on when and how data can be transferred, and consequently some resort to physical data localization requirements. A study by Mckinsey Global Institute found that in 2014 the direct impact of cross-border data flows had raised world GDP by 3 percent (worth about $2.2 trillion in 2014), which exceeded the contribution of trade in traditional goods in that year.

With mobile phone penetration projected to touch 90% and internet users touching 850 million by 2022, India’s digital economy opportunities are estimated at USD 1 trillion by 2025. Like other jurisdictions, India also aims to exercise greater sovereign control over their data.[1] Currently, India is implementing aggressive data localization laws, retaining the power to data for their domestic & small scale enterprises. Simply put, data localisation is the act of storing data on any device that is physically present within the borders of a specific country where the data was generated. The free flow of digital data, especially data that could impact government operations or operations in a region, is restricted by the governments of some countries. This article analyses the impact of data localization especially in the Indian market and consequently advocates the free flow of data.

Indian legal framework

India’s data localization gambit started when the Reserve Bank of India issued a directive to store data related to payment systems in India.[2] Since then, there have been 8 sectoral notifications restricting data flow in some form ranging from sectoral regulators governing insurance, healthcare, and e-commerce data.

The draft Personal Data Protection Bill 2019 (‘2019 Bill’) aims to regulate the cross border data flow in India. As per the draft Personal Data Protection Bill 2019. [3] The organizations that collect or process sensitive data in India and store it overseas should not share the information with any other entity, regardless of whether a consumer has given consent. Data export can only be carried out through limited routes.

One notable provision proposed by the bill was regarding the storage of “sensitive personal data” within India.[4] Contrary to the General Data Protection Regulation (EU-GDPR), which provides protection for all kinds of personal data in the context of data export and provides for various alternatives to transfer data, the Clause 41 of 2019 bill prescribes that – sensitive personal data can be only transferred abroad for the purpose of processing upon the fulfillment of certain elaborative conditions. The draft policy also exempts certain categories of data from restrictions on cross-border data flow. Owing to the new policy, multinational companies will be obligated to open new data centers, re-architect their network infrastructure, or use local cloud service providers.

While the Indian government and the domestic parties’ stands in support of data localization for the creation of high-value digital products in the country, the public policy verticals of Big Tech are engaged in protracted lobbying against data localization. For instance, Facebook and Google have openly opposed data localization and the US reportedly mulled restricting H1B visas for any country that has a data localization requirement. The multilateral debate on the free flow of data was showcased on an international level in July 2019 G- 20 summit when the BRICS countries including India releasing a strong statement emphasizing the sovereign right of nations to use data for improving citizen welfare while the US made a statement explicitly opposing data localization.

The Pros and Cons

On one hand, restricted cross border data flow is deemed to protect and develop Medium and Small Manufacturing Enterprises and domestic players from global companies that have firsthand access to data. Local hosting will ensure the safety of sensitive data and will support ‘make in India’ scheme by inviting multinationals to open new data centers, re-architect their network infrastructure, or use local cloud service providers. Further, there is a lack of cross border laws in the country. Indian legal mechanism is not equipped to handle cross border flow of data and a restricted approach works best in lieu of security.

On the other hand, free flow of data will enable Indian MSMEs to digitally engage with the global supply chain and customers that will save the time and cost. Widespread localisation norms coupled with a lack of existing data infrastructure in the country will reduce foreign investment.[5]As per the European Centre for International Political Economy study, imposing economy-wide data localisation requirements could reduce the Indian GDP by 0.8 percent and domestic investments by 1.4 percent and the loss per worker would be equivalent to 11 percent of the average monthly salary. A few authors studied that “any gains stemming from data localization are too small to outweigh losses in terms of welfare and output in the general economy”.[6] Further, given India’s dominant position in the business processing and outsourcing industries, restricting the data flow would appear detrimental to its national economic interests where India is aiming to become a global IT hub.

The free flow of data is a significant driver of innovation. It allows the sharing of ideas and information and the circulation of knowledge as well as collaboration among individuals and companies. Cross-border flows of data help reduce costs related to both trade and transactions. A report by the US ITC in 2014 estimated that the Internet reduces trade costs by approximately 26 percent on an average. In any case, despite posing the strongest resistance to data flow, large global players will be better positioned to absorb the additional costs of localisation compared to smaller players defeating the primary objective of the restrictions. While it has been argued that localisation requirements may ensure that Indian data continues to be available in the case of disconnection from the broader Internet, but this to be improbable and insufficient justification to impose broad localisation measures. At best, this may point to the need to localise certain particularly important or sensitive types of data.


The very recent Schrems Judgment reinforces the importance of secure user data exchange on international commerce. It was observed that data globalization does not translate to an insecure exchange of data. With a robust system of laws in place, the free flow of data will lead to a major boom in trade & commerce. The author opines that it would be premature for a developing economy like India to either opt for sweeping national data localization laws or completely dismiss their ability to do so by adopting sweeping ‘free flow of data’ provisions that are being proposed in trade negotiations.[7]

Indian government’s multidirectional aspirations of ‘Digital India’, ‘Make in India’ and ‘India as a global business hub’ requires avoidance of unidirectional policies. In my opinion, there is a clash between aspirations of the Indian government when the ‘Make in India’ scheme is faced with Increasing foreign direct investment plans and cross border data flow stands in the middle as the deciding factor. While there should be no rush to sign data free flow agreements, aggressive localization provisions incorporated in the policy will do more harm than good. Before introducing extreme localisation regulations India needs to develop equivalent data infrastructure. Eventually the cost of introducing broad and sweeping data localisation norms is likely to outweigh its benefits. India’s position on data localisation must ultimately be weighed against the government’s aspirations to create a ‘Digital India’ and the need for strategic thinking on whether a closed data economy or an open one would be more conducive to meeting those goals. Therefore, data localization is clothed with several challenges, which need to cogitate about in advance.

[1]Draft National e-Commerce Policy, issued by the Department of Industrial Policy and Promotion, dated February 23, 2019. See: pdf. On August 2, 2019, a similar draft policy to regulate e-Commerce entities was released by the Ministry of Consumer Affairs. (see:

[2]RBI’s Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators, dated September 17, 2019,

[3] The Personal Data Protection Bill, 2019 (Act of parliament No. 373 2019).

[4] Section 3, the Personal Data Protection Bill, 2019 (Act of parliament No. 373 2019).

[5]Data localisation in India: Questioning the means and ends, published by Rishab Bailey and Smriti Parsheera on October 31, 2018. See:

[6] European Data Protection Supervisor. (2014). Opinion on the commission communication on internet policy and governance – europe’s role in shaping the future of internet governance. European Data Protection Supervisor. (Retrieved from – 06 – 23 internet governance en.pdf).

[7] Supra Note 4.

Leave a Reply

Your email address will not be published. Required fields are marked *