Your go-to hub for Expert Insights,
Publications, and Resources on
data privacy and compliance

The Indian government continues to advocate for data localization under the Digital Personal Data Protection (DPDP) Act, emphasizing the need for robust data storage infrastructure within the country. This stance comes despite growing concerns from global tech giants over potential regulatory overreach and operational challenges.

At a recent gathering in Delhi, S. Krishnan, Secretary at the Union Ministry of Electronics and Information Technology (MeitY), highlighted the government's focus on building a “resilient internet” that can withstand global disruptions and maintain reliable connectivity.

“We are not saying there won’t be free flow of data. We have nothing against free flow of data,” Krishnan stated. “However, the data storage capacity is needed to handle the growing amount of data, especially with the rise of artificial intelligence and AI computing.”

The draft DPDP rules, which concluded public consultation on March 5, include mandates requiring significant data fiduciaries to comply with localization requirements for “specific” personal data. These mandates will be determined by a government-appointed data protection committee, with final approvals from the Central government.

Big Tech’s Concerns

Companies like Meta Platforms and Google’s India subsidiaries have voiced strong opposition to the draft rules. They argue that the introduction of a government-appointed committee to oversee cross-border data transfers could lead to unnecessary bureaucracy and regulatory overreach.

“The committee-based approach is not in line with the DPDP Act. The Act does not mention such a body,” said an executive from a major Big Tech firm, requesting anonymity. “It introduces additional complications in operations and increases costs, which could affect business efficiency.”

Another executive noted the challenges of a blanket localization approach, emphasizing the need for a more nuanced policy framework to ensure a uniform business environment.

The Government’s Position

While the DPDP Act allows the Centre to restrict data transfers to specific countries through notifications, it also permits sector-specific rules to take precedence. The government official stated that the forthcoming data protection committee will consult with industry stakeholders before making recommendations on data transfer restrictions.

Rohit Kumar, founding partner at policy think-tank The Quantum Hub, suggested that mandating localization for strategically sensitive data would be more practical. “Sectoral localization has already been successfully implemented, such as the Reserve Bank of India’s rules on sensitive financial data. A similar approach would balance user privacy with business needs,” Kumar said.

Looking Ahead

The final set of DPDP rules is expected to be notified within the next two to three months, with a two-year compliance window for businesses. Both government officials and industry experts anticipate some revisions to the draft rules to address stakeholder concerns.

Conclusion

As India continues to navigate the delicate balance between data sovereignty and global business interests, the coming months will be critical in shaping the country’s digital data landscape. The final rules will not only impact Big Tech operations but also set the tone for India’s role in the global data economy.

#DataLocalization #DPDPAct #IndiaTech #DigitalPrivacy #BigTech #DataProtection #CyberSecurity #TechPolicy #AI #DataSovereignty