Key Terms & Concepts — UPSC Mains
Data Localisation
"The requirement that certain categories of data collected within a country must be stored and processed on servers physically located within that country's borders"
Data localisation (or data residency) is a regulatory requirement mandating that personal data, financial data, or other specified categories of data generated within a nation's borders must be stored, processed, and sometimes exclusively retained on servers or data centres located within that country. It stands in contrast to free cross-border data flows. Proponents argue it enhances national security, law enforcement access, and citizens' privacy; critics contend it increases costs, fragments the global internet, and harms innovation.
India's Digital Personal Data Protection Act (DPDPA), 2023 allows the government to restrict cross-border data transfers to notified countries. The RBI's 2018 directive mandating storage of all payment system data within India was a landmark data localisation measure. UPSC tests this under GS3 (Science and Technology — IT, cybersecurity) and GS2 (Governance — digital rights, regulatory frameworks). Data localisation intersects with digital sovereignty, trade negotiations (WTO e-commerce moratorium), and geopolitics.
- 1 RBI's Payment Data Localisation directive (April 2018) requires all payment system operators (Visa, Mastercard, PayPal) to store the entire data relating to payment systems in India — 'data at rest' must be within India
- 2 The Digital Personal Data Protection Act, 2023 (DPDPA) empowers the Central Government to notify countries to which personal data transfer is permitted; transfer to non-notified countries is restricted
- 3 The erstwhile Personal Data Protection Bill, 2019 (JPC version) had categorised data into personal, sensitive personal, and critical personal data — with critical data requiring strict localisation; the DPDPA simplified this framework
- 4 India's stance at WTO — India has resisted extending the WTO moratorium on customs duties on electronic transmissions, arguing that data localisation and digital trade rules must protect developing countries' policy space
- 5 Russia (Federal Law No. 242-FZ, 2015), China (Cybersecurity Law, 2017), and the EU (GDPR, with adequacy-based transfer mechanism) all have forms of data localisation
- 6 Cost implications — data localisation increases cloud computing costs by 30-60% for companies that must maintain local data centres, potentially harming startups and small businesses
- 7 National security argument — domestic storage ensures that Indian law enforcement can access data under Indian legal process, without depending on Mutual Legal Assistance Treaties (MLATs) or the US CLOUD Act
After the RBI's 2018 data localisation directive, Mastercard was barred from onboarding new customers in India (July 2021) for non-compliance — demonstrating that India was willing to enforce data localisation even against the world's largest payment networks.