Data Localisation Mandates and Cross-Border Data Flows: Legal Implications for Indian Firms

Abstract
Data localisation, the requirement that data generated within a country be stored, processed, or mirrored
inside its territorial boundaries, has emerged as one of the most contested issues in contemporary information
law. Across jurisdictions, governments are framing localisation mandates to protect national security,
privacy, and sovereignty, while global corporations are advocating unhindered cross-border data flows to
preserve economic efficiency and digital innovation. India stands at a complex intersection of these interests.
The Indian economy’s rapid digitalisation, combined with its dependence on multinational service providers,
has triggered an intense legal and policy debate over how far localisation should go and what its
consequences will be for domestic firms. This paper examines the legal, regulatory, and economic
implications of data-localisation mandates for Indian firms in the context of cross-border data transfers. It
situates the discussion within India’s evolving data-protection framework, from the Information Technology
Act 2000 and its rules to the Digital Personal Data Protection Act 2023, and connects it to the global
contestations involving the General Data Protection Regulation in the European Union, the US CLOUD Act,
and emerging trade rules under the World Trade Organization and regional digital-trade agreements.
At the conceptual level, the paper argues that localisation is not a binary phenomenon of either open or
closed borders but a spectrum of regulatory techniques ranging from soft-law guidance to absolute data-storage
obligations. For Indian firms, especially those operating in finance, e-commerce, health-tech, and
information-technology-enabled services, localisation mandates affect compliance costs, data-management
strategies, contractual arrangements with foreign vendors, and exposure to multiple jurisdictions. The legal
uncertainty that accompanies India’s current transition from sectoral regulation to a unified data-protection
law generates compliance ambiguities, which could either strengthen domestic accountability or hinder
competitiveness. The abstract therefore synthesises the key research strands that this paper develops in detail:
first, to analyse how localisation norms interact with India’s constitutional commitments to privacy and free
trade; second, to evaluate the compatibility of Indian mandates with international legal obligations under
trade and investment agreements; and third, to assess the implications for firms’ governance models, data-processing
operations, and cross-border collaborations.