Data localization

Data localization denotes a regulatory mandate compelling enterprises to store, and sometimes exclusively process, data generated within a jurisdiction on servers physically located inside that jurisdiction. It rests on the doctrine of data sovereignty — the proposition that data is subject to the laws of the territory in which it is collected. The policy spectrum ranges from "soft" localization (a mirror copy must remain in-country while transfers are permitted) to "hard" localization (data may not leave the territory at all). The Reserve Bank of India's circular of 6 April 2018 on Storage of Payment System Data is a classic hard-localization instance, requiring payment-system operators to store transaction data only in India. The Justice B.N. Srikrishna Committee Report (2018) framed localization as essential to enforcement access, national security, and a domestic data-processing industry.

Operationally, localization rules attach to defined categories of data — "sensitive personal data," "critical personal data," financial data, or government data — and prescribe where each may reside. Mechanisms include in-country storage mandates, prohibitions on cross-border transfer absent adequacy findings or explicit consent, and requirements that copies be mirrored locally. Sovereign rationales are fourfold: securing law-enforcement and intelligence access to evidence without reliance on Mutual Legal Assistance Treaties (MLATs); protecting privacy under regimes the state controls; insulating critical infrastructure; and fostering domestic cloud and data-center capacity. Critics — including the WTO e-commerce negotiating bloc and the OECD — argue localization raises compliance costs, fragments the internet ("splinternet"), and may violate trade commitments on cross-border data flows under GATS and digital-trade chapters.

Comparative practice is instructive. China's Cybersecurity Law (2017) and Personal Information Protection Law (PIPL, 2021) impose localization on "critical information infrastructure operators" and require security assessments for outbound transfers. The EU's GDPR (Regulation 2016/679) is not localization per se but restricts transfers to third countries lacking "adequacy" (Articles 44–49), a logic sharpened by the CJEU's Schrems II judgment (2020) invalidating the Privacy Shield. Russia's Federal Law No. 242-FZ (2015) mandates that personal data of Russian citizens be stored on domestic servers. In India, the Digital Personal Data Protection Act, 2023 adopted a lighter "negative list" model — permitting transfers except to government-notified restricted countries — softening the RBI-era hard-localization posture; as of 2026 the Act's rules are being operationalized.

For the exam, data localization recurs in the GS Paper III domains of internal security, science and technology, and the economy, and in international-relations and global-economy papers for FSOT, CSS, BCS, and Guokao aspirants. Examiners test the privacy-versus-sovereignty-versus-trade trilemma: candidates should contrast the Srikrishna Committee and Puttaswamy (2017) privacy jurisprudence with the DPDP Act 2023, and situate India's stance against China's PIPL and the EU's adequacy regime. A common analytical prompt asks whether localization advances digital sovereignty or merely raises costs and Balkanizes the internet — answerable by citing named statutes, the WTO Joint Statement Initiative on e-commerce, and concrete sectoral mandates like the RBI payments circular.