Table of Contents

Introduction

A 2019 report by India’s Ministry of Electronics and Information Technology predicted that India could have a $1 trillion digital economy by 2025.1 It also acknowledged that this growth potential could only be realized if the country creates an enabling environment of policies, platforms, and partnerships suited to the “borderless” character of the digital world, in which “capital, innovation, data, and design capabilities flow . . . to countries that offer the fewest pain points.”2 But, despite these acknowledgments, the report did not remark further on the relevance of cross-border data flows for meeting its digital ambitions.

Yet the question of how to manage cross-border data flows is central to India’s digital future. After all, it is a country that has reaped significant benefits from being digitally connected and following an open market policy in this space, with the free flow of data being an integral part of that equation. But at the same time, it is also a country that is increasingly grappling with the challenges posed by unchecked data extraction, data monopolization, and barriers to lawful data access.

This dilemma has prompted a new wave of policy thinking, as reflected in debates on data governance and digital regulation, that signals India’s ambition to transition from a user to a controller of digital markets. India’s strategy of technological self-reliance combined with its frequent assertions of digital sovereignty are also reflected in its approach to cross-border data flows.3

Over the last two decades, India has benefited immensely from open practices enabling free cross-border data flows and the import and export of digital services. According to one study, digital trade generated $35 billion in economic benefits for India in 2019, and that figure was projected to rise to $512 billion by 2030, an amount equivalent to 10 percent of the country’s projected gross domestic product (GDP) at that point.4 At the same time, it is undeniable that the social and economic benefits of digital development are not evenly distributed within societies, between private actors, and among countries. To give an example, the revenues of six major U.S.-based technology companies in 2021 exceeded $1.4 trillion,5 which is more than forty times the size of India’s estimated benefits from digital trade in 2019. The data advantage that these large global players enjoy is a crucial component of their economic success.6 This realization is coupled with the limitations of regulatory and law enforcement control over international actors, concerns about privacy and security, and visions of supporting greater economic benefits for local companies. The confluence of all these factors has propelled state actors, in India and globally, toward more restrictive regimes on data flows.

Smriti Parsheera
Smriti Parsheera is a fellow with the CyberBRICS Project at Fundação Getúlio Vargas (FGV) Law School in Brazil. From 2016 to 2020, she was involved in setting up and led the technology policy work at New Delhi’s National Institute of Public Finance and Policy.

A report by the Information Technology and Innovation Foundation recorded a recent surge in regulatory requirements focused on data localization. These include directives that data be stored and/or processed within a country’s territory, either on an exclusive basis or through the local mirroring of data that is stored elsewhere. Whereas thirty-five countries had sixty-seven localization requirements in 2017, the authors found that there were sixty-two countries with 144 data localization restrictions in 2021.7 The report found that India has the second-highest number of such restrictions (behind China), including in areas like financial services, the provision of cloud services to government agencies, telecom subscriber data, company accounts, and public data.8 In addition to the measures already in force, a number of localization proposals are in the pipeline, most notably under India’s proposed data protection law, though this draft has been withdrawn for now.

The subject of cross-border data flows has also moved front and center in several international forums. This includes attempts at building a shared plurilateral position on data flows under the Group of 20’s (G20) Osaka Track and as part of the Joint Statement on Electronic Commerce initiated by a group of countries at the World Trade Organization (WTO).9 In addition to data flows for commercial purposes, new arrangements to enable access to data for law enforcement are taking shape through mechanisms like the Second Additional Protocol to the Budapest Convention on Cybercrime10 and the United States’ Clarifying Lawful Overseas Use of Data Act.11 Further, a 2019 United Nations (UN) resolution has paved the way to developing a treaty for “countering the use of information and communications technologies [ICT] for criminal purposes,” which will also cover issues of data access.12

India’s presence in forums like the G20 and the Global Partnership on Artificial Intelligence gives it the opportunity to be at the forefront of key international conversations on digital governance. Its position on data flows, however, stands apart from those of the other G20 members, most of whom have chosen to pursue international discussions on data flows under the Osaka Track.

India’s stated reasons for this difference revolve around its desire to maintain the space to formulate domestic policies on issues of digital governance and an insistence on more inclusive and multilateral decisionmaking. India’s position on data flows is also influenced by its roots in forums like the Group of 77 (G77) and the BRICS coalition alongside Brazil, Russia, China, and South Africa that allow New Delhi to represent developing and emerging world powers’ responses to the dominance of developed nations, including on matters of technology. But interestingly, and unlike India, others including China and Russia that also belong to the G77 or the BRICS have nevertheless opted to be a part of the Osaka Track. This suggests that, although India routinely relies on its groupings with other developing and emerging countries to assert its positions on issues of digital governance, such platforms may be more of a place to anchor its positions rather than the strategic impetus that brought the country there.

This analysis traces the main instruments and arguments that are driving India’s position on cross-border data flows with respect to domestic policies and international forums. It highlights how India’s unique position in this debate is being shaped by a mix of evolving domestic priorities and the multiple identities that the country straddles on the international stage.

The first section of this analysis outlines the actions and instruments shaping India’s current and proposed restrictions on cross-border data flows. The second section presents an overview of the drivers of data flow restrictions in India, as laid out in expert committee reports, regulatory directives, and other policy documents. The third section widens the lens of analysis from a local perspective to a global one by outlining the strategic and geopolitical dimensions of India’s participation in international conversations on data flows. The next section then looks beyond the issue of commercial data transfers to focus on the actions India has taken to facilitate law enforcement access to data through mechanisms like mutual legal assistance treaties (MLATs). The final section concludes with some suggested paths for reform.

India’s Current and Proposed Restrictions on Data Flows

Numerous policy documents have articulated the role of data in India’s socioeconomic development. This includes various forms of data, including personal and nonpersonal data, and data for various use cases, ranging from government functions to commercial purposes. In general, these discussions focus mainly on the benefits and risks of data processing and the need for regulatory or technical solutions to strengthen India’s data infrastructure.

But references to cross-border data flows tend to be rarer and are usually limited to proposed limitations on such flows, including in the form of localization norms. In this process, the real but invisible role of cross-border data flows in the success of India’s digital economy tends to be overshadowed by the equally real challenges posed by unhindered data flows, particularly for regulatory and law enforcement purposes.

For instance, the Indian Economic Survey of 2018–2019 dedicated a chapter to discussing the many benefits of data for policymaking, welfare delivery, and product innovation.13 It noted that these benefits are spurred largely by the decreasing marginal costs of gathering, storing, processing, and disseminating data. However, the chapter made no specific reference to the current market realities of cross-border data flows and the role they play in lowering the marginal costs of data storage and processing. Recent policy conversations—informed by the findings of the Gopalakrishnan Committee, which was set up by the Indian government in 2019 to develop the regulatory structure for nonpersonal data—follow a similar trend.14

The committee’s report speaks at length about the public benefits that can come from unlocking access to nonpersonal data (meaning information that is not personally identifiable, including anonymized personal data) and suggests a new regulatory structure to enable data access by government agencies and organizations registered in India. While discussing the process of value creation from data, the committee did not account for the role that cross-border flows have historically played and continue to play. Their treatment of the international character of data focused only on the data pools held by large multinational corporations and the resulting market dominance they hold.

The issue of cross-border flows has been more central in ongoing discussions on the regulation of personal data. A draft piece of legislation called the Personal Data Protection Bill, 2019, was introduced in the Indian parliament in December of that year, and a further modified version of the bill—the Data Protection Bill, 2021 (DP Bill)—containing the recommendations of a joint parliamentary committee was submitted in 2021, though the bill was subsequently withdrawn (see below). The bill contained several restrictions on cross-border flows, proposals that originated from the recommendations made by the Committee of Experts Under the Chairmanship of Justice B.N. Srikrishna (or the Srikrishna Committee), which prepared the first draft of the bill in 2018.15 In August 2022, India’s minister of electronics and information technology announced the decision to withdraw the pending bill.16 It is supposed to be replaced by a new draft, details of which are not yet publicly available, in the coming months.17

The Srikrishna Committee emphatically recognized that the “flow of data across borders is essential for a free and fair digital economy.”18 But the committee also noted that data flows cannot be seen as an “unadulterated good” as unchecked data transfers can generate substantial harm to individual privacy. The committee accordingly went on to suggest expansive restrictions on data flows, which included a requirement to maintain a live mirrored copy of all personal data in Indian territory. While the scope of the restrictions suggested by the Srikrishna Committee was curtailed in subsequent drafts of the bill, the implications of localization simultaneously evolved in light of other changes in the legislation. This includes the possibility of granting broad exemptions to select government agencies, such as law enforcement bodies, from “all or any” of the provisions of the draft law and the requirements relating to mandatory sharing of nonpersonal data.19

The Srikrishna Committee’s report cast the spotlight on data localization. The body of work that has emerged since then includes studies examining the motivations and policy processes behind localization,20 those questioning the framing of the debate in terms of economic value,21 and attempts at quantifying the effects of localization.22 Alongside this work, researchers have also examined the barriers and challenges of cross-border data access specifically in the context of law enforcement and the U.S.-India trade relationship.23 Building on this background, it is important to consider India’s internal moves and international positions on cross-border data flows both for law enforcement and commercial purposes.

Table 1 at the end of the chapter summarizes India’s restrictions on cross-border data flows as seen in various policy instruments and recommendations. It displays the type of data that is covered, the nature of the restriction, and the agency responsible for suggesting or implementing it.

Table 1 shows that India’s current restrictions on data flows can be grouped into four sectors or categories of data: data pertaining to financial services, data of telecommunications and broadcasting subscribers, corporate and compliance data, and government data. In addition, there are some cross-sectoral requirements, such as those pertaining to keeping logs of all ICT systems in India for 180 days and other policy proposals containing local storage and/or processing requirements for specific types of data.24 The proposals related to the regulation of personal and nonpersonal data stand out among them, in terms of the omnibus cross-sectoral nature of the proposed laws and the range of entities and individuals that would be affected.

However, the history of the localization debate in India indicates that not all proposals may translate into actual restrictions, at least not in the form originally proposed. As noted earlier, this has been the case with the localization recommendations in the DP Bill, which have gone through several iterations since the proposal was first raised by the Srikrishna Committee. Table 1 references two other examples from the healthcare and e-commerce sectors—the proposal for a Digital Information Security in Healthcare Act and the Draft National e-Commerce Policy—where it appears that the relevant agencies have decided not to act on these proposals for now.25 Yet it may be that the pursuit of localization has not been abandoned in these cases but only delayed with the expectation that the impending governance proposals on personal and nonpersonal data will take care of these interests. There are also other examples where the issue of local data storage came up for discussion but did not materialize as a concrete proposal, such as in the case of the National Telecom M2M Roadmap.26

The Drivers of India’s Position on Cross-Border Data Flows

In previous work co-authored with Rishab Bailey, this author noted that the arguments for and against cross-border data flows (or data localization more specifically) can be divided into three main categories: “civil liberties,” “government functions,” and an “economic perspective.”27 It is important, therefore, to describe each of these perspectives, placing them in the context of the arguments invoked in the policy instruments discussed in table 1.

This discussion needs to be prefaced with two overarching observations. First, these three categories are not mutually exclusive. On the contrary, they tend to be fluid and interconnected in the sense that the same action may have consequences that fall under more than one category. For instance, while the logic of data localization for easier law enforcement access is categorized under the government functions category, this consideration is also intrinsically linked to civil liberties. Accordingly, policy documents often invoke more than one perspective for the same action and may also call for the balancing of different interests. For instance, India’s draft National Geospatial Policy notes that the sensitivity of geospatial data has to be judged by weighing the security or strategic considerations against the potential contribution to the country’s socioeconomic development.28

Second, different stakeholders in the ecosystem tend to selectively rely on the perspectives that are most compatible with their commercial or ideological positions. Researchers at the Centre for Internet and Society mapped some of these broad trends based on their analysis of publicly available responses to the draft personal data bill put out by the Srikrishna Committee in 2018.29 They found that, while most civil society groups opposed the blanket data localization norms, some academic and civil society actors saw them “as a remedy for ‘data colonialism’ by Western companies and governments.”30 Industry players and associations also expressed differing positions. Foreign companies like Google and Facebook were opposed to localization on the grounds of trade restrictions and compliance costs, while players like Reliance, PhonePe, and Paytm supported the move for furthering data sovereignty and the security of financial services.31 Similarly, the views of different departments and agencies within the Indian government are shaped by their respective organizational priorities. Most of these differences in viewpoints are captured in the discussions that follow, though they are not necessarily disaggregated by stakeholder group.

Civil Liberties Perspective

The civil liberties perspective captures the link between data flows and personal liberty, autonomy, privacy and security, and the freedom of speech and expression. This is why regulations on cross-border flows often find a place in data privacy laws to ensure that the transfer of data from one jurisdiction to another does not diminish the protections guaranteed under domestic laws. In this respect, the Srikrishna Committee reasoned that a harmonious balance of mechanisms should be established for the protection of transferred data. This includes a mechanism for determining the adequacy of the transferee jurisdiction’s laws, standard contractual clauses, and consent of the affected individuals.32

The fact that conditional transfers under the (since-withdrawn) DP Bill were supplemented by mandatory localization requirements, however, merits closer scrutiny from a civil liberties perspective. Autonomy, which is an important facet of privacy, demands that individuals should be empowered to make informed, independent decisions about the treatment of their personal data, including contractual decisions about the manner and location of data storage. But the Indian Supreme Court, while recognizing the fundamental right to privacy, clarified that the right remains subject to various reasonable restrictions. It can be overridden by the state for the pursuit of a legitimate aim that is backed by law and that satisfies the test of proportionality as laid down in Justice K. S. Puttaswamy v. Union of India, a 2018 Supreme Court judgment that upheld the constitutional right to privacy in India.33 This case came up in the context of a challenge to the constitutional validity of India’s biometric digital identity project, Aadhaar. Since then, the Puttaswamy tests of legality, legitimate aim, and proportionality have been applied by courts in several contexts.34 Future courts may also be called upon to examine if the localization norms that India finally adopts would satisfy the Puttaswamy tests.

One component of such analysis should include assessing whether localization is the least intrusive means of achieving the state’s legitimate social, economic, and strategic goals. This involves the balancing of multiple interests, including the impact on domestic and foreign surveillance. Easier access to data for domestic law enforcement agencies is one of the main goals of localization from the state’s perspective. Yet localization without surveillance reforms would tilt the balance too far in favor of state access and against privacy rights. As discussed later, India’s current laws allow domestic intelligence and law enforcement agencies fairly unfettered data access. The DP Bill’s proposals on compelling certain categories of data to be stored or mirrored on Indian servers coupled with the exemptions suggested for state agencies would make data access even easier without corresponding safeguards for individuals.

Equally, the impact of localization on other freedoms, particularly the freedom of speech and expression, also needs to be considered. While the link between localization and free speech may not seem as apparent as in the case of privacy, localization can become a potent tool of censorship in the hands of the state.35 For instance, the Ministry of Information and Broadcasting recently announced the blocking of twenty-two YouTube channels under the new Intermediaries Guidelines Rules, 2021, on the grounds that they were spreading disinformation related to India.36 Data localization combined with existing tools of censorship would only increase the likelihood of voluntary or forced adherence to such demands by regulated entities.37

Restricting foreign surveillance is another stated goal of data localization. In 2014, India’s National Security Council suggested that “all email service providers” should be required “to host servers for their India operations in India.”38 This came up soon after the leaks by former U.S. contractor Edward Snowden brought to light the extent of foreign surveillance being carried out by the U.S. government and a few other states. While recognizing this as an important objective, the Srikrishna Committee also acknowledged that complete isolation from the internet in hopes of preventing foreign surveillance or meeting other security goals is not a feasible path for India.39 The committee, therefore, used the threat of foreign surveillance as the basis for recommending the exclusive local processing (and storage) of a narrower set of information deemed to be critical data, a term left for the government to define.

Some of the other instruments and proposals discussed in table 1 also refer to privacy and security-related considerations. For instance, the Reserve Bank of India’s Statement on Developmental and Regulatory Policies, which first announced the payments localization decision, spoke of maintaining the “safety and security of payment systems data . . . to reduce the risks from data breaches.”40 The Reserve Bank of India’s local storage requirement for video know-your-customer data, which involves sensitive biometric information, also stems from the need to store data safely and securely.41 Even the Gopalakrishnan Committee on nonpersonal data relies on the sensitivity of the underlying personal data as its basis for suggesting similar localization norms for nonpersonal data.42 But an overall reading of the report makes it clear that the committee’s recommendations focus primarily on the economic and strategic value of data with privacy featuring more as a collateral concern.

Government Functions Perspective

Three types of arguments are generally presented for restricting cross-border data flows to help the government perform its core functions. These are access to data for regulatory and law enforcement purposes, the preservation of national security interests, and data for informed policymaking.

The delays in accessing data stored in other countries for investigations and other law enforcement purposes features as a prominent justification for data localization in the Srikrishna Committee’s report and that of the joint parliamentary committee.43 Several of the sector-specific restrictions also focus on the need for data access to enable regulatory and supervisory monitoring. This is the case with the Reserve Bank of India’s payment localization directive, which calls for “unfettered supervisory access” to data to “ensure better monitoring,”44 and the Insurance Regulatory and Development Authority of India’s localization mandate for policyholders’ data in the name of regulatory access.45 Another example is the Indian Computer Emergency Response Team’s (CERT-In) mandate that certain organizations “enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days” with the same records maintained within India’s jurisdiction.46

The preservation of national security is another important justification in many of the Indian government’s policy instruments. The Srikrishna Committee raised the issue of safeguarding the country’s critical data from potential disruptions to the country’s internet infrastructure, such as an attack on an undersea cable.47 Beyond data protection, the localization mandate in some other instruments also stems from a national or systemic security perspective. For example, the localization provision in telecoms licenses “appears under the chapter on security . . . conditions, alongside other requirements relating to” national security and the public interest.48 This suggests that the rationale for the restriction stems not just from the protection of subscribers’ data but its broader implications for security interests. Similarly, the advisory issued by the CERT-In on the use of software as a service, which has been endorsed by the Securities and Exchange Board of India, aims to address the overall resilience of the financial sector’s infrastructure to cyber attacks.49

Lastly, policy documents like the National Data Sharing and Accessibility Policy50 and the recommendations on nonpersonal data by the Gopalakrishnan Committee mention the importance of data access for more informed decisionmaking by government agencies and the conducting of sovereign functions.51 These documents do not draw a specific link between these objectives and data localization. Yet their mention of localization requirements suggests that it is seen as part of a general toolkit to achieve the policy’s objectives.

Economics Perspective

The ability to extract the economic value of data that is generated in India factors prominently in data governance debates in the country. This is particularly true in the case of nonpersonal data, for which the committee’s recommendations are premised on a need to correct the imbalance that enables large digital businesses to reap outsized economic benefits from their control over data.52 In the case of personal data, too, both the Srikrishna Committee and the joint parliamentary committee have highlighted the economic value of data in terms of spurring local innovation, creating employment opportunities, attracting investments, and strengthening India’s domestic data center infrastructure.53 However, while making these assertions, the reports do not seem to go the full distance in terms of demonstrating how data localization presents a logical path toward meeting each of these ends.

The claim about generating employment opportunities is precisely an example of the failure to demonstrate this link. The joint parliamentary committee’s report points to the benefits of localization based on employment generation in the cloud storage market and the surrounding ecosystem. According to a table in the report, which is based on submissions to the committee, approximately 2,669 direct, indirect, and induced jobs can be expected to be created in India from the operation of large data centers to be established there by four leading companies—Amazon, Microsoft, Facebook, and Google.54 While this is not an insignificant number, and although this figure is supported by other studies of job creation on account of data centers, it is still a modest figure given the size of the Indian labor market. It is estimated that the Indian IT sector alone accounts for about 5 million direct jobs.55 The job estimates, therefore, do not demonstrate a strong case for mandatory localization on this basis.

The link between mandatory localization and data availability for boosting local innovation in artificial intelligence (AI) also merits closer scrutiny. Many have argued that the mere storage of data in India would not automatically make it accessible to researchers and businesses in the country.56 Yet recent developments suggest that the state may use other tools like regulations on nonpersonal data to compel data sharing by private entities. The DP Bill proposed that India’s central government would have the power to call upon any data fiduciary or data processor to provide any nonpersonal data for “better targeting of delivery of services or formulation of evidence-based policies.”57 The Gopalakrishnan Committee goes a step further in terms of broadening the purposes of such data requests and the entities that may make such requests. For instance, it would enable any organization registered in India to seek anonymized data about the sale of food items on an e-commerce platform or the starting time and duration of cab rides for research and innovation for the public good.58 But even if such requirements were to come into effect, local storage of the data is not a prerequisite for operationalizing data sharing. Moreover, the current draft of the proposals does not compel data sharing for business and commercial uses.

Economic Impact of Local Data Storage

To be clear, these caveats are not meant to suggest that the creation of local data storage infrastructure would not yield economic benefits. In fact, a 2018 report commissioned by Facebook offers evidence to the contrary. According to the report, Facebook’s four data centers “contributed a cumulative $5.8 billion in . . . [GDP] to the U.S. economy” between 2010 and 2016, an amount which translates to “$835 million per year.”59 A large portion of this amount (82 percent) was on account of the upfront capital investments for the construction of the data centers.60 This supports the hypothesis that having data centers located in one’s country generates significant economic benefits. The presence of such data centers may also generate efficiencies for local users of cloud services in the form of improved latency, meaning reduced time for the movement of data packets from source to destination.61

However, a distinction can be drawn here between situations where data centers emerge organically (influenced by geographic, economic, infrastructural, and political factors)62 and scenarios in which this decision is coerced through restrictions on cross-border data flows. The latter scenario would yield an independent set of consequences in terms of compliance costs for businesses and costs for the overall economy that need to be factored into an assessment of the economic effects. For instance, stakeholders have noted that localization may deter some companies, particularly smaller businesses, from having a presence in India. Such requirements could also create barriers for local Indian entrepreneurs that rely on tools offered by other companies, which may not be in a position to rapidly satisfy these localization requirements.63 In addition, the country’s contribution to normalizing policies on data localization will also bear cost and compliance consequences for its own entrepreneurs and businesses operating abroad. Policy documents that propose localization have, however, either ignored the possibility of negative effects on digital trade or dismissed the concern as being one of compliance costs, which will be trumped by “the size and potential of the Indian market.”64 But a granular estimation of the costs and benefits of localization and an evaluation of alternative, less intrusive options has been largely missing from Indian policy discourse.65

Some research studies have tried to fill this gap by modeling how restrictions on data flows would affect India’s trade prospects. For instance, researchers at the Indian Council for Research on International Economic Relations used “international internet bandwidth as a proxy for cross-border data flows” to estimate that a “1 percent decline in cross-border data flows [would] reduce [India’s] volume of trade by $696.7 million.”66 In another study, Carnegie India’s Anirudh Burman and Upasana Sharma deployed a multicriteria decisionmaking methodology to evaluate the suitability of different localization measures in the Indian context. They found that a requirement of local data storage coupled with the ability to process data globally “best meets the objectives of promoting economic growth.”67 However, the nature and extent of such benefits needs to be weighed against the overall costs of restricting cross-border data flows, which includes the social costs in terms of civil liberties.

Finally, many commentators have pointed to the disconnect between India’s data center readiness and its ambitions for data localization, which is contingent upon the availability of the underlying infrastructure. The state of India’s data center infrastructure has begun to change, however, with a surge in announcements of data center projects over the last few years.68 A part of this can be attributed to the threat of localization in various policy documents, which can be viewed as a type of tactical bargaining strategy by policymakers. Companies might be strengthening their local data infrastructure to ward off the threat of mandatory localization or, in some cases, to be better equipped to reap the economic gains from it. But these developments are also accompanied by a more serious focus in government policies on promoting data centers. In 2020, the Ministry of Electronics and Information Technology introduced a draft National Policy on Data Centers that identified five strategies for growth in the sector. This included suggestions for improving the ease of doing business and creating a favorable ecosystem by focusing on the electricity supply and backhaul connectivity.69 While the final policy has yet to be announced, earlier this year the Indian government announced the granting of infrastructure status to data centers, which will provide a boost to credit availability for the sector.70

The Geopolitics of India’s Stance in International Discussions

In addition to the three domestically focused perspectives discussed in the previous section, India also holds a distinct strategic viewpoint on cross-border data flows. This position is reflected in the country’s reservations about unhindered data flows that may jeopardize its domestic interests and an aversion to plurilateral arrangements that do not adequately reflect the voices and priorities of the developing world, a long-standing, central theme of India’s foreign policy.

Globally, there are at least two major initiatives underway related to the free flow of data for commercial and business purposes. The first is the Osaka Track, which advocates data free flow with trust (DFFT), an initiative championed by former Japanese prime minister Abe Shinzo aimed at building an international arrangement on cross-border flows to foster innovation and economic growth.71 The second is the WTO’s Joint Statement on Electronic Commerce, which includes the free flow of data.

Japan originally proposed the concept of DFFT at the World Economic Forum and later incorporated it into the declaration made by the G20 leaders in Osaka, Japan, in 2019. The declaration recognized the critical role of data as “an enabler of economic growth, development, and social well-being,” highlighting both the benefits of cross-border flows and the challenges posed by them.72 In another meeting held on the sidelines of the G20 meeting, a majority of the members (nearly all of them—including China—with the exceptions of India, Indonesia, and South Africa) opted for the Osaka Track of discussions.73 This represented a commitment by the signatories to participate in “international policy discussions for harnessing the full potential of data.”74

According to official statements, India has at least three main concerns with the Osaka Track. These include concerns about the country’s ability to retain the freedom to make its own independent domestic policy decisions on digital trade and data, particularly on data protection and e-commerce; a lack of clarity around the concept of DFFT and the disconnect between uninhibited data flows and India’s concerns of data access; and insufficient regard for the interests of developing countries in terms of equitable access to data and use of “data for development.”75 The last point connects with India’s general stance on favoring a multilateral consensus on key digital trade issues, with equal representation for developing countries, instead of having these discussions in plurilateral forums.76

The Osaka Track signatories also affirmed their support for the Joint Statement on Electronic Commerce initiated at the WTO meeting held in Davos in 2019. With this statement, seventy-six member countries, a number that has now grown to eighty-six, declared that they intended to hold “WTO negotiations on trade-related aspects of e-commerce.”77 India remains fundamentally opposed to these negotiations, which it regards as a way of circumventing the principles of multilateralism and consensus-based decisionmaking.78 New Delhi also believes that the current proposals on e-commerce would freeze an existing, unlevel playing field in favor of a few countries with globally dominant players.79 According to a joint statement released by India and South Africa, a negotiation process on e-commerce should either be approved by consensus or take the form of bilateral or plurilateral trade agreements outside the WTO.80 One of India’s former ministers of commerce and industry has noted that this position also aligns with the views of other members of the African Group.81

Similar views have also surfaced in other venues that India participates in. In an informal BRICS meeting held in 2019, the members affirmed their commitment to safeguarding the role of data for development and reiterated the place of the WTO as the appropriate forum for such work.82 India is also a member of the G77, a body that leverages the joint negotiating capacity of developing countries to pursue common economic interests.83 The group’s focus on inclusive and sustainable development has in the past led it to call out the substantial digital divides and data inequalities that exist in the current international system.84

Compared to its strong stance on e-commerce at the WTO, India has been more open to debating issues of cross-border data flows in bilateral and regional trade agreements.85 In early 2022, India entered into a comprehensive economic partnership agreement with the United Arab Emirates (UAE), an agreement that has a chapter dedicated to digital trade. This includes a provision on cross-border data flows, which reads as follows:

The Parties recognise the importance of the flow of information in facilitating trade, and acknowledge the importance of protecting personal data. As such, the Parties shall endeavour to promote electronic information flows across borders subject to their laws and regulatory frameworks.86

India’s willingness to endorse this text can be attributed to at least three factors: the limits of its language (which only requires attempts to promote free data flows), the inclusion of a clear exception for domestic laws, and the fact that this chapter was not included within the scope of the agreement’s dispute settlement provisions.87 More recently, India also agreed to negotiate a digital trade chapter with Australia pursuant to the Australia-India Economic Cooperation and Trade Agreement that the two countries signed.88 The negotiations on cross-border data flows will be particularly interesting given that Australia is one of the three countries leading the discussions on the Joint Initiative on Electronic Commerce.89

On the regional partnership front, despite reservations about the free data flow provision in the Regional Comprehensive Economic Partnership, India continued to participate in those negotiations.90 While it ultimately did not sign the agreement, this decision was made primarily on account of tariff issues. The reasons the Indian government offered for its walkout did not include a reference to data flows.91

As things stand, India seems unlikely to support the WTO’s Joint Initiative on Electronic Commerce though New Delhi appears to be more amenable to free flow discussions in bilateral and strategic partnerships. Further, the official statement made by the Indian minister of commerce after the Osaka G20 meeting noted that India did not join the track because its reservations were not accommodated. This does not, in theory, rule out future participation by India if the Osaka Track or a derivative of it evolves in a manner that can address some of New Delhi’s key concerns about clarity on the meaning of DFFT, reserving domestic policy space, and acknowledging the role of data for development. India’s 2023 stint holding the G20 presidency, during which it proposes to highlight the “issues and concerns of developing countries and emerging market economies,”92 presents an opportunity to move in that direction although the intertwining between the Osaka Track and the Joint Statement on Electronic Commerce will remain problematic for India.

Challenges With Law Enforcement’s Data Access

As more and more Indians use mobile phones and digital services, electronic evidence has become vital in many cases involving law enforcement. But India faces an odd dichotomy on the issue of data access for law enforcement. On the one hand, the current legal framework allows Indian intelligence and law enforcement agencies fairly broad powers of data access without adequate oversight and accountability.93 This includes a general authorization in the country’s criminal code for a police officer to call for any document or information required for investigating an offense.94 A slightly higher degree of protection is provided in cases of intercepted communications, but in such instances, too, access for law enforcement is possible without prior or subsequent judicial review, transparency, or independent oversight.95

On the other hand, despite the overreaching powers available to Indian law enforcement agencies, data requests are sometimes not fulfilled due to the cross-border character of how data are processed and stored on the internet. The ability of law enforcement agencies to access data is shaped by a mix of factors. These include the laws of the country requesting data access (in this case, India), the business entity’s home laws, and the rules applicable to the place(s) where the data are stored.96 A statistic that often comes up is that eight of the top ten websites in India (in terms of web traffic) are U.S.-based sites that store and process large amounts of their data outside India.97 This makes U.S. policies on data access, such as restrictions on third-party access to stored communications records, particularly relevant for India. In addition, access is also contingent on the nature of the data involved. For instance, basic subscriber information is generally easier to access than content data. Further, the technical design of end-to-end encrypted data, which is coded in a manner that can be deciphered only by the senders and receivers of the messages, makes it harder to access, even if the data were available locally.

Indian policymakers and law enforcement agencies have made various attempts to overcome frictions in seeking data access. Examples include the proposed carveouts for law enforcement and other government agencies under Sections 35 and 36 of the withdrawn DP Bill, the requirement placed on “social media intermediaries to trace the originator of a message or post if required by a court or competent authority,”98 and a centralized monitoring system that gives authorized state agencies unhindered access to the information that flows through communication networks in India.99 The centralized monitoring system, brought into effect through licensing conditions imposed on telecommunication service providers, requires those entities to connect their servers with the regional monitoring centers of the central system. Using this system, law enforcement agencies can directly carry out interception activities, subject to following the relevant processes under Indian law but without any involvement by the service providers.100 Each of these initiatives poses significant concerns from a privacy and civil liberties perspective, leading to impending challenges before various courts to the legality and proportionality of some of these measures.101

This research builds on the author’s previous work co-authored with Prateek Jha to focus only on actions targeted specifically at improving cross-border access by law enforcement.102 At present, Indian law enforcement agencies have two main routes for seeking data that is stored abroad. The first is to directly approach the entity that holds the data in question by following processes enacted by different companies for this purpose. For instance, Facebook (now Meta) reported that it received 40,300 user data requests from India between July and December 2020. The company provided some data in 52 percent of these cases.103

If the authorities fail to obtain the required information through this route or a direct request is otherwise not feasible, they can also send a formal request to the country that exercises jurisdiction over the data or the entity concerned. This can be done through cooperative mechanisms established under mutual legal assistance treaties (MLATs) or under a letters rogatory process, a formal request for assistance issued by an Indian court to a foreign court.104 India currently has MLATs with forty-two countries.105 A recent Indian parliamentary committee report revealed that, in 2021, India had 845 requests pending with various countries under these two processes.106 Over 50 percent of these pending requests were with the United States, the UAE, the UK, Switzerland, Singapore, and Hong Kong.107

Several research studies and news reports have highlighted complexities and delays in the MLAT process. According to a 2015 Economic Times article, an internal survey by India’s Central Bureau of Investigation found that on average an MLAT request took about forty months to be fulfilled.108 However, the submissions made by various government ministries before the Parliamentary Committee on External Affairs curiously did not highlight MLAT delays as a particularly major concern. While the committee itself raised the alarm about the 845 pending requests, its report does not contain any details about how long these requests had been pending or the reasons for these delays.109 The committee directed the Ministry of External Affairs to constitute a task force to look into the matter.

The relevant academic literature suggests that such requests can lead to delayed responses or refusals not only due to lengthy procedures in the corresponding country but also due to incomplete or poorly drafted requests. Furthermore, such requests may also tend to prompt refusals if they are raised on matters that do not qualify for such assistance, such as de minimis requests, which are deemed trivial or disproportionate in nature.110

Actions taken to improve the MLAT process include joint efforts at training and capacity building, including collaboration between India’s Central Bureau of Investigation and the U.S. Federal Bureau of Investigation.111 In 2019, India’s Ministry of Home Affairs also revised its comprehensive guidelines on this issue laying down step-by-step procedures and the recommended form and content of such information requests.112 Moreover, as discussed in the previous section, both the Srikrishna Committee and the joint parliamentary committee identified faster data access for law enforcement agencies as grounds for supporting data localization. Commentators, however, have questioned the use of localization as a solution to this problem, as local storage would neither override conflict-of-laws problems, including restrictions on data sharing imposed by a multinational corporation’s home jurisdiction, nor enable access to encrypted data.113

Further, when seeking alternatives to promote data access for law enforcement, there is a need to look to international instruments like the Budapest Convention, which gives member states the option of direct access to data under certain circumstances. India is not a signatory to the Budapest Convention, “which is the only binding international instrument” on cybersecurity at present.114 The reason for India’s position is that New Delhi regards the Budapest Convention as a regional European initiative that is not sufficiently broad-based to be internationally acceptable.115 This stance led India to support a 2019 UN General Assembly resolution introduced by Russia to work toward an international convention on countering the use of ICT for criminal purposes. This initiative, however, has been criticized for its failure to balance the interests of law enforcement and respect for fundamental human rights, a balance that many argue is better achieved under the Budapest Convention.116 Besides concerns about the proper balancing of such interests, progress on this resolution could also be negatively affected by the crisis created due to Russia’s invasion of Ukraine.

The report of the Parliamentary Committee on External Affairs chaired by P. P. Malhotra, the same member of parliament who chaired the joint parliamentary committee on data protection, made some interesting observations on this issue. Without specifically naming the Budapest Convention, the committee urged the Indian government to “secure the cooperation of countries with established multilateral and regional instruments of cooperation on cyber security protocols.”117 The committee also observed that, rather than pushing for localization “which is proving to be impossible in [the] near future,” the government should strengthen its cybersecurity laws and capabilities for now and then gradually proceed in the direction of data localization as a means of addressing power asymmetries in cyberspace.118 In its submissions to the committee, the Ministry of External Affairs noted that the government would examine the Budapest Convention more closely after deliberations on the DP Bill conclude.119 With the withdrawal of the DP Bill, such an examination is likely to be further delayed.

Three main observations can be drawn from these discussions. First, the issue of efficiency in relation to law enforcement’s data access is intrinsically linked to the broader need for safeguards and accountability in how law enforcement agencies use such data. Trying to solve one problem without addressing the other would lead to grossly suboptimal solutions from a human rights perspective. Second, the link between localization and access to cross-border data is not as simplistic or obvious as it is sometimes made out to be. Third, while India may continue to engage with the UN resolution process on developing a cybersecurity convention, the country needs to more seriously consider participating in existing mechanisms such as the Budapest Convention, which do more to respect rights and offer immediate solutions.

A Way Forward

The recent policy discourse in India reflects the country’s growing assertions of technological self-reliance and sovereignty in data governance. The same logic also extends to other avenues like the promotion of homegrown application programming interface solutions, the focus on domestic startups and unicorns, and the stricter regulation of online intermediaries. On a macro-level, these developments signal a desire to shift India’s position from being just a large digital user to having a more controlling stake in shaping digital outcomes. The country’s position on cross-border data flows must be seen in the context of this larger debate.

India’s unique position on cross-border data flows is shaped by a mix of domestic priorities and the multiple identities that it straddles on the international stage. This analysis began by discussing the instruments and arguments that are driving India’s policies on cross-border data flows. Current restrictions on data flows are concentrated in financial services, telecommunications and broadcasting, corporate and compliance records, and government data. In addition, India has had a vibrant policy debate over the last few years on the localization of personal data, and, more recently, nonpersonal data. This is indicative of a shift toward more wide-ranging and cross-sectoral localization norms.

This analysis examined the justifications offered for these moves through the lens of various motivations, including preserving privacy and civil liberties, performing state functions, developing the local economy, and addressing geopolitical and strategic considerations. It finds that the case for restrictions on data flows on these grounds is generally based on assertions, not robust evidence. When such justifications are supplied, policy documents rarely demonstrate how data localization presents a logical path toward meeting the desired ends or how the perceived benefits stack up against the social and economic costs of localization. The committee reports on data protection do a better job of engaging with these issues compared to the sectoral localization mandates. But even in the committee’s report, the link between local data storage and goals like promoting local AI innovation or ease of access by law enforcement agencies for all types of data has not been adequately demonstrated.

The practice of offering multiple explanations or claimed advantages for the same policy poses another problem. This approach misses the fact that the varied objectives behind a policy move could often conflict with one another. The tussle between the goals of easier data access for surveillance and law enforcement purposes and the risks of curtailing privacy and other civil liberties is a case in point. Similarly, broad surveillance powers for the Indian government could deter foreign firms from setting up cloud servers in India or utilizing Indian ICT service providers, and these consequences would conflict with the economic goal of creating a vibrant data market in the country. For instance, ExpressVPN recently became the first virtual private network provider to remove its servers from India. It made this decision in response to the intrusive data requirements imposed by the government’s new CERT-In directive on cybersecurity.120 In addition, having such a multiplicity of objectives can blur accountability by making it possible for agencies to pick and choose varying explanations for their actions in different contexts. This issue is compounded by the lack of tools for systematically measuring the consequences and effects of such policy moves.

In debates on international data flows, meanwhile, India’s positions are being shaped by interactions between the country’s stated priorities and its assertion of its identity as a developing country. India has been a vocal critic of unhindered free flow of data, which the Indian government believes fails to account for emerging economies’ developmental interests. This stance led New Delhi to opt out of the G20’s Osaka Track and the Joint Initiative on Electronic Commerce, although the Indian government appears to be more open to discussing data flows in bilateral and regional trade agreements.

While there are several country-specific nuances at play, global differences on the free flow of data can crudely divide countries into two categories. Members of the first group prioritize the idea of data for innovation and economic growth, viewing growing restrictions on data flows as a barrier to trade. In contrast, the second group focuses on the role of “data for development,” treating data as a form of national wealth that needs to be safeguarded from external exploitation and made available for domestic requirements.121 Reaching a reconciled understanding between these positions, while difficult, is possible provided that all viewpoints are brought to the table. India will have the opportunity to take a lead in facilitating such an open and nonbinding discussion during its upcoming stint holding the G20 presidency. However, this would be feasible only if such discussions can take place outside of the current design of the Osaka Track since participation in the track indicates that a country endorses the WTO Joint Statement, which India strongly opposes.

On the issue of data access for law enforcement, this analysis highlights an odd dichotomy whereby Indian law enforcement agencies on the one hand enjoy wide, unchecked legal powers of data access but, on the other hand, conflict-of-laws prevent them from freely accessing data under the control of foreign corporations. Any move to reduce frictions in access to foreign data, whether through localization or international agreements for direct data access, must therefore be accompanied by domestic surveillance reforms. Failing this, easier data access would only exacerbate the privacy and human rights concerns in India’s current surveillance framework. Keeping in mind this overarching recommendation, the following moves can be considered for improving the existing systems of data access for law enforcement purposes without coercive localization.

First, these practices can be made more efficient and consistent if the government publishes the formats and protocols for sending direct information requests to service providers, similar to the guidelines for MLAT requests. This may be accompanied by the creation of a streamlined technical architecture to monitor the authentication and flow of such data requests in a standardized and secure format.122

Second, the Indian government should initiate bilateral dialogues with countries like the United States, the UK, and Australia that are among India’s key digital partners. The purpose of such dialogues would be to tangibly improve the mutual assistance process. This may include joint training programs, resource and time commitments for the handling of data access requests from abroad, and other capacity-building measures. Drawing on the recommendations of the Parliamentary Committee on External Affairs, India would also benefit from the creation of a task force to evaluate the implementation of its MLAT guidelines and identify the duration of and reasons for undue delays and rejected requests.

Third, the Indian government ought to create a multistakeholder task force to evaluate the pros and cons of international agreements on direct data access and formulate India’s position on this issue.123 This could be the same body as the one referred to above or a different one, the critical consideration being to ensure representation from a “diverse group of stakeholders, including representatives from different government departments, the private sector, civil society organizations, and experts in international law.”124 Further, while India may continue to engage with the UN resolution process on developing a cybersecurity convention, it needs to more seriously consider participating in existing mechanisms like the Budapest Convention.

In conclusion, effective and consistent data policies that enable Indians to fully engage in the global economy will benefit Indian users and the businesses serving them as well as the country’s burgeoning start-up ecosystem, with an eye toward global markets. India enjoys a unique position as an emerging digital power, a strategic digital partner to several advanced economies, and a country that shares its developmental priorities with large parts of the developing world. Its ability to reach a nuanced response on the issue of cross-border data flows is therefore important not just for achieving its own economic, strategic, and human rights ends but also in terms of the possibility of bridging the global divide on governing cross-border data flows.

Table 1. India’s Current and Proposed Restrictions on Cross-border Data Flows
Data Type Agency Instrument Requirement Status
Financial Sector Data
Insurance policyholder records Insurance Regulatory and Development Authority of India Outsourcing of Activities by Indian Insurers Regulations, 2017125 “In cases where Insurer outsources to the service providers outside India, the Insurers shall ensure . . . compliance with respective local regulations [and that] . . . regulatory access and oversight by the Authority [are not impeded]. All original policyholder records continue to be maintained in India.”126 In effect
Payments data Reserve Bank of India Directive on Storage of Payment System data, 2018127

A related webpage with frequently asked questions (FAQs) on storage of payment system data128
All data related to payment transactions is to be “stored in a system only in India.”129

The FAQs webpage clarified that data can be processed abroad but has to be deleted within twenty-four hours and stored only in India.

There is an exception for “data pertaining to the foreign leg of [a cross-border] transaction [that] can be stored outside the country.”130
In effect
Video know-your- customer verification data Reserve Bank of India Amendment to the Master Direction on Know Your Customer, 2021131 Entire data and recordings of the video customer identification procedure are to be stored in systems located in India. In effect
Communications and Broadcasting Data
Telecoms subscriber data Department of Telecommunications Unified License Agreement entered into between the Department of Telecommunications and telecommunication service providers132 Restrictions on transferring any “accounting information relating to [a] subscriber” or “user information” to “any person/ place outside India.”133

Exception for transfers made for international roaming and billing purposes.
In effect
Broadcasting subscriber data Ministry of Commerce and Industry’s Department for Promotion of Industry and Internal Trade Consolidated Foreign Direct Investment Policy, 2020134 Foreign direct investment is subject to the condition that “the company shall not transfer . . . subscribers’ databases to any person/place outside India unless permitted by relevant law.”135 In effect
Corporate and Compliance Data
Books of companies’ accounts Ministry of Corporate Affairs Companies (Accounts) Rules, 2014136 “Back-up of the books of account and other books and papers of the company maintained in electronic mode . . . shall be kept in servers physically located in India.”137 In effect
Risk and compliance data of financial institutions Securities and Exchange Board of India
based on an advisory by CERT-In
Advisory for Financial Sector Organizations Regarding Software as a Service (SaaS) Based Solutions138 Financial institutions utilizing software as a service must keep critical data relating to risk, audits, and compliance within the legal boundary of India. In effect
Government Data
Public records Parliament,
National Archives of India, and the Ministry of Culture
Public Records Act, 1993139 Prohibits anyone from “tak[ing] or caus[ing] to be taken out of India any public records without the prior approval of the central government.” Approval is not needed if the document is “sent out of India for any official purpose.”140 In effect
Cloud storage of government data Ministry of Electronics and Information Technology Guidelines for Government Departments on Contractual Terms Related to Cloud Services141 Empanelment conditions for providing cloud services to the government require that “data center facilities and the physical and virtual hardware should be located within India.”142 In effect
Shareable data held by the Indian government Department of Science and Technology National Data Sharing and Accessibility Policy, 2012143 The policy’s implementation guidelines state that the open government data platform is to be managed and hosted at the National Data Centre of the National Informatics Centre. In effect
Cross-sectoral Application
Logs of all ICT systems Indian Computer Emergency Response Team (CERT-In) Directions under Subsection (6) of Section 70B of the Information Technology Act, 2000144 “All service providers, intermediaries, data centres, body corporate and government organisations” need to keep ICT system records in India “for a rolling period of 180 days.”145 In effect
(An extension on some aspects has been granted until September 2022)146
Sensitive personal data Ministry of Electronics and Information Technology Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011147 Transfer of data is allowed only “if it is necessary for the performance of [a] lawful contract” or with the person’s consent.148 In effect
Personal data, sensitive personal data, and critical data Ministry of Electronics and Information Technology

Joint parliamentary committee on data protection
Personal Data Protection Bill, 2019 and DP Bill (2021)149 Mirroring requirement for all sensitive personal data and critical data, which has to be stored and processed only in India. Proposed by the Srikrishna Committee

(The DP Bill has now been withdrawn with plans to introduce a new draft.)
Nonpersonal data derived from personal data Gopalakrishnan Committee Report by the Committee of Experts on Nonpersonal Data Governance Framework, 2020150 Nonpersonal data “shall inherit the sensitivity of the underlying personal data for storage requirements as specified in the [data protection bill].”151 Proposed
Other Proposals
Healthcare data Ministry of Health and Family Welfare Digital Information Security in Healthcare Act, 2018152 Proposed the creation of a National Electronic Health Authority that would have the power to enact protocols for the exchange of digital healthcare data with other countries.153 No specific localization requirement. Proposed
(but the draft law has been abandoned)
E-pharmacy data Ministry of Health and Family Welfare Draft Drugs and Cosmetics (Amendment) Rules, 2018154 “The E-pharmacy portal shall be established in India . . . and shall keep the data generated localised.” Data are not to be “sent or stored . . . outside . . . India.”155 Proposed
E-commerce data Ministry of Commerce and Industry’s Department for Promotion of Industry and Internal Trade Draft National e-Commerce Policy, 2019156 Restrictions on flow of “data collected by [Internet of Things] devices installed in public places . . . [and from] various sources including e-commerce platforms, social media, search engines etc.”157 Proposed
(but the localization provisions have reportedly been abandoned)
Geospatial data Department of Science and Technology Draft National Geospatial Policy, 2021158 The draft notes that the government does not intend to restrict the export of maps and geospatial data subject to the threshold values and negative lists to be specified by the department.159 Proposed

Notes

1 Indian Ministry of Electronics and Information Technology, “India’s Trillion-Dollar Digital Opportunity, Indian Ministry of Electronics and Information Technology, 2019, https://web.archive.org/web/20220604181319/https://www.meity.gov.in/writereaddata/files/india_trillion-dollar_digital_opportunity.pdf.

2 Ibid., 9.

3 For instance, the report by the joint parliamentary committee encourages a push for sovereignty by noting, “India may no more leave its data to be governed by any other country.” See Joint Committee on the Personal Data Protection Bill, 2019 (Joint Parliamentary Committee), Report of the Joint Committee on the Personal Data Protection Bill, 2019 (New Delhi: Lok Sabha Secretariat, December 16, 2021), 41, http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf.

4 Hinrich Foundation, All India Management Association, and AlphaBeta, “The Digital Opportunity: The Promise of Digital Trade for India,” 2019, 17, 24, https://alphabeta.com/wp-content/uploads/2019/08/digitrade_india.pdf.

5 Chaim Gartenberg, “Big Tech’s 2021 Earnings Were Off the Chart,” Verge, February 11, 2022, https://www.theverge.com/2022/2/11/22925859/big-tech-companies-2021-earnings-record-revenue-apple-amazon-alphabet-meta.

6 Urvashi Aneja and Angelina Chamuah, “A Balancing Act: The Promise and Peril of Big Tech in India,” Tandem Research, 2020, https://www.responsibletech.in/post/big-tech-in-india; and Richard Blumenthal, Brian Schatz, Ron Wyden, Elizabeth Warren, and Christopher A. Coons et. al., “Letter to FTC Chairperson Lina Khan,” September 20, 2021, https://www.blumenthal.senate.gov/imo/media/doc/2021.09.20%20-%20FTC%20-%20Privacy%20Rulemaking.pdf.

7 Nigel Cory and Luke Dascoli, “How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them,” Information Technology and Innovation Foundation, July 19, 2021, https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost.

8 Ibid.

9 Japanese Ministry of Foreign Affairs, “Osaka Declaration on Digital Economy,” Japanese Ministry of Foreign Affairs, https://www.mofa.go.jp/policy/economy/g20_summit/osaka19/pdf/special_event/en/special_event_01.pdf; and World Trade Organization, “Joint Statement on Electronic Commerce,” World Trade Organization WT/L/1056, January 25, 2019, https://docs.wto.org/dol2fe/Pages/SS/directdoc.aspx?filename=q:/WT/L/1056.pdf&Open=True.

10 The Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence was adopted in November 2021. See Council of Europe, “Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence,” Council of Europe, May 12, 2022, https://rm.coe.int/1680a49dab.

11 U.S. Department of Justice, “CLOUD Act Resources,” U.S. Department of Justice, August 17, 2022, https://www.justice.gov/dag/cloudact.

12 United Nations (UN) General Assembly, “Countering the Use of Information and Communications Technologies for Criminal Purposes, Resolution Adopted by the General Assembly,” UN General Assembly A/RES/74/247, December 27, 2019, https://digitallibrary.un.org/record/3847855?ln=en.

13 Indian Ministry of Finance, “Data ‘of the People by the People, for the People,” in Economic Survey 2018–2019 1 (2019): 78–97, https://www.indiabudget.gov.in/budget2019-20/economicsurvey/doc/vol1chapter/echap04_vol1.pdf.

14 Indian Ministry of Electronics and Information Technology and Committee of Experts on Non-Personal Data Governance Framework (Gopalakrishnan Committee), “Report by the Committee of Experts on Non-Personal Data Governance Framework,” Indian Ministry of Electronics and Information Technology and Gopalakrishnan Committee, December 16, 2020, https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf. An earlier version of the committee’s recommendations was put out for public comments in July 2020. See Indian Ministry of Electronics and Information Technology and Gopalakrishnan Committee, “Report by the Committee of Experts on Non-Personal Data Governance Framework,” Indian Ministry of Electronics and Information Technology and Gopalakrishnan Committee, 2020, https://ourgovdotin.files.wordpress.com/2020/07/kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf.

15 Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (Srikrishna Committee), A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, (New Delhi: Srikrishna Committee, 2018), https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.

16 Lok Sabha, “List of Business,” Lok Sabha, August 3, 2022, http://164.100.47.194/Loksabha/Business/ListofBusiness.aspx.

17 Press Trust of India, “Vaishnaw Hopeful of Getting New Data Protection Bill Passed by Budget,” Business Standard, August 5, 2022, https://www.business-standard.com/article/current-affairs/vaishnaw-hopeful-of-getting-new-data-protection-bill-passed-by-budget-122080400290_1.html.

18 Srikrishna Committee, A Free and Fair Digital Economy, 12.

19 See Sections 35 and 91 of the Personal Data Protection Bill, 2019. Both these provisions were retained, with minor modifications, in the joint parliamentary committee’s recommendations. Lok Sabha, “The Personal Data Protection Bill, 2019,” Lok Sabha, Bill No. 373 of 2019, http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.

20 Rishab Bailey and Smriti Parsheera, “Data Localization in India: Paradigms and Processes,” CSI Transactions on ICT 9, no. 3 (September 2021):137–150, https://doi.org/10.1007/s40012-021-00337-4; Anirudh Burman and Upasana Sharma, “How Would Data Localization Benefit India?,” Carnegie India, April 14, 2021, https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291; and Arindrajit Basu, Ellonai Hickok, and Aditya Singh Chawla, “The Localisation Gambit: Unpacking Policy Measures for Sovereign Control of Data in India,” Centre for Internet and Society, March 19, 2019 https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf.

21 Anja Kovacs and Nayantara Ranganathan, “Data Sovereignty, of Whom? Limits and Suitability of Sovereignty Frameworks for Data in India,” Data Governance Network Working Paper 3, November 2019, https://datagovernance.org/report/data-sovereignty.

22 Rajat Kathuria, Mansi Kedia, Gangesh Varma, and Kaushambi Bagchi, “Economic Implications of Cross Border Data Flows,” Indian Council for Research on International Economic Relations and Internet and Mobile Association of India, November 2019, https://icrier.org/pdf/Economic_Implications_of_Cross-Border_Data_Flows.pdf; Shagufta Gupta, Kapil Gupta, Poulomi Ghosh, and Sudip Kumar Paul, “Data Localisation: India’s Double-Edged Sword?,” CUTS International, 2020, https://cuts-ccier.org/pdf/data-localisation-indias-double-edged-sword.pdf; and Sai Rakshith Potluri, V. Sridhar, and Shrisha Rao, “Effects of Data Localization on Digital Trade: An Agent-Based Modeling Approach,” Telecommunications Policy 44, no. 9 (2020), https://doi.org/10.1016/j.telpol.2020.102022.

23 Smriti Parsheera and Prateek Jha, “Cross-Border Data Access for Law Enforcement: What Are India’s Strategic Options?,” Carnegie India, November 2020, https://carnegieendowment.org/files/ParsheeraJha_DataAccess.pdf; Madhulika Srikumar, Sreenidhi Srinivasan, DeBrae Kennedy-Mayo, and Peter Swire, “India-US Data Sharing for Law Enforcement: Blueprint for Reforms,” Observer Research Foundation and Georgia Tech Institute for Information Security & Privacy’s Cross-Border Requests for Data Project, January 17, 2019, https://www.orfonline.org/wp-content/uploads/2019/01/MLAT-Book-_v8_web-1.pdf; Amber Sinha, Elonnai Hickok, Udbhav Tiwari, and Arindrajit Basu, “Cross Border Data-Sharing and India: A Study in Processes, Content and Capacity,” Centre for Internet and Society, February 2016, https://cis-india.org/internet-governance/files/mlat-report; and Justin Sherman, “Trading in US-India Data Flows: Prospects for Cooperation in US-India Data Policy,” Atlantic Council, March 2022, https://www.atlanticcouncil.org/wp-content/uploads/2022/03/Cross_Border_Data_Flows.pdf.

24 Indian Ministry of Electronics and Information Technology Indian Computer Emergency Response Team (CERT-In), “Directions Under Sub-section (6) of Section 70B of the Information Technology Act, 2000 Relating to Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents for Safe and Trusted Internet,” Indian Ministry of Electronics and Information Technology CERT-In, No. 20(3)/2022-CERT-In, April 28, 2022, https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf.

25 In the case of the Ministry of Health and Family Welfare, this was due to the abandonment of the draft Digital Information Security in Healthcare Act as a whole. The e-commerce data localization issue, on the other hand, ran into troubles of ministerial remit since the subject of data flows falls under the domain of the Ministry of Electronics and Information Technology, not the Ministry of Commerce and Industry, which is the agency that produced the draft of the e-commerce policy. See Asit Ranjan Mishra, “Data Storage Rules Out of e-Commerce Policy,” Live Mint, June 26, 2019, https://www.livemint.com/politics/policy/data-storage-rules-out-of-e-commerce-policy-1561488393145.html. Indian Ministry of Commerce and Industry Department for Promotion of Industry and Internal Trade, “Draft National e-Commerce Policy: India’s Data for India’s Development,” Indian Ministry of Commerce and Industry Department for Promotion of Industry and Internal Trade, February 23, 2019, https://dpiit.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf; and Indian Ministry of Health and Family Welfare, “Subject: Placing the Draft of ‘Digital Information Security in Healthcare, Act (DISHA)” in Public Domain for Comments/Views-Reg,” Indian Ministry of Health and Family Welfare,” March 21, 2018, https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf.

26 In 2015, India’s Department of Telecommunications issued a National Telecom M2M Roadmap stating that there was a “strong case for all M2M Gateways and application servers, servicing the customers in India, to be physically located in India” for security reasons. See Indian Ministry of Communications Department of Telecommunications, “National Telecom M2M Roadmap,” Indian Ministry of Communications Department of Telecommunications, May 2015, https://web.archive.org/web/20220305194717/https://dot.gov.in/sites/default/files/National%20Telecom%20M2M%20Roadmap.pdf.

27 Bailey and Parsheera, “Data Localization in India: Paradigms and Processes”; Rishab Bailey and Smriti Parsheera, “Data Localisation in India: Questioning the Means and Ends,” National Institute of Public Finance and Policy Working Paper No. 242, September 2018, https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf; Christopher Kuner, “Data Nationalism and Its Discontents,” Emory Law Journal 64 (2015): 2089, https://scholarlycommons.law.emory.edu/elj-online/25/; and Anupam Chander and Uyên P. Lê, “Data Nationalism,” Emory Law Journal 64 (2015): 677, https://scholarlycommons.law.emory.edu/elj/vol64/iss3/2/.

28 See Paragraph 3.11.2. Survey of India, “National Geospatial Policy,” Survey of India, July 11, 2021, https://www.surveyofindia.gov.in/webroot/UserFiles/files/NGP_11_07_Draft.pdf.

29 Basu, Hickok, and Chawla, “The Localisation Gambit,” 48–49.

30 Ibid., 49.

31 Ibid.

32 Srikrishna Committee, A Free and Fair Digital Economy, 84–86.

33 D Y Chandrachud, “Justice K.S. Puttaswamy (Retd) v. Union of India and Ors.,” Indian Kanoon (Indian Supreme Court Writ Petition (Civil) No. 494 of 2012) 2012, https://indiankanoon.org/doc/91938676.

34 For further discussion on the Puttaswamy tests, see Vrinda Bhandari, Amba Kak, Smriti Parsheera, and Faiza Rahman, “An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict,” Leap Blog, September 20, 2017, https://blog.theleapjournal.org/2017/09/an-analysis-of-puttaswamy-supreme.html.

35 The Srikrishna Committee’s report, however, dismisses this concern on the grounds that censorship is not an automatic consequence of local retention and would only be possible with a dysfunctional data protection law that allows governments the tools to facilitate such censorship. See Srikrishna Committee, A Free and Fair Digital Economy, 95.

36 “22 YouTube Channels Blocked Over ‘Anti-India’Content,” Indian Express, April 5, 2022, https://indianexpress.com/article/india/govt-blocks-youtube-channels-anti-india-7853880.

37 Bailey and Parsheera, “Data Localization in India: Paradigms and Processes”, 141.

38 Thomas K. Thomas, “National Security Council Proposes 3-Pronged Plan to Protect Internet Users,” Hindu, February 13, 2014, https://www.thehindubusinessline.com/info-tech/National-Security-Council-proposes-3-pronged-plan-to-protect-Internet-users/article20727012.ece.

39 Srikrishna Committee, A Free and Fair Digital Economy, 92–93.

40 Reserve Bank of India, “Statement on Developmental and Regulatory Policies,” Reserve Bank of India, April 5, 2018, https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=43574.

41 Reserve Bank of India, “Storage of Payment System Data,” Reserve Bank of India, 2018, https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244.

42 The recommendations link the requirements on local data storage with the sensitivity attached to the underlying personal data. This may suggest that nonpersonal data that is not derived from personally identifiable information would not be subject to any cross-border flow restrictions, though the committee has not made this clear.

43 Joint Parliamentary Committee, Report of the Joint Committee on the Personal Data Protection Bill, 2019, 40.

44 Reserve Bank of India, “Storage of Payment System Data,” paragraph 2.

45 This is preceded by a requirement that the outsourcing of activities to entities abroad is subject to the laws and regulations of that jurisdiction not impeding regulatory access and oversight by the Insurance Regulatory and Development Authority of India. Insurance Regulatory and Development Authority of India (IRDAI), “Outsourcing of Activities by Indian Insurers Regulations, 2017,” IRDAI, April 20, 2017, 13, https://www.irdai.gov.in/admincms/cms/frmGeneral_Layout.aspx?page=PageNo3149&flag=1.

46 Indian Ministry of Electronics and Information Technology CERT-In, “Directions Under Sub-section (6) of Section 70B of the Information Technology Act, 2000 Relating to Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents for Safe and Trusted Internet.”

47 The Srikrishna Committee noted that critical data in this context may well extend beyond personal data to include things like information relating to government services or the country’s critical infrastructure. See Srikrishna Committee, A Free and Fair Digital Economy, 91.

48 Bailey and Parsheera, “Data Localization in India: Paradigms and Processes,” 145–146.

49 Securities and Exchange Board of India, “Annexure A, CERT Fin Advisory 201155100308, Advisory for Financial Sector Organizations - RBI and SEBI,” Securities and Exchange Board of India, 2020, https://web.archive.org/web/20211015204605/https://www.sebi.gov.in/sebi_data/commondocs/nov-2020/Annexure%20A_p.pdf.

50 See Paragraph 6.5 of India’s National Data Sharing and Accessibility Policy. See Indian Ministry of Science and Technology Department of Science and Technology, “National Data Sharing and Accessbility Policy-2012 (NDSAP-2012),” Indian Ministry of Science and Technology Department of Science and Technology, 2012, 5, https://geoportal.mp.gov.in/geoportal/Content/Policies/NDSAP_2012.pdf.

51 See Paragraph 8.1 of the Gopalakrishnan Committee’s report. See Gopalakrishnan Committee, “Report by the Committee of Experts on Non-Personal Data Governance Framework,” 23.

52 See Appendix 2 of the Gopalakrishnan Committee’s report. See Gopalakrishnan Committee, “Report by the Committee of Experts on Non-Personal Data Governance Framework,” 38–43.

53 Joint Parliamentary Committee, “Report of the Joint Committee on the Personal Data Protection Bill, 2019,” 9.

54 This is in addition to the jobs generated during the project’s construction phase, a figure estimated at 28,696 jobs. See Joint Parliamentary Committee, “Report of the Joint Committee on the Personal Data Protection Bill, 2019,” 41.

55 Swathi Moorthy and Chandra R Srikanth, “Indian IT Industry Crosses $200 Billion in Revenue With 5 Million Direct Employees,” Money Control, February 15, 2022, https://www.moneycontrol.com/news/opinion/indian-it-industry-crosses-200-billion-in-revenue-with-5-million-direct-employees-8099841.html.

56 Bailey and Parsheera, “Data Localisation in India: Questioning the Means and Ends,” 31.

57 See Section 91(2) of the Personal Data Protection Bill, 2019, and Section 92(2) of the 2021 DP Bill.

58 Gopalakrishnan Committee, “Report by the Committee of Experts on Non-Personal Data Governance Framework,” 23–24, 29–30.

59 Zachary Oliver, Kyle Clark-Sutton, Sara VanLear, Lindsay Aramayo, and Brian Lim et al., “The Impact of Facebook’s U.S. Data Center Fleet,” RTI International, March 2018, https://baxtel.com/data-center/facebook/files/facebook_data_centers_2018.

60 Ibid.

61 While announcing its new cloud platform region in Mumbai, Google declared that this would improve latency from 20 percent to 90 percent for end users in certain Indian cities compared to hosting these services in Singapore, which was the closest region. See Dave Stiver, “GCP Arrives in India With Launch of Mumbai Region,” Google Cloud, November 1, 2017, https://cloud.google.com/blog/products/gcp/gcp-arrives-in-india-with-launch-of-mumbai-region.

62 Shamel Azmeh and Christopher Foster, “The TPP and the Digital Trade Agenda: Digital Industrial Policy and Silicon Valley’s Influence on New Trade Agreements,” London School of Economics, Working Paper Series No. 16-175, 2016, http://hdl.handle.net/10419/224801.

63 Mitaksh, “Data Protection Bill: Restrictions on Cross-Border Data Transfer Will Hurt Indian Start-ups That Depend on Global Tools #NAMA,” Medianama, January 27, 2022, https://www.medianama.com/2022/01/223-cross-border-data-transfer-small-business.

64 Srikrishna Committee, A Free and Fair Digital Economy, 94.

65 Bailey and Parsheera, “Data Localization in India: Paradigms and Processes,” 148.

66 Kathuria, Kedia, Varma, and Bagchi, “Economic Implications of Cross Border Data Flows,” 29.

67 Burman and Sharma, “How Would Data Localization Benefit India?.”

68 Sebastian Moss, “India’s Data Center Market Heats Up,” Data Center Dynamics, October 7, 2021, https://www.datacenterdynamics.com/en/analysis/indias-data-center-market-heats-up.

69 Indian Ministry of Electronics and Information Technology e-Governance Division, “Data Centre Policy 2020,” Indian Ministry of Electronics and Information Technology e-Governance Division, 2020, https://web.archive.org/web/20220310202706/https://www.meity.gov.in/writereaddata/files/Draft%20Data%20Centre%20Policy%20-%2003112020_v5.5.pdf.

70 Vandana Ramnani, “Budget 2022: Data Centres to Be Given Infrastructure Status to Boost Financing of Sector,” Money Control, February 1, 2022, https://www.moneycontrol.com/news/business/real-estate/budget-2022-data-centres-to-be-given-infrastructure-status-8018221.html.

71 Japanese Ministry of Foreign Affairs, “Osaka Declaration on Digital Economy.”

72 See Paragraphs 10 and 11 of the following G20 declaration. See Japanese Ministry of Foreign Affairs, “G20 Osaka Leaders’ Declaration,” Japanese Ministry of Foreign Affairs, 2019, https://www.mofa.go.jp/policy/economy/g20_summit/osaka19/en/documents/final_g20_osaka_leaders_declaration.html#:~:text=We%2C%20the%20Leaders%20of%20the,for%20the%20benefit%20of%20all.

73 Japanese Ministry of Foreign Affairs, “Osaka Declaration on Digital Economy”; and Prerna Gandhi, “Review of Japan 2019 and Outlook for 2020,” Vivekananda International Foundation, February 3, 2020, http://manage.vifindia.org/print/7087.

74 Ibid.

75 Indian Ministry of Commerce and Industry, “Shri Piyush Goyal Participates in the G-20 Meeting of the Trade and Investment Ministers,” Indian Press Information Bureau, September 22, 2020, https://pib.gov.in/PressReleasePage.aspx?PRID=1657874; and Indian Ministry of External Affairs, “G20 Sherpa, Shri Piyush Goyal Holds Special Briefing From Rome,” Indian Ministry of External Affairs, October 30, 2021, https://www.mea.gov.in/press-releases.htm?dtl/34444/G20+Sherpa+Shri+Piyush+Goyal+holds+Special+Briefing+from+Rome.

76 D. Ravi Kanth, “India Boycotts ‘Osaka Track’ at G20 Summit,” Live Mint, June 30, 2019, https://www.livemint.com/news/world/india-boycotts-osaka-track-at-g20-summit-1561897592466.html; and Indian Ministry of External Affairs, “Transcript of Media Briefing by Foreign Secretary After BRICS Leaders’ Informal Meeting in Osaka,” Indian Ministry of External Affairs, June 28 2019, https://www.mea.gov.in/media-briefings.htm?dtl/31516/Transcript_of_Media_Briefing_by_Foreign_Secretary_after_BRICS_Leaders_Informal_meeting_in_Osaka.

77 World Trade Organization, “Joint Initiative on E-commerce,” World Trade Organization, https://www.wto.org/english/tratop_e/ecom_e/joint_statement_e.htm.

78 World Trade Organization (Statement by India and South Africa), “The Legal Status of ‘Joint Statement Initiatives’ and Their Negotiated Outcomes,” World Trade Organization, February 19, 2021, https://docs.wto.org/dol2fe/Pages/SS/directdoc.aspx?filename=q:/WT/GC/W819.pdf&Open=True.

79 Indian Ministry of Commerce and Industry, “India’s Stand in the WTO: Statement in Parliament,” Statement by Shri Suresh Prabhu, Minister of Commerce and Industry after the Eleventh Ministerial Conference of the World Trade Organization held in Buenos Aires, Argentina, December 2017, https://commerce.gov.in/wp-content/uploads/2020/11/Flag-L_CIM-statement-in-Parliament-after-MC-11.pdf.

80 World Trade Organization (Statement by India and South Africa), “The Legal Status of ‘Joint Statement Initiatives’ and Their Negotiated Outcomes.”

81 Indian Ministry of Commerce and Industry, “India’s Stand in the WTO,” 5.

82 Indian Prime Minister’s Office, “Joint Statement on BRICS Leaders’ Informal Meeting on the Margins of G20 Summit,” Press Information Bureau, June 28, 2019, https://pib.gov.in/PressReleseDetail.aspx?PRID=1576270.

83 Group of 77, “About the Group of 77,” Group of 77, https://www.g77.org/doc/index.html.

84 Group of 77, “Ministerial Declaration (adopted by the 45th Annual Meeting of Ministers for Foreign Affairs of the Group of 77),” Group of 77, November 30, 2021, https://www.g77.org/doc/Declaration2021.htm.

85 Arindrajit Basu, “The Retreat of the Data Localization Brigade: India, Indonesia and Vietnam,” Diplomat, January 10, 2020, https://thediplomat.com/2020/01/the-retreat-of-the-data-localization-brigade-india-indonesia-and-vietnam.

86 See Article 9.11 in the Comprehensive Economic Partnership Agreement (CEPA) between India and the United Arab Emirates (UAE). Indian Ministry of Commerce and Industry, “Chapter 9: Digital Trade,” Indian Ministry of Commerce and Industry, https://commerce.gov.in/wp-content/uploads/2022/03/Chapter-9.pdf.

87 See Article 9.3(4) of the CEPA between India and the UAE. Indian Ministry of Commerce and Industry, “Chapter 9: Digital Trade.”

88 Kritika Sunej, “India May Get Access to $10-billion Australian Government Tenders,” Economic Times, April 4, 2022, https://economictimes.indiatimes.com/news/economy/foreign-trade/india-may-get-access-to-10-billion-australian-government-tenders/articleshow/90631268.cms.

89 World Trade Organization, “E-commerce Co-Convenors Welcome Substantial Progress in Negotiations,” World Trade Organization, December 14, 2021, https://www.wto.org/english/news_e/news21_e/ecom_14dec21_e.htm.

90 Basu, “The Retreat of the Data Localization Brigade: India, Indonesia and Vietnam.”

91 Akshay Mathur and Purvaja Modak, “Goodbye, RCEP,” Gateway House, November 7, 2019, https://web.archive.org/web/20210509035604/https://www.gatewayhouse.in/rcep/.

92 Indian Ministry of External Affairs, “G20 Sherpa, Shri Piyush Goyal Holds Special Briefing From Rome.”

93 Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, and Faiza Rahman, “Use of Personal Data by Intelligence and Law Enforcement Agencies,” National Institute of Public Finance and Policy, August 1, 2018, https://macrofinance.nipfp.org.in/PDF/BBPR2018-Use-of-personal-data.pdf.

94 See Section 91 of the Code of Criminal Procedure, 1973. India Code, “The Code of Criminal Procedure, 1973,” India Code, 1973, https://www.indiacode.nic.in/handle/123456789/16225?sam_handle=123456789/1362.

95 See Section 5 of the Indian Telegraph Act, 1885. See Indian Ministry of Communications Department of Telecommunications, “Indian Telegraph Act, 1885,” Indian Ministry of Communications Department of Telecommunications, 1885, https://dot.gov.in/sites/default/files/the_indian_telegraph_act_1985_pdf.pdf. Also see Section 69 of the Information Technology Act, 2000. India Code, “Information Technology Act, 2000,” India Code, 2000, https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf. For further information, see Bailey, Bhandari, Parsheera, and Rahman, “Use of Personal Data by Intelligence and Law Enforcement Agencies.”

96 Parsheera and Jha, “Cross-Border Data Access for Law Enforcement.”

97 Joint Parliamentary Committee, “Report of the Joint Committee on the Personal Data Protection Bill, 2019,” 8.

98 See Rule 4(2) of the “Information Technology (Intermediary Guidelines and Digital Media Ethics Code), 2021.” See Indian Ministry of Electronics and Information Technology, “Information Technology (Intermediary Guidelines and Digital Media Ethics Code), 2021,” Indian Ministry of Electronics and Information Technology, February 25, 2021, https://web.archive.org/web/20220310204124/https://www.meity.gov.in/writereaddata/files/Intermediary_Guidelines_and_Digital_Media_Ethics_Code_Rules-2021.pdf; and Prasid Banerjee and Richa Banka, “WhatsApp Case in Delhi HC First Big Test of Privacy Law,” Live Mint, May 27, 2021, https://www.livemint.com/news/india/whatsapps-case-against-indian-govt-could-be-first-true-test-of-right-to-privacy-11622028707630.html.

99 Indian Press Information Bureau, “Centralised System to Monitor Communication,” Indian Press Information Bureau, November 26, 2009, http://pib.nic.in/newsite/PrintRelease.aspx?relid= 54679.

100 Internet Freedom Foundation, “Watch the Watchmen Series, Part 2: The Centralised Monitoring System,” September 14, 2020, https://internetfreedom.in/watch-the-watchmen-series-part-2-the-centralised-monitoring-system. Also see Bailey, Bhandari, Parsheera, and Rahman, “Use of Personal Data by Intelligence and Law Enforcement Agencies,” 12.

101 “Why Five Petitions Are Challenging the Constitutional Validity of India's Surveillance State,” Wire, January 14, 2019, https://thewire.in/law/supreme-court-pil-centre-snooping.

102 Parsheera and Jha, “Cross-Border Data Access for Law Enforcement.”

103 Press Trust of India, “Received 40,300 Govt Requests for User Data From India: Facebook Report,” Hindustan Times, May 20, 2021,

https://www.hindustantimes.com/india-news/received-40-300-govt-requests-for-user-data-from-india-facebook-report-101621505028130.html.

104 Letters rogatory can be issued under Section 166A and Section 105K of the Code of Criminal Procedure, 1973; Section 57 and Section 61 of the Prevention of Money Laundering Act, 2002; and Section 12 of the Fugitive Economic Offenders Act, 2018. See Indian Ministry of Home Affairs, “Guidelines on Mutual Legal Assistance in Criminal Matters,” Indian Ministry of Home Affairs, December 2019, 5, https://web.archive.org/web/20211117011824/https://www.mha.gov.in/sites/default/files/ISII_ComprehensiveGuidelines16032020.pdf.

105 Indian Ministry of Home Affairs, “Guidelines on Mutual Legal Assistance in Criminal Matters,” 4.

106 This information was submitted before the committee by the Ministry of Home Affairs. See Lok Sabha Parliamentary Committee on External Affairs, “Report of the Committee on External Affairs (2020-21) on India and International Law Including Extradition Treaties With Foreign Countries, Asylum Issues, International Cyber-Security and Issues of Financial Crimes,” Lok Sabha Parliamentary Committee on External Affairs, 13, https://web.archive.org/web/20211203114141/http://164.100.47.193/lsscommittee/External%20Affairs/17_External_Affairs_9.pdf.

107 Ibid.

108 Neha Alawadhi, “CBI and FBI Join Hands to Reduce Time Required to Fulfil Requests on Information and Evidence,” Economic Times, December 7, 2015, https://economictimes.indiatimes.com/news/politics-and-nation/cbi-fbi-join-hands-to-reduce-time-required-to-fulfil-requests-on-information-and-evidence/articleshow/50069794.cms.

109 Lok Sabha Parliamentary Committee on External Affairs, “Report of the Committee on External Affairs (2020-21) on India and International Law Including Extradition Treaties With Foreign Countries, Asylum Issues, International Cyber-Security and Issues of Financial Crimes,” 16.

110 Indian Ministry of Home Affairs, “Guidelines on Mutual Legal Assistance in Criminal Matters,” 4.

111 Lok Sabha Parliamentary Committee on External Affairs, “Report of the Committee on External Affairs (2020-21) on India and International Law Including Extradition Treaties With Foreign Countries, Asylum Issues, International Cyber-Security and Issues of Financial Crimes.”

112 Indian Ministry of Home Affairs, “Guidelines on Mutual Legal Assistance in Criminal Matters.”

113 Basu, Hickok, and Chawla, “The Localisation Gambit”; Burman and Sharma, “How Would Data Localization Benefit India?”; and Parsheera and Bailey, “Data Localization in India: Paradigms and Processes.”

114 Monika Zalnieriute, “Big Brother Watch and Others V. the United Kingdom,” American Journal of International Law 116, no. 3 (July 2022): 585–592, https://www.cambridge.org/core/journals/american-journal-of-international-law/article/big-brother-watch-and-others-v-the-united-kingdom/024BF9DDDFA0C882358B052845230352.

115 Lok Sabha Parliamentary Committee on External Affairs, “Report of the Committee on External Affairs (2020-21) on India and International Law Including Extradition Treaties With Foreign Countries, Asylum Issues, International Cyber-Security and Issues of Financial Crimes,” 29.

116 7amleh - The Arab Center for the Advancement of Social Media, Access Now, Africa Freedom of Information Centre, Albanian Media Institute, and Americans for Democracy and Human Rights in Bahrain et al., “Open Letter to UN General Assembly: Proposed International Convention on Cybercrime Poses a Threat to Human Rights Online,” Association for Progressive Communications, November 6, 2019, https://www.apc.org/en/pubs/open-letter-un-general-assembly-proposed-international-convention-cybercrime-poses-threat-human.

117 Lok Sabha Parliamentary Committee on External Affairs, “Report of the Committee on External Affairs (2020-21) on India and International Law Including Extradition Treaties With Foreign Countries, Asylum Issues, International Cyber-Security and Issues of Financial Crimes,” 30.

118 Ibid., 45.

119 Ibid., 29.

120 Soumyarendra Barik, “Why ExpressVPN Has Removed Its Servers From India, and What Happens to Users Now,” Indian Express, June 2, 2022, https://indianexpress.com/article/explained/expressvpn-services-india-new-vpn-rules-explained-7948845.

121 Indian Ministry of External Affairs, “G20 Sherpa, Shri Piyush Goyal Holds Special Briefing From Rome.”

122 Parsheera and Jha, “Cross-Border Data Access for Law Enforcement.”

123 Ibid.

124 Ibid., 25.

125 IRDAI, “Outsourcing of Activities by Indian Insurers Regulations, 2017.”

126 Ibid. See Regulation 18(ii).

127 Reserve Bank of India, “Storage of Payment System Data.”

128 Reserve Bank of India, “Frequently Asked Questions: Storage of Payment System Data,” Reserve Bank of India, April 6, 2018, https://m.rbi.org.in/scripts/FAQView.aspx?Id=130.

129 Reserve Bank of India, “Storage of Payment System Data.” See Paragraph 2(1).

130 Bailey and Parsheera, “Data Localization in India: Paradigms and Processes,” 144.

131 Reserve Bank of India, “Amendment to the Master Direction (MD) on KYC,” Reserve Bank of India, May 10, 2021, https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT354BE2BCC23B344982BD5793737940EFF3.PDF.

132 See 39.23 (vi), Chapter 1, Part IV of the License Agreement for Unified License. See

Indian Ministry of Communications and Information Technology Department of Telecommunications, “License Agreement for Unified License,” Indian Ministry of Communications and Information Technology Department of Telecommunications,

https://dot.gov.in/sites/default/files/Unified%20Licence_0.pdf. A similar provision appears in the Unified Access Service License.

133 Ibid.

134 See Annexure 6, Condition 1.3(ix) of the Consolidated FDI Policy. See Indian Ministry of Commerce and Industry, Department for Promotion of Industry and Internal Trade, “Consolidated FDI Policy,” Indian Ministry of Commerce and Industry, Department for Promotion of Industry and Internal Trade, October 15, 2020, https://dpiit.gov.in/sites/default/files/FDI-PolicyCircular-2020-29October2020.pdf.

135 Ibid.

136 See Proviso to Rule 3(2)(5). See Indian Ministry of Corporate Affairs, “Notification: G.S.R.239,” Indian Ministry of Corporate Affairs, March 31, 2014, https://www.mca.gov.in/Ministry/pdf/NCARules_Chapter9.pdf.

137 Ibid.

138 Securities and Exchange Board of India, “Advisory for Financial Sector Organizations Regarding Software as a Service (SaaS) Based Solutions,” Securities and Exchange Board of India, November 3, 2020, https://www.sebi.gov.in/legal/circulars/nov-2020/advisory-for-financial-sector-organizations-regarding-software-as-a-service-saas-based-solutions_48081.html. The advisory by CERT-In is included as an annexure to this circular. See Securities and Exchange Board of India, “Annexure A: CERT-Fin Advisory – 201155100308: Advisory for Financial Sector Organisations – RBI and SEBI,” Securities and Exchange Board of India, November 3, 2020, https://www.sebi.gov.in/sebi_data/commondocs/nov-2020/Annexure%20A_p.pdf.

139 National Archives of India, “Public Records Act, 1993,” National Archives of India, 1993, http://nationalarchives.nic.in/content/public-records-act-1993-0.

140 Ibid., Section 4.

141 Indian Department of Electronics and Information Technology, “Request for Proposal for Provisional Empanelment of Cloud Service Providers,” Indian Department of Electronics and Information Technology, December 30, 2015, https://web.archive.org/web/20220302220806/https://www.meity.gov.in/writereaddata/files/RFP_CSPs_10_16.pdf; and Indian Ministry of Electronics and Information Technology, “Guidelines for Government Departments on Contractual Terms Related to Cloud Services,” Indian Ministry of Electronics and Information Technology, March 31, 2017, https://web.archive.org/web/20220608195421/https://www.meity.gov.in/writereaddata/files/Guidelines-Contractual_Terms.pdf.

142 Indian Department of Electronics and Information Technology, “Request for Proposal for Provisional Empanelment of Cloud Service Providers,” Clause 5.7(2).

143 Indian Ministry of Science and Technology Department of Science and Technology, “National Data Sharing and Accessibility Policy-2012 (NDSAP-2012),” Indian Ministry of Science and Technology Department of Science and Technology, 2012, https://geoportal.mp.gov.in/geoportal/Content/Policies/NDSAP_2012.pdf.

144 (CERT-In), “Directions Under Sub-section (6) of Section 70B of the Information Technology Act, 2000 Relating to Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents for Safe and Trusted Internet.”

145 Ibid., 3.

146 Indian Ministry of Electronics and Information Technology (CERT-In), “Extension of Timelines for Enforcement of Cyber Security Directions of 28th April, 2022,” Indian Ministry of Electronics and Information Technology (CERT-In), June 27, 2022, https://web.archive.org/web/20220701155342/https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf.

147 Indian Ministry of Communications and Information Technology, “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011,” Indian Ministry of Communications and Information Technology, April 11, 2011, https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.

148 Ibid., Rule 7.

149 Lok Sabha, “Personal Data Protection Bill, 2019.”

150 Gopalakrishnan Committee, “Report by the Committee of Experts on Non-Personal Data Governance Framework.”

151 Ibid., 31.

152 Indian Ministry of Health and Family Welfare, “Digital Information Security in Healthcare Act [Draft for Public Consultation],” Indian Ministry of Health and Family Welfare, November 2017, https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf.

153 Ibid., Section 22(1)(e).

154 Indian Ministry of Health and Family Welfare Central Drugs Standard Control Organization, “Draft Drugs and Cosmetics (Amendment) Rules, 2018,” Indian Ministry of Health and Family Welfare Central Drugs Standard Control Organization, August 28, 2018, https://cdsco.gov.in/opencms/opencms/system/modules/CDSCO.WEB/elements/download_file_division.jsp?num_id=MTkzOQ==.

155 Ibid., Rule 67K(3).

156 Indian Ministry of Commerce and Industry Department for Promotion of Industry and Internal Trade, “Draft National e-Commerce Policy.”

157 Ibid., 16.

158 Survey of India, “National Geospatial Policy.”

159 Ibid., Paragraph 7.2.10.