Project report towards the fulfilment of assessment in the subject of Constitutional Theories
Divya Pandey
Roll No: 1778, Semester X
Harsh Bishnoi
Roll No: 1783, Semester X
Asst. Prof. Rudra Charan
Faculty of Law
National Law University, Jodhpur
We extend our sincere gratitude and profound appreciation to Assistant Professor Rudra Charan,
for her invaluable support and guidance throughout the duration of this project. Her expertise in
the subject matter, unwavering encouragement, and diligent supervision have been instrumental
in shaping our understanding and approach towards this challenging topic.
We also wish to express our heartfelt thanks to the authors of the online sources whose valuable
insights and research have enriched our work. Additionally, we acknowledge the support and
camaraderie of our colleagues at the college, whose collaboration and assistance have been
invaluable in navigating through the complexities of this project.
Lastly, we are deeply grateful to our families for their unwavering support and encouragement,
which has been a constant source of motivation throughout this endeavor. Their belief in us has
been the driving force behind the successful completion of this assignment.
Thank you.
Abstract
This paper presents a thorough examination of data localization policies, with an emphasis on
their consequences for internet freedom, the IT sector, the cost of online services, and policy
issues. It studies India's regulatory framework, namely the Digital Personal Data Protection Act
(DPDPA) of 2023, and assesses its provisions on fines, compliance deadlines, and conflicts with
other laws. It also covers the implications of the Reserve Bank of India's data localization
strategy, as well as criticism from US industry leaders. Furthermore, it investigates the
suggestion for an indigenous proportionality test inside the Indian legal system to determine the
constitutionality of data localization policies. The paper concludes by emphasising the need for
a balanced strategy that protects data while also supporting global data flows and
encouraging innovation.
Research Problem
The research subject addressed in this paper is concerned with the consequences and problems of
data localization procedures, particularly in light of the Indian legislative environment. It aims to
investigate the possible impact of these policies on a variety of stakeholders, including internet
users, the IT industry, and the cost of online services. Furthermore, the study seeks to assess the
efficiency and legality of the Digital Personal Data Protection Act (DPDPA) of 2023 in
addressing issues such as data localization, breach fines, compliance deadlines, and conflicts
with other laws. It also investigates criticism of data localization regulations,
particularly from US corporate leaders, and suggests the notion of an indigenous proportionality
test as a possible remedy. Overall, the research problem involves a comprehensive examination of
data localization policies and their consequences in the Indian context, emphasising the need for
a balanced regulatory strategy that protects data while encouraging innovation and economic
progress.
Research Methodology
The research methodology used in this publication is interdisciplinary, integrating legal analysis,
policy assessment, and critical investigation of industrial activities. It starts with a thorough
analysis of current literature, such as academic articles, legal texts, regulatory documents, and
industry reports, to gain a solid grasp of data localization measures and their ramifications.
Primary research approaches such as interviews with legal experts, policymakers, and industry
players may also be used to acquire insights and viewpoints on the topic. Furthermore,
comparative examination of data localization policies across different jurisdictions, with a
particular emphasis on the Indian regulatory landscape, is an important component of the
research approach. The paper uses qualitative analysis methodologies to understand and assess
the findings, drawing conclusions and offering suggestions based on the synthesised
information.
Research Objective
1.) To investigate the effects of data localization policies on internet freedom, the IT industry,
and the cost of online services.
2.) To assess the efficiency and validity of the 2023 Digital Personal Data Protection Act
(DPDPA) in addressing issues such as data localization, breach fines, compliance timetables, and
inconsistencies with existing laws.
3.) To investigate the impact of the Reserve Bank of India's data localisation policy and criticism
from US business leaders on the Indian regulatory structure.
4.) To propose and examine the viability of an indigenous proportionality test within the Indian
legal framework as a viable option for determining the validity of data localization procedures.
5.) To present ideas for politicians, industry stakeholders, and legal practitioners on developing a
balanced regulatory framework that protects data.
Literature Review
Data Sovereignty: The Quintessential Model for The New World Order by Aparajita Bhatt
The literature emphasizes data sovereignty's role in safeguarding national interests and privacy,
advocating for robust legal frameworks like the GDPR. It explores the impact of data
localization on global digital trade, balancing sovereignty needs. Case studies, such as India's
Meghraj initiative and RBI directives, offer practical insights. Overall, scholars stress the
intricate relationship between sovereignty, data protection, and global trade, urging a balanced
approach for national and international benefit.1
Data localisation in India: Questioning the means and ends by Rishab Bailey and Smriti
Parsheera
The literature on internet governance in India encompasses a range of topics, including human
rights protection, data localization policies, and technology regulation. UN statements
underscore the importance of safeguarding human rights online, while debates surrounding data
localization highlight tensions between privacy concerns and economic interests. Government
reports and court cases offer insights into evolving regulatory frameworks, addressing issues like
digital payments, cybersecurity, and cross-border data flows. International perspectives and
comparative analyses further contextualize India's approach to internet governance, emphasizing
the need for nuanced policies that balance societal needs with technological innovation and
economic development.2
Data sovereignty: A review by Patrik Hummel, Matthias Braun, Max Tretter and Peter Dabrock.
The literature on data sovereignty explores its multifaceted nature, covering topics such as
privacy, governance, and autonomy. Studies examine its implications for various stakeholders,
including individuals, organizations, and nations. Key themes include the challenges of
regulating data in a globalized world, the importance of Indigenous data sovereignty, and the role
of technology in shaping data governance frameworks. Overall, the literature underscores the
need for robust policies and ethical considerations to address the complex issues surrounding
data sovereignty effectively.3
1. Bhatt, A. (2021) “DATA SOVEREIGNTY: THE QUINTESSENTIAL MODEL FOR THE NEW WORLD ORDER”, ILI Law Review. Available at: https://ili.ac.in/pdf/12.pdf (Accessed: 29 February 2024).
2. Bailey, R. and Parsheera, S. (2018) “Data Localisation in India: Questioning the means and ends”, NIPFP Working Paper Series. Available at: https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf (Accessed: 29 February 2024).
3. Hummel, P., Braun, M., Tretter, M., & Dabrock, P. (2021). “Data sovereignty: A review”, Big Data & Society, 8(1). https://doi.org/10.1177/2053951720982012.
Introduction
BACKGROUND AND RATIONALE
The proliferation of digital technologies has transformed the way in which information is
generated, transmitted, and stored. Data localization, the practice of requiring data to be stored
within a specific geographical location, has gained prominence as governments seek to address
concerns related to national security, data privacy, and economic protectionism.4 Proponents
argue that data localization measures can enhance privacy and security by subjecting data to
domestic laws and regulations, thereby mitigating risks associated with foreign surveillance and
data breaches. Additionally, data localization is seen as a means to promote domestic economic
growth by fostering the development of local infrastructure and creating job opportunities in the
digital sector.5
However, critics of data localization caution that it may lead to fragmentation of the internet,
increased costs for businesses, and reduced innovation due to restricted access to global data
resources. They argue that cross-border data flows are essential for driving economic
competitiveness, fostering innovation, and facilitating international cooperation in areas such as
research, development, and trade.6
Privacy considerations play a crucial role in the conceptual framework, as individuals and
societies seek to protect personal data from unauthorized access, misuse, and exploitation.
4. The Economist, “The world’s most valuable resource is no longer oil, but data.” May 6, 2017. Retrieved from https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
5. “Encyclopedia, Definition of: data localization”, (May.09, 2019, 3:50pm), https://www.pcmag.com/encyclopedia/term/66382/data-localization
6. Rishab Bailey and Smriti Parsheera, “Data localisation in India: Questioning the means and ends” (May.09, 2019, 3:55 pm), https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf
7. Yudhistira Nugraha, Kautsarina and Ashwin Sasongko Sastrosubroto, “Towards Data Sovereignty in Cyberspace” SSRN, available at: SSRN-id2610314.pdf (last visited on April 1, 2021).
Privacy rights are enshrined in various legal instruments and frameworks, reflecting the
recognition of privacy as a fundamental human right. Data localization measures are often
justified on grounds of enhancing privacy protection by ensuring that personal data is subject to
local laws and regulations, thereby minimizing risks associated with cross-border data transfers.8
On the other hand, the digital economy is characterized by global interconnectedness, with data
flowing seamlessly across national borders to support diverse activities such as e-commerce,
cloud computing, social networking, and digital communication. Globalization and digitalization
have blurred traditional boundaries, creating tensions between national regulatory regimes and
transnational data flows. Data localization measures risk fragmenting the global internet and
impeding the free flow of information, services, and ideas, potentially undermining the benefits
of digital globalization.10
8. Madhura Bhandarkar, “DATA LOCALIZATION: IS IT A SOLUTION TO PRIVACY CONCERNS?”, RGNUL, (29 February, 2024), http://rsrr.in/2019/02/05/data-localization-solution-to-privacy-concerns/
9. “Data Sovereignty”, available at: https://www.stratokey.com/solutions/data-sovereignty-and-the-cloud (last visited on February, 2024).
10. C. Matthew Snipp, “What Does Data Sovereignty Imply-What Does it Look Like?”, in Tahu Kukutai, John Taylor, Indigenous Data Sovereignty-Towards An Agenda, Australian National University Press, 2016
Navigating the interplay between national sovereignty and global interconnectedness requires a
balanced approach that reconciles legitimate regulatory interests with the imperatives of
openness, interoperability, and innovation. Policymakers, businesses, civil society organizations,
and international stakeholders must engage in constructive dialogue and cooperation to develop
regulatory frameworks that address legitimate concerns while preserving the benefits of digital
connectivity and global interdependence.
Data Localisation and the Balkanization of the Internet: Implications for the Accessibility
and Affordability of Online Services
The phenomenon of data localisation has emerged as a critical issue in contemporary discourse
surrounding internet governance, with significant implications for the accessibility and
affordability of online services. This section delves into the intricate dynamics underlying the
process of data localisation and its potential ramifications, particularly in terms of its impact on
the foundational principles of a free and affordable internet.11
11. Fraser, E. (2016) “Data localisation and the balkanisation of the internet”, ResearchGate. Available at: https://www.researchgate.net/publication/312436514_Data_Localisation_and_the_Balkanisation_of_the_Internet (Accessed: 29 February 2024).
Pie Chart Analysis: Global Trends in Data Localization and Privacy Concerns
CHALLENGES TO THE IT SECTOR
The Indian IT sector could also be hurt by the need for data localization. This is because the
global service delivery model is based on the idea that offshoring services to Indian IT
companies should work smoothly with support provided by Indian IT professionals both offsite
(via remote support) and onsite (when needed). Companies from around the world might be less
likely to do business with these Indian companies.12
IMPACT ON AFFORDABILITY
Furthermore, the balkanization of the internet exacerbates concerns regarding the affordability of
online services, particularly in regions where access to digital infrastructure is already limited.
By fragmenting the internet into disparate national networks, data localisation measures impede
economies of scale and hinder the efficient provision of online services across borders.
Consequently, this fragmentation may result in increased costs for both service providers and
end-users, thereby exacerbating existing digital divides and hindering efforts to promote
universal access to information and communication technologies (ICTs).
12. RV Anuradha, India: “Why the Personal Data Protection Bill spells trouble for India’s IT sector”, Clarus Law Associates, Mondaq, http://www.mondaq.com/india/x/737032/IT+internet/Why+the+Personal+Data+Protection+Bill+spells+trouble+for+Indias+IT+sector.
boundaries. However, the imposition of such measures must be proportionate to the objectives
pursued and balanced against the potential impact on individual rights, economic interests, and
international trade obligations.
UNDERSTANDING PROPORTIONALITY
The proportionality principle, rooted in international law and legal theory, requires that measures
restricting fundamental rights or imposing burdens on individuals must be proportionate to the
legitimate aims pursued. In the context of data localization, this entails assessing whether the
measures enacted are suitable, necessary, and balanced in relation to the objectives of
safeguarding data security, promoting economic growth, and advancing national interests.
13. “Understanding the data localisation debate in India”, available at: https://www.investindia.gov.in/team-indiablogs/understanding-data-localisation-debate-india.
14. Ibid.
India's Approach to Data Localisation: Exploring the Rationale Behind the Recent
Emphasis
India's stance on data localisation has garnered significant attention in recent years, marked by a
notable shift towards advocating for stringent measures to regulate cross-border data flows. This
section delves into the underlying motivations and contextual factors driving India's push for
data localisation, examining the multifaceted rationale behind this policy shift within the
framework of broader socio-economic and geopolitical dynamics.
SECTORAL REGULATIONS AND GUIDELINES
Aside from general laws, specialised rules and standards in different sectors also impact data
localization procedures in India. The Reserve Bank of India (RBI) requires that payment system
data must be retained only inside the country's borders, according to its circular released in April
2018. This rule demonstrates the RBI's emphasis on improving the security and integrity of
financial data, in line with the larger goals of data localization.
In December 1962, the Supreme Court recognised the right to privacy, even though only in a
minority opinion. The majority opinion dismissed the idea of an inherent right
to privacy and allowed surveillance in a case where police monitoring methods were questioned.
The minority opinion contended that privacy was protected as a fundamental right under the
Constitution. Being the view of only a minority of the judges, it was not
binding.16
In March 1975, the Supreme Court affirmed that privacy is a right derived from common law.
The Supreme Court acknowledged a common law right to privacy for the first time. The Court
recognised a right to privacy, even though it is neither legally protected nor deemed a basic right.
The case challenged the legality of police rules permitting them to conduct surveillance on
people.17
In October 1994, the Supreme Court linked the constitutionally protected right to privacy with
the right to life. The Supreme Court first linked the right to privacy with the right to life and
personal liberty protected by Article 21 of the Constitution in a case where a notorious felon
contended that a news magazine's publication of his memoirs violated his right to privacy. The
Court declared that the right to privacy is not unlimited.18
15. MP Sharma & Ors. v. Satish Chandra, District Magistrate, Delhi & Ors, 1954 AIR 300, 1954 SCR 1077.
16. Kharak Singh v. State of Uttar Pradesh, 1963 AIR 1295, 1964 SCR (1) 332.
17. Govind Singh v. State of M.P. 1975 AIR 1378, 1975 SCR (3) 946.
In recent years, India has become increasingly aware of privacy issues, especially after the
Puttaswamy case and the Cambridge Analytica-Facebook scandal. This is often cited as a reason
for mandating the storage of personal data inside India. We need enhanced protections for Indian
data, especially private data, in response to the widespread sharing of information online and the
potential harm from unauthorised disclosures. However, storing data in India does not always provide
enhanced security or reduce the risk of misuse. This will continue to be true unless we implement
thorough and effective data security laws.
The Srikrishna Committee has published a first draft of the Personal Data Protection Bill, 2018,
which contains safeguards that may not completely resolve concerns about protecting people
from unchecked government monitoring. It is unclear how much time India will need to create
suitable laws and construct the required institutions to efficiently investigate and punish those
who break these rules. Indian espionage regulations today provide the government substantial
discretion to be invasive, making this matter critical. The IT Act and the Telegraph Act of 1885,
which deal with monitoring, are presently not in accordance with the Supreme Court's rulings in
the Puttaswamy case.19 The current privacy policy under the IT Act is deficient in terms of rights,
solutions, and enforcement. If these events occur, requiring the localization of a significant
amount of data without ensuring its protection might potentially compromise the security of
Indian data rather than enhancing it.
One major concern was the potential for this whitelist approach to disrupt global business
processes. By requiring prior authorization for data transfers to specific jurisdictions, the
provision introduced uncertainty and administrative burdens for businesses engaged in
cross-border data flows. The lack of clarity regarding which territories would be included in the
whitelist and the process for obtaining approval raised practical challenges for organizations
operating internationally.20
18. R. Rajagopal v. State of Tamil Nadu, 1995 AIR 264, 1994 SCC (6) 632.
19. Justice K.S Puttaswamy (Retd.) v. Union of India and Ors., WP (C) 494 of 2012.
Another criticism centered around the compatibility of Section 17 with existing localization
requirements in India. Given that various sectors already had sector-specific localization
mandates, there was ambiguity about how the whitelist mechanism would interact with these pre-
existing regulations. This raised questions about whether transfer to whitelisted locations would
be permissible under the DPDA Bill's provisions or if it would conflict with the existing
localization regime.
Overall, Section 17 of the DPDA Bill aimed to regulate cross-border data transfers by
establishing a whitelist of approved territories. However, concerns about its potential impact on
global business operations and its compatibility with existing localization requirements
highlighted the need for a careful review and reconsideration of this provision in subsequent
legislative iterations.
This section delves into the Central Government's authority to limit access to content deemed to
be against the public interest. It references Section 69A of the IT Act, which permits the
government to mandate internet information filtering for certain reasons, without explicitly
stating "interest of the general public." Article 19(2) of the Indian Constitution allows restrictions
on freedom of speech and expression to protect India's sovereignty, integrity, state security,
international relations, public order, decency, and morality. Judicial precedents, such as the State
of Orissa v. Radhey Shyam Meher case, have interpreted the term "in the interest of the general
public" to include public health, morality, economic stability, prevention of fraud, and the
implementation of Directive Principles under Part IV of the Constitution. The statement
emphasises that intermediaries, including ISPs and TSPs, are required to comply with blocking
orders issued by the Central Government.21
20. Shroff, Cyril, et al. (2023) “A Fine Balance: The DPDA and Data Localization”, Cyril Amarchand Blogs, 17 August. Available at: https://corporate.cyrilamarchandblogs.com/2023/08/a-fine-balancethe-dpda-and-data-localization/ (Accessed: February, 2024).
PENALTIES
This section outlines the consequences for violating the DPDPA, with the severity of the
infraction dictating the amount of the penalty. When calculating the punishment, various factors
are taken into account, including the type, severity, and length of the breach, as well as its impact
and any mitigating measures taken. The DPDPA's Schedule outlines different fines for different
kinds of violations; the failure to put sufficient security measures in place to prevent breaches of
personal data carries a maximum penalty of INR 2.5 billion. Sections 8, 33, and 44 of the
DPDPA are pertinent sections, and references to the Indian Penal Code (IPC) for specific legal
aspects are also included.23
DELEGATED LEGISLATION
This section addresses the rule-making powers granted to the government under the DPDPA,
covering various aspects such as breach notifications, registration of consent managers, and the
composition of the Data Protection Board. It refers to Section 40 of the DPDPA and underscores
the need for legislative guidance for each rule-making power to ensure transparency and
effectiveness in implementation.
21. Desai, N. (2023) “India’s Digital Personal Data Protection Act, 2023: History in the Making”, Nishith Desai Associates. Available at: https://www.nishithdesai.com/NewsDetails/10703 (Accessed: 29 February 2024).
22. Section 177 of the Indian Penal Code, 1860.
23. Section 8, Section 33 and Section 44 of the DPDPA, 2023.
24. Supra at 19.
IMPLICATIONS AND CHALLENGES WITHIN THE DPDA
Implementing an indigenous proportionality test presents both opportunities and challenges
within the context of the DPDA. While it provides a principled approach to assess regulatory
measures, its effective application necessitates careful consideration of contextual factors and
stakeholder perspectives. Ensuring consistency and coherence in its application across diverse
regulatory contexts poses a notable challenge.
ANALYSIS
The incorporation of an indigenous proportionality test into the DPDA signifies a significant step
towards ensuring the legality and legitimacy of data localization measures. By considering
India's unique socio-economic and cultural landscape, this approach can enhance the
accountability and transparency of regulatory decisions while safeguarding individual data
rights. However, challenges such as ensuring consistency and balancing competing interests
underscore the need for meticulous implementation and ongoing refinement of the
proportionality doctrine within the DPDA framework. Moreover, aligning domestic regulations
with international standards and best practices will be crucial in fostering interoperability and
facilitating cross-border data flows, thereby promoting India's participation in the global digital
economy.
The evolution of Indian regulations, from initial drafts raising concerns about localization to the
final enactment of the DPDA, reflects a responsive approach to stakeholder feedback and global
best practices. The Act's provisions, particularly Section 16, signify a departure from restrictive
measures towards a more facilitative framework for cross-border data transfers.
However, challenges persist in implementing effective safeguards to ensure data protection and
privacy while promoting business interests. The absence of detailed guidelines on safeguards
leaves room for uncertainty, necessitating proactive measures by businesses to ensure
compliance with evolving regulatory requirements.28
Nevertheless, the DPDA represents a significant step towards aligning India's data protection
regime with international standards while accommodating sector-specific regulations. As India
continues to navigate the complexities of the digital economy, the DPDA provides a foundation
for ensuring a harmonious balance between data localization imperatives and the imperative of
global data flows.29
In essence, the DPDA embodies India's commitment to fostering a conducive environment for
data-driven innovation while upholding individual privacy rights and ensuring data sovereignty.
The Act's implementation and enforcement will be crucial in realizing its objectives and
maintaining the delicate equilibrium between competing interests in the digital age.
28. Kalika Likhi, “India’s data localization efforts could do more harm than good,” The Atlantic Council. February, 2024. https://www.atlanticcouncil.org/blogs/new-atlanticist/india-s-data-localization-efforts-could-do-more-harm-than-good/.
29. Jonah Force Hill, Matthew Noyes, “Rethinking Data, Geography, and Jurisdiction: Towards a Common Framework for Harmonizing Data Flow Controls”. The New America Foundation. February 2024. P.9, 11, 12.