Constitutional Regulation of Data Localization and Cross-Border Data Flows: A Legal Analysis

of India's Regulatory Framework

Project report towards the fulfilment of assessment in the subject of Constitutional Theories

SUBJECT – CONSTITUTIONAL THEORIES

Submitted by: Submitted to:

Divya Pandey
Roll No: 1778, Semester X Asst. Prof. Rudra Charan
Faculty of Law
Harsh Bishnoi National Law University, Jodhpur
Roll No: 1783, Semester X

Winter Semester (January – May 2024)

NATIONAL LAW UNIVERSITY, JODHPUR

 Acknowledgement

We extend our sincere gratitude and profound appreciation to Assistant Professor Rudra Charan,
for her invaluable support and guidance throughout the duration of this project. Her expertise in
the subject matter, unwavering encouragement, and diligent supervision have been instrumental
in shaping our understanding and approach towards this challenging topic.

We also wish to express our heartfelt thanks to the authors of the online sources whose valuable
insights and research have enriched our work. Additionally, we acknowledge the support and
camaraderie of our colleagues at the college, whose collaboration and assistance have been
invaluable in navigating through the complexities of this project.

Lastly, we are deeply grateful to our families for their unwavering support and encouragement,
which has been a constant source of motivation throughout this endeavor. Their belief in us has
been the driving force behind the successful completion of this assignment.

Thank you.

2|Page
 Abstract

This paper presents a thorough examination of data localization policies, with an emphasis on
their consequences for internet freedom, the IT sector, the cost of online services, and policy
issues. It studies India's regulatory framework, namely the Digital Personal Data Protection Act
(DPDPA) of 2023, and assesses its provisions on fines, compliance deadlines, and conflicts with
other laws. It also covers the implications of the Reserve Bank of India's data localization
strategy, as well as criticism from US industry leaders. Furthermore, it investigates the
suggestion for an indigenous proportionality test inside the Indian legal system to determine the
constitutionality of data localization policies. The statement finishes by emphasising the need of
taking a balanced strategy that protects data while also supporting global data flows and
encouraging innovation.

Research Problem

The research subject addressed in this paper is concerned with the consequences and problems of
data localization procedures, particularly in light of the Indian legislative environment. It aims to
investigate the possible impact of these policies on a variety of stakeholders, including internet
users, the IT industry, and the cost of online services. Furthermore, the study seeks to assess the
efficiency and legality of the Digital Personal Data Protection Act (DPDPA) of 2023 in
addressing issues such as data localization, breach fines, compliance deadlines, and conflicts
with other laws. Furthermore, it investigates criticism of data localization regulations,
particularly from US corporate leaders, and suggests the notion of an indigenous proportionality
test as a possible remedy. Overall, the study challenge involves a comprehensive examination of
data localization policies and their consequences in the Indian context, emphasising the need for
a balanced regulatory strategy that protects data while encouraging innovation and economic
progress.

Research Methodology

The research methodology used in this publication is interdisciplinary, integrating legal analysis,
policy assessment, and critical investigation of industrial activities. It starts with a thorough
analysis of current literature, such as academic articles, legal texts, regulatory documents, and
industry reports, to gain a solid grasp of data localization measures and their ramifications.

3|Page
Primary research approaches such as interviews with legal experts, policymakers, and industry
players may also be used to acquire insights and viewpoints on the topic. Furthermore,
comparative examination of data localization policies across different jurisdictions, with a
particular emphasis on the Indian regulatory landscape, is an important component of the
research approach. The paper uses qualitative analysis methodologies to understand and assess
the findings, drawing conclusions and offering suggestions based on the information synthesised
information.

Research Objective

1.) To investigate the effects of data localization policies on internet freedom, the IT industry,
and the cost of online services.

2.) To assess the efficiency and validity of the 2023 Digital Personal Data Protection Act
(DPDPA) in addressing issues such as data localization, breach fines, compliance timetables, and
inconsistencies with existing laws.

3.) To investigate the impact of the Reserve Bank of India's data localisation policy and criticism
from US business leaders on the Indian regulatory structure.

4.) To propose and examine the viability of an indigenous proportionality test within the Indian
legal framework as a viable option for determining the validity of data localization procedures.

5.) To present ideas for politicians, industry stakeholders, and legal practitioners on developing a
balanced regulatory framework that protects data.

Literature Review
Data Sovereignty: The Quintessential Model for The New World Order by Aparajita Bhatt
The literature emphasizes data sovereignty's role in safeguarding national interests and privacy,
advocating for robust legal frameworks like the GDPR. It explores the impact of data
localization on global digital trade, balancing sovereignty needs. Case studies, such as India's
Meghraj initiative and RBI directives, offer practical insights. Overall, scholars stress the

4|Page
intricate relationship between sovereignty, data protection, and global trade, urging a balanced
approach for national and international benefit.1

Data localisation in India: Questioning the means and ends by Rishab Bailey and Smriti
Parsheera

The literature on internet governance in India encompasses a range of topics, including human
rights protection, data localization policies, and technology regulation. UN statements
underscore the importance of safeguarding human rights online, while debates surrounding data
localization highlight tensions between privacy concerns and economic interests. Government
reports and court cases offer insights into evolving regulatory frameworks, addressing issues like
digital payments, cybersecurity, and cross-border data flows. International perspectives and
comparative analyses further contextualize India's approach to internet governance, emphasizing
the need for nuanced policies that balance societal needs with technological innovation and
economic development.2

Data sovereignty: A review by Patrik Hummel, Matthias Braun, Max Tretter and Peter Dabrock.

The literature on data sovereignty explores its multifaceted nature, covering topics such as
privacy, governance, and autonomy. Studies examine its implications for various stakeholders,
including individuals, organizations, and nations. Key themes include the challenges of
regulating data in a globalized world, the importance of Indigenous data sovereignty, and the role
of technology in shaping data governance frameworks. Overall, the literature underscores the
need for robust policies and ethical considerations to address the complex issues surrounding
data sovereignty effectively.3

1
Bhatt, A. (2021) “DATA SOVEREIGNTY: THE QUINTESSENTIAL MODEL FOR THE NEW WORLD
ORDER”, ILI Law Review. Available at: https://ili.ac.in/pdf/12.pdf (Accessed: 29 February 2024).
2
Bailey, R. and Parsheera, S. (2018) “Data Localisation in India: Questioning the means and ends”, NIPFP Working
Paper Series. Available at: https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf (Accessed: 29
February 2024).
3
Hummel, P., Braun, M., Tretter, M., & Dabrock, P. (2021). “Data sovereignty: A review. Big Data & Society”, 8(1).
https://doi.org/10.1177/2053951720982012.

5|Page
 Introduction
BACKGROUND AND RATIONALE
The proliferation of digital technologies has transformed the way in which information is
generated, transmitted, and stored. Data localization, the practice of requiring data to be stored
within a specific geographical location, has gained prominence as governments seek to address
concerns related to national security, data privacy, and economic protectionism. 4 Proponents
argue that data localization measures can enhance privacy and security by subjecting data to
domestic laws and regulations, thereby mitigating risks associated with foreign surveillance and
data breaches. Additionally, data localization is seen as a means to promote domestic economic
growth by fostering the development of local infrastructure and creating job opportunities in the
digital sector.5

However, critics of data localization caution that it may lead to fragmentation of the internet,
increased costs for businesses, and reduced innovation due to restricted access to global data
resources. They argue that cross-border data flows are essential for driving economic
competitiveness, fostering innovation, and facilitating international cooperation in areas such as
research, development, and trade.6

III. Conceptual Framework

PRINCIPLES OF DATA SOVEREIGNTY, PRIVACY, AND ECONOMIC DEVELOPMENT
The conceptual framework of data localization and cross-border data flows is based on important
concepts such as data sovereignty, privacy, and economic growth. Data sovereignty is the
concept that a country has the right to own, possess, and have jurisdiction over data created
inside its boundaries. This concept embodies the protection of national interests, preservation of
sensitive information, and establishing regulatory control over data processing and storage.7

Privacy considerations play a crucial role in the conceptual framework, as individuals and
societies seek to protect personal data from unauthorized access, misuse, and exploitation.
4
The Economist, “The world’s most valuable resource is no longer oil, but data.” May 6, 2017. Retrieved from
https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
5
“Encyclopedia, Definition of: data localization”, (May.09, 2019, 3:50pm),
https://www.pcmag.com/encyclopedia/term/66382/data-localization
6
Rishab Bailey and Smriti Parsheera, “Data localisation in India: Questioning the means and ends” (May.09, 2019,
3:55 pm), https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf
7
Yudhistira Nugraha, Kautsarina and Ashwin Sasongko Sastrosubroto, “Towards Data Sovereignty in Cyberspace”
SSRN, available at: SSRN-id2610314.pdf (last visited on April 1, 2021).

6|Page
Privacy rights are enshrined in various legal instruments and frameworks, reflecting the
recognition of privacy as a fundamental human right. Data localization measures are often
justified on grounds of enhancing privacy protection by ensuring that personal data is subject to
local laws and regulations, thereby minimizing risks associated with cross-border data transfers. 8

Economic development is another fundamental aspect of the conceptual framework, as nations

seek to leverage data-driven innovation and digital technologies to drive growth,
competitiveness, and prosperity. Data localization policies are frequently framed within the
context of promoting domestic industries, fostering innovation ecosystems, and enhancing
economic self-sufficiency. By requiring data to be stored and processed locally, governments aim
to stimulate investment in data infrastructure, create jobs, and retain economic value within their
jurisdictions.9

THE INTERPLAY BETWEEN NATIONAL SOVEREIGNTY AND GLOBAL INTERCONNECTEDNESS:

The interplay between national sovereignty and global interconnectedness represents a central
theme in the conceptual framework of data localization and cross-border data flows. On one
hand, data localization measures are often framed as exercises of national sovereignty, reflecting
governments' prerogative to regulate data within their jurisdictions and assert control over digital
assets. Such measures may be motivated by concerns about national security, law enforcement,
cultural preservation, and economic protectionism.

On the other hand, the digital economy is characterized by global interconnectedness, with data
flowing seamlessly across national borders to support diverse activities such as e-commerce,
cloud computing, social networking, and digital communication. Globalization and digitalization
have blurred traditional boundaries, creating tensions between national regulatory regimes and
transnational data flows. Data localization measures risk fragmenting the global internet and
impeding the free flow of information, services, and ideas, potentially undermining the benefits
of digital globalization.10

8
Madhura Bhandarkar, “DATA LOCALIZATION: IS IT A SOLUTION TO PRIVACY CONCERNS?”, RGNUL,
(29 February, 2024), http://rsrr.in/2019/02/05/data-localization-solution-to-privacy-concerns/
9
“Data Sovereignty”, available at: https://www.stratokey.com/solutions/data-sovereignty-and-the-cloud (last visited
on February, 2024).
10
C. Matthew Snipp, “What Does Data Sovereignty Imply-What Does it Look Like?”, in Tahu Kukutai, John Taylor,
Indigenous Data Sovereignty-Towards An Agenda, Australian National University Press, 2016

7|Page
Navigating the interplay between national sovereignty and global interconnectedness requires a
balanced approach that reconciles legitimate regulatory interests with the imperatives of
openness, interoperability, and innovation. Policymakers, businesses, civil society organizations,
and international stakeholders must engage in constructive dialogue and cooperation to develop
regulatory frameworks that address legitimate concerns while preserving the benefits of digital
connectivity and global interdependence.

Data Localisation and the Balkanization of the Internet: Implications for the Accessibility
and Affordability of Online Services
The phenomenon of data localisation has emerged as a critical issue in contemporary discourse
surrounding internet governance, with significant implications for the accessibility and
affordability of online services. This section delves into the intricate dynamics underlying the
process of data localisation and its potential ramifications, particularly in terms of its impact on
the foundational principles of a free and affordable internet.11

CONCEPTUALIZING DATA LOCALISATION

At its core, data localisation refers to the regulatory requirement mandating the storage and
processing of data within the physical boundaries of a specific jurisdiction. This regulatory
approach diverges from the traditional paradigm of a borderless internet, where data flows
seamlessly across national borders, transcending geographical constraints.

11
Fraser, E. (2016) “Data localisation and the balkanisation of the internet”, ResearchGate. Available at:
https://www.researchgate.net/publication/312436514_Data_Localisation_and_the_Balkanisation_of_the_Internet
(Accessed: 29 February 2024).

8|Page
 Pie Chart Analysis: Global Trends in Data Localization and Privacy Concerns

BALKANIZATION OF THE INTERNET

The proliferation of data localisation measures has fueled concerns regarding the balkanization
of the internet, wherein the once-unified cyberspace becomes fragmented along nationalistic
lines. By erecting virtual barriers to data flows, countries seek to assert sovereignty over digital
infrastructure and exercise greater control over the dissemination of information within their
territories. Consequently, this fragmentation undermines the cohesive and interconnected nature
of the internet, giving rise to a fragmented ecosystem characterized by jurisdictional silos and
restricted data flows.

CHALLENGES TO INTERNET FREEDOM

The imposition of data localisation requirements poses significant challenges to the foundational
principles of internet freedom, openness, and accessibility. By constraining the free flow of
information and erecting barriers to cross-border data transfers, data localisation measures
impede the ability of users to access online content and services from diverse geographic
locations. This erosion of internet freedom undermines the democratic ideals of free expression,
information sharing, and knowledge dissemination that underpin the open internet.

9|Page
CHALLENGES TO THE IT SECTOR
The Indian IT sector could also be hurt by the need for data localization. This is because the
global service delivery model is based on the idea that offshoring services to Indian IT
companies should work smoothly with support provided by Indian IT professionals both offsite
(via remote support) and onsite (when needed). Companies from around the world might be less
likely to do business with these Indian companies.12

IMPACT ON AFFORDABILITY
Furthermore, the balkanization of the internet exacerbates concerns regarding the affordability of
online services, particularly in regions where access to digital infrastructure is already limited.
By fragmenting the internet into disparate national networks, data localisation measures impede
economies of scale and hinder the efficient provision of online services across borders.
Consequently, this fragmentation may result in increased costs for both service providers and
end-users, thereby exacerbating existing digital divides and hindering efforts to promote
universal access to information and communication technologies (ICTs).

POLICY IMPLICATIONS AND CONSIDERATIONS

In light of these challenges, policymakers must carefully weigh the purported benefits of data
localisation against its potential adverse effects on internet freedom, affordability, and
innovation. While data localisation measures may be motivated by legitimate concerns regarding
data sovereignty, security, and privacy, policymakers must adopt a balanced approach that
safeguards these interests without unduly restricting the free flow of information or impeding
access to online services.

Understanding Proportionality Principle: Drawing Insights from EU and WTO

Jurisprudence
The growing prominence of data localization measures has brought the concept of
proportionality to the forefront of legal discourse. In light of concerns regarding data privacy,
national security, and economic development, governments around the world are increasingly
enacting regulations requiring the storage and processing of data within their territorial

12
RV Anuradha, India: “Why the Personal Data Protection Bill spells trouble for India’s IT sector”, Clarus Law
Associates, Mondaq
http://www.mondaq.com/india/x/737032/IT+internet/Why+the+Personal+Data+Protection+Bill+spells+trouble+for
+ Indias+IT+sector.

10 | P a g e
boundaries. However, the imposition of such measures must be proportionate to the objectives
pursued and balanced against the potential impact on individual rights, economic interests, and
international trade obligations.

UNDERSTANDING PROPORTIONALITY
The proportionality principle, rooted in international law and legal theory, requires that measures
restricting fundamental rights or imposing burdens on individuals must be proportionate to the
legitimate aims pursued. In the context of data localization, this entails assessing whether the
measures enacted are suitable, necessary, and balanced in relation to the objectives of
safeguarding data security, promoting economic growth, and advancing national interests.

INSIGHTS FROM EU AND WTO JURISPRUDENCE

The jurisprudence of the EU and the WTO provides valuable insights into the application of the
proportionality principle in the regulation of cross-border data flows. In EU law, the principle of
proportionality is a fundamental tenet of legal reasoning, requiring measures to be necessary and
proportionate to achieve their intended objectives. Similarly, WTO jurisprudence emphasizes the
need for trade-related measures to be justified, legitimate, and proportionate to the pursued
objectives.13

RECOMMENDATIONS FROM INTERNATIONAL ORGANIZATIONS

International organizations such as the OECD have issued recommendations on factors to
consider in assessing the proportionality of data localization measures. These factors include the
sensitivity of data, the effectiveness of alternative measures, the implications for international
trade, and the scalability of the measures across jurisdictions.14

APPLICATION IN THE INDIAN LEGISLATIVE LANDSCAPE

In India, the proportionality principle finds application in the evaluation of data localization
regulations and their alignment with constitutional rights, economic interests, and international
trade commitments. The Indian judiciary has invoked the principle of proportionality in cases
involving the restriction of fundamental rights, emphasizing the need for measures to be
justified, necessary, and balanced.

13
“Understanding the data localisation debate in India”, available at: https://www.investindia.gov.in/team-
indiablogs/understanding-data-localisation-debate-india.
14
Ibid.

11 | P a g e
 India's Approach to Data Localisation: Exploring the Rationale Behind the Recent
Emphasis
India's stance on data localisation has garnered significant attention in recent years, marked by a
notable shift towards advocating for stringent measures to regulate cross-border data flows. This
section delves into the underlying motivations and contextual factors driving India's push for
data localisation, examining the multifaceted rationale behind this policy shift within the
framework of broader socio-economic and geopolitical dynamics.

REGULATORY FRAMEWORK AND POLICY INITIATIVES

In India, the legal and regulatory landscape governing data localization has witnessed significant
developments, marked by legislative initiatives and judicial pronouncements aimed at balancing
data protection, national security, and economic interests. The proposed Data Protection Bill,
along with existing statutes and case law, provides insight into the country's approach to data
localization.

PROPOSED DATA PROTECTION BILL (DPDA BILL)

The Data Protection Bill is crucial to developing India's data localization policies by regulating
the processing of personal data and protecting people' privacy rights. The measure does not
require data to be stored in a certain location, but it does give the government the authority to
specify some types of personal data that must only be handled inside the country for strategic or
national security purposes. This clause demonstrates India's increasing focus on protecting
sensitive data and guaranteeing data sovereignty.

INFORMATION TECHNOLOGY ACT, 2000 (IT ACT)

The principal legislation governing several aspects of digital commerce, including data
protection and cybersecurity, is the IT Act, which was updated in 2008. Organisations handling
sensitive personal data are required by Section 43A of the IT Act and the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011 to implement appropriate security measures to protect data from
unauthorised access, disclosure, or misuse. The IT Act does not mandate data localization but
underscores the need of data security and privacy in the digital realm.

12 | P a g e
SECTORAL REGULATIONS AND GUIDELINES
Aside from general laws, specialised rules and standards in different sectors also impact data
localization procedures in India. The Reserve Bank of India (RBI) requires that payment system
data must be retained only inside the country's borders, according to its circular released in April
2018. This rule demonstrates the RBI's emphasis on improving the security and integrity of
financial data, in line with the larger goals of data localization.

RELEVANT CASE LAW

The Supreme Court established the basic right to privacy in March 1953. People opposed
government-issued search warrants because they violated basic rights. The Supreme Court
determined that the Constitution of India does not clearly state a fundamental right to privacy. 15

In December 1962, the Supreme Court recognised the right to privacy, even though it was a
minority viewpoint. The Supreme Court majority opinion dismissed the idea of an inherent right
to privacy and allowed surveillance in a case where police monitoring methods were questioned.
The minority opinion contended that privacy was protected as a fundamental right under the
Constitution. It was only the subjective perspective of a select few persons, hence not
mandatory.16

In March 1975, the Supreme Court affirmed that privacy is a right derived from common law.
The Supreme Court acknowledged a common law right to privacy for the first time. The Court
recognised a right to privacy, even though it is neither legally protected or deemed a basic right.
The case challenged the legality of police rules permitting them to conduct surveillance on
people.17

In October 1994, the Supreme Court linked the constitutionally protected right to privacy with
the right to life. The Supreme Court first linked the right to privacy with the right to life and
personal liberty protected by Article 21 of the Constitution in a case where a notorious felon

15
MP Sharma & Ors. v. Satish Chandra, District Magistrate, Delhi & Ors, 1954 AIR 300, 1954 SCR 1077.
16
Kharak Singh v. State of Uttar Pradesh, 1963 AIR 1295, 1964 SCR (1) 332.
17
Govind Singh v. State of M.P. 1975 AIR 1378, 1975 SCR (3) 946.

13 | P a g e
contended that a news magazine's publication of his memoirs violated his right to privacy. The
Court declared that the right to privacy is not unlimited.18

In recent years, India has been increasingly aware of privacy issues, especially after the
Puttaswamy case and the Cambridge Analytica-Facebook scandal. This is often cited as a reason
for mandating the storage of personal data inside India. We need enhanced protections for Indian
data, especially private data, in response to the widespread sharing of information online and the
potential harm from unauthorised disclosures. Storing data in India does not always provide
enhanced security or less risk of misuse. This will continue to be true unless we implement
thorough and effective data security laws.

The Srikrishna Committee has published a first draft of the Personal Data Protection Bill, 2018,
which contains safeguards that may not completely resolve concerns about protecting people
from unchecked government monitoring. It is unclear how much time India will need to create
suitable laws and construct the required institutions to efficiently investigate and punish those
who break these rules. Indian espionage regulations today provide the government substantial
discretion to be invasive, making this matter critical. The IT Act and the Telegraph Act of 1885,
which deal with monitoring, are presently not in accordance with the Supreme Court's rulings in
the Puttaswamy case.19 The current privacy policy under the IT Act is deficient in terms of rights,
solutions, and enforcement. If these events occur, requiring the localization of a significant
amount of data without ensuring its protection might potentially compromise the security of
Indian data rather than enhancing it.

Analyzing the balance between DPDA and data localization

Section 17 of the Digital Personal Data Protection Bill, 2022 (DPDA Bill) addresses cross-border
data transfers, a crucial aspect of data protection laws with significant implications for global
business operations. This section proposed a mechanism whereby the Central Government would
create a whitelist of territories to which the transfer of personal data is permissible. However, this
provision raised several concerns and criticisms within the industry and among legal experts.

One major concern was the potential for this whitelist approach to disrupt global business
processes. By requiring prior authorization for data transfers to specific jurisdictions, the
18
R. Rajagopal v. State of Tamil Nadu, 1995 AIR 264, 1994 SCC (6) 632.
19
Justice K.S Puttaswamy (Retd.) v. Union of India and Ors., WP (C) 494 of 2012.

14 | P a g e
provision introduced uncertainty and administrative burdens for businesses engaged in cross-
border data flows. The lack of clarity regarding which territories would be included in the
whitelist and the process for obtaining approval raised practical challenges for organizations
operating internationally.20

Another criticism centered around the compatibility of Section 17 with existing localization
requirements in India. Given that various sectors already had sector-specific localization
mandates, there was ambiguity about how the whitelist mechanism would interact with these pre-
existing regulations. This raised questions about whether transfer to whitelisted locations would
be permissible under the DPDA Bill's provisions or if it would conflict with the existing
localization regime.

Overall, Section 17 of the DPDA Bill aimed to regulate cross-border data transfers by
establishing a whitelist of approved territories. However, concerns about its potential impact on
global business operations and its compatibility with existing localization requirements
highlighted the need for a careful review and reconsideration of this provision in subsequent
legislative iterations.

Comprehensive Analysis of Key Provisions in Nishith Desai Associates India’s Digital

Personal Data Protection Act, 2023
BLOCKAGE OF INFORMATION

This section delves into the Central Government's authority to limit access to content deemed to
be against the public interest. It references Section 69A of the IT Act, which permits the
government to mandate internet information filtering for certain reasons, without explicitly
stating "interest of the general public." Article 19(2) of the Indian Constitution allows restrictions
on freedom of speech and expression to protect India's sovereignty, integrity, state security,
international relations, public order, decency, and morality. Judicial precedents, such as the State
of Orissa v. Radhey Shyam Meher case, have interpreted the term "in the interest of the general
public" to include public health, morality, economic stability, prevention of fraud, and the
implementation of Directive Principles under Part IV of the Constitution. The statement

20
Shroff, Cyril, et al. (2023) “A Fine Balance:The DPDA and Data Localization”, Cyril Amarchand Blogs, 17
August. Available at: https://corporate.cyrilamarchandblogs.com/2023/08/a-fine-balancethe-dpda-and-data-
localization/ (Accessed: February, 2024).

15 | P a g e
emphasises that intermediaries, including ISPs and TSPs, are required to comply with blocking
orders issued by the Central Government.21

EXCLUSION OF CIVIL COURTS' JURISDICTION

This section explains that civil courts do not have the authority to hear cases or procedures
pertaining to topics within the jurisdiction of the Data Protection Board as per the DPDPA. No
injunctions may be granted against activities conducted under the Act. Section 177 of the Indian
Penal Code (IPC) highlights the limitation of civil court jurisdiction in certain cases. 22

PENALTIES
This section outlines the consequences for violating the DPDPA, with the severity of the
infraction dictating the amount of the penalty. When calculating the punishment, various factors
are taken into account, including the type, severity, and length of the breach, as well as its impact
and any mitigating measures taken. The DPDPA's Schedule outlines different fines for different
kinds of violations; the failure to put sufficient security measures in place to prevent breaches of
personal data carries a maximum penalty of INR 2.5 billion. Sections 8, 33, and 44 of the
DPDPA are pertinent sections, and references to the Indian Penal Code (IPC) for specific legal
aspects are also included.23

PARTIES LIABLE FOR PENALTIES

This section discusses the entities that may be subject to penalties under the DPDPA, including
data fiduciaries, consent managers, and intermediaries. Unlike previous drafts, the DPDPA does
not empower affected data principals to seek compensation directly. The sums collected as
penalties are directed to the Consolidated Fund of India. Relevant sections include Section 8,
Section 33, and Section 44 of the DPDPA.24

DELEGATED LEGISLATION
This section addresses the rule-making powers granted to the government under the DPDPA,
covering various aspects such as breach notifications, registration of consent managers, and the
composition of the Data Protection Board. It refers to Section 40 of the DPDPA and underscores
21
Desai, N. (2023) News details, Nishith Desai Associates India’s Digital Personal Data Protection Act, 2023:
“History in the Making”. Available at: https://www.nishithdesai.com/NewsDetails/10703 (Accessed: 29 February
2024).
22
Section 177 of the Indian Penal Code, 1860.
23
Section 8, Section 33 and Section 44 of the DPDPA, 2023.
24
Supra at 19.

16 | P a g e
the need for legislative guidance for each rule-making power to ensure transparency and
effectiveness in implementation.

TIMELINES FOR COMPLIANCE AND CONFLICT WITH OTHER LAWS

This section emphasises the lack of defined compliance deadlines in the DPDPA and the possible
contradictions with other current legislations. The provisions of the DPDPA take precedence in
the event of disputes with other legislation. The relevant legislation are the Right to Information
(RTI) Act and the IT Act. The Constitution of India, namely Article 19(2), establishes the
foundation for imposing reasonable limitations on certain rights, such as freedom of speech and
expression, to address distinct public interests.25

Understanding the Indigenous "Proportionality Test": A Probable Solution?

The principle of proportionality, deeply entrenched in constitutional law, serves as a fundamental
tool for resolving conflicts between individual rights and state interests. It stipulates that any
measures curtailing rights must be proportional to the objectives pursued, emphasizing
legitimacy, necessity, suitability, and balance.

THE NEED FOR AN INDIGENOUS APPROACH WITHIN THE DPDA

In the realm of data localization regulations, there's a growing recognition of the necessity for an
indigenous approach to assess proportionality. Such an approach would take into account the
unique socio-economic, legal, and cultural dynamics within India, while drawing insights from
international jurisprudence.26

APPLICATION IN THE INDIAN CONTEXT

The integration of an indigenous proportionality test into the Indian legal framework holds
significant promise in ensuring the alignment of data localization measures with constitutional
principles and international obligations. By evaluating the legitimacy, necessity, and impact of
such regulations, policymakers and courts can effectively balance individual rights with national
interests.27
25
Christoffersen, J. (2009) “Chapter 2. the principle of proportionality”, Brill. Available at:
https://brill.com/display/book/9789004180819/Bej.9789004170285.i-670_003.xml (Accessed: 29 February 2024).
26
Hildebrandt, Mireille, “Privacy and Data Protection”, Law for Computer Scientists and Other Folk (Oxford, 2020;
online edn, Oxford Academic, 23 July 2020), https://doi.org/10.1093/oso/9780198860877.003.0005, accessed 29
Feb. 2024.
27
Shekhar, Raj and Choudhary, Aman Yuvraj, “Data Localisation and Cross- Border Flow of Data: Balancing the
Incongruent Dimension of Barriers”, Safeguards and “Free Flow of Data”. RGNUL FINANCIAL AND

17 | P a g e
IMPLICATIONS AND CHALLENGES WITHIN THE DPDA
Implementing an indigenous proportionality test presents both opportunities and challenges
within the context of the DPDA. While it provides a principled approach to assess regulatory
measures, its effective application necessitates careful consideration of contextual factors and
stakeholder perspectives. Ensuring consistency and coherence in its application across diverse
regulatory contexts poses a notable challenge.

ANALYSIS
The incorporation of an indigenous proportionality test into the DPDA signifies a significant step
towards ensuring the legality and legitimacy of data localization measures. By considering
India's unique socio-economic and cultural landscape, this approach can enhance the
accountability and transparency of regulatory decisions while safeguarding individual data
rights. However, challenges such as ensuring consistency and balancing competing interests
underscore the need for meticulous implementation and ongoing refinement of the
proportionality doctrine within the DPDA framework. Moreover, aligning domestic regulations
with international standards and best practices will be crucial in fostering interoperability and
facilitating cross-border data flows, thereby promoting India's participation in the global digital
economy.

Conclusion- A Need for Fine Balance:The DPDA and Data Localization

In conclusion, the analysis of the Digital Personal Data Protection Act, 2023 (DPDA) in the
context of data localization reveals a delicate balancing act undertaken by Indian regulators. The
DPDA, while addressing concerns surrounding cross-border data transfers, seeks to strike a fine
balance between data sovereignty and enabling global data flows to foster innovation and
economic growth.

The evolution of Indian regulations, from initial drafts raising concerns about localization to the
final enactment of the DPDA, reflects a responsive approach to stakeholder feedback and global
best practices. The Act's provisions, particularly Section 16, signify a departure from restrictive
measures towards a more facilitative framework for cross-border data transfers.

MERCANTILE LAW REVIEW 2022, Available at SSRN: https://ssrn.com/abstract=4692903

18 | P a g e
However, challenges persist in implementing effective safeguards to ensure data protection and
privacy while promoting business interests. The absence of detailed guidelines on safeguards
leaves room for uncertainty, necessitating proactive measures by businesses to ensure
compliance with evolving regulatory requirements.28

Nevertheless, the DPDA represents a significant step towards aligning India's data protection
regime with international standards while accommodating sector-specific regulations. As India
continues to navigate the complexities of the digital economy, the DPDA provides a foundation
for ensuring a harmonious balance between data localization imperatives and the imperative of
global data flows.29

In essence, the DPDA embodies India's commitment to fostering a conducive environment for
data-driven innovation while upholding individual privacy rights and ensuring data sovereignty.
The Act's implementation and enforcement will be crucial in realizing its objectives and
maintaining the delicate equilibrium between competing interests in the digital age.

28
Kalika Likhi, “India’s data localization efforts could do more harm than good,” The Atlantic Council. February,
2024. https://www.atlanticcouncil.org/blogs/new-atlanticist/india-s-data-localization-efforts-could-do-more-harm-
than-good/.
29
Jonah Force Hill, Matthew Noyes, “Rethinking Data, Geography, and Jurisdiction: Towards a Common
Framework for Harmonizing Data Flow Controls”. The New America Foundation. February 2024. P.9, 11, 12.

19 | P a g e