India's Digital Trade Policy: Navigating Data Localisation vs Global Integration

The Digital Personal Data Protection Act 2023 is notably less prescriptive about data localisation than its predecessor, the Personal Data Protection Bill 2019, which had been withdrawn after years of lobbying by technology companies. The DPDPA does not mandate that all personal data be stored in India—a requirement that would have imposed compliance costs estimated at $5-10 billion on multinational companies. Instead, it grants the government authority to notify 'countries or territories outside India' to which personal data transfer is permitted, a positive list approach that is more nuanced than an outright localisation mandate. Data processing entities must notify individuals of data collection purposes, respond to access and deletion requests, and report breaches within 72 hours. Penalties for violations reach ₹250 crore ($30 million) per incident, with aggregate penalties capped at ₹500 crore. Critical sectors—financial services, healthcare, and defence—may face additional sector-specific localisation requirements from their respective regulators, creating a complex patchwork of compliance obligations.

For Google, Meta, Amazon, and Microsoft—all with enormous India operations—the DPDPA creates a compliance investment imperative regardless of the final regulatory detail. Google has spent $1 billion building data centres in Mumbai and Pune, in part to demonstrate its commitment to India-based infrastructure. Amazon Web Services has invested $12.7 billion in its India cloud region. Meta has deployed local content moderation infrastructure. These investments partly reflect genuine business logic—latency advantages for local users—but are also insurance against data localisation requirements that could mandate Indian data residency for Indian users. The Indian government's relationship with Big Tech is complex: it relies on US platforms for digital public goods delivery (UPI payments run on Google Pay and PhonePe; government services use WhatsApp for citizen notifications), while simultaneously asserting regulatory sovereignty. The government's blocking orders for Twitter/X and its demands for compliance with IT Rules 2021 have created friction that threatens the 'trusted partner' narrative both sides prefer.

The deepest contradiction in India's digital trade position involves its own IT services industry. India's $250 billion software and IT services exports depend fundamentally on unrestricted cross-border data flows. When a Bengaluru-based engineer processes payroll data for a German manufacturer, or when an Indian bank's back-office in Chennai handles a British retail bank's customer service—these activities require personal data to flow across borders without friction. India has historically championed free cross-border data flows in WTO digital trade negotiations precisely because data localisation requirements in the US or Europe would devastate its IT services competitiveness. India's position in WTO's Joint Statement Initiative on e-Commerce has been to oppose rules that would allow governments to mandate data localisation as a trade barrier. The DPDPA's positive list approach—where India reserves the right to designate 'safe' countries—is a mirror of exactly the data sovereignty posture India opposes when other countries adopt it.

India's FTA negotiations now routinely include digital trade chapters, and the tension between India's desire for market access in services and its assertion of data sovereignty is creating complex negotiating dynamics. The India-UK FTA digital trade chapter is relatively thin: both sides agreed to principles of open internet, interoperability, and paperless trading, while deferring data flow and localisation provisions to a separate track. India has declined to include binding data flow commitments in any FTA, citing national security concerns. The India-EU Trade and Investment Agreement negotiations have stalled partly over data adequacy—the EU requires that countries receiving European personal data provide 'essentially equivalent' protection, and India's DPDPA framework does not yet meet that standard. This data adequacy gap could effectively block Indian IT firms from handling EU citizens' data post-agreement, a potentially devastating restriction on a $30 billion industry.

India's digital trade policy requires a coherent strategic choice: it cannot simultaneously assert maximum data sovereignty domestically and demand maximum market access for its data-intensive service exports. The most viable resolution is a differentiated approach—robust sovereignty protections for consumer data in sectors like social media, e-commerce, and fintech, combined with flexible cross-border data flow arrangements for B2B services, professional services, and research data. Several models are available: the Singapore-Australia Digital Economy Agreement provides detailed frameworks for data flow without requiring full liberalisation; the APEC Cross-Border Privacy Rules system allows interoperability between different national frameworks through voluntary participation. India's membership in the India-EU data adequacy discussions and the US-India iCET technology partnership are the most likely vectors for building a coherent framework. The government's target of a ₹5.4 lakh crore ($65 billion) digital economy by 2026 requires clarity on data governance—investors, both domestic and foreign, are waiting.