Rule 3.5 of the Companies (Accounts) Rules of 2014 provides that if company books and papers (or backups of them) are kept electronically in any location, they must also be periodically stored on a server physically located in India. 

In April 2018, the Reserve Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.
Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction so as to allow payment firms to store data offshore as long as a copy was kept in India. The RBI has further clarified that for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may be stored abroad if required.
With respect to the processing of payment transactions outside India, the RBI requires that the data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity, such as settlement processing after payment processing done outside India, must be undertaken on a real-time basis, pursuant to which the data must be stored only in India.
The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad. Still, with respect to domestic payment transactions, the data must be stored only in India.

According to the Insurance Regulatory and Development Authority of India (IRDAI) Maintenance of Insurance Records Regulations, 2015 (Regulation 3.9), "Insurers are required that [...] (ii) the records pertaining to policies issued and claims made in India (including the records held in electronic form) are held in data centres located and maintained in India." In addition, the 2017 Regulations on Outsourcing of Activities by Indian Insurers provide that Indian insurers, even in cases where they outsource their services outside India, must retain all original records in India.

Rule 7 of Information Technology Rules 2011 states that the export of sensitive personal data or information within or outside India is permissible, provided that the same standards of data protection required in India are adhered to and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information. Sensitive personal information includes passwords, financial information such as bank account or credit/debit card details, sexual orientation, physical and mental health condition, and biometric information, among others.

India has not joined any agreement with binding commitments to open transfers of data across borders.

India has not yet enacted specific legislation concerning data protection. Currently, the regulation of personal data processing is primarily governed by the Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011, which were promulgated under the Act. Additionally, sector-specific laws, such as those applicable to the financial services and telecommunications sectors, contribute to the regulatory framework.
The Digital Personal Data Protection Act was enacted on 11 August 2023 and will come into force on a date to be notified by the Government of India. As of February 2024, the Act has not yet become effective. Once in effect, the Act is expected to establish a comprehensive data protection regime in India.

Section 5 of Direction No. 20(3)/2022-CERT-In mandates data centres, virtual private server providers, cloud service providers, and virtual private network service providers to mandatorily collect and retain certain subscriber-related information accurately for a minimum period of five years after the subscriber is no longer availing the underlying services. These data sets include subscriber names, period of hire including dates, IPs allocated and used, e-mail address along with IP and time stamp used at time of registration, purpose of availing the services, verified address and contact numbers, and ownership pattern of subscribers. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must also maintain KYC information and records of financial transactions for a period of 5 years. Specific to transaction records, Direction No. 20(3)/2022-CERT-In states that information must be maintained accurately in such a way that individual transactions can be reconstructed along with the relevant constituents such as IP addresses, time zones, transaction ID, public keys or equivalent identifiers, addresses or accounts involved, nature and date of transaction, amount transferred, etc.

Bharat Sanchar Nigam Limited, the incumbent, is fully owned by the Government of India. BSNL (Bharat Sanchar Nigam Ltd.) provides all types of telecom services, namely telephone services on landlines, Wireless Local Loop and GSM mobile, Broadband, Internet, leased circuits and long-distance telecom services.

According to the License Agreement for Provision of Internet Services, the Internet Service Provider licensee shall maintain all commercial records, call detail records, exchange detail records, and IP detail records with regard to the communications exchanged on the network. Such records shall be archived for at least two years for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the Licensor.

India does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, the Accounting Separation Regulation is applicable to all the service providers having aggregate turnover of not less than rupees one hundred crore (approx. 12,182,700 USD) during the accounting year for which report is required to be submitted from operations under the telecom license(s) issued to them under section 4 of the Indian Telegraph Act 1885. The telecom service providers are required to submit their audited accounting separation reports based on a historical cost basis every year and on a replacement cost basis every second year within seven months of the end of the accounting year.

According to the Consolidated Foreign Direct Investment (FDI) Policy Circular 2020, foreign direct investment in telecom services (including fixed, mobile, and internet) is subject to compliance with both licensing and security conditions by the licensees and investors. These regulatory requirements have been in place since the implementation of the Consolidated FDI Policy Circular 2013 (Section 6.2.15). The conditions are outlined in the License Agreement for Unified License, which applies to all telecom services across the country.
Internet Service Providers (ISPs) and Telecom Service Providers (TSPs) in India must comply with the License Agreement for the Provision of Internet Services. Additionally, TSPs are required to adhere to two separate license agreements: the Cellular Mobile Telephone Service (CMTS) License Agreement, which governs cellular mobile communications, and the License Agreement for the Provision of Basic Telephone Services (BTS), which covers landlines. Reports suggest that these licenses provide the government with significant access to communication data held and processed by service providers.
It is also noted that India’s one-time licensing fees—approximately USD 500,000 for a service-specific license or USD 2.7 million for an all-India Universal License—act as a barrier to market entry for small and medium-sized enterprises.

India has traditionally implemented FDI screening for investors from Bangladesh and Pakistan. According to Section 3.1.1 of the Consolidated FDI Policy 2020, non-resident entities may invest in India, subject to the conditions specified in the policy, except in prohibited sectors or activities. However, investment by citizens of Bangladesh or Pakistan is permitted solely through government approval. This regulatory requirement has been in effect since the enactment of the Consolidated FDI Policy Circular 2013 (Section 3.1.1).
Notwithstanding this framework, in April 2020, the Ministry of Commerce and Industry introduced the Review of Foreign Direct Investment (FDI) Policy for Curbing Opportunistic Acquisitions of Indian Companies (Press Note 3). Under this policy revision, the FDI regime was expanded to mandate government approval for investments from any entity based in a country that shares a land border with India. Furthermore, the policy stipulates that any direct or indirect transfer of ownership of existing or future FDI in India, which results in a change in beneficial ownership falling within the scope of the conditions set forth in the Press Note, will similarly require government approval.
This legislative adjustment primarily targeted China in response to escalating border tensions between the two nations. Since the introduction of Press Note No. 3, an estimated 150 private equity and venture capital investment applications from China and Hong Kong have remained pending government clearance.

According to Section. 6.2.14 of the 2020 Consolidated Foreign Direct Investment (FDI) Policy Circular, full foreign direct ownership is permitted in the telecommunications sector (including Category-I Telecommunications Infrastructure Providers). However, government approval is required for FDI above 49%. This regulatory requirement has been in effect since the enactment of the Consolidated FDI Policy Circular 2013 (Section 6.2.15).

According to the Patent Act, 1970 (Act No. 39 of 1970, as amended up to Act No. 15 of 2005) and the Patents Rules, 2003 (as amended up to Patents (Amendment) Rules, 2012), applications for copyright, trademark and patents can be filed online, however, design applications can only be filed in person. Moreover, applicants who do not have a registered place of business in India are required to file applications through an Indian attorney or agent.

In 2002, the foreign filing license requirement was introduced in the Indian Patents Act of 1970. This requirement provides that any inventor who is a resident of India should file a patent application for his/her own invention first in India. The patent application can be extended internationally only six weeks after the initial filing date. Alternatively, the inventor is required to obtain the controller’s permission for filing the patent application outside India. However, given that the process is reported as burdensome, applying first in India is the preferred way of complying with these provisions. The violation of such rule results in criminal liability under Section 118 of the Indian Patent Act of 1970, with consequent monetary fine or imprisonment of up to two years, in addition to the impossibility of proceeding with the patent application.