INDIA
Since August 2023, entry into force in May 2027
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Digital Personal Data Protection Act, 2023
Pursuant to Section 10 of the Digital Personal Data Protection Act, a significant data fiduciary must appoint a data protection officer based in India, who is responsible, inter alia, for conducting periodic data protection impact assessments comprising a description of the rights of data principals, the purposes for which their personal data are processed, an evaluation and management of risks to those rights, and any additional matters prescribed in relation to such assessments. Under Section 2, a data fiduciary is defined as any person who, alone or jointly with others, determines the purposes and means of processing personal data; a significant data fiduciary refers to any data fiduciary, or class thereof, designated as such by the Central Government under Section 10; and a data principal denotes the individual to whom the personal data relate.
Coverage Horizontal
INDIA
Since February 2021
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
Under Rule 4 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021, a "significant" social media intermediary (defined as a social media intermediary having number of registered users in India above 5,000,000) must appoint a Chief Compliance Officer who must ensure compliance with the Rules and will be liable in any proceedings relating to any relevant third-party information, data or communication link made available or hosted by that intermediary where he/she fails to ensure that such intermediary observes due diligence while discharging its duties under the Rules.
Coverage Significant social media intermediaries
INDIA
Since June 2000, as amended in October 2009, last amended in August 2023
Since October 2009
Since October 2009
Since October 2009
Since October 2009
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Information Technology Act, 2000
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
Under Section 69 of the Information Technology Act, both central and state governments are empowered to instruct any government agency to intercept, monitor, or decrypt electronic information. This authority can be exercised on the following grounds: in the interest of India's sovereignty or integrity; for the security of the State; to maintain friendly relations with foreign states; for public order; or to prevent or investigate the commission of an offence. Additionally, under Section 69B, the government is authorised to permit any agency to monitor and collect traffic data or information exchanged through a computer resource.
The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules of 2009, both promulgated under the Information Technology Act, provide procedural guidelines for carrying out such interception and monitoring. For example, Rule 3 of the latter Rules permits the collection and/or monitoring of traffic data or information via a computer resource for several purposes, including: forecasting imminent cyber incidents; monitoring network applications; identifying and determining viruses or computer contaminants; tracking cybersecurity breaches or incidents; identifying individuals who have breached or are suspected of breaching cybersecurity measures; conducting forensic analyses as part of investigations or internal audits of information security practices; accessing stored data for the enforcement of cybersecurity law; or addressing any other cybersecurity-related issues.
The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules of 2009, both promulgated under the Information Technology Act, provide procedural guidelines for carrying out such interception and monitoring. For example, Rule 3 of the latter Rules permits the collection and/or monitoring of traffic data or information via a computer resource for several purposes, including: forecasting imminent cyber incidents; monitoring network applications; identifying and determining viruses or computer contaminants; tracking cybersecurity breaches or incidents; identifying individuals who have breached or are suspected of breaching cybersecurity measures; conducting forensic analyses as part of investigations or internal audits of information security practices; accessing stored data for the enforcement of cybersecurity law; or addressing any other cybersecurity-related issues.
Coverage Horizontal
Sources
- https://web.archive.org/web/20211115020524/https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
- https://web.archive.org/web/20231005133242/https://www.meity.gov.in/writereaddata/files/Information%20Technology%20(Procedure%20and%20Safeguards%20for%20Interception,%20Monitoring%20and%20Decryption%2...
- https://web.archive.org/web/20221223012141/https://upload.indiacode.nic.in/showfile?actid=AC_CEN_45_76_00001_200021_1517807324077&type=rule&filename=ru_cen_45_0_00028_1519711141735.pdf
- https://www.dataguidance.com/notes/india-third-country-assessment
- https://web.archive.org/web/20231221030143/https://www.gp-digital.org/world-map-of-encryption/
- Show more...
INDIA
Since December 2023
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Telecommunications Act, 2023
Pursuant to Art. 20(2) of the Telecommunications Act, 2023, in the event of a public emergency or in the interest of public safety, the Central Government, a State Government, or any officer specifically authorised by either, may issue an order—if deemed necessary or appropriate—directing that any message or category of messages, whether sent or received by any person or group of persons, through any telecommunication equipment or network, and relating to any specific subject, be prohibited from transmission, intercepted, detained, or disclosed in an intelligible format to the designated officer identified in the order. It is not clear whether a court order is required to access the data.
Coverage Horizontal
INDIA
Since November 2023
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
Pension Fund Regulatory and Development Authority (PFRDA) Circular No. PFRDA/2023/33/ICS/01 - Policy on adoption of cloud services by intermediaries regulated by PFRDA
Section 5.e of the Annexure to Circular No. PFRDA/2023/33/ICS/01 stipulates that entities regulated by the Pension Fund Regulatory and Development Authority (PFRDA) are required to ensure that all data storage and processing activities, including logs and any other information pertaining to the intermediary hosted on cloud infrastructure, are conducted strictly within the territorial jurisdiction of India.
Coverage Pension services sector
INDIA
Since May 2025
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
Reserve Bank of India (Digital Lending) Directions, 2025
Section 13.4 of the "Reserve Bank of India (Digital Lending) Directions, 2025" stipulates that regulated entities must ensure that all data are stored exclusively on servers located within India. Where data are processed outside India, such data must be deleted from servers located abroad and repatriated to India within 24 hours of completion of processing. These requirements apply to all commercial banks; all primary (urban) co‑operative banks, state co‑operative banks, and central co‑operative banks; all non-banking financial companies, including housing finance companies; and all all‑India financial institutions.
Previously, pursuant to Section 4.4.2.2 of Annex 1 of the Regulatory Framework for Digital Lending, entities were required to ensure that all data were hosted on servers located within India, in strict adherence to applicable regulatory directives and legal obligations. This framework was introduced by the Reserve Bank of India, drawing upon the recommendations of the Working Group on Digital Lending, which examined lending practices conducted through online platforms and mobile applications.
Previously, pursuant to Section 4.4.2.2 of Annex 1 of the Regulatory Framework for Digital Lending, entities were required to ensure that all data were hosted on servers located within India, in strict adherence to applicable regulatory directives and legal obligations. This framework was introduced by the Reserve Bank of India, drawing upon the recommendations of the Working Group on Digital Lending, which examined lending practices conducted through online platforms and mobile applications.
Coverage Financial sector
Sources
- https://web.archive.org/web/20260428220126/https://rbidocs.rbi.org.in/rdocs/notification/PDFs/36NT8C402BE7C2A349E0BFFF3C526668CD7A.PDF
- https://web.archive.org/web/20260428220351/https://digitalpolicyalert.org/event/30271-reserve-bank-of-india-digital-lending-directions-2025-rbi2025-2636-including-data-localisation-requirement-enters-...
- https://web.archive.org/web/20250903215303/https://rbidocs.rbi.org.in/rdocs/content/pdfs/PR689DL10082022_AN1.pdf
- https://web.archive.org/web/20250903215318/https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=54187
- https://web.archive.org/web/20250903215435/https://digitalpolicyalert.org/event/6422-rbi-released-regulatory-framework-for-digital-lending-including-provisions-on-data-localisation
- Show more...
INDIA
Since April 2022, entry into force in September 2022
Pillar Cross-border data policies |
Indicator Local storage requirement
Indian Computer Emergency Response Team (CERT-In) Direction No. 20(3)/2022-CERT-In
Clause IV of Direction No. 20(3)/2022-CERT-In requires all service providers, intermediaries, data centres, body corporates, and government organisations to enable logs of all their ICT systems (that is, chronological record of system activities—a set of logs that can show who did what, when, and how within an ICT system) and to maintain such logs securely for a rolling period of 180 days within India.
Coverage Horizontal
Sources
- https://web.archive.org/web/20250817103450/https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
- https://www.dataguidance.com/notes/india-data-transfers
- https://web.archive.org/web/20250903230435/https://digitalpolicyalert.org/event/8749-implemented-cert-ins-information-security-practices-directive-including-data-localisation-requirement-for-msmes
- Show more...
INDIA
Since April 2018
Pillar Cross-border data policies |
Indicator Local storage requirement
Reserve Bank of India Directive
In April 2018, the Reserve Bank of India (RBI) issued a directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.
Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction so as to allow payment firms to store data offshore as long as a copy was kept in India. The RBI has further clarified that for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may be stored abroad if required.
With respect to the processing of payment transactions outside India, the RBI requires that the data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity, such as settlement processing after payment processing done outside India, must be undertaken on a real-time basis, pursuant to which the data must be stored only in India.
The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad. Still, with respect to domestic payment transactions, the data must be stored only in India.
Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction so as to allow payment firms to store data offshore as long as a copy was kept in India. The RBI has further clarified that for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may be stored abroad if required.
With respect to the processing of payment transactions outside India, the RBI requires that the data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity, such as settlement processing after payment processing done outside India, must be undertaken on a real-time basis, pursuant to which the data must be stored only in India.
The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad. Still, with respect to domestic payment transactions, the data must be stored only in India.
Coverage Financial sector
Sources
- https://web.archive.org/web/20220831194833/https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0
- https://web.archive.org/web/20210203072145/https://m.rbi.org.in/Scripts/FAQView.aspx?Id=130
- https://web.archive.org/web/20181006025709/https://in.reuters.com/article/india-data-localisation-exclusive/exclusive-india-proposes-easing-local-data-storage-rules-for-foreign-payment-firms-document-...
- https://web.archive.org/web/20211018072920/https://www.mondaq.com/india/financial-services/1098560/guidelines-for-storage-of-payment-data
- Show more...
INDIA
Since March 2014, entry into force in April 2014
Pillar Cross-border data policies |
Indicator Local storage requirement
Companies (Accounts) Rules, 2014
Rule 3.5 of the Companies (Accounts) Rules of 2014 provides that if company books and papers (or backups of them) are kept electronically in any location, they must also be periodically stored on a server physically located in India.
Coverage Horizontal
INDIA
N/A
Pillar Telecom infrastructure & competition |
Indicator Signature of the WTO Telecom Reference Paper
Partial appendment of WTO Telecom Reference Paper to schedule of commitments
India has only partially appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector
INDIA
Since August 2023, entry into force in May 2027
Since November 2025, entry into force in May 2027
From April 2011 to May 2027
Since November 2025, entry into force in May 2027
From April 2011 to May 2027
Pillar Cross-border data policies |
Indicator Conditional flow regime
Digital Personal Data Protection Act, 2023
Digital Personal Data Protection Rules, 2025
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Digital Personal Data Protection Rules, 2025
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Section 16.1 of the Digital Personal Data Protection Act stipulates that the Central Government may, by notification, impose restrictions on the transfer of personal data by a data fiduciary for processing to any country or territory outside India as may be specified. In addition, Section 16.2 provides that nothing in Section 16 shall limit the operation of any law currently in force in India that affords a higher level of protection or imposes stricter conditions on the transfer of personal data by a data fiduciary outside India, whether in respect of particular categories of personal data, specific data fiduciaries, or designated classes thereof. Under Section 2, a data fiduciary is defined as any person who, either independently or jointly with others, determines the purpose and means of processing personal data.
Section 15 of the Digital Personal Data Protection Rules, which implement the Digital Personal Data Protection Act, provides that personal data processed by a data fiduciary under the Act may be transferred outside the territory of India, subject to the requirement that the data fiduciary complies with such conditions as the Central Government may prescribe, by general or special order, in relation to making such personal data available to any foreign State, or to any person, entity, or agency under the control of, or associated with, such a State; in addition, section 13.4 of the Rules requires a significant data fiduciary to implement measures ensuring that personal data specified by the Central Government, on the basis of recommendations of a committee constituted for that purpose, is processed subject to the restriction that both the personal data and the traffic data relating to its flow are not transferred outside the territory of India. “Significant data fiduciary” is defined as any data fiduciary or class of data fiduciaries notified as such by the Central Government under section 10 of the Act.
Once the Digital Personal Data Protection Act is fully in force, on 13 May 2027, the Information Technology Rules will be repealed. Rule 7 of Information Technology Rules states that the export of sensitive personal data or information within or outside India is permissible, provided that the same standards of data protection required in India are adhered to and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information. Sensitive personal information includes passwords, financial information such as bank account or credit/debit card details, sexual orientation, physical and mental health condition, and biometric information, among others.
Section 15 of the Digital Personal Data Protection Rules, which implement the Digital Personal Data Protection Act, provides that personal data processed by a data fiduciary under the Act may be transferred outside the territory of India, subject to the requirement that the data fiduciary complies with such conditions as the Central Government may prescribe, by general or special order, in relation to making such personal data available to any foreign State, or to any person, entity, or agency under the control of, or associated with, such a State; in addition, section 13.4 of the Rules requires a significant data fiduciary to implement measures ensuring that personal data specified by the Central Government, on the basis of recommendations of a committee constituted for that purpose, is processed subject to the restriction that both the personal data and the traffic data relating to its flow are not transferred outside the territory of India. “Significant data fiduciary” is defined as any data fiduciary or class of data fiduciaries notified as such by the Central Government under section 10 of the Act.
Once the Digital Personal Data Protection Act is fully in force, on 13 May 2027, the Information Technology Rules will be repealed. Rule 7 of Information Technology Rules states that the export of sensitive personal data or information within or outside India is permissible, provided that the same standards of data protection required in India are adhered to and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information. Sensitive personal information includes passwords, financial information such as bank account or credit/debit card details, sexual orientation, physical and mental health condition, and biometric information, among others.
Coverage Horizontal
Sources
- https://web.archive.org/web/20251216131748/https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
- https://web.archive.org/web/20251216133658/https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf
- https://web.archive.org/web/20260501180450/https://www.dpdpa.com/DPDP_Rules_2025_English_only.pdf
- https://web.archive.org/web/20150909231036/http://www.wipo.int/wipolex/en/text.jsp?file_id=338328
- https://www.dataguidance.com/notes/india-data-protection-overview
- https://web.archive.org/web/20260501181151/https://digitalpolicyalert.org/event/35475-ministry-of-electronics-and-information-technology-issued-digital-personal-data-protection-rules-including-data-lo...
- https://web.archive.org/web/20160405081123/https://clientsites.linklaters.com/Clients/dataprotected/Pages/India.aspx
- Show more...
INDIA
Since March 1997, last amended in 2023
Pillar Telecom infrastructure & competition |
Indicator Presence of an independent telecom authority
Telecom Regulatory Authority of India Act, 1997
It is reported that the Telecom Regulatory Authority of India (TRAI), the executive body responsible for the supervision and regulation of services in the telecommunications sector, operates independently of the government in its decision‑making processes. Pursuant to section 3 of the Telecom Regulatory Authority of India Act, TRAI is constituted as a body corporate with perpetual succession and a common seal, and is empowered, subject to the provisions of the Act, to acquire, hold and dispose of movable and immovable property, to enter into contracts, and to sue or be sued in its corporate name.
Coverage Telecommunications sector
INDIA
Since December 1993
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
Public Records Act (No. 69 of 1993)
Section 4 of the Public Records Act states that no person shall take or cause to be taken public records out of India without the prior approval of the Central Government, except if done for any official purpose.
Coverage Public sector
INDIA
Since March 2012
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
National Data Sharing and Accessibility Policy
India’s National Data Sharing and Accessibility Policy requires that “non-sensitive data available either in digital or analogue forms but generated using public funds” must be stored within the borders of India. The policy states that data belongs to the "agency/department/ministry/entity which collected them and resides in their IT-enabled facility” (Section 10).
Coverage Public sector
Sources
- https://web.archive.org/web/20230211101614/https://dst.gov.in/sites/default/files/gazetteNotificationNDSAP.pdf
- https://web.archive.org/web/20231006094116/https://www.usitc.gov/publications/332/pub4716.pdf
- https://web.archive.org/web/20220306032815/https://www.itic.org/public-policy/SnapshotofDataLocalizationMeasures6-13-2016.pdf
- https://web.archive.org/web/20211026012321/http://mapit.gov.in/pdf/carculer/NDSAP_2012.pdf
- Show more...
INDIA
Since December 2015
Since March 2017
Since October 2019
Since March 2017
Since October 2019
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
Request for Proposal (RFP) for Provisional Empanelment of Cloud Service Offerings of Cloud Service Providers (CSPs)
Guidelines for Government Departments on Contractual Terms Related to Cloud Services
Master Service Agreement: Procurement of Cloud Services
Guidelines for Government Departments on Contractual Terms Related to Cloud Services
Master Service Agreement: Procurement of Cloud Services
In 2015, India’s Ministry of Electronics and Information Technology (MeitY) issued guidelines for a cloud computing empanelment process under which cloud computing service providers may be provisionally accredited as eligible for government procurement of cloud services. The guidelines require such providers to store all data in India to qualify for accreditation.
In addition, Section 2.1.d of the Guidelines for Government Departments on Contractual Terms Related to Cloud Services requires that any government contracts contain a localisation clause mandating that all government data residing in cloud storage networks is located on servers in India.
Also, Section 1.17.4 of the Master Service Agreement: Procurement of Cloud Services outlines, among other things, that cloud service providers must offer cloud services to the purchaser from a MeitY-enrolled data centre which is located in India, the data must be stored within India, and must not be taken out of India without explicit approval by the purchaser.
In addition, Section 2.1.d of the Guidelines for Government Departments on Contractual Terms Related to Cloud Services requires that any government contracts contain a localisation clause mandating that all government data residing in cloud storage networks is located on servers in India.
Also, Section 1.17.4 of the Master Service Agreement: Procurement of Cloud Services outlines, among other things, that cloud service providers must offer cloud services to the purchaser from a MeitY-enrolled data centre which is located in India, the data must be stored within India, and must not be taken out of India without explicit approval by the purchaser.
Coverage Cloud computing services
Sources
- https://web.archive.org/web/20211004024352/https://www.meity.gov.in/writereaddata/files/RFP_CSPs_10_16.pdf
- https://web.archive.org/web/20210514050834/https://www.meity.gov.in/writereaddata/files/Guidelines_Contractual_Terms_Cloud_Procurement_V1.2.pdf
- https://egovstandards.gov.in/sites/default/files/2026-03/Guidelines%20for%20Master%20Service%20Agreement.pdf
- https://web.archive.org/web/20231006094116/https://www.usitc.gov/publications/332/pub4716.pdf
- https://web.archive.org/web/20220622000610/https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/
- https://www.dataguidance.com/news/india-meity-issues-guidelines-cloud-services
- Show more...
