
Data Localization in the Digital Personal Data Protection Act (DPDPA)

  • Writer: Sameer Mathur
  • May 7


India's Digital Personal Data Protection Act (DPDPA) takes a differentiated approach to data localization and primarily adopts a blacklisting model. This means that the Indian government can refuse data flows to specific countries or territories deemed inadequate with respect to data protection standards.


Therefore, the DPDPA recognizes the importance of allowing cross-border data flows for businesses and innovation. It duly recognizes the scope for cross-border transfer of personal data to countries or territories with adequate data protection mechanisms and laws.


The DPDPA neither permits nor requires all kinds of personal data to be stored in India. However, it anticipates that certain categories of sensitive personal data may have to be stored locally.


In this way, it tries to balance the demands of data protection with those of the global digital economy.


Key takeaways:

  • The DPDPA takes a blacklisting approach to data localization.

  • Cross-border data transfers are generally permitted, subject to a limited number of conditions.

  • The DPDPA may place some sensitive personal data under an obligation of local storage.



Conclusion:


The DPDPA therefore attempts to strike a balance between individual privacy protection and an active digital economy. By implementing risk-based approaches and avoiding excessive restrictions, the Act aims to develop a structure that promotes innovation but ensures the secure processing of personal data within India.

