Data Localisation in India
Why India mandates that payment data stays within its borders, and what that means for infrastructure, sovereignty, and you.
In April 2018, the Reserve Bank of India issued a circular that shook the fintech industry: all payment system operators must store their data exclusively in India. Not a copy: the primary data. Within India’s borders, on Indian servers, subject to Indian law.
Visa, Mastercard, PayPal, and dozens of other companies were given six months to comply. Some pushed back. Some asked for extensions. But the mandate held.
This is data localisation. And to understand why India chose this path, and why it matters to you, we need to start with a more basic question: where does data actually live?
Where Does Data Live?
In Chapter 2 we traced how paying ₹20 for chai via UPI generates records at five different entities: your PSP, your bank, NPCI, the recipient’s bank, and the recipient’s PSP.
But those records aren’t abstract. They exist as physical bits (magnetic patterns on hard drives, electrical charges in memory chips) sitting inside servers, which sit inside data centers, which sit in specific physical locations on Earth.
What Is a Data Center?
A data center is a building (or a campus of buildings) full of computers. Rows and rows of rack-mounted servers, connected by thick cables, cooled by industrial air conditioning, powered by redundant electricity supplies with backup generators.
India has data centers in Mumbai, Chennai, Hyderabad, Pune, Delhi-NCR, and other cities. The largest ones are run by companies like NTT, Equinix, CtrlS, and the Adani Group. Cloud providers like AWS (Amazon), Azure (Microsoft), and GCP (Google) operate their own data centers or lease space in existing ones.
When you hear that your data is “in the cloud,” it’s in one of these buildings. There is no cloud, just someone else’s computer, in a specific building, in a specific city, in a specific country.
Why Location Matters
Here’s the key fact: the physical location of a server determines which country’s laws apply to the data on it.
A server in Mumbai is subject to Indian law. Indian courts can issue orders to access data on it. Indian regulators can inspect it. Indian law enforcement can seize it.
A server in Virginia, USA is subject to American law. Even if it stores data about Indian citizens, collected by an Indian company, about transactions that happened in India, American law has jurisdiction as long as the server sits in Virginia.
This is the root of the data localisation debate.
Before 2018: Where Was Indian Data?
Before the RBI mandate, the picture looked like this:
Visa and Mastercard processed card transactions through Indian banks but stored transaction data on servers in the US and Singapore. Your HDFC credit card purchase at a Mumbai restaurant? The transaction record might be sitting in a data center in Ashburn, Virginia.
PayPal stored user data and transaction records on US servers, even for transactions between two Indian users.
WhatsApp stored messages (and metadata) on servers in the US, even for conversations between two people in Mumbai.
Google and Facebook stored Indian users’ data across a globally distributed network of data centers, with no guaranteed Indian presence.
This meant that a significant portion of India’s digital activity (payments, communications, social interactions, search history) was physically stored outside India, in jurisdictions where Indian regulators had limited or no direct access.
If Indian law enforcement wanted transaction records from Visa for a fraud investigation, they had to go through Mutual Legal Assistance Treaties (MLATs), slow diplomatic processes that could take months or years. Meanwhile, a US court could potentially access the same data with a domestic warrant.
The RBI Circular
On April 6, 2018, the RBI issued its circular: “Storage of Payment System Data.” The key requirement:
All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India.
The scope was specific to payment data: not all data, but transaction records, customer data, payment credentials, and any information collected or processed as part of a payment transaction.
The deadline: October 15, 2018.
This was not a gentle suggestion. Non-compliance meant potential loss of operating licenses in India.
Why India Did This
The RBI circular didn’t exist in a vacuum. Several forces converged:
National Security
India’s financial data, in aggregate, is a matter of national security. Transaction patterns can reveal:
- Military procurement and logistics
- Government spending patterns
- Strategic infrastructure investments
- Economic vulnerabilities during geopolitical tensions
If this data sits on foreign servers, foreign intelligence agencies could potentially access it through legal means (court orders in their jurisdiction), through intelligence operations, or through pressure on the companies storing it.
Regulatory Sovereignty
Indian regulators (the RBI, SEBI, the Enforcement Directorate, income tax authorities) need timely access to financial data for:
- Fraud investigation
- Tax compliance enforcement
- Anti-money laundering
- Financial stability monitoring
When data is stored abroad, regulatory access depends on international cooperation. This is slow, uncertain, and subject to the diplomatic relationship between countries. Localisation puts the data within arm’s reach of Indian regulators.
The Snowden Effect
The 2013 Edward Snowden revelations showed that the US National Security Agency had extensive access to data flowing through American companies and American infrastructure. The PRISM program collected data from Google, Facebook, Apple, Microsoft, and others.
For countries like India, this was a wake-up call. If your citizens’ data sits on American servers, it’s potentially accessible to American intelligence, regardless of what the hosting company promises about privacy.
Infrastructure Investment
A practical benefit: mandating local storage drives investment in Indian data center infrastructure. Companies that must store data in India need to either build or lease data center capacity, creating jobs, developing technical capabilities, and generating economic activity.
The Arguments Against
Data localisation has vocal critics, and their arguments are substantive:
Cost and Complexity
Building redundant infrastructure in India is expensive. For smaller fintech companies and startups, the cost of maintaining India-specific data infrastructure can be prohibitive. International companies must maintain separate data systems for India, increasing complexity and cost, and those costs may be passed on to Indian consumers.
The Balkanisation Problem
If every country mandates local storage, the global internet fragments. India localises. The EU has GDPR with data transfer restrictions. China has strict localisation requirements. Russia requires personal data of Russian citizens to be stored domestically. Brazil, Vietnam, Nigeria: the list grows.
For a company operating globally, this means maintaining separate data infrastructure in dozens of countries, each with different rules. Cross-border services become harder, slower, and more expensive.
Security Tradeoffs
Centralising data in one jurisdiction creates a single geographic target. A well-designed distributed system stores copies across multiple geographies; if one data center is compromised (by a natural disaster, a cyberattack, or a state-level adversary), the data survives elsewhere. Forcing all data into India might actually reduce resilience compared to a distributed approach.
The Authoritarian Tool Concern
Civil liberties organisations argue that data localisation can be a tool for authoritarian control. If all citizen data must stay within the country, it’s easier for the government to conduct mass surveillance, suppress dissent, and monitor political opponents. The same “regulatory access” that helps catch tax evaders also enables monitoring of journalists, activists, and political opponents.
What Actually Changed
After the 2018 mandate, here’s what happened:
Visa and Mastercard eventually complied, establishing local data storage and processing capabilities in India. The process took longer than the original deadline, with some companies receiving extensions.
Google Pay, PhonePe, and Paytm were already largely compliant, as UPI transactions flow through NPCI’s infrastructure, which is India-based.
WhatsApp faced prolonged battles over its payment service launch, with data localisation being one of several regulatory hurdles.
Foreign fintech companies had to make costly infrastructure decisions: build in India, partner with Indian hosting providers, or scale back Indian operations.
The Bigger Picture: The Srikrishna Committee
The RBI’s payment data circular was part of a broader policy movement. The Justice B.N. Srikrishna Committee, tasked with drafting India’s data protection framework, addressed data localisation in its 2018 report.
The committee proposed a tiered approach:
- Critical personal data (financial data, health data, biometric data): must be stored exclusively in India
- Sensitive personal data: can be processed abroad but a copy must be in India
- General personal data: can be transferred abroad with conditions
This nuanced approach acknowledges that different types of data carry different sovereignty and security implications. Payment data is treated more strictly than, say, your e-commerce browsing history.
The subsequent Digital Personal Data Protection Act (DPDP Act), passed in 2023, took a somewhat different approach, allowing data transfers to approved countries while giving the government power to restrict transfers to specific jurisdictions. The full regulations are still being finalised.
The Packet Perspective
Let’s return to the packet layer for a moment.
When you make a UPI payment, the packets carrying your transaction data travel through Indian networks: from your phone to PhonePe’s servers in India, to NPCI’s infrastructure in India, to your bank’s systems in India. The data never needs to leave the country.
But consider a Visa card transaction before localisation: the packets might travel from the POS machine in Mumbai to a Visa server in Singapore for processing, then to your bank’s international processing center, potentially touching servers in multiple countries before the authorisation comes back. Each hop across a national border is a hop across a legal jurisdiction.
Data localisation doesn’t change how packets work; they still follow the most efficient route through the physical network. What it changes is where the packets come to rest, that is, where the transaction record is permanently stored. The packets are transient; the stored data is what the law cares about.
Try It Yourself
The Data Jurisdiction Explorer in the lab lets you see how data flows change under different localisation regimes. Toggle localisation on and off to see where payment data ends up, and which jurisdictions have access.
What This Means for You
As an Indian internet user, data localisation affects you in several ways:
Your payment data is in India. When you make a UPI payment, the transaction record is stored on servers within Indian borders, subject to Indian law. Indian regulators can access it directly without going through international legal processes.
Your data is more accessible to Indian authorities. This is simultaneously a feature and a risk. It means faster fraud investigation and better financial regulation. It also means easier surveillance and data requests by Indian government agencies.
Some services may be slower or more expensive. Companies that previously routed through optimally located global servers may now need to route through Indian infrastructure, which may not always be the fastest path. The cost of maintaining India-specific infrastructure is ultimately borne by consumers.
The conversation is ongoing. Data localisation isn’t settled policy; it’s an evolving framework. The DPDP Act’s regulations, sector-specific requirements from RBI, SEBI, IRDAI, and other regulators, and India’s position in international trade negotiations all continue to shape where your data lives and who can access it.
The Deeper Question
Data localisation is really a question about who controls the infrastructure layer.
Packets don’t respect borders; they route through whatever path is most efficient. But the data they carry, once stored, becomes subject to the jurisdiction where it rests. This creates a fundamental tension: the internet was designed to be borderless, but sovereignty is inherently bordered.
India is not alone in navigating this tension. The EU’s GDPR restricts data transfers to countries without “adequate” privacy protections. China requires broad categories of data to stay within its borders. The US has no comprehensive federal data localisation law but uses sanctions and entity lists to restrict data flows to adversary nations.
Each country is answering the same question differently: in a world where data flows like water, who gets to build the dams?
The answer reshapes the internet, from a single global network to something more like a network of national networks, each with its own rules about what data can enter and leave. Whether this makes the internet safer or fragments it into something less useful is one of the defining debates of our time.
Related: How UPI Actually Works traces the payment journey this data comes from. What Is a Packet? covers the foundation of how data moves across networks.