Data Localisation in India
Why India mandates that payment data stays within its borders — and what that means for infrastructure, sovereignty, and you.
In 2018, the Reserve Bank of India issued a circular that shook the fintech industry: all payment system operators must store their data exclusively in India. Not a copy — the primary data. Within India’s borders, on Indian servers.
This is data localisation. And understanding why India chose this path requires understanding what happens to your data after a UPI transaction completes.
Where Data Lives
When you pay ₹20 for chai via UPI, the transaction data — your identity, the recipient, the amount, the timestamp, device information — is recorded by at least five entities. Where those entities store this data matters enormously.
Before the RBI mandate, international payment processors like Visa and Mastercard stored Indian transaction data on servers in the US, Singapore, and Europe. This meant that Indian financial data was subject to foreign jurisdiction. A US court order could, in theory, compel access to Indian payment records.
Data localisation changes this calculus. If the data lives on Indian soil, it falls under Indian law.
The Arguments
For localisation:
- Sovereignty: A nation’s financial data is a matter of national security. Foreign access to aggregate payment data reveals economic patterns, military procurement, strategic vulnerabilities.
- Regulatory access: Indian regulators (RBI, SEBI, law enforcement) can access data faster when it’s stored domestically, without navigating international legal frameworks like MLATs.
- Infrastructure development: Mandating local storage drives investment in Indian data centers and cloud infrastructure.
Against localisation:
- Cost: Building redundant infrastructure in India is expensive, especially for smaller fintech companies.
- Balkanisation: If every country mandates local storage, the global internet fragments. Cross-border services become harder to operate.
- Security: Centralizing data in one jurisdiction creates a single target. Distributed storage across multiple geographies can be more resilient.
The Deeper Question
Data localisation is really a question about who controls the infrastructure layer. Packets don’t respect borders — they route through whatever path is most efficient. But the data they carry, once stored, becomes subject to the jurisdiction where it rests.
This tension — between the borderless nature of networks and the bordered nature of sovereignty — is one of the defining challenges of the internet age.
This is Chapter 3 of DataFolks, currently a seedling. It will grow to cover the Srikrishna Committee recommendations, the Personal Data Protection Act, and comparisons with GDPR and China’s data localisation approach.