Data localisation remains one of the most pressing challenges for Indian organisations operating across multiple jurisdictions. At ETLegalWorld’s IP and Innovation conclave in a panel discussion moderated by Tanvi Muraleedharan, Partner at LawKnit, industry leaders gathered to discuss how companies balance privacy compliance with innovation in the era of the Digital Personal Data Protection (DPDP) Act.
A pivotal exchange emerged when the panel addressed whether data restrictions stifle innovation. Sandesh Jadhav, Cyber Leader and Global Data Privacy Officer at Wipro clarified that innovation doesn’t inherently require end-user data. “Sixty to seventy percent of the time, we develop without it. But robust AI/ML models require comprehensive datasets, considering how ride-sharing platforms evolved from routing data to home-location data to support salon and food delivery services. Maturity demands more information.”
The critical question isn’t whether to collect data, but how to do so responsibly. “Privacy by design doesn’t stifle innovation,” Debarshi Mukherjee, Managing Counsel and Global Head of Product and IP at Coursera countered. “Over-complicating it does.”
The discussion highlighted that while India’s data protection framework has strengthened organisational compliance positions, implementation complexities threaten to create a landscape where only the best-resourced players can navigate successfully.
Margaret D’Souza, VP Legal at Suzlon Energy Limited, opened the discussion with a practical challenge many multinational Indian firms face. Suzlon operates across 16 countries, yet maintains its data repository in Pune. “As the holding company, we’ve established subsidiaries in different jurisdictions, so centralised data management makes sense,” D’Souza explained. “However, this requires stringent arrangements to ensure each subsidiary complies with applicable guidelines while Suzlon itself adheres to multiple regulatory regimes.”
The complexity multiplies when organisations span numerous sites and local offices. D’Souza highlighted that managing data localisation while maintaining operational efficiency has become a “marathon effort,” not a sprint.
Jadhav brought the perspective of a technology integrator serving over 7,000 customers globally. “Before the DPDP Act, data localisation requirements existed across multiple sectors under Companies Act provisions and TRAI regulations,” he noted. “Now, with DPDP, we have a unified framework reinforcing that sensitive data shouldn’t cross borders without justification rooted in business needs, national integrity, or security concerns.”
Mukherjee noted a clear difference, “Personal data and intellectual property are fundamentally different. Personal data is inalienable, but IP can be assigned.” He cautioned against hasty decisions about cross-border transfers without understanding the specific sector, data types, and processing methods involved.
Mukherjee advocated for a technical-plus-legal strategy by suggesting to combine detailed data transfer analysis with privacy-enhancing technologies like differential privacy and encryption.” “You must get your hands dirty understanding the technology and the nitty-gritties of what you’re transferring,” he stressed.
Privacy: Innovation’s Partner, Not Adversary
“Innovation was always present. Privacy rights existed too. We now monitor because data is transmittable and accessible. Basic controls prevent unscrupulous misuse,” said D’souza.
When asked about specific operational hurdles, D’Souza highlighted that categorising data into critical and non-critical, technical versus patent-related, and establishing contractual arrangements governing each category’s transfer. Encryption and IT infrastructure verification proved most challenging.
Jadhav identified regulatory vagueness on “best practices” as a persistent problem. While the DPDP rules were recently notified, they lack the specificity found in China’s PIPL (integrated with cybersecurity laws) or GDPR’s detailed frameworks. “SMEs particularly suffer,” he noted.
He advocated for rule amendments specifying standards like NIST frameworks and ISO 27701, ensuring smaller entities understand baseline requirements.
Global Alignment Without Redundancy
Addressing how to align multiple global privacy regimes, Margaret D’Souza recommended hiring local legal expertise and conducting regular gap assessments. “Laws constantly evolve, so continuous auditing is essential.”
Debarshi suggested treating GDPR as a “golden standard” reference point. “For B2C operations, separate opt-in jurisdictions (like GDPR regions) from opt-out regions. This prevents unnecessary compliance duplication while maintaining required protections. If you nail the fundamentals, organisational measures, legal documentation, data retention policies, deletion processes and audit provisions, most compliance complexities resolve.”
The moderator notes that technical and legal frameworks alone prove insufficient. “The real challenge isn’t compliance; it’s attitude. Many stakeholders, lawyers, engineers, business leaders, don’t understand privacy fundamentals. We must first establish what we’re protecting and why.”
Jadhav echoed this, emphasising that law and technology must progress together. “Writing lengthy contracts means little against technological threats like GPS spoofing. We need semiconductor capabilities and genuine technological innovation alongside legal measures. Legal engineers, lawyers and technologists collaborating must become standard practice.”
The panel’s closing discussion revolved around three themes. First, get contractual and legal documentation right, but understand these documents reflect organisational reality. Second, implement robust technical controls like data retention, deletion processes, and responsible sharing mechanisms. Third, cultivate a culture where privacy, innovation, and accountability advance together rather than conflict.
