
Kaveri Shrivastava, Senior Partner, Kochhar & Co.

Swati Sharma, Associate, Kochhar & Co.
The Indian government’s Digital India and data localisation policies have significantly boosted the data centre industry, resulting in the establishment of more than 248 data centres across the country, with Hyderabad, Bengaluru and Mumbai hosting more than 30 data centres each. In January 2025, Telangana signed several high-value MoUs to advance the data centre market in the state, with Tillman Global Holdings for a Rs 150 billion 300 MW facility; CtrlS Datacenters Limited for a Rs 100 billion 400 MW cutting-edge artificial intelligence (AI) cluster; Adani ConneX for Rs 5 billion; and ST Telemedia Global Data Centres Limited for Rs 35 billion. Contributing to this growth is India’s increasing data consumption, which soared to 24.1 GB per user per month in 2023, amplifying the need for data storage and its protection in India.
In contrast, the launch of DeepSeek-R1 on January 20, 2025, powered by its open-source real intelligence (RI) developed for under $6 million and claiming high efficiency with low processing requirements, sent ripples through the heavy investment-driven data centre market and raised concerns around data processing and privacy.
In the context of data centres, it may be noted that the Supreme Court of India, in the Justice K.S. Puttaswamy v. The Union of India case, has recognised the right to privacy as a fundamental right under Article 21 and directed the government to establish a robust data protection regime, causing a surge in data regulations and policies, which, along with recent AI/RI advancements, has affected the regulation of data centres in India.
What are data centres?
Data centres are required for the safe storage of data and the daily operations of businesses and governments, including digital personal data. Their work involves data collection, recording, organisation, adaptation, modification, etc. They support the high demands of AI and cloud computing, which require massive computing power and infrastructure, while promoting technological advancement and job creation. They also operate as IT and IT-enabled services (ITeS) establishments.
While the term “data centre” is not specifically defined under Indian laws, the Data Centre Policy, 2020, defines it in terms of its functions as “a dedicated secure space within a building/centralised location, where computing and networking equipment is concentrated for the purpose of collecting, storing, processing, distributing or allowing access to large amounts of data”. The Andhra Pradesh Data Centre Policy, 2024 defines it as “a physical facility comprising computing network and storage that enables departments of governments to share applications and data”. Thus, under Indian laws, they primarily function as data intermediaries and data processors for enterprise businesses and governments, while also acting in a fiduciary capacity to create, collect, store and manage data.
Regulations applicable to data centres
Data centres are obligated to lawfully process data, ensure security and privacy, enter into various partnerships for infrastructure development, and adhere to applicable data localisation requirements including, inter alia, Reserve Bank of India Guidelines, 2018, the Insurance Regulatory and Development Authority of India Guidelines, 2015, SEBI Framework for Regulated Entities and the Public Records Act, 1993. This requires additional compliances under the IT Act, 2000, as well as various IT rules including the IT Guidelines for (Intermediaries and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021), the IT (Intermediaries Guidelines) Rules, 2011, sectoral regulations, the Digital Personal Data Protection [DPDP] Act, 2023, the DPDP Rules, 2025, and framework approvals under data centre and IT/ITeS policies.
The DPDP Act, 2023 regulates the processing of personal data collected digitally or digitised subsequently within and outside India. It requires a data fiduciary to give notice to the data principal (to whom the data relates) for data processing, engaging data processors under valid contracts, maintaining data accuracy, notifying breaches, implementing data retention policies, providing contact information for enquiries, etc. Interestingly, it mandates verifiable consent from the parent/guardian for the data processing of a child or a person with disability. The draft DPDP Rules, 2025 further seek to mandate transparency in data processing and informed consent by data fiduciaries.
The IT Act, 2000 deals with e-records, e-communication and e-governance, and provides for compensation and punishment for violation of privacy and disclosure of information in breach of lawful contract. The IT Rules, 2021, mandate due diligence for intermediaries, additional requirements for significant social media and news/current affairs content intermediaries, and punishment for non-observance, including under criminal laws. In addition, for handling intimations and complaints, it provides for the establishment of grievance redressal mechanisms, including a board comprising members appointed by the central government, an appellate tribunal for appeals, provisions for reference to mediation, and the option of voluntary undertakings for corrective action. Further, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 require organisations to have a publicly available privacy policy.
In line with the National Cyber Security Policy, 2013, and the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, which give immunity from unauthorised actions, data centres must ensure audit and safety standards certifications, as well as the timely reporting of all cyber incidents.
Further, under the Data Centre Policy, 2020, and relevant state data centre policies notified by eight states (including Telangana and Andhra Pradesh), businesses can claim benefits such as power and capital subsidies, costs reimbursement for registration, stamp duty, preference in land allotment, etc.
Landmark judicial pronouncements impacting data centres
With respect to the indiscriminate processing of personal data by intelligence and security agencies, it is pertinent to note that the government can demand data from the intermediary/fiduciary for any purpose listed under Schedule 7 of the Indian Constitution. The Data Privacy and Protection Bill, 2019 aimed to address this issue but was replaced without relevant restrictions by the DPDP Act, 2023. However, the European Court of Justice (ECJ) in 2020, in the Privacy International case, held that blanket surveillance violates fundamental rights, and though national security concerns justify sharing such data, it must comply with privacy laws.
Notably, an intermediary is exempted under the IT Act, 2000 from liability for a third-party information/data/communication link made available by it, providing “safe harbour protection” under Section 79, subject to its limited role, allowing the non est factum defense plea. On the other hand, the courts have consistently directed the lawful processing of data in numerous cases and have recognised the Right to be Forgotten, for instance, in the Aaradhya Bachchan v. Bollywood Time, 2023 case, where the Delhi High Court restrained multiple YouTube channels circulating false information about the plaintiff, in violation of the DPDP Rules, 2021, directing Google LLC, being the intermediary, to ensure compliance.
Further, where data transfer is allowed outside India, inadequate data protection under the laws of a foreign jurisdiction can be challenged, as held by the ECJ in the landmark case involving Facebook Ireland Limited. In this case, it was found that US surveillance laws did not provide adequate protection, effectively invalidating transatlantic data transfers.
Challenges to data centre operations
Setting up vast infrastructure for data centre operations faces significant challenges, including acquisition or lease of large building/spaces/land parcels, availability of scalable power infrastructure, consideration for environmental impacts, operational risks, continuous technology upgrades, and discretionary implementation of policies, which become an obstacle in ensuring transparency and enabling ease of doing business (EoDB). Further, increased data consumption and data processing under the new AI/RI models have necessitated adherence to multiple data regulations for data centres.
Recommendations and the way forward
To combat the risks, legal assistance becomes necessary for drafting contracts; conducting title due diligence in property acquisitions and leasing; ensuring adherence with land zoning regulations of the region; identifying encumbrances/restrictions on land; checking pending litigations, tax dues, etc., against the vendors and sellers to secure indemnity against future losses; and obtaining land conversion certificates, building clearances and framework approvals from concerned authorities to determine costs, claim incentives and subsidies. Most importantly, compliance with data laws in the adoption of AI/RI models for data processing and usage must ensure that legal rights and regulatory requirements are upheld by the data centres.
India’s data centre market and AI adoption are witnessing unprecedented growth, highlighting the need to regulate the indiscriminate processing of personal data, expedite dispute resolution processes for public-private partnerships, and implement a single-window clearance system for certifications and clearances like TS-iPASS in Telangana and Andhra Pradesh, which have successfully promoted EoDB in the region.