What is AMLEGALS AI Law Practice?

AMLEGALS is India's leading AI and technology law firm specializing in EU AI Act compliance, India DPDPA, AI governance, data privacy, and technology contracts. We have expert AI lawyers across 6 offices in India serving clients globally.

How can AMLEGALS help with EU AI Act compliance?

Our AI lawyers provide comprehensive EU AI Act compliance services including risk classification, conformity assessments, documentation requirements, and ongoing compliance monitoring for businesses deploying AI systems in or serving the European Union.

Does AMLEGALS handle India DPDPA compliance?

Yes, AMLEGALS is a leading law firm for India's Digital Personal Data Protection Act (DPDPA) compliance. We help businesses implement data protection frameworks, draft privacy policies, conduct DPIAs, and ensure regulatory compliance.

Where are AMLEGALS offices located?

AMLEGALS has 6 offices across India: Ahmedabad (Head Office), Mumbai, Bengaluru, New Delhi, Kolkata, and Chennai. We serve clients pan-India and globally for AI and technology law matters.

INFRASTRUCTURE LAW • JANUARY 2026

DATA CENTRES
IN INDIA.

The legal architecture governing data centre operations in India sits at the intersection of infrastructure policy, data protection law, and cross border trade considerations. This analysis examines the regulatory framework that practitioners must navigate.

EXECUTIVE SUMMARY

India has emerged as one of the most attractive destinations for data centre investment globally. The combination of a massive domestic digital economy, competitive power costs in certain regions, and the government's express policy support through the Data Centre Policy 2020 has attracted hyperscalers and colocation providers alike. Yet the legal framework remains fragmented across multiple statutes, and practitioners advising on data centre projects must grapple with overlapping regulatory requirements.

The Digital Personal Data Protection Act 2023 introduces material considerations for data centre operators, particularly where personal data of Indian residents is processed. While the DPDPA does not mandate blanket data localisation in the manner that earlier drafts contemplated, it does impose conditions on cross border transfers that operators cannot ignore. For data centres serving international clients, the interplay between Indian law and the regulatory requirements of client home jurisdictions creates layered compliance obligations.

The central question for cross border service delivery is not whether data can leave India but rather under what conditions and with what safeguards. The answer depends on the nature of the data, the identity of the data fiduciary, and increasingly, the geopolitical relationship between India and the destination jurisdiction.

Regulatory Architecture

SECTION I

The Policy Framework:
Infrastructure Status and Incentives

1.1 Infrastructure Status Recognition

The Ministry of Electronics and Information Technology accorded infrastructure status to data centres in 2020, a development that fundamentally altered the economics of the sector. This recognition brings data centres within the ambit of the Reserve Bank of India's External Commercial Borrowing guidelines, enabling operators to access cheaper offshore debt financing. It also qualifies data centre projects for infrastructure lending norms under which banks can provide longer tenure loans with more favourable terms.

Several state governments have built upon this foundation with their own incentive frameworks. Maharashtra, Tamil Nadu, Telangana, and Uttar Pradesh have each promulgated dedicated data centre policies offering varying combinations of land subsidies, power tariff concessions, stamp duty exemptions, and capital subsidies. From a legal structuring perspective, the choice of location therefore involves careful analysis of not only physical infrastructure considerations such as power availability, connectivity, and seismic risk, but also the comparative regulatory and fiscal treatment across states.

Maharashtra Policy Highlights

•100% stamp duty exemption for land registration
•Industrial power tariff at Rs 3.5 per unit
•Single window clearance mechanism
•IT and ITeS classification for zone compliance

Tamil Nadu Policy Highlights

•Capital subsidy up to 25% of fixed assets
•Dedicated power corridor allocations
•Land at concessional rates in SIPCOT parks
•Priority grid connectivity for hyperscale facilities

1.2 Licensing and Operational Approvals

Data centre operations in India do not require a specific operating licence in the manner that telecommunications services do. However, operators must secure a range of approvals depending on the nature of their services. Where a data centre provides internet services to tenants or connects to public telecommunications infrastructure, it may require registration as an Other Service Provider under the Unified Licence framework. Operators providing international connectivity directly may additionally need to comply with Department of Telecommunications gateway regulations.

Environmental clearances present another layer of compliance. Large scale data centres with significant power consumption typically require consent to establish and consent to operate from the relevant State Pollution Control Board. The introduction of sustainability requirements in many state policies means that operators increasingly need to demonstrate renewable energy procurement plans and water recycling capabilities.

Data Protection Framework

SECTION II

DPDPA 2023:
Obligations for Data Centres

2.1 The Data Processor Position

Under the DPDPA, most data centre operators will be classified as data processors rather than data fiduciaries. This distinction is critical because the primary compliance obligations under the Act fall upon data fiduciaries. Data processors are required to process personal data only in accordance with the instructions of the data fiduciary and must implement appropriate security safeguards.

This does not mean, however, that data centres can simply rely on their customers to handle all compliance matters. The DPDPA contemplates that data fiduciaries remain responsible for the acts of their processors, which creates contractual implications. Clients will invariably seek robust data processing agreements that impose compliance obligations flowing down to the data centre operator. Standard industry templates such as those developed under GDPR provide a useful starting point, but Indian law specific provisions addressing the unique requirements of the DPDPA must be incorporated.

Key Contractual Considerations

1.Clear delineation of processing activities and purposes
2.Security standards aligned with Section 8 requirements
3.Breach notification timelines and procedures
4.Data subject rights facilitation mechanisms
5.Return and deletion obligations upon termination

2.2 Security Safeguard Requirements

Section 8 of the DPDPA requires that data fiduciaries and their processors implement reasonable security safeguards to prevent personal data breaches. While the Act does not prescribe specific technical standards, the expectation is that industry accepted frameworks such as ISO 27001, SOC 2 Type II, and the forthcoming Indian Data Security Standards will serve as benchmarks.

For data centres, this translates into requirements around physical security, network segmentation, access controls, encryption protocols, and logging capabilities. Clients processing sensitive categories of data may require additional safeguards such as dedicated hardware security modules, enhanced monitoring, and segregated infrastructure. The commercial arrangements governing these enhanced security services should clearly allocate responsibility for implementation and ongoing maintenance.

SECTION III

Cross Border
Service Delivery

3.1 Outbound Transfers from India

The DPDPA permits transfers of personal data outside India except to countries that the Central Government may notify as restricted destinations. This negative list approach represents a significant departure from earlier draft legislation that contemplated a positive adequacy framework similar to GDPR. As of this writing, no countries have been added to the restricted list, though the government has indicated that geopolitical considerations will inform future notifications.

For data centre operators serving multinational clients, this means that personal data processed in Indian facilities can generally be transferred to parent companies, affiliates, or service providers abroad. However, the transfer must occur under a valid legal basis. Where the original processing relies on consent, the consent must specifically authorise cross border transfer. Where processing is pursuant to a contract, the transfer should be necessary for performance of that contract.

3.2 Inbound Services to India

International data centre operators providing services to Indian clients face their own set of compliance considerations. The DPDPA has extraterritorial application to data fiduciaries processing personal data in connection with offering goods or services to data principals in India. A cloud service provider operating data centres in Singapore or Frankfurt that serves Indian enterprises must therefore comply with DPDPA requirements with respect to the personal data of Indian individuals processed through its facilities.

This creates practical challenges around data subject rights enforcement, breach notification to the Data Protection Board, and representation in India. Prudent operators will establish clear contractual frameworks that address these requirements and may consider whether local presence through subsidiaries or partners is advisable.

The interplay between Indian data protection requirements and those of client home jurisdictions such as GDPR in Europe or CCPA in California requires careful mapping. Data centre operators increasingly need to demonstrate compliance with multiple overlapping frameworks, and contractual documentation must reflect this multilayered reality.

3.3 Government Data and Critical Information Infrastructure

Distinct rules apply to data centres processing government data or designated as Critical Information Infrastructure under Section 70 of the IT Act. The National Critical Information Infrastructure Protection Centre has issued guidelines that impose heightened security requirements on such facilities, including mandatory security audits, incident response protocols, and restrictions on foreign personnel access.

Data localisation requirements for government data remain more stringent than for private sector data. The Government of India's cloud procurement framework, GI Cloud or MeghRaj, requires that government data be stored within India on infrastructure meeting specified security standards. Data centres seeking government sector business must therefore obtain appropriate empanelment and demonstrate compliance with these more exacting requirements.

Strategic Considerations

The legal landscape for data centres in India continues to evolve. The subordinate legislation and rules under the DPDPA, expected during 2026, will provide greater clarity on several open questions including the specific security standards expected of data processors and the mechanics of cross border transfer compliance.

For practitioners advising data centre projects, the current period demands careful attention to both existing requirements and anticipated developments. Transactional documentation should incorporate flexibility to accommodate regulatory changes, while operational compliance programmes should be designed with scalability in mind.

The strategic opportunity remains substantial. India's digital economy continues to expand rapidly, and the infrastructure to support that growth must be built. Those who navigate the regulatory complexity successfully will be well positioned to capture this opportunity.

AMLEGALS AI Policy Hub • Infrastructure Law Practice

Back to Insights Next: Generative AI Regulation

DATA CENTRES IN INDIA.