Mandating backdoors and data-local storage will raise costs, scare investors and push talent out of India, jeopardising the sector’s rise as a global powerhouse.

India’s Encryption Conundrum

Google’s India chief, Sanjay Gupta, was handed a copy of the Draft Encryption Bill in February, with a request to sign a compliance pledge within weeks. The draft forces service providers to install “lawful access” mechanisms that can decrypt user data on demand and to store all encrypted traffic on indian servers.

Tech firms warn that such mandates erode the very security that encryption provides. Infosys’ chief security officer, Neha Sharma, said mandatory decryption “creates a single point of failure” that could be exploited by hackers or hostile states.

Global Regulatory Context

India is not drafting these rules in a vacuum. Beijing has long required cryptographic backdoors for domestic firms, while the United States is tightening export controls on encryption software. The GDPR has set a high bar for data protection in Europe, forcing firms worldwide to adopt privacy-by-design architectures.

The global trend is a patchwork of rules that reward jurisdictions with clear, predictable standards.

Companies that already comply with GDPR find India’s new demands contradictory, forcing them to run two parallel compliance regimes. The global trend is a patchwork of rules that reward jurisdictions with clear, predictable standards.

High Stakes for India’s Tech Sector

The Indian tech ecosystem contributed $194 billion to GDP in FY 2023, with exports of IT services hitting a record $227 billion. A slowdown would ripple through the broader economy.

Foreign venture capital has already shown caution. Sequoia Capital India halted a $50 million Series B for a fintech startup after learning the firm would need to store all encrypted transaction logs locally. If investors perceive regulatory risk, capital inflows could dry up, stalling the next wave of home-grown unicorns.

Response from Industry and Civil Society

Industry bodies have mobilised quickly. NASSCOM issued a joint statement urging the government to replace “mandatory decryption” with a “targeted, court-approved” access model. Meta’s India head, Anjali Raghav, warned that the bill could force the company to relocate its encrypted messaging services out of the country.

Civil-society groups are echoing these concerns. The Internet Freedom Foundation filed a petition in the Delhi High Court, arguing that the draft violates the Constitution’s right to privacy, as affirmed by the Supreme Court in 2017.

You may also like

AI & Technology

Investors Prioritize Narrow AI Safeguards Amid Systemic Risks

Investors chase quick AI safety wins, but neglect systemic coordination research, risking far greater losses than any projected economic gains.

Read More →

Sequoia Capital India halted a $50 million Series B for a fintech startup after learning the firm would need to store all encrypted transaction logs locally.

Outlook and Future Directions

The government has opened a 60-day public comment period, and several ministries have signalled willingness to amend the most contentious clauses. If policymakers adopt a balanced model—limited backdoors, clear judicial oversight, and exemptions for non-sensitive data—the bill could become a template for emerging economies.

Conversely, a hardline version could push multinational firms to relocate R&D hubs to Singapore or the United Arab Emirates, where regulatory certainty is higher. That would erode India’s ambition to become the world’s “software superpower.”