Data Centres Under Fire, Why India’s AI Ambitions Need a Robust Legal Framework
As the Government Offers a 21-Year Tax Holiday to Attract Foreign Data Centres, Questions of Geopolitical Risk, Environmental Sustainability, Domestic Innovation, and Data Sovereignty Demand Urgent Attention
India is aspiring to become a hub for AI infrastructure. The most visible policy initiative targeting this goal is the 21-year tax holiday for foreign companies to establish data centres in India—the computer systems facilities underpinning everything from cloud storage to AI. The tax holiday galvanised pledges worth $240 billion for Indian AI and data infrastructure at February’s AI Summit.
Yet there are fundamental questions about the geopolitical risks created by hosting foreign data on Indian soil. Iran’s attacks on AWS data centres in the UAE and Bahrain have established how critical they are for economies worldwide. Iran published a list of targets including data centres of major US tech companies, categorising them as “enemy technology infrastructure.” The war in West Asia has made clear that data centres are not neutral infrastructure; they are strategic assets that can become targets in conflict.
The Tax Holiday and Its Limitations
The tax holiday seeks to protect companies from being taxed both in India and their home countries. A company is taxable in India if it has a “significant economic presence” in India, which can arise under tax law when a company contracts to download data or software above a prescribed limit, even if it has no physical presence here. Usually, double taxation avoidance agreements (DTAA) mitigate these risks, but the Indian Supreme Court’s recent Tiger Global judgment has reopened DTAA transactions to scrutiny if tax authorities determine they lack commercial substance.
The tax holiday requires foreign companies to procure services from a “specified data centre”—one established under an approved scheme to be notified by the Ministry of Electronics and Information Technology (MeitY), and owned and operated by an Indian company. Under FDI regulations, Indian residents should own more than 50 per cent of the shares for a company to be “Indian-owned.” Further, the tax holiday requires sales in India to be routed through an Indian reseller.
This structure reflects the government’s well-founded concerns about data sovereignty. But it raises critical questions about how effective Indian ownership alone is in insulating data centres from geopolitical risks.
The Environmental Deficit
The Budget announcements provide useful tax certainty, but three deficits demand attention. The first is environmental. Speaking at an Indian Express event recently, Sam Altman dismissed water concerns, arguing that critics ignore the resources consumed in training humans to an equivalent capability. Others argue that India needs infrastructure build-out and that environmental concerns are a Western luxury.
This ignores the real threat of water bankruptcy for India, which has 18 per cent of the world’s population and only 4 per cent of its water. Data centres are water-intensive facilities. They require vast amounts of water for cooling, and they consume electricity that is often generated from water-intensive thermal power plants.
Down to Earth, Planet Tracker, and the World Resources Institute report that 50 existing Indian data centres are in zones facing high water stress. Adding more data centres in these zones without adequate environmental safeguards would exacerbate an already critical situation.
MeitY must impose environmental standards, including water use reduction, for foreign companies. These standards should be mandatory, not voluntary. They should be enforced, not merely suggested. And they should be applied equally to domestic and foreign operators.
The Innovation Deficit
The second deficit is domestic innovation. Data centres without technology transfer are warehouses, not engines of innovation. The tax holiday, as currently structured, does not require technology transfer. Foreign companies can set up data centres in India, import equipment from their home countries, and operate without any obligation to build Indian manufacturing or technological capacity.
Under the prevailing India-US trade framework, India has committed to buying up to $500 billion of US goods and services, including technology, and to eliminate import restrictions on US ICT equipment. Consequently, Indian companies operating data centres are more likely to import equipment from the US than develop domestic capacity.
The MeitY scheme must require knowledge transfer and direct incentives for Indian operators, without which India will be in the infrastructure tier of the AI value chain, not the capability tier. A data centre is a facility; AI capability is about the ability to design, build, and operate the technologies that run in that facility.
There is no technology transfer condition for foreign companies availing these tax exemptions, and thus no systematic mechanism to augment Indian AI manufacturing and technological capacity. This is a missed opportunity. India should use its market size and strategic importance as leverage to build domestic capability, not just attract foreign investment.
The Data Sovereignty Deficit
The third deficit is data sovereignty. Indian ownership of data centres alone does not insulate them from geopolitical risks. Even if they comply with FDI regulations, a minority foreign stake still leaves specified data centres vulnerable to international sanctions.
Under European regulations, sanctions are enforceable against European companies and their associated entities or subsidiaries. In the ongoing Nayara Energy v. SAP India case before the Delhi High Court, SAP withdrew services to Nayara following EU sanctions. Although both Nayara and SAP are Indian companies, Nayara was on an EU sanctions list because Rosneft, the Russian state oil company, holds a 49 per cent stake; SAP India enforced the sanctions because its parent company is German. The court did not give Nayara interim protection.
This case illustrates a critical vulnerability. An Indian company with a foreign minority stake can be subject to sanctions applied by its foreign partner’s home country. The same logic could apply to data centres. If a foreign company holds a minority stake in an Indian data centre, that data centre could be subject to sanctions that the foreign company’s home country imposes.
The legal framework for data centres and services must be ring-fenced against the capriciousness of international sanctions and given appropriate data privacy protections. This requires careful legal design, balancing India’s need for foreign investment with its need for strategic autonomy.
The Data Protection Question
It is also unclear whether specified data centres must comply with the Digital Personal Data Protection Act, 2023 (DPDPA). In general, the DPDPA applies to the data of Indians and to data processed within India. However, Section 17 exempts data of persons outside India if this data is processed under a contract between Indian and foreign contracting parties.
Section 17 would exempt a foreigner’s data, processed by a specified data centre, for a foreign data service provider. This includes, for example, the obligation under Section 8(6) to inform an affected individual and the Data Protection Board of India in the event of a data breach. However, Section 8(1) also requires companies to comply with the DPDPA, “irrespective of any agreement.”
The law must clarify whether foreign data stored in specified data centres in India will be exempted under the DPDPA. If foreign data is exempt, then the data centre is effectively a foreign enclave on Indian soil, subject to foreign laws and not Indian data protection standards. If foreign data is not exempt, then foreign companies may be deterred by the additional compliance burden.
The Geopolitical Context
Earlier this year, the French government replaced Microsoft Teams and Zoom with indigenous alternatives to avoid risks associated with the US CLOUD Act, which allows US law enforcement to compel companies to produce data stored overseas. In 2025, the prosecutor of the International Criminal Court lost access to his email following US sanctions. Both incidents illustrate how digital infrastructure is being weaponised in a troubled geopolitical environment.
India cannot afford to be naive about these risks. Data centres are not just commercial infrastructure; they are strategic assets. The data stored in them, the services they provide, the companies that operate them—all are subject to geopolitical pressures that can change rapidly.
The Path Forward
The government must address these three deficits—environmental, innovation, and sovereignty—if India’s data centre policy is to succeed in its stated goals. The tax holiday is a useful incentive, but it is not enough.
On the environmental front, MeitY must impose mandatory standards for water use, energy efficiency, and environmental impact. These standards should apply to all data centres, domestic and foreign, and should be enforced through regular audits and penalties for non-compliance.
On the innovation front, the MeitY scheme must require technology transfer and provide direct incentives for Indian operators. Tax holidays should be conditional on commitments to build domestic manufacturing capacity, to invest in research and development, and to train Indian workers in advanced technologies.
On the sovereignty front, the legal framework must insulate data centres from the capriciousness of international sanctions. This may require restrictions on foreign ownership, requirements for Indian control over operations, and clear rules about when and how foreign law can apply to data stored in India.
The vision of India as an AI hub is achievable. But it requires more than tax incentives. It requires a robust legal framework that protects India’s interests while attracting the investment it needs. The government has taken the first step. The next steps will determine whether India becomes a true hub for AI infrastructure or just a host for foreign-owned data warehouses.
Q&A: Unpacking India’s Data Centre Policy
Q1: What is the government’s tax holiday for data centres, and what has it achieved?
A: The government has offered a 21-year tax holiday for foreign companies to establish data centres in India, designed to protect them from double taxation under Indian tax law. The tax holiday galvanised pledges worth $240 billion for Indian AI and data infrastructure at February’s AI Summit. It requires foreign companies to procure services from Indian-owned and operated “specified data centres” and to route Indian sales through Indian resellers.
Q2: What are the three deficits the authors identify in the current approach?
A: The authors identify three deficits: environmental (data centres are water-intensive, and 50 existing Indian data centres are in water-stressed zones); domestic innovation (the tax holiday has no technology transfer condition, so India remains in the infrastructure tier rather than the capability tier of the AI value chain); and data sovereignty (Indian ownership alone does not insulate data centres from international sanctions, as the Nayara Energy case illustrates).
Q3: How does the Nayara Energy v. SAP India case illustrate data centre vulnerabilities?
A: In this case, SAP withdrew services to Nayara Energy following EU sanctions, even though both are Indian companies. Nayara was on the EU sanctions list because Russian state oil company Rosneft holds a 49 per cent stake; SAP India enforced sanctions because its parent company is German. The court did not grant interim protection. This shows that Indian companies with foreign minority stakes can be subject to sanctions applied by their foreign partner’s home country—a risk that applies equally to data centres.
Q4: What are the data protection law uncertainties for specified data centres?
A: Section 17 of the Digital Personal Data Protection Act, 2023, exempts data of persons outside India if processed under a contract between Indian and foreign parties. This could exempt foreign data stored in specified data centres from DPDPA obligations like breach notification. However, Section 8(1) requires compliance “irrespective of any agreement.” The law must clarify whether foreign data in Indian data centres will be exempted—a question with significant implications for both foreign companies and Indian data sovereignty.
Q5: What measures do the authors recommend to address these deficits?
A: The authors recommend: environmental standards, including mandatory water use reduction, enforced through audits and penalties; technology transfer requirements and direct incentives for Indian operators as conditions for tax benefits; and a legal framework that insulates data centres from international sanctions, potentially through restrictions on foreign ownership, requirements for Indian operational control, and clear rules on applicability of foreign law to data stored in India. Without these, India will remain in the infrastructure tier of the AI value chain, not the capability tier.
