India is aspiring to become a hub for AI infrastructure. The most visible policy initiative targeting this goal is the 21-year tax holiday for foreign companies to establish data centres in India — the computer systems facilities undergirding everything, from cloud storage to AI. The tax holiday galvanised pledges worth $240 billion for Indian AI and data infrastructure at February’s AI Summit.
Yet there are fundamental questions about the geopolitical risks created by hosting foreign data on Indian soil. Iran’s attacks on AWS data centres in the UAE and Bahrain have established how critical they are for economies worldwide. Iran published a list of targets including data centres of major US tech companies, categorising them as “enemy technology infrastructure”. Further, environmental concerns about power consumption and water for cooling require regulatory oversight in a country where heat waves and water scarcity already affect liveability. In addition, Indian companies operating data centres do not benefit from this tax holiday, making the move asymmetrical.
The tax holiday seeks to protect companies from being taxed both in India and their home countries. A company is taxable in India if it has a “significant economic presence” in India, which can arise under tax law when a company contracts to download data or software above a prescribed limit, even if it has no physical presence here. Usually, double taxation avoidance agreements (DTAAs) mitigate these risks, but the Indian Supreme Court’s recent Tiger Global judgment has reopened DTAA transactions to scrutiny if tax authorities determine they lack commercial substance.
The tax holiday requires foreign companies to procure services from a “specified data centre” — one established under an approved scheme to be notified by MeitY, and owned and operated by an Indian company. Under FDI regulations, Indian residents should own more than 50 per cent of the shares for a company to be “Indian-owned”. Further, the tax holiday requires sales in India to be routed through an Indian reseller.
Interestingly, there is no technology transfer condition for foreign companies availing these tax exemptions, and thus no systematic mechanism to augment Indian AI manufacturing and technological capacity. Under the prevailing India-US trade framework, India has committed to buying up to $500 billion of US goods and services, including technology, and to eliminate import restrictions on US ICT equipment. Consequently, Indian companies operating data centres are more likely to import equipment from the US than develop domestic capacity.
Requiring data centres to be Indian-owned and operated, and routing Indian sales through Indian companies, reflects the government’s well-founded concerns about data sovereignty. Earlier this year, the French government replaced Microsoft Teams and Zoom with indigenous alternatives to avoid risks associated with the US CLOUD Act, which allows US law enforcement to compel companies to produce data stored overseas. In 2025, the prosecutor of the International Criminal Court lost access to his email following US sanctions. Both incidents illustrate how digital infrastructure is being weaponised in a troubled geopolitical environment.
However, Indian ownership of data centres alone does not obviate these risks. Even if they comply with FDI regulations, a minority foreign stake still leaves specified data centres vulnerable to international sanctions. Under European regulations, sanctions are enforceable against European companies and their associated entities or subsidiaries. In the ongoing Nayara Energy v. SAP India case before the Delhi High Court, SAP withdrew services to Nayara following EU sanctions. Although both Nayara and SAP are Indian companies, Nayara was on an EU sanctions list because Rosneft, the Russian state oil company, holds a 49 per cent stake; SAP India enforced the sanctions because its parent company is German. The court did not give Nayara interim protection.
It is also unclear whether specified data centres must comply with the Digital Personal Data Protection Act, 2023 (DPDPA). In general, the DPDPA applies to the data of Indians and to data processed within India. However, Section 17 exempts data of persons outside India if this data is processed under a contract between Indian and foreign contracting parties. Section 17 would exempt a foreigner’s data, processed by a specified data centre, for a foreign data service provider. This includes, for example, the obligation under Section 8(6) to inform an affected individual and the Data Protection Board of India in the event of a data breach. However, Section 8(1) also requires companies to comply with the DPDPA, “irrespective of any agreement”. The law must clarify whether foreign data stored in specified data centres in India will be exempted under the DPDPA.
The Budget announcements provide useful tax certainty but three deficits demand attention. The first is environmental. Speaking at an Indian Express event recently, Sam Altman dismissed water concerns, arguing that critics ignore the resources consumed in training humans to an equivalent capability. Others argue that India needs infrastructure build-out and that environmental concerns are a Western luxury. This ignores the real threat of water bankruptcy for India, which has 18 per cent of the world’s population and 4 per cent of its water. Down to Earth, Planet Tracker and the World Resource Institute report that 50 existing Indian data centres are in zones facing high water stress. MeitY must impose environmental standards, including water use reduction, for foreign companies.
The second is domestic innovation. Data centres without technology transfer are warehouses and not engines of innovation. The MeitY scheme must require knowledge transfer and direct incentives for Indian operators, without which India will be in the infrastructure tier of the AI value chain, not the capability tier.
The third is data sovereignty. Indian ownership alone does not insulate data centres from sanctions exposure. The legal framework for data centres and services must be ring-fenced against the capriciousness of international sanctions and given appropriate data privacy protections.
Roy is a partner at Cyril Amarchand Mangaldas and Katju is a senior advocate. Views are personal
