PrepLiberty.
Updated · Today
Science & Technology June 22, 2026 6 min read Daily brief · #6 of 22

The challenge of India’s digital sovereignty

A detailed analysis has highlighted the structural challenge facing India's pursuit of digital sovereignty: while India generates vast quantities of data thr...

["GS3" "GS2"]

What Happened

  • A detailed analysis has highlighted the structural challenge facing India's pursuit of digital sovereignty: while India generates vast quantities of data through digital services, the compute infrastructure, cloud platforms, and AI systems capturing economic value from that data are predominantly owned and operated by foreign entities.
  • The challenge goes beyond data localization (storing data in India) to include control over foundational layers — semiconductor manufacturing, cloud computing infrastructure, AI model development, and platform-level operating systems.
  • India's current policy toolkit (data localization mandates, the DPDP Act, 2023) is argued to be necessary but insufficient — true digital sovereignty requires domestic capability at the compute and software infrastructure layers.
  • The analysis situates this challenge within India's broader strategic autonomy concerns — similar to defence sector indigenisation, digital self-reliance has become a security imperative.

Static Topic Bridges

Digital Personal Data Protection Act, 2023 (DPDP Act)

India's DPDP Act, enacted in August 2023 (No. 22 of 2023), is the country's first comprehensive data protection law. It replaced the limited data protection framework under the Information Technology Act, 2000 and sought to align India with global data protection standards.

  • Scope: The Act covers all digital personal data (data about an identifiable individual) processed in India, and also data processed outside India if it involves offering goods/services to Indian residents.
  • Data Fiduciaries (entities that determine the purpose and means of data processing) must obtain consent for processing, ensure data minimisation, maintain data accuracy, and implement security safeguards.
  • Data Localisation: The DPDP Act does not impose blanket data localisation — instead, it empowers the government to notify cross-border data transfer restrictions to specific countries or territories. Sectoral regulators (RBI, SEBI, IRDAI) have separate data localisation requirements.
  • Government Exemption: Section 17 of the Act allows the central government to exempt processing by government agencies for national security, public order, prevention of offences, or research/archiving — a broad exemption that critics argue creates surveillance loopholes.
  • Data Protection Board: The Act establishes a Data Protection Board of India to hear complaints and adjudicate breaches — but the Board's independence has been questioned as members are appointed by the government.

Connection to this news: The DPDP Act is the primary legal instrument for data governance, but its exemptions and absence of provisions on non-personal data, AI systems, and surveillance mean it addresses only one dimension of digital sovereignty.

Section 69 of the IT Act, 2000 and Surveillance Powers

The Information Technology Act, 2000 (amended 2008) is the foundational law governing digital infrastructure in India. Section 69 is the key surveillance provision.

  • Section 69: Empowers the central and state governments to direct interception, monitoring, or decryption of any information through any computer resource in the interest of sovereignty, integrity, security of the state, friendly relations with foreign states, public order, or prevention of offences.
  • Section 69A: Empowers blocking of public access to information (used extensively for blocking apps and websites, including TikTok ban in 2020).
  • Section 69B: Empowers monitoring and collection of traffic data.
  • The Supreme Court struck down Section 66A of the IT Act in Shreya Singhal v. Union of India (2015) as unconstitutional for being vague and overbroad — a significant judicial check on overreach.
  • Section 69 operates without a dedicated judicial oversight mechanism or mandatory prior authorisation by an independent body — a feature that distinguishes India's surveillance law from many democratic counterparts.

Connection to this news: If India's cloud and data infrastructure is foreign-owned, Section 69 interception orders must be routed through foreign companies potentially subject to other jurisdictions' laws — a direct tension between domestic surveillance authority and foreign infrastructure control.

Cloud Computing and Foreign Infrastructure Dependency

India's digital economy is heavily dependent on cloud services provided by foreign technology companies. This creates both economic and security vulnerabilities.

  • India's public cloud market was valued at approximately US$ 8 billion in 2024–25, dominated by Amazon Web Services (AWS), Microsoft Azure, and Google Cloud — all US-headquartered entities subject to US laws including the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018), which allows US law enforcement to compel cloud providers to produce data stored outside the US.
  • This creates a jurisdictional conflict: Indian data stored on US-headquartered cloud platforms is potentially accessible to US authorities, regardless of India's data protection laws.
  • India Stack — including Aadhaar, UPI, ONDC, and account aggregator frameworks — was designed for indigenous digital public infrastructure, but the higher compute layers (AI, cloud) remain import-dependent.
  • The IndiaAI Mission (2024, ₹10,371 crore) aims to build domestic AI capacity including shared compute infrastructure (India AI Compute Facility) and large language model development — directly addressing the sovereignty gap in AI.
  • Several countries (France's sovereign cloud, Germany's Gaia-X, China's domestic cloud ecosystem) have pursued sovereign cloud initiatives as strategic imperatives.

Connection to this news: The analysis argues that data localisation alone is insufficient if the servers on which Indian data is stored are designed, manufactured, and operated by foreign entities — a point India's policymakers are now beginning to act on through missions like IndiaAI.

Strategic Autonomy and Technology: Lessons from Defence Indigenisation

India's pursuit of digital sovereignty mirrors earlier debates around defence indigenisation — the argument that strategic capabilities cannot be permanently outsourced to foreign suppliers.

  • India's Defence Acquisition Procedure (DAP) has progressively increased "indigenisation quotas" and introduced Positive Indigenisation Lists (PIL) — categories of defence equipment that can only be sourced domestically. Three PILs have been announced since 2020, covering hundreds of items.
  • The Production Linked Incentive (PLI) Scheme for semiconductors (₹76,000 crore) and the establishment of the India Semiconductor Mission (ISM) are direct analogies in the digital domain — recognising that chip manufacturing is a strategic necessity, not merely an economic opportunity.
  • Digital sovereignty concerns are amplified by the global AI race: countries that control frontier AI models, data infrastructure, and compute chips hold asymmetric leverage over nations that do not.
  • India's position in geopolitical technology contestation (US-China tech decoupling, export controls on advanced chips) makes self-reliance in digital infrastructure both more urgent and more difficult.

Connection to this news: The article's core argument is that India must treat digital infrastructure with the same strategic seriousness as defence hardware — accepting near-term costs for long-term autonomy.

Key Facts & Data

  • DPDP Act, 2023 (No. 22 of 2023): Received Presidential assent on August 11, 2023; India's first comprehensive data protection law.
  • IT Act, 2000, Section 69: Empowers interception/monitoring of electronic communications on national security grounds; no mandatory prior judicial authorisation.
  • Shreya Singhal v. Union of India (2015): Section 66A struck down as unconstitutional — court limits overreach in digital speech restriction.
  • KS Puttaswamy v. Union of India (2017): Privacy is a fundamental right under Article 21; state surveillance must satisfy legality, legitimate aim, and proportionality.
  • IndiaAI Mission (2024): ₹10,371 crore approved to build domestic AI compute, datasets, and startup ecosystem.
  • India Semiconductor Mission: ₹76,000 crore PLI for semiconductor manufacturing — strategic response to chip dependency.
  • India's cloud market dominated by AWS, Azure, Google Cloud (all US-headquartered); US CLOUD Act (2018) creates jurisdictional exposure.
  • RBI has mandated payment data localisation since 2018; SEBI mandated financial data localisation from 2023 — patchwork sectoral approach.
  • Positive Indigenisation Lists (defence): Over 400 items on three lists since 2020 — the template for digital indigenisation policy.
On this page
  1. What Happened
  2. Static Topic Bridges
  3. Digital Personal Data Protection Act, 2023 (DPDP Act)
  4. Section 69 of the IT Act, 2000 and Surveillance Powers
  5. Cloud Computing and Foreign Infrastructure Dependency
  6. Strategic Autonomy and Technology: Lessons from Defence Indigenisation
  7. Key Facts & Data
Display