"A nation's right and capacity to govern its own digital infrastructure, data flows, and technology ecosystem independently, free from foreign corporate or state control."

Digital sovereignty refers to the assertion of national authority over the digital domain — encompassing the ability to control data generated by a country's citizens and enterprises, regulate foreign technology platforms, ensure the security and resilience of critical digital infrastructure, and develop indigenous technology capabilities that reduce dependence on foreign vendors. It is the cyber-age equivalent of the traditional Westphalian principle of territorial sovereignty.

The concept operates across multiple dimensions. Data sovereignty concerns which entities may collect, store, process, and transfer data about a country's citizens — reflected in data localisation requirements that mandate certain categories of data to be stored on servers within the country. Infrastructure sovereignty concerns ownership and control of physical and logical components of the internet — cables, cloud servers, satellite networks, and operating systems. Technological sovereignty concerns a country's ability to develop and deploy critical technologies (semiconductors, AI, operating systems) domestically rather than importing them from potentially adversarial or unreliable foreign vendors.

India's approach to digital sovereignty is articulated through several policy instruments. The Digital Personal Data Protection Act, 2023 (DPDP Act) empowers the government to restrict transfer of personal data to notified countries and establish data fiduciaries' obligations. India Stack — comprising Aadhaar, UPI, DigiLocker, and ONDC — represents a deliberate strategy of building state-owned or open-protocol digital public infrastructure to avoid dependency on US Big Tech. The National Cyber Security Policy and the proposed National Data Governance Framework further operationalise digital sovereignty.
At the international level, India's position in the Global Digital Compact (2024, UN) and its advocacy for 'multi-stakeholder plus government' internet governance reflect a sovereign-state-centric view of digital governance.

Emerging as a high-priority topic in GS Paper 2 (Governance — data governance, digital policy) and GS Paper 3 (Science and Technology — digital economy, cybersecurity). UPSC Mains 2023 had a direct question on data localisation and its implications. Also relevant to international relations in the context of India-China tech decoupling (TikTok ban, Huawei restrictions), US-China chip war, and the EU's GDPR-inspired Digital Services Act. Essay paper may offer digital sovereignty as a theme — 'In the age of Big Tech, is national digital sovereignty a realistic goal?'

  1. Digital Personal Data Protection (DPDP) Act, 2023: India's first comprehensive data protection law — replaces the outdated IT Act Section 43A framework.
  2. Data localisation: DPDP Act empowers government to restrict transfer of personal data to specific countries; RBI mandates payment data localisation since 2018.
  3. India Stack: Aadhaar (1.4B enrollments), UPI (14B+ monthly transactions), DigiLocker (300M+ registered) — state-built infrastructure to reduce Big Tech dependency.
  4. TikTok ban (June 2020): India banned 59 Chinese apps under Section 69A of IT Act — the world's largest app ban — citing national security and data sovereignty.
  5. Semiconductor Mission (India Semiconductor Mission, 2021): USD 10 billion incentive package to build domestic chip fabrication capacity.
  6. ONDC (Open Network for Digital Commerce): government-built alternative to Amazon/Flipkart marketplace dominance — operationalised 2023.
  7. EU GDPR (2018): global benchmark for data sovereignty legislation; DPDP Act's consent framework is inspired by GDPR but with notable government exemptions.
India's requirement for international payment networks (Mastercard, Visa, American Express) to store Indian payment data exclusively on servers within India — mandated by the RBI circular of April 2018 — is a direct exercise of data sovereignty. Mastercard violated this directive and was barred from issuing new cards in India from July 2021 to June 2022, demonstrating India's willingness to enforce sovereignty even against systemically important global financial networks.