In August 2017, a nine-judge bench of the Supreme Court settled something India had long left ambiguous: the right to privacy is a fundamental right, woven into Article 21 of the Constitution. Justice K.S. Puttaswamy vs. Union of India was not merely a judgment about Aadhaar. It was the constitutional moment that made data governance a matter of rights, not just regulation. Everything that has followed — the Digital Personal Data Protection Act of 2023, the DPDP Rules notified in November 2025, the February 2026 amendments to India’s IT Intermediary Rules — flows from that single constitutional anchor. The citizen owns their data. The state must protect it. Companies may only use it on defined, consented terms.
That framework, in theory, makes Indian citizen data a protected national asset. In practice, we are nowhere near treating it as one.
THE STRUCTURAL PROBLEM
India’s digital economy is one of the most consequential data-generation engines on the planet. Hundreds of millions of Indians transact, communicate, seek healthcare, farm, borrow, and vote — generating data whose breadth and diversity are genuinely unmatched. Health records across a country with a disease burden distinct from the West. Agricultural data across climatic and soil profiles no other nation can replicate. Financial behaviour patterns from a population that moved from cash to digital payments in a single generation. This data is not generic. It is irreplaceable raw material for the artificial intelligence systems that will govern the next century.
And yet, most of it lives somewhere else. Social media data flows to servers in the United States. Cloud-hosted enterprise and consumer data sits in infrastructure governed primarily by American law. When foreign AI companies build large language models that understand Hindi idiom, predict Indian consumer behaviour, or diagnose conditions more prevalent in South Asia — they are, in a meaningful sense, mining Indian intellectual wealth without commensurate return.
“The country that controls the training data for AI systems governing healthcare, finance, and public administration holds a structural advantage that cannot easily be reversed.”
— The core strategic case for data sovereignty
WHAT THE LAW NOW SAYS
India’s legal architecture has moved considerably, even if enforcement has not. The DPDP Act 2023 — operationalised through the Rules notified in November 2025 — establishes, for the first time, a consent-centric regime where any entity collecting personal data must specify its purpose and obtain informed, free, and specific consent for each use. If consent is withdrawn or the purpose lapses, the data must be erased. For any AI company training a model on Indian user data without this consent architecture in place, every data point is potentially unlawfully held.
INDIA’S DATA GOVERNANCE STACK — AS OF APRIL 2026
01 Puttaswamy v. Union of India (2017) — Supreme Court recognises privacy as a fundamental right under Article 21. The constitutional basis for all data protection law that follows.
02 IT Act 2000 & SPDI Rules 2011 — The legacy framework, still in force. AI systems, LLMs, and data processing infrastructure fall within its scope as ‘computer resources.’ Applies alongside newer law.
03 DPDP Act 2023 & DPDP Rules 2025 — India’s comprehensive data protection law. Consent-centric, rights-based. Applies to foreign companies offering services to Indians. Data Protection Board constituted November 2025. Hard compliance deadline: May 2027.
04 IT (Intermediary) Amendment Rules, February 2026 — MeitY’s most recent intervention. Brings AI-generated content — text, images, audio, video — under mandatory due diligence. Signals the state’s intent to govern AI outputs, not just data inputs.
05 RBI Payment Data Localisation Circular (2018) — All payment transaction data must be stored in India. The only sector with hard, enforced localisation to date.
The DPDP Act’s extraterritorial reach is deliberately constructed to mirror GDPR logic: any entity outside India that processes data in connection with offering goods or services to individuals in India is subject to Indian law. This includes the major American social platforms and cloud infrastructure providers. Whether India has the enforcement capacity and diplomatic leverage to make that extraterritoriality meaningful is a different — and far more uncomfortable — question.
What the law does not yet have is a standalone AI Act. As of today, India regulates AI through a mosaic — the IT Act, the DPDP Act, the February 2026 intermediary amendments, and sectoral guidelines from bodies like the RBI and SEBI. A dedicated AI governance framework, as recommended by the government’s own expert committee, remains pending. That gap matters acutely when it comes to algorithmic accountability and AI training data consent, neither of which is fully resolved by the existing stack.
THE ACCOUNTABILITY VACUUM
Here is the practical problem that no law has yet solved cleanly. When an Indian user’s behavioural data moves through an Indian app, is processed on a foreign cloud platform under an Indian company’s account, and is then used by a foreign AI firm as training data — who is accountable? The DPDP Act holds the ‘Data Fiduciary’ — the Indian entity collecting data — primarily responsible. But the entity that actually extracts intelligence value is a processor’s processor, operating under contract terms that Indian regulators rarely see and cannot easily reach. The accountability chain dissolves before it arrives at the party doing the most consequential thing with the data.
The Data Protection Board of India, constituted in November 2025, is the intended enforcement body. But it has no precedent to draw on, no established jurisprudence, and faces the daunting task of regulating global technology companies from a standing start. The Significant Data Fiduciary list — which would subject the highest-risk data processors to mandatory audits and algorithmic fairness assessments — remains unpublished, more than two years after the Act’s passage. Every month that list stays unpublished, companies that should face the highest scrutiny do not.
“The accountability chain dissolves before it arrives at the party doing the most consequential thing with the data.”
— On the structural gap in India’s data law
THE PATH FORWARD
None of this argues for building a digital wall around India. The Economic Survey tabled in Parliament earlier this year put it well: sovereignty need not mean physical containment. It means enforceable rights and institutional capacity — the ability to require that AI systems trained on Indian data maintain verifiable records within Indian jurisdiction, that Indian citizens can exercise erasure and correction rights regardless of where their data is processed, and that India participates in the economic value chain of AI rather than merely supplying its inputs.
The constitutional foundation is solid. The legislative framework is broadly in place, if imperfect. What is missing is enforcement will — publishing the Significant Data Fiduciary list, equipping the Data Protection Board with genuine technical expertise, pushing through the pending AI governance framework, and using India’s enormous market leverage to demand compliance from foreign technology companies that cannot afford to exit a population of this scale.
Data sovereignty is not a sentiment. In the age of AI, it is the difference between a nation that shapes its own future and one whose future is shaped by algorithms trained elsewhere, on its own people’s lives, for other people’s profit.
About the Author
(Dr. Sumit Suri is a research scholar specialising in AI policy and digital governance. He is an Advocate and a member of the Bar Council of Delhi, holding an LLB and LLM. His research focuses on the intersection of emerging technology law, data sovereignty, and regulatory frameworks in the Indian and global context.)