
Data Sovereignty As An Enterprise Risk: Localisation Strategy, Regulator-To-Regulator Co-Operation Under India’s Digital Personal Data Protection Act, 2023




Maitry Kumari, BSc LLB (Hons.), National Forensic Sciences University, Gandhinagar

Tanbi Bhadani, BBA LLB (Hons), Chanakya National Law University, Patna


ABSTRACT


Data sovereignty has emerged as an increasingly important enterprise risk in contemporary regulatory discourse, warranting strategic governance at the board and C-suite levels. India’s Data Protection Act, functionally operationalised through rules notified in November 2025, emerged as a calibrated, risk-proportionate framework for personal data governance, embodying the SARAL (Simple, Accessible, Rational, Actionable and Lawful) design principles. Unlike rigid data localisation regimes, the statute vests the State with discretionary authority to restrict cross-border personal data flows on a permissioned, case-by-case basis, thereby maintaining the balance between national data sovereignty imperatives and international data transfer obligations under the law of trade and investment.


This article interrogates the amalgamation of data sovereignty and enterprise risk management (ERM), placing the DPDP Act in the context of the global data protection regulatory ecosystem and a growing body of adequacy decision jurisprudence. Using doctrinal and comparative regulatory scholarship, the paper identifies the transactional and operational risks associated with data sovereignty regulations, particularly those related to the M&A process, third-party vendor management, digital transformation of the global supply chain, and multi-cloud and hybrid cloud procurement. In this respect, the study indicates that the cost of compliance due to data residency and localisation requirements amounts to 15-30% of operational technology costs in MNEs. A strategy for responding to these challenges is therefore important. Accordingly, the paper discusses the viability of layered data residency architectures and privacy-enhancing technologies (PETs) such as pseudonymization, end-to-end encryption, tokenisation, and differential privacy as tools of regulatory compliance while maintaining operational interoperability.


Keywords: Data Sovereignty, Digital Personal Data Protection Act 2023, cross-border data flow, enterprise risk, Data localisation, adequacy decision.



Indian Journal of Law and Legal Research

Abbreviation: IJLLR

ISSN: 2582-8878

Website: www.ijllr.com

Accessibility: Open Access

License: Creative Commons 4.0


Licensing:

All research articles published in The Indian Journal of Law and Legal Research are fully open access, i.e. immediately freely available to read, download and share. Articles are published under the terms of a Creative Commons license which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

Disclaimer:

The opinions expressed in this publication are those of the authors. They do not purport to reflect the opinions or views of the IJLLR or its members. The designations employed in this publication and the presentation of material therein do not imply the expression of any opinion whatsoever on the part of the IJLLR.
