Data Sovereignty Vs. Data Protection: A Comparative Constitutional Analysis Of India’s Privacy Laws And GDPR

Ashutosh Panda, LLM, Lovely Professional University, Phagwara

Dr. Amit Kashyap, Associate Professor, Lovely Professional University, Phagwara

ABSTRACT

The current paradigms of data sovereignty and data protection discussed within this review of constitutional comparative analysis are domains influenced by the Digital Personal Data Protection Act 2023 (DPDPA) of India and the General Data Protection Regulation (GDPR) of the European Union. In India, Right to privacy has been declared as a fundamental right under Article 21 of the Constitution with the most notable Supreme Court decision being the justice K.S. Puttaswamy vs. Union of India. The driving force to a holistic law on privacy was the Union of India even though the DPDPA has moved this right by enforcing rules of processing of data that contain lawful processing, limitation of purpose, minimization of data, consent, transparency, and redress of grievances.

A key differentiating aspect of India's regime is the emphasis on data sovereignty. The DPDPA includes provisions for data localization, meaning that certain categories of data, such as payment or sensitive personal data, must be stored and processed within India's borders. However, selective trans-border data transfer to "trustworthy" jurisdictions is permitted. The emphasis of the DPDPA on data sovereignty aligns with national interests in economic control, law enforcement access, and national security. On the other hand, the principle of the GDPR is, in general, harmonized data protection regardless of where the data is located. The GDPR establishes free flow of data within the EU and freely to third countries as long as those countries have an adequate privacy legal regime.

Both legal regimes established robust user rights that included rights of accessing personal data, rights to correction of the personal data, and right of erasure albeit with different exceptions. GDPR limits government scoping over the rights related to national security to quite narrowly interpreted circumstances, whereas the DPDPA has broader exceptions based on public interest and sovereignty that would allow for governmental interference. Each legal including the DPDPA an GDPR include strict penalties, respectively due to violation of those personal data protection regimes

reflecting a shared commitment to privacy as a basic right.

Overall, this analysis show that while the India’s Digital Personal Data Protection Act (DPDPA) is developed from the models of data protection established by the GDPR, it contemplates unique constitutional consideration along the same pathway of data sovereignty. The consideration of state interests, individual privacy, and data flows on a global scale motion the DPDPA along unique different pathways from the GDPR.

Keywords: Data Sovereignty, Data Protection, Digital Personal Data Protection Act (DPDPA), General Data Protection Regulation (GDPR), Fundamental Right to Privacy, Constitution of India Article 21, Data Localization.