Image Source: Getty
This article is a part of the essay series “U.S.-India AI Fellowship Program”
In an interconnected world, digital infrastructure, platforms, and services play a pivotal role in the functioning of everything, from communication to commerce. Given the importance of digital technologies, the pursuit of technological sovereignty has become a strategic imperative for some countries. For advocates of this approach, the state’s ability to control and govern digital assets, systems, and data is crucial to achieving the country’s economic, developmental, and security goals, while also strengthening its geo-political influence. The focus is on establishing or advancing domestic capabilities and attaining self-sufficiency in essential technological sectors by either limiting reliance on foreign entities or fostering “national champions”.
Indian policymakers view technological sovereignty to usher in a new industrial revolution and enable the nation to leapfrog into a leadership role on the global stage.
Indian policymakers view technological sovereignty to usher in a new industrial revolution and enable the nation to leapfrog into a leadership role on the global stage. Initiatives like “Make in India” or “Digital India” offer compelling examples of India’s state-centric approach to self-reliance or Aatmanirbharta in strategic industries and critical technologies. Integral to India's vision of technological sovereignty is data sovereignty—efforts to extend and secure the state's power over the personal and non-personal data of citizens. Achieving data sovereignty requires India to control the collection and usage of its citizens’ data. Given this goal, India's data sovereignty strategy has two elements: control, which is exercised by placing restrictions on data; and accumulation, which is intended to enable the creation and sharing of data. This essay explores India's data sovereignty strategy that is focused on restricting access to data, and how this approach is shaping India’s nascent Artificial Intelligence (AI) policy.
The restriction strategy
Under the “restriction strategy”, the link between data and territory is emphasised to exert control over data. Data is considered most secure if it is in the territory it is being generated in. Concerns over data protection, privacy, foreign surveillance and national security are highlighted to justify pressuring both foreign companies and domestic businesses to store data locally. The government blocks platforms or services and uses data localisation measures to restrict access to data for foreign entities. By restricting access to data and compelling foreign entities to relocate their services to India, the government is not only attempting to retain control over sensitive data but also promoting national champions and local data ecosystems.
In 2022, the government introduced rules mandating Virtual Private Network (VPN) providers and cloud service operators to maintain comprehensive records of their customers, including their names, addresses, IP (Internet Protocol) addresses, and transaction histories for five years.
Since 2018, the Reserve Bank of India (RBI) has introduced a series of regulations aimed at mandating the localisation of payment data to ensure its security. In June 2020, Chinese-owned apps, including TikTok and WeChat were blocked because of the “compilation of these data, its mining and profiling by elements hostile to national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India [and] requires emergency measures”. In 2022, the government introduced rules mandating Virtual Private Network (VPN) providers and cloud service operators to maintain comprehensive records of their customers, including their names, addresses, IP (Internet Protocol) addresses, and transaction histories for five years. The stringent requirements have prompted major brands like NordVPN to withdraw their server infrastructure from India and led to VPN apps being pulled from India’s Apple App Store and Google Play Store.
Balancing data sovereignty with AI ambitions
India is eager to position itself as a trustworthy ally and regional tech powerhouse in AI. Yet, its quest to integrate into global AI supply chains is hindered by resource constraints, particularly in computing power and large-scale models. Consequently, India's approach to building sovereign AI is intrinsically linked to its data strategy.
The rise of generative AI like OpenAI’s ChatGPT has underscored the need for vast amounts of high-quality data for the development and training of advanced AI systems. The availability of high-quality data not only impacts technical performance and accuracy but is also critical for building an equitable AI landscape that benefits all segments of society. Recognising this, India has shifted to a more nuanced policy framework—one that balances data sovereignty with the imperative to foster innovation, collaboration, and access to global AI advancements. The focus is on building a data ecosystem that allows for AI applications to be scaled and deployed in a frugal and cost-effective manner. To that end, data sovereignty has become a central policy focus with both data restriction and data accumulation strategies.
Regulators in India are pushing for data localisation, i.e., measures that prohibit or impede international data transfers. Restrictions on data are driven by shifting national economic policy priorities, rising geopolitical tensions, and concerns over data privacy or compliance. Another factor is the security benefit of not allowing certain nations to have access to critical or sensitive data that will allow them to interfere in domestic AI systems or to develop their own AI applications.
SDFs are designated based on certain criteria: the volume and sensitivity of data; risks to data protection rights; impacts on sovereignty and integrity; risks to electoral democracy, security, and public order.
In 2023, the government passed the Digital Personal Data Protection Act (DPDPA). Despite being the first cross-sectoral framework for personal data protection in India, the DPDPA does not replace any existing law with one that provides for a higher degree of protection, nor does it restrict the transfer of personal data for processing to any country or territory outside India. While it does not include any provision for data localisation, it does grant the government the broad authority to restrict access to personal data. The DPDPA also establishes the category of Significant Data Fiduciaries (SDFs), who are required to comply with extra obligations in addition to the general obligations of data fiduciaries. SDFs are designated based on certain criteria: the volume and sensitivity of data; risks to data protection rights; impacts on sovereignty and integrity; risks to electoral democracy, security, and public order.
Last week the government released draft Digital Personal Data Protection (DPDP) Rules, 2025, for public comments. Aimed at operationalising the DPDP Act, the rules extend government control over how personal data is handled and where it flows outside India. Using the category of significant data fiduciaries (SDFs), the government is giving itself the power to localise or place conditions for the transfer of certain categories of data. Rule 12 (4) requires entities classified as SDFs to “undertake measures” to ensure that certain government-specified categories of personal data are “processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.” The government will determine which personal data falls under these restrictions based on recommendations from a designated committee. Rule 14 mandates all data fiduciaries that are processing data within India, or offering goods or services to individuals in India, to comply with conditions specified by the Indian government before sharing that data with any foreign state, its agencies, or its entities. This rule is designed to ensure that personal data remains protected according to Indian laws, giving the government greater oversight and control over sensitive data flows.
Impact of data restrictions on AI development
Local data storage and processing demands are shaping AI development in India. Generative AI (GenAI) companies are voluntarily undertaking data localisation and creating infrastructure for in-country data handling. For example, Google’s Gemini 1.5 flash large language model (LLM) allows Indian organisations to store data and process machine learning models locally.
India’s emphasis on data localisation is not only driven by data protection and national security concerns but is also about creating the infrastructure necessary to support India's AI ambitions.
India’s emphasis on data localisation is not only driven by data protection and national security concerns but is also about creating the infrastructure necessary to support India's AI ambitions. The Indian government is contemplating investing in a sovereign cloud infrastructure to support local data storage and computation, ensuring compliance with national laws. The government’s INR 100 billion AI mission, is prioritising building a network of data centres, which will provide high computing facilities on lease to industry players to train and develop their models. These AI data centres are expected to consist of high-performance Graphics Processing Units (GPUs), storage systems, network infrastructure, and other specialised hardware accelerators. The charges and duration of the lease will be fixed by the government.
Data localisation is also creating significant opportunities for the country’s data centre and cloud industry, which is witnessing significant growth. Global giants such as Amazon Web Services (AWS), as well as local data centre operators in India, are expanding their facilities to support data localisation and AI growth. Lenovo has committed to manufacturing AI servers at its plant in India. Microsoft is planning to invest about US$80 billion in the 2025 fiscal year in developing data centres to train AI models and deploy cloud-based AI applications. Since taking the reins, Reliance Jio Infocomm's new chairman, Akash Ambani, has made a strong pitch for Indian data to remain in India’s data centres. Reliance, which is building a gigawatt-scale AI-ready data centre in Jamnagar has been advocating for government incentives for companies establishing AI and machine learning data centres. The company is also partnering with companies like NVIDIA to build a “national AI infrastructure”. Creating demand for the use of this infrastructure, Reliance Jio has announced that it will provide 100 gigabytes of free storage for Jio's 490 million users.
While big firms can bear the immense costs of setting up domestic data infrastructures, local data storage and processing will likely impede the ability of small and medium-sized firms to access data to train models and deploy AI-driven services within the country.
India’s focus on building a self-sufficient AI ecosystem, its data localisation policies, and its growing investments in local data infrastructure, signals a shift toward a more insular technological landscape. Data restriction strategies are often pursued under the assumption that data stored within India’s borders is inherently more accessible. This logic overlooks the reality that simply placing data within a country’s territory does not guarantee easier or more efficient access. While big firms can bear the immense costs of setting up domestic data infrastructures, local data storage and processing will likely impede the ability of small and medium-sized firms to access data to train models and deploy AI-driven services within the country. Similarly, it’s equally misguided to assume that data stored abroad is forever out of reach for Indian law enforcement regulators or startups. Rather than relying solely on restrictive, domestic policies, the Indian government would be better served by securing global cooperation to ensure reliable access and secure handling of data.
Jyoti Panday is the Regional Director (Asia) of the Internet Governance Project at the Georgia Institute of Technology
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.