
Dutch Microsoft Issue: A Business Perspective for Indian Enterprises
A recent incident in the Netherlands has sent a quiet but unmistakable signal to boardrooms and policy corridors around the world — including in India. Microsoft reportedly shared documents containing the names of Dutch civil servants, who were working with Dutch regulators, with the United States House of Representatives. The documents included emails, meeting minutes and official invitations. Dutch authorities said they needed to investigate further before drawing conclusions.
For Indian businesses, the lesson is not about the Netherlands. It is about the nature of cloud dependency — and what it means when the infrastructure your enterprise runs on is ultimately governed by a foreign legal system.
1. Data Residency vs. Data Sovereignty: A Critical Distinction
Many Indian companies believe they have addressed their data risk by choosing a cloud provider’s Mumbai or Hyderabad region. That belief is dangerously incomplete. There is a fundamental difference between two concepts that are often conflated:
| Concept | What It Actually Means |
| --- | --- |
| Data Residency | Where the server physically sits. Your data may be stored in Mumbai, but the company that runs that server may be incorporated in the United States. |
| Data Sovereignty | Who can legally compel access to that data — through whose courts, under whose laws, and through which administrative and technical controls. |
The Netherlands’ own Court of Audit had already warned in January 2025 that the Dutch central government had entered cloud contracts without completing mandatory risk assessments for two-thirds of major cloud services reviewed. India must not make the same error.
2. The U.S. CLOUD Act: What Every Indian Business Leader Should Know
Under U.S. federal law (18 U.S.C. § 2713), any U.S.-based provider of electronic communication or cloud computing services must preserve, back up, or disclose customer data within its possession, custody, or control — regardless of where that data is physically located. This is not a hypothetical risk. It is a statutory obligation.
This does not mean that a U.S. government official can browse your company’s data at will. The correct position is more nuanced: a U.S. cloud provider may be legally compelled, under appropriate legal process, to produce data it technically controls — even if that data is stored in a server in India.
For Indian enterprises, the practical question is straightforward: does your cloud provider's parent company fall under U.S. jurisdiction? If yes, U.S. lawful access risk exists regardless of which Indian region your data sits in.
3. Can Indian Data Be Shared with a Foreign Government via an Indian Subsidiary?
This is a question increasingly being asked by Indian businesses that use global cloud platforms through locally incorporated entities. The answer is: not automatically, but the risk is real, and it depends on how the system is architected.
An Indian subsidiary is a separate legal entity under Indian law. However, if the U.S. parent company or a U.S.-governed service provider has access to administrative controls, identity systems, support logs, telemetry, backup infrastructure, or encryption keys, a foreign legal demand may create real exposure for Indian data.
Practical scenarios Indian businesses must consider:
- If you use Microsoft 365, Azure, AWS, or Google Cloud under a globally managed service model, foreign lawful access risk exists, even for data stored in India.
- If your data is stored in India but identity management, support, telemetry or backups are handled globally, local storage alone does not guarantee sovereignty.
- If encryption keys are exclusively controlled by you or an Indian-governed entity, your exposure is materially reduced.
- If your vendor’s Indian subsidiary operates with no parent-company access and no U.S.-controlled cloud layer, the risk is lower — but must be verified through contracts and audits.
4. It Is Not Only a U.S. Issue — The Broader Principle
India should be careful not to frame this as a problem unique to American technology companies. Sovereign access laws exist in multiple jurisdictions:
- The United Kingdom’s Investigatory Powers Act has extraterritorial features, with certain notices already being served on overseas operators.
- Australia’s Assistance and Access Act gives agencies tools to require industry cooperation and access digital evidence.
- China’s National Intelligence Law (Article 7) requires organisations and citizens to support, assist and cooperate with state intelligence work.
The principle, therefore, is universal: any foreign-controlled digital infrastructure may carry foreign sovereign access risk. Indian businesses need a framework grounded in this reality — not one that merely substitutes one foreign provider for another.
5. Why This Is Now an Economic and Business Competitiveness Issue
Data is no longer merely an operational input. It is a strategic economic asset. It drives AI models, credit scoring, health analytics, market intelligence, consumer behaviour mapping, financial surveillance, and supply chain optimisation.
When Indian enterprise data sits on foreign-controlled infrastructure, the business consequences are tangible:
- Loss of bargaining power: Indian firms become dependent on foreign providers’ pricing, licensing, service continuity, and policy decisions.
- Compliance cost escalation: DPDP Act obligations, sector-specific regulations (RBI, IRDAI, SEBI), and cross-border transfer requirements all add legal and operational overhead.
- Innovation dependency: Indian AI and analytics capability built on foreign APIs and model ecosystems may be subject to unilateral access restrictions or commercial discontinuation.
- Competitive intelligence exposure: Even anonymised or aggregated data, when processed on foreign infrastructure, can reveal patterns about Indian market behaviour, pricing, and institutional strategy.
- Trade friction risk: Cross-border data restrictions can impede outsourcing, SaaS delivery, cloud migration, and global service contracts.
The European Union has already navigated this at scale. The Court of Justice of the European Union invalidated the EU–U.S. Privacy Shield in 2020, primarily over concerns about U.S. surveillance access. A new EU–U.S. Data Privacy Framework came into force in July 2023 — but the repeated litigation surrounding these arrangements demonstrates how economically consequential and legally fragile cross-border data flows can be. India should observe this experience and prepare its own frameworks proactively.
6. Should Indian Businesses Push for Indian Sovereign Cloud?
Yes — but with an important qualification. A data centre located in India is not, by itself, a sovereign cloud. What India needs is not mere data residency but genuine digital sovereignty: Indian-owned infrastructure, Indian-law-governed operations, India-based administrators, India-controlled encryption keys, auditable sub-processor chains, and strong security standards.
India has already taken steps in this direction. MeitY has empanelled cloud service providers following Standardisation Testing and Quality Certification (STQC) Directorate audits against ISO 27001, ISO 27017, ISO 27018 and ISO 20000 standards. NIC functions as a government cloud provider while engaging private players through structured tender processes.
A tiered sovereign cloud policy — rather than a blanket localisation mandate — is the right direction:
| Data Category | Recommended Approach |
| --- | --- |
| Ordinary commercial data | Global cloud with DPDP compliance, robust contracts, security controls, and transfer impact assessments. |
| Financial, health, children’s data, public-sector databases | India-region storage mandated, stronger encryption, and auditable access logs. |
| Defence, law enforcement, judicial systems, core government identity | Sovereign cloud operated by Indian entities or government-controlled bodies with no foreign administrative access. |
| AI training datasets derived from Indian citizens | Special rules on anonymisation, model training, onward transfer, and foreign access — to be developed as a priority. |
7. An Immediate Compliance Checklist for Indian Organisations
Indian businesses using foreign SaaS and cloud services should immediately review the following:
- Data Map: What personal data is collected, where it is stored, and where it is processed.
- Vendor Map: Cloud provider, SaaS provider, sub-processors, and support locations — including parent company jurisdiction.
- Cross-Border Transfer Register: All instances where data moves outside India, with the legal basis for each transfer.
- Processor Contracts: Agreements under Section 8 of the DPDP Act with all data processors.
- Foreign Lawful Access Risk Assessment: Assess whether your vendor's parent company is subject to the U.S. CLOUD Act or equivalent foreign access laws.
- Encryption and Key Management Policy: Ensure encryption keys are controlled by your organisation or an India-governed entity.
- Breach Notification Readiness: Plans and timelines to comply with DPDP Act breach notification obligations.
- Exit and Data Portability Plan: Ability to migrate data and operations if a vendor relationship ends.
- Sectoral Law Review: Review obligations under RBI, IRDAI, SEBI, telecom, health, and government procurement rules.
- Board-Level Data Sovereignty Policy: Governance-level oversight of data sovereignty decisions for sensitive datasets.
The Business Leadership Imperative
The Dutch–Microsoft episode is not a distant IT story. It is a warning signal for every Indian enterprise that has signed a cloud contract without fully understanding who ultimately controls its data — and under whose law.
India should not reject foreign cloud technology. That would compromise innovation and efficiency. But Indian business leaders must stop treating data infrastructure as purely a technology or procurement decision. It is simultaneously a legal risk, an economic policy choice, and a national security variable.
The real question that every board, every CFO, and every CTO in India should now be asking is not "where is our data stored?" but rather "who can legally, technically and operationally control our data when pressure comes?"
Answering that question honestly is the first step towards genuine digital sovereignty.
Disclaimer / Author’s Note
The views and opinions expressed in this article are solely those of the author and are intended for general information and discussion purposes only. They do not constitute legal advice, professional opinion, or the official position of any organisation with which the author may be associated. Readers are advised to seek appropriate professional advice before acting on any matter discussed herein.
Author: CA. Sunil Elayadath | Partner | Karthik & Sunil
