Cloud Dependency is No Longer Only an IT Procurement Matter; It is a Sovereignty, Economic Policy and National Security Matter

Dutch Microsoft Issue: A Business Perspective for Indian Enterprises

A recent incident in the Netherlands has sent a quiet but unmistakable signal to boardrooms and policy corridors around the world — including in India. Microsoft reportedly shared documents containing the names of Dutch civil servants, who were working with Dutch regulators, with the United States House of Representatives. The documents included emails, meeting minutes and official invitations. Dutch authorities said they needed to investigate further before drawing conclusions.

For Indian businesses, the lesson is not about the Netherlands. It is about the nature of cloud dependency — and what it means when the infrastructure your enterprise runs on is ultimately governed by a foreign legal system.

1.  Data Residency vs. Data Sovereignty: A Critical Distinction

Many Indian companies believe they have addressed their data risk by choosing a cloud provider’s Mumbai or Hyderabad region. That belief is dangerously incomplete. There is a fundamental difference between two concepts that are often conflated:

Concept: What It Actually Means

Data Residency: Where the server physically sits. Your data may be stored in Mumbai, but the company that runs that server may be incorporated in the United States.

Data Sovereignty: Who can legally compel access to that data — through whose courts, under whose laws, and through which administrative and technical controls.

The Netherlands’ own Court of Audit had already warned in January 2025 that the Dutch central government had entered cloud contracts without completing mandatory risk assessments for two-thirds of major cloud services reviewed. India must not make the same error.

2.  The U.S. CLOUD Act: What Every Indian Business Leader Should Know

Under U.S. federal law (18 U.S.C. § 2713), any U.S.-based provider of electronic communication or cloud computing services must preserve, back up, or disclose customer data within its possession, custody, or control — regardless of where that data is physically located. This is not a hypothetical risk. It is a statutory obligation.

This does not mean that a U.S. government official can browse your company’s data at will. The correct position is more nuanced: a U.S. cloud provider may be legally compelled, under appropriate legal process, to produce data it technically controls — even if that data is stored in a server in India.

For Indian enterprises, the practical question is straightforward: Does your cloud provider’s parent company have U.S. jurisdiction? If yes, U.S. lawful access risk exists regardless of which Indian region your data sits in.

3.  Can Indian Data Be Shared with a Foreign Government via an Indian Subsidiary?

This is a question increasingly being asked by Indian businesses that use global cloud platforms through locally-incorporated entities. The answer is: not automatically — but the risk is real, and it depends on how the system is architected.

An Indian subsidiary is a separate legal entity under Indian law. However, if the U.S. parent company or a U.S.-governed service provider has access to administrative controls, identity systems, support logs, telemetry, backup infrastructure, or encryption keys — a foreign legal demand may create real exposure for Indian data.

Practical scenarios Indian businesses must consider:

  • If you use Microsoft 365, Azure, AWS, or Google Cloud under a globally-managed service model, foreign lawful access risk exists — even for data stored in India.
  • If your data is stored in India but identity management, support, telemetry or backups are handled globally, local storage alone does not guarantee sovereignty.
  • If encryption keys are exclusively controlled by you or an Indian-governed entity, your exposure is materially reduced.
  • If your vendor’s Indian subsidiary operates with no parent-company access and no U.S.-controlled cloud layer, the risk is lower — but must be verified through contracts and audits.

4.  It Is Not Only a U.S. Issue — The Broader Principle

India should be careful not to frame this as a problem unique to American technology companies. Sovereign access laws exist in multiple jurisdictions:

  • The United Kingdom’s Investigatory Powers Act has extraterritorial features, with certain notices already being served on overseas operators.
  • Australia’s Assistance and Access Act gives agencies tools to require industry cooperation and access digital evidence.
  • China’s National Intelligence Law (Article 7) requires organisations and citizens to support, assist and cooperate with state intelligence work.

The principle, therefore, is universal: any foreign-controlled digital infrastructure may carry foreign sovereign access risk. Indian businesses need a framework grounded in this reality — not one that merely substitutes one foreign provider for another.

5.  Why This is Now an Economic and Business Competitiveness Issue

Data is no longer merely an operational input. It is a strategic economic asset. It drives AI models, credit scoring, health analytics, market intelligence, consumer behaviour mapping, financial surveillance, and supply chain optimisation.

When Indian enterprise data sits on foreign-controlled infrastructure, the business consequences are tangible:

  • Loss of bargaining power: Indian firms become dependent on foreign providers’ pricing, licensing, service continuity, and policy decisions.
  • Compliance cost escalation: DPDP Act obligations, sector-specific regulations (RBI, IRDAI, SEBI), and cross-border transfer requirements all add legal and operational overhead.
  • Innovation dependency: Indian AI and analytics capability built on foreign APIs and model ecosystems may be subject to unilateral access restrictions or commercial discontinuation.
  • Competitive intelligence exposure: Even anonymised or aggregated data, when processed on foreign infrastructure, can reveal patterns about Indian market behaviour, pricing, and institutional strategy.
  • Trade friction risk: Cross-border data restrictions can impede outsourcing, SaaS delivery, cloud migration, and global service contracts.

The European Union has already navigated this at scale. The Court of Justice of the European Union invalidated the EU–U.S. Privacy Shield in 2020, primarily over concerns about U.S. surveillance access. A new EU–U.S. Data Privacy Framework came into force in July 2023 — but the repeated litigation surrounding these arrangements demonstrates how economically consequential and legally fragile cross-border data flows can be. India should observe this experience and prepare its own frameworks proactively.

6.  Should Indian Businesses Push for Indian Sovereign Cloud?

Yes — but with an important qualification. A data centre located in India is not, by itself, a sovereign cloud. What India needs is not mere data residency but genuine digital sovereignty: Indian-owned infrastructure, Indian-law-governed operations, India-based administrators, India-controlled encryption keys, auditable sub-processor chains, and strong security standards.

India has already taken steps in this direction. MeitY has empanelled cloud service providers following Standardisation Testing and Quality Certification (STQC) Directorate audits against ISO 27001, ISO 27017, ISO 27018 and ISO 20000 standards. NIC functions as a government cloud provider while engaging private players through structured tender processes.

A tiered sovereign cloud policy — rather than a blanket localisation mandate — is the right direction:

Data Category: Recommended Approach

Ordinary commercial data: Global cloud with DPDP compliance, robust contracts, security controls, and transfer impact assessments.

Financial, health, children’s data, public-sector databases: India-region storage mandated, stronger encryption, and auditable access logs.

Defence, law enforcement, judicial systems, core government identity: Sovereign cloud operated by Indian entities or government-controlled bodies with no foreign administrative access.

AI training datasets derived from Indian citizens: Special rules on anonymisation, model training, onward transfer, and foreign access — to be developed as a priority.

7.  An Immediate Compliance Checklist for Indian Organisations

Indian businesses using foreign SaaS and cloud services should immediately review the following:

  • Data Map: What personal data is collected, where it is stored, and where it is processed.
  • Vendor Map: Cloud provider, SaaS provider, sub-processors, and support locations — including parent company jurisdiction.
  • Cross-Border Transfer Register: All instances where data moves outside India, with the legal basis for each transfer.
  • Processor Contracts: Agreements under Section 8 of the DPDP Act with all data processors.
  • Foreign Lawful Access Risk Assessment: Assess whether your vendor’s parent company is subject to U.S. CLOUD Act or equivalent foreign access laws.
  • Encryption and Key Management Policy: Ensure encryption keys are controlled by your organisation or an India-governed entity.
  • Breach Notification Readiness: Plans and timelines to comply with DPDP Act breach notification obligations.
  • Exit and Data Portability Plan: Ability to migrate data and operations if a vendor relationship ends.
  • Sectoral Law Review: Review obligations under RBI, IRDAI, SEBI, telecom, health, and government procurement rules.
  • Board-Level Data Sovereignty Policy: Governance-level oversight of data sovereignty decisions for sensitive datasets.

The Business Leadership Imperative

The Dutch–Microsoft episode is not a distant IT story. It is a warning signal for every Indian enterprise that has signed a cloud contract without fully understanding who ultimately controls its data — and under whose law.

India should not reject foreign cloud technology. That would compromise innovation and efficiency. But Indian business leaders must stop treating data infrastructure as purely a technology or procurement decision. It is simultaneously a legal risk, an economic policy choice, and a national security variable.

The real question — the one that every board, every CFO, and every CTO in India should now be asking — is not “where is our data stored?” but rather “who can legally, technically and operationally control our data when pressure comes?”

Answering that question honestly is the first step towards genuine digital sovereignty.

Disclaimer / Author’s Note

The views and opinions expressed in this article are solely those of the author and are intended for general information and discussion purposes only. They do not constitute legal advice, professional opinion, or the official position of any organisation with which the author may be associated. Readers are advised to seek appropriate professional advice before acting on any matter discussed herein.

Author: CA. Sunil Elayadath | Partner | Karthik & Sunil


DPDP Series 1.8: Penalty under DPDP Act, 2023

Penalties Under the DPDP Act, 2023

The DPDP Act establishes a clear and significant penalty framework. Penalties are imposed by the Data Protection Board of India after due inquiry, giving the accused an opportunity to be heard. The penalties are civil in nature — monetary fines, not criminal prosecution.


The Penalty Schedule

Breach: Maximum Penalty

Failure to implement security safeguards: ₹250 crore

Failure to notify breach to Board or individuals: ₹200 crore

Breach of children’s data obligations: ₹200 crore

Breach of Significant Data Fiduciary obligations: ₹150 crore

Any other provision of the Act or Rules: ₹50 crore

Breach of duties by a Data Principal: ₹10,000

What Factors Determine the Penalty Amount?

The Board does not automatically impose the maximum. It considers:

  • Nature, gravity, and duration of the breach
  • Sensitivity of the personal data involved
  • Whether the breach was repetitive
  • Whether any gain was made or loss avoided
  • Whether timely steps were taken to mitigate harm
  • The likely impact of the penalty on the organisation

Examples

Example 1 — Failure to Secure Data (₹250 crore)

A large e-commerce platform stores millions of customer records — names, addresses, and payment details — without encryption or access controls. Hackers exploit this and steal the data. The platform had no reasonable safeguards in place. The Board finds them liable for up to ₹250 crore.

Example 2 — Failure to Report a Breach (₹200 crore)

A telecom company discovers that its customer database has been compromised. Instead of notifying the Board and affected customers promptly, it delays disclosure for weeks hoping to manage the situation internally. This failure to notify attracts a penalty of up to ₹200 crore.

Example 3 — Children’s Data Violation (₹200 crore)

An ed-tech platform collects data of students under 18 without obtaining verifiable parental consent. It also runs targeted advertisements directed at children on its platform. Both violations together attract a penalty of up to ₹200 crore.

Example 4 — Significant Data Fiduciary Default (₹150 crore)

A major social media platform notified as a Significant Data Fiduciary fails to appoint a Data Protection Officer based in India and does not conduct its mandatory annual Data Protection Impact Assessment. The Board imposes a penalty of up to ₹150 crore.

Example 5 — Data Principal Misuse (₹10,000)

An individual files repeated false complaints against a company with the Data Protection Board, with no genuine grievance. The Board finds the complaints frivolous and imposes a penalty of up to ₹10,000 on the individual.


Can the Government Go Further?

Yes. If the Board reports that penalties have been imposed on a Data Fiduciary on two or more occasions, the Central Government may direct platforms and intermediaries to block public access to that organisation’s services in India — making repeat non-compliance an existential risk for businesses.


The Key Takeaway

Penalties under the DPDP Act are not symbolic. They are substantial, scalable, and designed to deter. Compliance is not a one-time exercise — it is an ongoing obligation, and the cost of ignoring it far exceeds the cost of getting it right.


Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.


DPDP Series 1.7: Consent

What is Valid Consent Under the DPDP Act?

Consent is the foundation of the DPDP Act. Before collecting or processing any personal data, a Data Fiduciary must obtain consent that meets every one of the following conditions. If even one condition is missing — the consent is invalid.


The Five Pillars of Valid Consent

Free — Consent must not be forced, pressured, or made a condition for a service where the data is not genuinely necessary. The individual must have a real choice.

Specific — Consent must be tied to a clearly defined purpose. A blanket “I agree to everything” is not valid. Each purpose requires its own consent.

Informed — The individual must know exactly what data is being collected, why it is being collected, and what their rights are — before they consent.

Unconditional — Consent cannot be bundled with unrelated terms or conditions. It must stand on its own.

Unambiguous with a Clear Affirmative Action — Silence, pre-ticked boxes, or inaction do not count as consent. The individual must actively and clearly say yes.


What is the Notice Requirement?

Before seeking consent, every Data Fiduciary must serve a Notice to the individual. This notice must be in clear, plain language — not buried in legal jargon. It must be available in English or any language listed in the Eighth Schedule of the Indian Constitution.

The Notice must contain:

What data is being collected — A clear description of the personal data proposed to be processed.

Why it is being collected — The specific purpose for which the data will be used.

How to exercise rights — A clear explanation of how the individual can access, correct, erase their data, or withdraw consent.

How to withdraw consent — The notice must explicitly tell the individual the manner in which they can withdraw consent. This is a distinct and mandatory element, separate from the general rights section.

The notice must also make clear that consent is limited to the data necessary for the specified purpose, so the individual understands they are not consenting to unlimited data collection. It must clarify that withdrawing consent will not affect the legality of processing already carried out before withdrawal, so individuals understand what withdrawal does and does not undo. For data collected before the Act came into force, the notice obligation is triggered as soon as reasonably practicable.

How to complain — Details of how the individual can raise a complaint with the Data Protection Board of India.

Who to contact — Business contact information of the Data Protection Officer or a designated person who can answer questions about data processing.


What About Data Already Collected Before the Act?

If consent was obtained before the Act came into force, the Data Fiduciary must still issue a notice — as soon as reasonably practicable — informing the individual of the data held, its purpose, and how to exercise their rights going forward.


What Happens to Invalid Consent?

Any portion of consent that violates the Act is invalid to that extent. The rest of the consent may still hold — but the Data Fiduciary cannot rely on the invalid portion to justify processing.


A Practical Example

A food delivery app asks you to sign up. Before you proceed, it shows a notice stating: your name, phone number, and address will be used to deliver your orders. It tells you how to delete your account and who to contact for queries. You then tap “I Agree” — actively, not by default. That is valid consent.

If instead the app pre-ticks a box agreeing to share your data with advertising partners — that portion of consent is invalid.



DPDP Series 1.6: Services to Indian Individuals by Foreign Entity

I’m a US Citizen Providing Services to Indians. Am I Covered Under the DPDP Act?

The short answer is — Yes, very likely.

The DPDP Act, 2023 is not limited to organisations or individuals based in India. Its reach is intentionally extraterritorial, designed to protect Indian individuals regardless of where the entity collecting their data is located.


What Does the Act Say?

The Act applies to the processing of digital personal data in two scenarios:

Within India — Any personal data collected in digital form (or digitised from non-digital form) within the territory of India.

Outside India — Any processing of digital personal data outside India, if such processing is in connection with offering goods or services to individuals in India.

This second provision is what covers you directly as a US-based service provider.


Does This Apply to Me?

Ask yourself these questions:

Do you collect personal data of individuals located in India? If yes — names, email addresses, phone numbers, payment details, usage behaviour — you are processing personal data of Indian Data Principals.

Do you offer goods or services to individuals in India? If your platform, app, or service is accessible to and targeted at Indian users — even if your servers are in the US — you fall within the scope of the Act.

Do you receive payment or registrations from Indian users? If Indian individuals are signing up, subscribing, or transacting with you, you are offering services to Data Principals within India.

If your answer to any of the above is yes, the DPDP Act applies to you.


What Are Your Obligations?

As a Data Fiduciary operating from outside India, you must:

  • Obtain free, informed, and unambiguous consent from Indian users before collecting their data
  • Provide a clear notice describing what data is collected and why
  • Use the data only for the stated purpose
  • Implement reasonable security safeguards to prevent breaches
  • Delete the data once the purpose is served or consent is withdrawn
  • Report breaches to the Data Protection Board of India and affected users promptly

Are There Any Restrictions on Sending Data Back to the US?

Yes, potentially. The Central Government has the power to restrict transfer of personal data to specific countries. If India notifies the US as a restricted destination, additional compliance steps may apply before you can transfer or store Indian users’ data on US servers.


What Happens If You Don’t Comply?

Non-compliance exposes you to penalties imposed by the Data Protection Board of India — up to ₹250 crore for security failures and up to ₹200 crore for failure to report a breach. The Board has jurisdiction over processing that affects Indian Data Principals, regardless of where you are based.



DPDP Series 1.5: Data Breaches

What is a Data Breach?

A personal data breach under the DPDP Act, 2023 is any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data — that compromises its confidentiality, integrity, or availability.

In plain terms: if personal data ends up where it shouldn’t, gets changed without authorisation, or becomes inaccessible when it should be available — it is a breach.


How Does a Breach Happen?

Breaches can occur in many ways — through external attacks, internal negligence, or simple system failures.

Example 1 — Cyberattack

A hospital’s patient database is hacked. Names, phone numbers, diagnoses, and medical histories of thousands of patients are stolen and published online. This is a breach of confidentiality.

Example 2 — Accidental Disclosure

An HR executive accidentally emails salary slips of 500 employees to the wrong mailing list. The data was not stolen — but it was disclosed without authorisation. Still a breach.

Example 3 — Insider Threat

A bank employee downloads and sells customer account details to a third party for personal gain. This is unauthorised processing — a serious breach.

Example 4 — Ransomware Attack

A company’s servers are encrypted by ransomware. All customer data becomes inaccessible. Even though data was not stolen, loss of availability is a breach under the Act.

Example 5 — Third-Party Vendor Failure

A Data Fiduciary shares customer data with a cloud service provider (Data Processor). The vendor suffers a security failure and the data is exposed. The Data Fiduciary remains accountable.


What Must a Data Fiduciary Do After a Breach?

The Act imposes a strict response obligation:

Notify immediately — Inform every affected Data Principal about the nature of the breach, its likely consequences, and the steps being taken to contain it.

Report to the Board — Intimate the Data Protection Board of India with full details: the root cause, timeline of events, persons responsible, mitigation measures taken, and steps to prevent recurrence.


What Are the Consequences?

Failure to implement safeguards that could have prevented the breach attracts a penalty of up to ₹250 crore. Failure to notify the Board or affected individuals attracts up to ₹200 crore — both imposed by the Data Protection Board.


The Key Takeaway

A breach is not just a hacking incident. Sending data to the wrong person, losing a device with unencrypted data, or a vendor’s server going down — all can qualify. The obligation to protect data, and to respond swiftly when things go wrong, rests squarely on the Data Fiduciary.



DPDP Series 1.4: Data Fiduciary – Obligations

Am I a Data Fiduciary? What Are My Obligations?


Q: How do I know if I am a Data Fiduciary?

If your organisation decides why and how personal data is collected and processed — you are a Data Fiduciary. This includes businesses, hospitals, schools, employers, apps, government bodies, and NGOs. Size does not matter; if you collect personal data of individuals in India, you qualify.


Q: Do I need consent before collecting data?

Yes. Before collecting any personal data, you must give the individual a clear notice describing what data is being collected and why. Consent must be free, specific, informed, and unambiguous.


Q: Can I collect more data than I need?

No. You may only collect data that is necessary for the stated purpose. Collecting excess data is a violation of the Act.


Q: How long can I keep the data?

Only as long as the purpose requires. Once the purpose is served or the individual withdraws consent, you must delete the data — unless a law requires you to retain it for a specific period.


Q: What security measures must I put in place?

You must implement reasonable technical and organisational safeguards — including encryption, access controls, monitoring logs, and data backups — to prevent unauthorised access or breaches.


Q: What must I do if there is a data breach?

You must immediately notify the Data Protection Board and every affected individual, describing the nature of the breach, its likely impact, and the steps being taken to contain it.


Q: Must I have a grievance mechanism?

Yes. Every Data Fiduciary must establish an effective grievance redressal system and publish contact details of a person who can respond to Data Principal queries.


Q: What are the penalties for non-compliance?

Penalties can reach up to ₹250 crore for failure to implement security safeguards, and up to ₹200 crore for failure to report a breach — imposed by the Data Protection Board.

