India data sovereignty US CLOUD Act analysis

This article is one of the winning entries (ranked 5th) of Lexathon, a technology law conclave on AI, data protection and innovation organised by NLU, Odisha in April 2026.

Introduction

The digital shift and the sovereignty paradox

Indian financial institutions, including Housing Development Finance Corporation (HDFC Bank), State Bank of India, Industrial Credit and Investment Corporation of India (ICICI Bank) and numerous fintech start-ups, have moved their core business functions to hyperscale cloud services offered by Amazon Web Services (AWS), Microsoft Azure and Google Cloud.1 The move lets these organisations scale their operations and improves disaster recovery while lowering costs. It also rests on a basic conflict: the financial institutions keep personal data on servers in Mumbai, while that data is managed by American companies headquartered in Seattle.

India has established comprehensive data protection through the Digital Personal Data Protection Act, 2023 (DPDP Act)2 and the Reserve Bank of India’s (RBI’s) stringent data localisation rules for payment systems. Both instruments rest on the premise that data within India’s territorial boundaries is governed by Indian law. This territorial principle collides with the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which asserts US authority over data held by US providers wherever it is stored.3 Under the CLOUD Act’s “possession, custody or control” standard, US courts can compel American cloud service providers (CSPs) to produce data located outside the United States.4

Scope and significance

The scope of this analysis is deliberately narrow. It focuses on financial services data (banking, payment systems and insurance) because these sectors carry the highest economic and strategic risks.5 RBI’s data localisation requirements also subject financial services organisations to the most demanding tests of sovereignty.

Geographically, the analysis concentrates on the India-United States jurisdictional nexus: AWS, Microsoft Azure and Google Cloud together hold more than 60 per cent of the Indian cloud market.6 The US CLOUD Act is the most developed extraterritorial data-access regime, giving US authorities reach over data stored outside the United States, although European and Chinese cloud services raise comparable sovereignty problems under the General Data Protection Regulation (GDPR) and China’s cybersecurity law.7 The analysis reflects the regulatory position in early 2025, after the DPDP Act’s implementation but before all delegated rules were finalised.

The conceptual framework

Deconstructing the cloud

The cloud is a network of physical servers housed in concrete buildings.8 When Indian banks store data “in the cloud”, that data sits on hard drives in designated facilities; the AWS Mumbai region consists of actual data centres at locations across Maharashtra. Control, however, involves more than physical location. The essential point is that where data is physically stored does not determine who can legally access it.9 A server may be a fixed installation in India, but if a US-based corporation controls the encryption keys and administrative access, US courts acquire jurisdiction through that corporation’s operations in the United States.

The triad: Residency, localisation, and sovereignty

Data residency refers to physical storage location, a purely geographical concept. The process of data localisation creates a legal duty to maintain data within national borders by transforming data residency into a binding requirement.10 Data sovereignty represents the apex: supreme authority to govern data, which includes access rights, and the power to choose who can access the data and under what conditions.11 India has achieved residency and localisation, yet may lack complete sovereignty if foreign jurisdictions can compel access by targeting corporate entities controlling those servers.

The control test

The fundamental rule is that whoever holds the encryption keys and administrative access controls the data, regardless of where the hardware sits.12 Where a customer relies on AWS Key Management Service to handle its encryption keys, AWS can decrypt that customer’s data. Indian banks can retain exclusive decryption rights through Bring Your Own Key (BYOK) arrangements in which AWS never has access to their plaintext keys. The CLOUD Act codifies this control standard: it permits law enforcement to serve warrants requiring providers to disclose data within the provider’s possession and control.13 Control is exercised remotely through three channels that ignore geography: administrative interfaces, encryption key hierarchies, and corporate command structures.

India’s data shield

The DPDP Act

The DPDP Act distinguishes between data fiduciaries (entities that determine the purposes and means of processing: banks, non-banking financial companies (NBFCs) and fintechs) and data processors (entities that process data on behalf of fiduciaries: cloud service providers).14 Fiduciaries remain responsible for their processors’ activities, with fines of up to Rs 250 crores for severe violations.15 Section 16 adopts a permissive “negative list” approach to cross-border transfers, currently allowing transfers to any destination unless the government has specifically blacklisted it.16 Critically, the DPDP Act addresses voluntary transfers initiated by fiduciaries or processors but gives no clear guidance on resisting involuntary extraterritorial access demands, a gaping hole when analysing conflicts with the CLOUD Act.

RBI payment data localisation

In April 2018 RBI mandated that all payment system operators in India store their complete payment records within Indian territory.17 The localisation requirement is sweeping: the complete data set must always be stored in India, and exclusive storage abroad is not permitted.18 RBI’s stated aim was unrestricted supervisory access to all payment data.19 The Master Direction on IT Outsourcing requires contracts with CSPs to incorporate the localisation mandate, guarantee RBI supervisory access, and implement strong encryption.20 These requirements assume that CSPs will honour their Indian contractual obligations, an assumption that breaks down when a foreign court backs its own orders with the threat of contempt.

The foreign sword

The Microsoft Ireland case

The CLOUD Act originated in US law enforcement’s attempt to obtain emails that Microsoft had stored in Dublin.21 Microsoft argued that the Stored Communications Act (SCA) applied only domestically and that requiring production of Irish-stored data would be an impermissible extraterritorial application. In 2016 the Second Circuit agreed, holding that under the SCA what mattered was where the data was stored, not where the company was headquartered.22 The ruling left a gap that would let criminals shield their communications simply by having them stored abroad. The government appealed, and the dispute drove Congress to enact the CLOUD Act as a legislative solution.23

The CLOUD Act mechanism

The CLOUD Act, enacted in March 2018, gives law enforcement agencies the authority to obtain data stored outside the United States24 and requires providers to comply “regardless of whether such communication, record, or other information is located within or outside of the United States”. The statute establishes a control-based jurisdictional test with three overlapping bases: possession (physical holding), custody (legal responsibility), and control (practical ability to retrieve).25 Control is the most expansive, encompassing technical capabilities (encryption keys, administrative credentials) and organisational authority (corporate structures that allow US parents to direct foreign subsidiaries).

For an Indian bank storing data in AWS Mumbai, AWS India Pvt. Ltd. is the legal custodian under Indian law, but Amazon Web Services Inc. (the US parent) retains control through its global administrative consoles and encryption key management systems located in Virginia. That control is what gives US authorities jurisdiction. The Act includes a comity mechanism allowing providers to challenge orders that conflict with foreign privacy laws, but absent an executive agreement this protection is discretionary and limited.26 US courts have historically favoured law enforcement in their balancing tests, particularly in national security cases. Because India has no CLOUD Act executive agreement, Indian data is at a disadvantage compared with UK and Australian data.27

The collision

The Mumbai server fallacy

The common belief that foreign authorities cannot reach data on Indian soil misunderstands the matter entirely. This “Mumbai Server Fallacy” conflates residency with sovereignty.28 The standard AWS Mumbai architecture used by Indian banks stores customer data on servers in Maharashtra to satisfy RBI’s localisation requirement. Banks control access to that data through AWS Identity and Access Management (IAM), a control plane operated from Virginia. The data objects remain in Mumbai, while authentication systems and encryption key hierarchies operate across AWS’s global network. The provider, Amazon Web Services Inc., is a Delaware corporation, and that corporate structure is what grounds CLOUD Act jurisdiction.29

The legal void

Neither the Indian nor the US legal system provides a mechanism for resolving the jurisdictional conflict between them. The DPDP Act governs voluntary transfers of data but not transfers compelled by foreign legal systems.30 Whether a provider’s compliance with a CLOUD Act warrant even constitutes a cross-border transfer within the meaning of Section 16 has yet to be assessed. The Act provides no mechanism for preventing foreign compulsion directed at foreign processors.31 Cloud service agreements contain conflicting obligations: RBI requires compliance with Indian law, while CSPs reserve the right to comply with the laws of their home jurisdictions. The result is an irreconcilable conflict of legal requirements, and a dispute between sovereign States cannot be resolved by private contract.32

Because CLOUD Act orders are served directly on the company and may carry gag provisions, the Indian government need never be notified. India cannot escalate conflicts it does not know exist. Without a CLOUD Act executive agreement, India also lacks any treaty-based right to challenge US data requests. The result is an asymmetry of power: the US has a complete legal mechanism enforced by its own courts, while India has only domestic regulations that bind local businesses but cannot stop foreign companies from being compelled to hand over Indian data.33

Mitigation strategies

Technical solutions: Customer-controlled encryption

If data is encrypted with keys held exclusively by Indian institutions, cloud providers cannot produce intelligible data in response to legal compulsion. Hold Your Own Key (HYOK) models represent the gold standard: encryption keys never leave customer infrastructure. When CSPs need to encrypt/decrypt data, they make Application Programming Interface (API) calls to the customer’s external key management system, which performs operations without exposing keys. RBI could mandate that systemically important financial institutions use HYOK with keys managed exclusively on Indian-located, Indian-certified Hardware Security Modules (HSMs).34 This would effectively neutralise the CLOUD Act’s reach even if US authorities obtain warrants; encrypted data would be useless without keys perpetually in India under Indian control.35
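The key-custody argument in this paragraph, and in the control test above, is easiest to see in code. The following is an added example, not code from the article or from any cloud provider: it models envelope encryption with a hypothetical KeyHolder standing in for either a bank's India-located HSM (HYOK) or a provider-managed KMS, and shows that the provider can produce intelligible plaintext under compulsion only when it holds the key-encryption key (KEK) itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing is unrecoverable
	}
	return b
}

// gcm builds AES-256-GCM; every key in this model is 32 random bytes, so a failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce||ciphertext||tag; open reverses it, rejecting a wrong key or altered bytes.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("truncated or empty blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// KeyHolder owns a KEK (bank HSM under HYOK, provider KMS otherwise) and exposes only wrap/unwrap; the KEK never leaves it.
type KeyHolder struct{ kek []byte }

func NewKeyHolder() *KeyHolder { return &KeyHolder{kek: randBytes(32)} }
func (k *KeyHolder) Wrap(dek []byte) []byte { return seal(k.kek, dek) }
func (k *KeyHolder) Unwrap(w []byte) ([]byte, error) { return open(k.kek, w) }

// StoredObject is everything in provider custody for one record; CloudStore models a region.
type StoredObject struct{ Ciphertext, WrappedDEK []byte }
type CloudStore map[string]StoredObject

// Put is envelope encryption: a fresh DEK per object, and the DEK wrapped by the chosen KeyHolder.
func (c CloudStore) Put(name string, plaintext []byte, kh *KeyHolder) {
	dek := randBytes(32)
	c[name] = StoredObject{Ciphertext: seal(dek, plaintext), WrappedDEK: kh.Wrap(dek)}
}

// Get is the bank's read path: unwrap the DEK via the KeyHolder, then decrypt (an unknown name fails to unwrap).
func (c CloudStore) Get(name string, kh *KeyHolder) ([]byte, error) {
	dek, err := kh.Unwrap(c[name].WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, c[name].Ciphertext)
}

// CompelledProduction is all the provider can yield from its own custody: plaintext only if it holds the KEK itself.
func (c CloudStore) CompelledProduction(name string, providerKMS *KeyHolder) ([]byte, error) {
	if providerKMS == nil {
		return nil, errors.New("HYOK: KEK not in provider custody; only ciphertext can be produced")
	}
	return c.Get(name, providerKMS)
}

func main() {
	hsm, store := NewKeyHolder(), CloudStore{}
	store.Put("txn-1", []byte("constructed sample payment record"), hsm)
	fmt.Println(store.CompelledProduction("txn-1", nil))
}
```

Passing a provider-held KeyHolder as providerKMS models the provider-managed KMS case, where the same call returns plaintext; a provider key that did not wrap the DEK fails the GCM authentication check just as a tampered ciphertext does.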

Confidential computing addresses vulnerabilities during processing through hardware-based Trusted Execution Environments (TEEs). Technologies like Intel Software Guard Extensions (Intel SGX) create isolated enclaves where code and data are encrypted during processing and remain inaccessible to hypervisors or administrators. Combined with HYOK, confidential computing provides end-to-end sovereignty: keys in India, data encrypted everywhere, including during processing, and CSPs unable to access intelligible information under any circumstances.

Diplomatic solutions: India-US executive agreement

A bilateral CLOUD Act executive agreement between India and the United States would establish a reciprocal framework for cross-border data access. India would gain two critical benefits:

1. Indian law enforcement would be able to serve orders directly on US-based CSPs without resorting to mutual legal assistance treaty (MLAT) procedures,36 and

2. India would obtain formal channels to challenge US requests for data about Indian citizens.37 The US-UK agreement prohibits intentional targeting of persons in the partner jurisdiction without consent.38 Indian objections would not be an absolute veto, but overriding them would carry political costs.

To qualify, India must satisfy US requirements: robust privacy protections, judicial authorisation for surveillance, transparency of operations, and redress mechanisms for rights violations. India’s Information Technology Act grants security agencies broad interception powers that law enforcement can exercise with minimal judicial oversight, which raises concerns on the US side. Qualifying would therefore require legal reforms that strengthen judicial authorisation and operational transparency, which would in turn improve domestic civil-liberties safeguards. Negotiations have been under way since 2019 without resolution, because the civil-liberties reforms required demand political commitment at the highest level.

Blocking statutes and regulatory innovation

India could enact a blocking statute prohibiting companies operating in India from complying with foreign legal demands that India regards as unlawful. The EU’s blocking regulation provides a template. Such legislation would prohibit compliance with foreign data requests other than through official MLAT channels,39 and would require every foreign request to be reported to Indian authorities. Violating CSPs would face heavy fines and licence suspension, and Indian entities harmed by unauthorised disclosure could sue for compensation irrespective of the foreign legal obligation.40 A blocking statute puts CSPs in a genuine dilemma: comply with a CLOUD Act order and face Indian criminal or civil penalties, or comply with Indian law and face contempt sanctions in the US. That pressure tends to push CSPs to support bilateral agreements that would resolve the conflict.41

Blocking statutes also carry risks. They may deter CSPs from establishing operations in India, fragment the internet and force providers into costly duplicate infrastructure, and provoke US countermeasures that spill over into wider economic disputes. Their effectiveness depends on credible enforcement, including a real willingness to prosecute violations and impose penalties on the world’s largest technology companies. Without credible enforcement, a blocking statute becomes a merely symbolic gesture rather than a sovereignty defence.42

Structural reform: Sovereign cloud infrastructure

The technological self-sufficiency solution pursues complete sovereignty by building indigenous cloud infrastructure that lets organisations run essential workloads without relying on international cloud service providers. The Ministry of Electronics and Information Technology’s (MeitY) MeghRaj government cloud and the proposed national cloud platforms to be run by State-owned enterprises offer a route to genuine sovereignty. RBI could require systemically important payment systems to operate on sovereign cloud services meeting four conditions: Indian majority ownership, an Indian-headquartered corporate structure, Indian nationals controlling encryption keys and administrative systems, and contractual commitments never to disclose data to foreign authorities except through MLAT processes.

This strategy faces three main obstacles: heavy capital requirements, a capability gap relative to hyperscale providers, and the risk of cutting India off from global technological progress. A pragmatic approach would reserve strategic sovereignty for government, defence and financial infrastructure, while leaving commercial workloads open to competition so that organisations can weigh sovereignty against cost and capability according to their own risk assessment.

Conclusion

Answering the research question

The DPDP Act and RBI’s data localisation framework mark a strong statement of India’s authority over financial data. These measures provide solid privacy protections. They require payment and financial data to be stored physically within Indian territory and ensure that Indian law governs routine processing and supervisory access. This framework improves domestic regulatory capability and decreases reliance on foreign legal systems for access to data.

However, an operational limitation remains. The framework cannot stop foreign authorities from forcing access to data through legal mechanisms directed at multinational cloud service providers. The US CLOUD Act allows American law enforcement to demand that US-based cloud providers hand over data within their “possession, custody, or control,” no matter where it is stored. Because of this, data kept in India may still be legally accessible to foreign authorities without involving Indian judicial processes. This creates an alternative access channel that exists outside India’s legal protections.

Broader implications: Rethinking digital sovereignty

This situation shows a wider change in the concept of sovereignty in the digital age. The traditional model believed that legal authority directly related to physical location. Cloud computing challenges this idea by separating where data is stored from who controls and manages it. Authority can now come from control over infrastructure, encryption systems, and companies, not just territorial ownership.

Thus, data localisation ensures residency but does not guarantee full sovereign control. Real sovereignty needs control over encryption keys, administrative power, and the legal responsibilities of service providers. Laws like the CLOUD Act show that jurisdiction is increasingly based on the nationality of a company and its operational capacity, rather than just its location. Therefore, digital sovereignty needs to be seen as depending on both territorial regulation and technological control.

The path forward

This research shows that localisation alone is not enough to achieve full digital sovereignty. Sovereignty in the cloud era needs a layered approach that combines territorial regulation with technical, legal, and institutional protections. Technical options, like customer-controlled encryption and local key management, can lessen the reach of foreign legal demands. Regulatory and contractual arrangements can improve transparency and strengthen local legal authority. Diplomatic work and institutional coordination can also help reduce jurisdictional conflicts.

In the end, sovereignty in the digital realm does not just depend on where data is kept but on who exercises real control over it. India’s current framework lays a crucial foundation by ensuring territorial storage and regulatory power. However, to achieve true and lasting digital sovereignty, it will be necessary to extend that control to the technical and legal frameworks governing access. Only by connecting territorial localisation with operational and cryptographic control can India fully achieve the sovereign goals behind its data protection strategy.


*National Forensic Sciences University, Gandhinagar.

**National Forensic Sciences University, Gandhinagar.

1. Asian Development Bank, Cloud Computing as a Key Enabler for Digital Government across Asia and the Pacific (2021) Chs. 2-3.

2. Digital Personal Data Protection Act, 2023.

3. Justin Hemmings, Sreenidhi Srinivasan and Peter Swire, “Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the CLOUD Act” (2020) 10, 631, available at <https://nationalsecurity.law.georgetown.edu/wp-content/uploads/2020/05/Defining-the-Scope-of-Possession-Custody-or-Control.pdf>.

4. 18 USC S. 2713; Theodore Christakis, “Extraterritorial Enforcement Jurisdiction in Cyberspace: Normative Shifts” (2023) Leiden Journal of International Law.

5. PwC India, “On-Soil Storage of Payments Data” (2018).

6. Amazon Web Services, MeitY (Ministry of Electronics and Information Technology) Empanelment (2026).

7. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), (2016) OJ L119/1; Cybersecurity Law of the People’s Republic of China (adopted 7 November 2016, effective 1 June 2017) Art. 37.

8. David Vaile, Kevin Kalinich, Patrick Fair and Adrian Lawrence, “Data Sovereignty and the Cloud” (2013) UNSW Law Research Paper 2013-84.

9. Prashant Dubey, “Cloud Computing and Data Sovereignty: Navigating Legal and Regulatory Challenges” (2024) 2(7) International Journal for Legal Research and Analysis.

10. David Vaile, Kevin Kalinich, Patrick Fair and Adrian Lawrence, “Data Sovereignty and the Cloud” (2013) UNSW Law Research Paper 2013-84, 8-12.

11. David Vaile, Kevin Kalinich, Patrick Fair and Adrian Lawrence, “Data Sovereignty and the Cloud” (2013) UNSW Law Research Paper 2013-84, 12-15.

12. David Vaile, Kevin Kalinich, Patrick Fair and Adrian Lawrence, “Data Sovereignty and the Cloud” (2013) UNSW Law Research Paper 2013-84, 12-15; Prashant Dubey, “Cloud Computing and Data Sovereignty: Navigating Legal and Regulatory Challenges” (2024) 2(7) International Journal for Legal Research and Analysis.

13. 18 USC S. 2713.

14. Digital Personal Data Protection Act, 2023, Ss. 8 and 10.

15. Digital Personal Data Protection Act, 2023, S. 33; Aastha Kaul, “The Digital Personal Data Protection Act, 2023: Strengthening Privacy in the Digital Age” (2024) International Journal of Law Review and Analysis (forthcoming).

16. Digital Personal Data Protection Act, 2023, S. 16.

17. Reserve Bank of India, Storage of Payment System Data.

18. Reserve Bank of India, Storage of Payment System Data.

19. PwC India, “On-Soil Storage of Payments Data” (2018).

20. Khaitan & Co., “RBI Releases Master Direction to Regulate Outsourcing of IT Services” (15-5-2023).

21. United States v. Microsoft Corpn., 829 F 3d 197 (2d Cir 2016).

22. United States v. Microsoft Corpn., 829 F 3d 197, 222-25 (2d Cir 2016).

23. United States v. Microsoft Corpn., 2018 SCC OnLine US SC 72 : 584 US ___ : 138 S Ct 1186 (2018).

24. United States v. Microsoft Corpn., 2018 SCC OnLine US SC 72 : 584 US ___ : 138 S Ct 1186 (2018).

25. Justin Hemmings, Sreenidhi Srinivasan and Peter Swire, “Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the CLOUD Act” (2020) 10, 631, available at <https://nationalsecurity.law.georgetown.edu/wp-content/uploads/2020/05/Defining-the-Scope-of-Possession-Custody-or-Control.pdf>.

26. 18 USC S. 2523.

27. Mayer Brown, “The Legal Nature of the UK-US CLOUD Agreement”, Cross-Border Data Forum (19-4-2020).

28. David Vaile, Kevin Kalinich, Patrick Fair and Adrian Lawrence, “Data Sovereignty and the Cloud” (2013) UNSW Law Research Paper 2013-64; Prashant Dubey, “Cloud Computing and Data Sovereignty: Navigating Legal and Regulatory Challenges” (2024) 2(7) International Journal for Legal Research and Analysis.

29. Amazon Web Services, Clarifying Lawful Overseas Use of Data (CLOUD) Act (AWS Compliance Centre, updated 8-2-2026).

30. Digital Personal Data Protection Act, 2023, S. 16.

31. Digital Personal Data Protection Act, 2023, S. 16.

32. Reserve Bank of India, Master Direction on Outsourcing of Information Technology Services, RBI/2023-24/102 (Issued on 10-4-2023).

33. Jukka Ruohonen, “Recent Trends in Cross-Border Data Access by Law Enforcement Agencies” (2021) Springer, available at <https://arxiv.org/pdf/2302.09942>.

34. Intel, “Intel® Software Guard Extensions (Intel® SGX)”, Product Documentation (16-10-2024).

35. Wikipedia, Trusted Execution Environment, available at <https://en.wikipedia.org/wiki/Trusted_execution_environment>.

36. 18 USC S. 2523.

37. Mayer Brown, “The Legal Nature of the UK-US CLOUD Agreement”, Cross-Border Data Forum (19-4-2020); Reed Smith, “Does the UK-US Agreement under the US CLOUD Act Affect UK’s Adequacy under the GDPR? approach to data access?”, Technology Law Dispatch (12-10-2022).

38. Mayer Brown, “The Legal Nature of the UK-US CLOUD Agreement”, Cross-Border Data Forum (19-4-2020).

39. Erwan Guerineau, “The European Union’s Blocking Statute against Extraterritorial Legislation: An Effective Instrument for Protecting the EU’s Economic Interests?”, Custax & Legal (31-7-2023).

40. Norton Rose Fulbright, “Potential Impacts of the EU Blocking Statute”, Regulation Tomorrow (10-12-2018).

41. Sidley Austin, “EU Blocking Statute: Toward Enhanced Enforcement?”, Sidley (3-2-2022).

42. Mayer Brown, “EU Top Court Issues First-Ever Judgment on the EU Blocking Statute Against US Sanctions” (21-12-2021).
