The Battle for Bytes: Navigating the Clash Between Data Flows and India’s Digital Sovereignty
India’s efforts toward achieving digital sovereignty aim to secure national data, reduce dependence on foreign technologies, and strengthen its digital autonomy. The government has taken many steps that include transferring over 1.2 million government email accounts to the India based Zoho Mail platform and enacting the Digital Personal Data Protection (DPDP) Act, 2023, which sets up a legal framework for personal data governance. These steps respond to risks brought to the forefront by global data misuse incidents, such as Cambridge Analytica, and budding threats from artificial intelligence, foreign-owned digital platforms and social media influence. Rapid internet expansion has increased connectivity, but it has also heightened vulnerabilities related to misinformation and digital threats. This paper argues that if India wants to have digital sovereignty, then it requires a balance between security and democratic freedoms, promoting homegrown technologies, and enacting robust governance and security frameworks to protect citizens’ data.
In a major step toward digital sovereignty, the Government of India has recently transferred all 1.2 million (12 lakh) official e-mail addresses of Central government employees including those associated with the Prime Minister’s Office (PMO) from a National Informatics Centre (NIC)-based system to Zoho Mail, an indigenous email platform developed by Zoho Corporation, a Chennai-based technology company. (The Hindu, 2025). This step underscores India’s growing emphasis on developing and adopting domestic technologies to ensure greater control over its digital infrastructure and data governance. In a significant move Union Home Minister Amit Shah has also adopted Zoho Mail substituting foreign platforms such as Google and Microsoft, conveying strong governmental support for India’s technological self-reliance. (The Times of India, 2025) This move fits with the government’s vision of “Atmanirbhar Bharat” (self-reliant India) and addresses important concerns over data security and privacy in an era where data has become a critical resource and tool. As the world becomes increasingly dependent on digital systems, the protection and localization of data have become central to national security and policy autonomy. Cybersecurity expert Gene Spafford famously stated in 1989, “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards and even then I have my doubts” (Spafford, 1989, as cited in Perlroth, 2021). More than three decades later, this statement remains valid, reflecting the vulnerabilities and the danger of interconnected digital systems.
Toward a Framework for Digital Sovereignty
The Indian government with the growing challenges of data misuse and cyber threats brought into effect the Digital Personal Data Protection (DPDP) Act 2023 which establishes a legal framework for the collection, processing, and protection of digital personal data. According to the Act, “data” refers to any representation of information, facts, concepts, opinions, or instructions in a form suitable for communication, interpretation, or processing by humans or automated systems (Ministry of Electronics and Information Technology [MeitY], 2023). The DPDP Act applies to data processing activities carried out within India and it also include data collected offline and later converted into digital form. It also extends to data processing conducted outside India if it involves offering goods or services to individuals referred to as data principals located within the country (MeitY, 2023).
The DPDP Act, 2023 is an important benchmark in India’s cyber governance. It gives a robust framework to protect personal data, reduce data theft, and strengthen the national cybersecurity framework. The Act puts strict obligations on data fiduciaries entities that is the organizations that decide why and how our data is used They must keep information of citizen accurate, protect it with solid security measures, and immediately inform both the Data Protection Board of India and the people affected if any kind of threat, theft or breach emerge. These measures establish accountability, discourage carelessness, and make it easier to trace who is responsible in case of misuse. The Act also requires companies to delete the data once it has served its purpose which helps prevent the buildup of unnecessary information that often becomes an easy target for hackers and the possibility of heavy penalties in case of any failure or security lapses sends a strong message to organizations to stay alert and follow the rules. From a national security perspective, the Act strengthens India’s ability to protect critical information centers and sensitive citizen information and data from foreign hands and its wrongful use. By allowing the government to restrict data transfers to certain countries it puts data sovereignty ensuring that sensitive information remains under India’s jurisdiction rather than being exposed to the laws of foreign countries. This is important against the backdrop of rising concerns over cyber warfare, cross-border data trafficking, and misuse of personal data by foreign entities, by recognizing lawful grounds for the State to process data for national security, law enforcement, and emergency purposes, the Act enhances India’s ability to recognize and counter threats such as terrorism, cyberattacks, and financial fraud.
Yet, while these steps strengthen data security, they also raise serious concerns regarding privacy, accountability, and potential misuse of power. The act gives wide ranging exemptions to government agencies allowing them to bypass consent requirements and keep data indefinitely for reasons such as public order or national security. This kind of unchecked authority can easily lead to overreach and even mass surveillance Such powers may undermine the fundamental right to privacy stated in Justice K.S. Puttaswamy v. Union of India (2017), which emphasized that any restriction on privacy must adhere to the principles of legality, necessity, and proportionality. Without safety mechanisms like transparency, judicial oversight, and accountability from the side of the government, these immunities can reduce public trust and make it harder to tell the difference between genuine security needs and Government control. Therefore, the government must exercise this authority responsibly and make sure that the provisions of the DPDP Act are not exploited as a political tool to monitor dissent or suppress opposing voices. Safeguards must be implemented to prevent arbitrary surveillance and to ensure that data protection remains a mechanism for public security and individual privacy rather than an instrument of political influence or control.
India’s push for developing its own digital systems becomes even more meaningful when it sees how data has been misused around the world. The Cambridge Analytica scandal, for instance, exposed how personal data from up to 87 million Facebook users was taken through a quiz app and shared with a political consultancy firm without user consent (BBC News, 2018). These data were used to influence voter behavior during elections and the Brexit referendum showing just how dangerous unregulated data practices and unrestricted cross-border data flows can be.
In today’s time when data derive everything the importance of data security cannot be clearer. There is no doubt that India has made good progress in establishing a cybersecurity framework, it must continue to strengthen safeguards, particularly with the rise of Artificial Intelligence (AI). The Ministry of Finance has recently advised government officials to refrain from using AI tools such as ChatGPT and Deep Seek on official devices, warning that sensitive information could be exposed. (The Hindu, 2025). Global corporations also share similar concerns Samsung Electronics has banned the use of ChatGPT and other AI-powered chatbots due to fears of internal data leaks (Bloomberg, 2023).
The risks are not hypothetical. A 2023 study by ‘Cyberhaven’ found that about 10.8% of employees worldwide had used ChatGPT at work, and 8.6% had even pasted company data into the platform. Major organizations like J.P. Morgan and Verizon have imposed definite caps on generative AI tools to prevent accidental leaks of confidential information. Such incidents can seriously threaten both corporate and national security, especially when the companies behind these AI tools operate outside India’s legal reach. India's recent actions like backing local platforms such as Zoho Mail and enacting data protection laws are steps toward gaining digital sovereignty. Continuous efforts are necessary to guard against emerging threats from AI tools, cross-border data transfers, and dependence on global technology. India’s stance in securing its digital ecosystem marks an important stride toward a more secure, self-reliant, and sovereign digital future.
India must also stay alert towards the growing influence of major social media companies that may align with certain political ideologies or attempt to shape public opinion. Globally, social media platforms have come under intense scrutiny for their role in democratic processes and the elections to be more precise. The 2016 United States presidential election exposed the weaknesses of these platforms, with Russian-linked accounts reportedly using Facebook and other media to manipulate and sway voters. Adding to these concerns, Cambridge Analytica gained unauthorized access to data from millions of Facebook users, allegedly to influence voter behavior (BBC News, 2018). These incidents show how easy it is for foreign or private digital actors to interfere in any country’s political processes or elections through data-driven targeting and misinformation and how much impact it can create.
In India the digital revolution has grown rapidly. A 2024 report from the Ministry of Communications declares that, as of April 2024, 95.15% of the country's villages have internet access through 3G or 4G connectivity. Internet subscriptions jumped from 251.59 million in March 2014 to 954.40 million in March 2024. (Ministry of Communications, 2024). This increase is partly due to nearly a 2,000% drop in mobile data prices in recent years. Along with more affordable smartphones, this has fueled the digital boom. (Press Information Bureau, 2024). However, this rapid growth brings new challenges: many first-time internet users lack digital literacy, making them more vulnerable to misinformation, manipulation, and organized disinformation campaigns.
Let’s take example of recent crisis in Nepal it highlights the dangers and powerful impact of social media. When the Government of Nepal ordered authorities to block 26 social media platforms, the country was instantly plunged into chaos. The decision prompted widespread public outrage, protests and criticism as citizens saw this as direct attack by the government on the freedom of expression and access to information. This incident shows how deeply social media is woven with daily life of people and communication, as well as how its restriction even temporarily can quickly lead to social unrest and political tension. Despite ongoing discussions and debates on data protection and end-to-end encryption, large volumes of sensitive information continue to flow through servers controlled by foreign corporations. Such realities raise serious questions about national sovereignty in the digital domain.
Given the growing number of internet users and the sheer scale of India’s digital transformation, the country must strengthen its cyber security framework and actively support home grown digital platforms. Supporting homegrown companies not only enhances economic self-reliance but also ensures that sensitive government and citizen data remain within the jurisdiction and the protection of Indian law. As the principle of sovereignty state that ‘supreme authority within a defined territory ‘forms the foundation of the modern state it must now be extended into the digital spaces.
Conclusion
This is the new frontier of sovereignty: the ability to govern and protect a nation’s own data and digital infrastructure. India’s challenge lies in striking a balance between security and liberty. Even though it is required to regulate digital spaces to safeguard national interests, such measures must not come at the cost of democratic values, the open flow of information, or fundamental rights to privacy and expression. Moving forward India requires a democratically guided framework one that preserves freedom, ensures accountability, and strengthens India’s control over its digital destiny.
References
1. Al?Jazeera. (2025, September 9). Nepal lifts social media ban after 19 killed in protests against corruption. Al?Jazeera. https://www.aljazeera.com/news/2025/9/9/nepal-lifts-social-media-ban-after-19-killed-in-protests-report
2. BBC News. (2018, May 5). Cambridge Analytica: The story so far. BBC News. https://bbc.com/news/business-43983958
3. BBC News. (2024, June 6). Cambridge Analytica whistleblower revisits Facebook data scandal. BBC News. https://bbc.com/news/articles/cp98n1eg443o
4. CNN. (2019, March 11). India election: WhatsApp, Twitter and Facebook under scrutiny. CNN. https://edition.cnn.com/2019/03/11/tech/india-election-whatsapp-twitter-facebook
5. Cyberhaven. (2023, May 5). 4.2% of workers have pasted company data into ChatGPT. https://www.cyberhaven.com/blog/4-2-of-workers-have-pasted-company-data-into-chatgpt
6. Forbes. (2023, May 2). Samsung bans ChatGPT and other chatbots for employees after sensitive code leak. Forbes. https://www.forbes.com/sites/siladityaray/2023/05/02/samsung-bans-chatgpt-and-other-chatbots-for-employees-after-sensitive-code-leak/
7. K.S. Puttaswamy (Retd.) v. Union of India, 10 SCC 1 (2017). https://indiankanoon.org/doc/127517806/
8. Ministry of Electronics & Information Technology. (2023). The Digital Personal Data Protection Act, 2023 (No.?22 of?2023). Government of India. https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
9. Perlroth, N. (2021). This is how they tell me the world ends: The cyberweapons arms race. Bloomsbury Publishing.
10.Press Information Bureau. (2024, August). Universal connectivity and Digital India initiatives reaching to all areas, including tier 2/3 cities and villages [Press release]. Government of India. https://pib.gov.in/PressReleasePage.aspx?PRID=2040566
11. The Hindu. (2025, February 6). India’s Finance Ministry asks employees to avoid AI tools like ChatGPT, DeepSeek. The Hindu. https://www.thehindu.com/sci-tech/technology/indias-finance-ministry-asks-employees-to-avoid-ai-tools-like-chatgpt-deepseek/article69183180.ece
12.The Hindu. (2025, October 13). Email accounts of 12 lakh Central government employees now run on Zoho’s platform. The Hindu. https://www.thehindu.com/news/national/email-accounts-of-12-lakh-central-government-employees-now-run-on-zohos-platform/article70155315.ece
13.The Times of India. (2025, October 17). Home Minister Amit Shah opens Zoho email account: Top features of Zoho’s Gmail rival that Indian government has moved email IDs of 12?lakh employees to. The Times of India. https://timesofindia.indiatimes.com/technology/tech-news/home-minister-amit-shah-opens-zoho-email-account-top-features-of-zohos-gmail-rival-that-indian-government-has-moved-email-ids-of-12-lakh-employees-to/articleshow/124623429.cms
(The views expressed are those of the author and do not represent the views of CESCUBE)
Photo by Towfiqu barbhuiya on Unsplash
