I. Abstract
As of 2026, “digital sovereignty” has shifted from a theoretical geopolitical concept to a rigid regulatory reality. Through mandates like the EU Data Act and India’s DPDP Rules (2025), states are increasingly enforcing data localisation to escape the extraterritorial reach of the U.S. CLOUD Act. However, this “territorialisation” of data presents a fundamental conflict with global privacy standards. This paper analyses the tension between state-centric sovereignty and person-centric privacy, arguing that localised data silos often increase state surveillance capabilities, thereby eroding the very privacy they claim to protect.
II. Introduction
In 2026, the internet is no longer a “borderless” space. The rise of “sovereign clouds” and national firewalls has fragmented the global web into a “splinternet”. Governments argue that digital sovereignty is essential for national security and economic autonomy. Yet, for the individual, the move toward data residency often creates a “honeypot” effect, making personal data more accessible to local law enforcement without the procedural safeguards of international treaties.
Key Themes Discussed in This Paper
- Digital sovereignty and regulatory control
- Data localisation laws in 2026
- Privacy versus national security concerns
- The EU Data Act and India’s DPDP Rules
- The impact of the U.S. CLOUD Act
- Global surveillance and cross-border data conflicts
- Cryptographic sovereignty and interoperable privacy
III. The Legal Framework of 2026
3.1 The European “Third Way”
The EU has solidified its “Sovereign Strategy” through the EU Data Act (fully enforceable as of late 2025) and the NIS2 Directive. These laws require that “highly sensitive” data remain within European infrastructure to prevent access by non-EU authorities.
Conflict
While this protects against foreign spying, it centralises data under European “CSAs” (Cybersecurity Acts), which some civil liberties groups argue streamlines internal state monitoring.
3.2 India’s DPDP Rules (2025) and Section 37
The notification of the Digital Personal Data Protection (DPDP) Rules in November 2025 marked a turning point. While the Act allows for data transfers, the “blacklist” mechanism (Section 37) serves as a tool for digital sovereignty, allowing the government to block data flows to specific “untrusted” jurisdictions.
3.3 The U.S. CLOUD Act vs. the World
The U.S. continues to assert that if a company is American, its data is subject to U.S. warrants, regardless of where the server sits. This has led to the 2026 “Cloud Cold War”.
Comparison of Global Data Sovereignty Models
| Region/Country | Key Law or Framework | Primary Objective | Major Privacy Concern |
|---|---|---|---|
| European Union | EU Data Act and NIS2 Directive | Prevent foreign access to sensitive data | Centralised state monitoring |
| India | DPDP Rules (2025) | Control cross-border data transfers | Government exemption powers |
| United States | U.S. CLOUD Act | Global access to data held by U.S. companies | Extraterritorial surveillance concerns |
IV. The Core Conflict: Security vs. Liberty
This section examines the “double-edged sword” of data localisation:
1. The Protection Argument
Localisation prevents “data colonialism” and ensures local laws (like GDPR) are enforceable.
2. The Surveillance Argument
Data stored locally is easier for authoritarian or overreaching domestic regimes to seize via “administrative subpoenas” without the friction of Mutual Legal Assistance Treaties (MLATs).
Security vs. Liberty Analysis
| Argument | Advantages | Risks |
|---|---|---|
| Protection Argument | Strengthens enforcement of local privacy laws | Can create fragmented digital ecosystems |
| Surveillance Argument | Improves domestic investigative efficiency | Increases risk of unchecked state surveillance |
V. Comparative Analysis: 2025-2026 Case Law
The Russmedia Judgement (CJEU 2025)
Establishing that online marketplaces are joint controllers with heightened obligations for localised sensitive data.
The Supreme Court of India (2026 Review)
Analysing the proportionality of the 2025 DPDP Rules regarding government exemptions from privacy obligations for “national security” reasons.
Important Legal Developments
- Expansion of regulatory oversight on digital platforms
- Greater scrutiny of cross-border data transfers
- Judicial balancing of privacy and national security
- Growing focus on accountability for data controllers
VI. Proposed Solution: “Interoperable Privacy”
The paper proposes a move away from geographic sovereignty toward cryptographic sovereignty.
Zero-Knowledge Architectures
If data is encrypted such that even the host cannot see it, the physical location of the server becomes legally irrelevant.
International Data Trusts
Creating “neutral zones” for data that are governed by multilateral privacy boards rather than single nations.
Recommended Framework for Future Data Governance
- Adoption of end-to-end encrypted infrastructures
- Development of interoperable international privacy standards
- Reduction of unilateral state control over user data
- Creation of multilateral oversight mechanisms
- Promotion of privacy-by-design technologies
VII. Conclusion
Digital sovereignty must not become a Trojan horse for state surveillance. In 2026, the challenge for legal scholars is to build a “Digital Passport” system for data—one that allows information to flow for innovation while carrying an unbreakable “privacy shield” that no single state can unilaterally pierce.
Final Observations
The future of digital governance depends on balancing national security interests with the preservation of individual liberty. As governments continue to reshape the internet through localisation mandates and sovereign infrastructure, the global legal community must ensure that privacy remains a universal right rather than a geographically limited privilege.
Written By: Krrish Seth – MAIMS IPU
