#119 The Data Sovereignty Dilemma

In this edition of Technopolitik, Colonel KPM Das writes about data governance and data sovereignty. Avinash Shet follows with a piece on the US’ investments in next-generation jet engines.

This newsletter is curated by Adya Madhavan.

---

Technopolitik: Data without borders?

— KPM Das

Introduction

In an increasingly interdependent digital global economy, data governance, sovereignty, and classification have emerged as critical frameworks for managing data responsibly. These concepts address how data is stored, processed, and transferred across borders while balancing legal, economic, and ethical considerations. This paper expands on the key definitions, stakeholder perspectives, and regulatory frameworks with a few recommendations for an incremental regulatory roadmap towards data sovereignty.

Data Governance : A Few Definitions

1. Data Sovereignty
   Data sovereignty refers to the principle that data is subject to the laws and governance structures of the nation or region where it originates or where its owner resides. This includes protections against external interference and mandates controls over data processing locations, service operators, and isolation from global systems. For example, the EU’s General Data Protection Regulation (GDPR) enforces data sovereignty by restricting cross-border data transfers unless privacy safeguards are guaranteed. This principle subsumes other definitions to follow.

2. Data Localisation or Data Residency
   Data localisation requires specific data sets (e.g., personal, sensitive, or classified information) to be stored and processed within a country or region. As examples, Russia's Federal Law 242-FZ mandates that citizen data be stored domestically, while India’s Draft Digital Personal Data Protection (DPDP) Act imposes similar residency requirements. Similarly, the RBI Notification gives directive towards data localisation.

3. Data Mirroring
   A subset of localisation, data mirroring involves maintaining a copy of data within national borders while allowing replicas to exist elsewhere. This balances compliance with global operational needs, as seen in hybrid cloud architectures.

4. Sovereign Cloud Service Providers (CSPs)
   Sovereign CSPs are locally trusted providers designated by authorities to meet national sovereignty requirements, often operating independently of global hyperscalers (e.g., AWS, Azure). Examples include government-owned CSPs or joint ventures like Thales/Google Cloud.

5. Air-Gapped Systems
   These are isolated environments disconnected from public networks, used for highly classified data (e.g., defence or intelligence sectors). They ensure full customer control over hardware and software.

6. Extraterritorial Data Access Laws
   Laws like the U.S. CLOUD Act allow governments to demand data from CSPs regardless of its physical location, creating jurisdictional conflicts. Such laws underscore tensions between national security and data sovereignty.

Stakeholder Perspectives

Industry. Industry stakeholders see three constraints; operational complexity in that there is a compliance overhead with divergent regulations that increases costs, often passed to consumers; data hoarding in the local context leads to over-restrictive localisation and can stifle data generativity, limiting cross-border analytics and innovation; and cost Implications arising from deploying sovereign cloud models and air-gapped systems require significant investment in infrastructure and staffing.

Regulator. The regulator, on the other hand, has three objectives: data security, where geo-fencing and residency laws aim to protect citizen data from foreign surveillance and leakage; economic motivation, where local CSPs and data-centres create jobs and retain economic value within borders; and performance metrics in that localised data reduces latency and improves service delivery for domestic users.

Civil Society. The civil society has some concerns related to access and equity; neocolonialism risks seen as dominance of global hyper-scalers who may marginalise local enterprises and governance norms; internet fragmentation by way of excessive localisation will threaten the global internet commons, creating “data silos” and reducing access; trust deficits by way of public skepticism about government or corporate agencies handling citizen data with no guardrails.

Data Taxonomy and Regulatory Frameworks. Imperatives of data governance and safeguards for stakeholder interests suggest that the governance framework acknowledges the constraints and builds an incremental model for regulation. This model consists of multiple steps, incremental in scope, each giving a certain assurance of data governance and risk management-related safeguards.

1. Baseline (Step A): Global cloud architecture with international certifications (e.g., ISO27001, SOC2) which is the norm for “As A Service” model.

2. Data Residency/Localization (Step B): This level mandates in-country storage (e.g., Saudi Arabia Cloud Regulations, China's IDC Licensing) of data in respect of its citizens.

3. Sovereign Cloud (Step C): Local CSPs which are regulated with due operational controls (e.g., EU's Gaia-X). Some customers in critical infrastructure sector expect classified scope for data and which require Classified Sovereign Clouds (Step D): This step will necessitate security clearances (e.g., Uk Govt Security Classifications).

4. Air-Gapped (Level E): This step is applied in case of highly critical and sensitive organisations; on-premises, customer-operated systems for top-secret data (e.g., defense sectors).

Regulatory Examples. Regulators around the world apply rules as needed in their context. A few early-adopter examples with comprehensive requirements in the scope are FedRAMP (U.S.) which standardizes cloud security for government agencies, Schrems II which invalidates EU-U.S. data transfers lacking GDPR-equivalent safeguards and EU’s CRA Cyber Resilience Act and EUCS that propose stringent sovereignty requirements for EU cloud providers.

Some Recommendations for Indian Regulations

• Adopt Flexible Localization Policies that allow data mirroring and hybrid clouds to balance compliance with global collaboration and need for data protection and privacy.

• Exempt non-sensitive data from strict residency mandates to preserve data utility and to reduce the cost and infrastructure operational overheads..

2. Strengthen International Cooperation

   • Harmonize standards (e.g.APEC Cross-Border Prvacy Rules s) to reduce compliance fragmentation.

   • Arriving at and waiting for a multilateral consensus on data sharing is an onerous exercise. Meanwhile, negotiate bilateral agreements (e.g., EU-US Privacy Shield) to address extraterritorial conflicts.

3. Invest in Sovereign CSP Ecosystems

   • Enable Indian local CSPs through infrastructure subsidies and encourage partnerships with global hyper-scalers to ensure competitiveness through sovereign cloud instances.

   • Prioritize certifications (e.g., Australia’s IRAP, Spain’s ENS) to build trust in sovereign cloud services.

4. Enhance Transparency and Public Trust

   • Mandate clear disclosures about data storage locations and access practices. These disclosures can be part of the Indian Trusted Source-Trusted Product mandate laid down in NSDTS.

5. Leverage Tiered Classification Models

   • Apply air-gapped systems only to highly classified data (Step E) to minimise time/efforts/costs.

   • Use standardised taxonomies (e.g., India’s DPDP Act) to simplify compliance across sectors. Draw out a tabular compliance scope for taxonomy item versus target infrastructure (eg. Transportation, Telecom, Govt, Power, Health)

Conclusion

Data governance and sovereignty are not merely technical challenges but multifaceted issues requiring collaboration across industries, governments, and civil society. By adopting nuanced policies that prioritize flexibility, international cooperation, and transparency, stakeholders can safeguard data rights while fostering innovation. The taxonomy defined here and incremental steps towards data sovereignty provide a pragmatic roadmap, but its success hinges on balancing localisation with the interconnected nature of the digital times.

---

---

Technopolitik: US Investment in Next-Gen Jet Engines

— Avinash Shet

In January 2025, the US Department of Defence announced fresh funding of USD seven billion for developing a next-generation aero engine. This would be the sixth generation, provided the US has the fifth-generation engine, the Pratt & Whitney F119-PW-100 Turbofan engine, which is the power source for the F-22 Raptor. Developing this engine is part of the Next Generation Adaptive Propulsion (NGAP) programme. It is designed to be equipped in the planned next-generation fighter aircraft under the Next Generation Air Dominance (NGAD) initiative.

The funding is divided into USD 3.5 billion each for General Electric (GE) and Pratt & Whitney (PW). This funding is for the work on technology maturation and risk reduction. Companies have to perform research design, analysis, build and test the prototype. The deadline of 13th July 2032 is given to both of the manufacturers.

The NGAP programme is derived from the previous initiative to develop Adaptive engines for F-35 under the Adaptive Engine Transition Program (AETP). The AETP was launched in 2016, and USD 4 billion was spent on the engines to produce prototypes by GE and PW each. Adaptive engines are capable of variable bypass ratio, which helps the engine to operate efficiently at various flight conditions. This helps in fuel efficiency, higher thrust, and better thermal management.

Dual Sourcing

The US has always gone forward with dual sourcing in defence procurement. This method is used in various defence technologies, such as fighter aircraft and missiles. This is one unique way to build the capability of private industries. This methodology helps in the competitive development of the technology, providing a cost-effective, innovative and optimised product. Having two capable designs and manufacturers leads to derisking the supply chain by reducing reliance on one supplier. This will help both companies enhance their R&D and manufacturing capability while designing cutting-edge technology, equipping them to produce technological products for exports.

Lessons for India

This development raises a lot of questions. Firstly, the quantum of money spent on developing the aero engine. India spent 787 million US dollars (adjusting to inflation) until 2010 to create the Kaveri engine, one-ninth of what was spent on NGAP and one-fifth of the AETP. Secondly, Indian private industries' capabilities are not comparable to those of their US counterparts. Hence, dual sourcing is not going to be an effective methodology in India at the moment. The dual sourcing can be considered with Hindustan Aeronautics Limited (HAL) or private industries coming together to form consortia. Another way would be to have public-private partnerships. Industries working with public entities like DRDO or HAL will help the industry partners to gain competency in either designing, developing, manufacturing or all. In conclusion, there are various ways India can accelerate the development of its indigenous engines. In some form or another, we can adapt and use the US way for developing the aero engine.

---

---