ABSTRACT
In the era of rapid digital globalization, data has emerged as both a vital economic asset and a subject of profound legal and ethical concern. This research examines the evolving tension between national sovereignty and the global demand for regulatory compliance, focusing on two pivotal data privacy frameworks: the European Union (EU)’s General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection (DPDP) Act, 2023. Through a comparative legal lens, the research explores how these jurisdictions navigate the complexities of safeguarding individual privacy rights while ensuring smooth cross-border data flows and technological innovation. The GDPR, with its expansive extraterritorial reach and rights-based jurisprudence, represents a supranational regulatory model that often challenges traditional notions of state sovereignty. In contrast, India’s DPDP Act embodies a more sovereignty-conscious framework, with a significant emphasis on data localization and executive-led oversight mechanisms. The research further delves into judicial interpretations, assessing how courts in the EU and India shape, limit, or expand regulatory mandates. By juxtaposing these legal architectures and their judicial trajectories, this research highlights the broader implications for international data governance, corporate compliance strategies, and emerging economies grappling with digital sovereignty. It concludes with normative suggestions for achieving a balanced regulatory landscape that respects sovereignty while embracing the global nature of data and privacy rights.
Keywords: Data Privacy, GDPR, DPDP, Sovereignty, Regulatory Compliance, Data Protection, Digital Governance, Cross-Border Data Flows, Data Localization
INTRODUCTION
The ascendance of data as a critical asset in the contemporary digital economy has catalyzed the emergence of data privacy as a fundamental legal and policy imperative. In an era characterized by ubiquitous surveillance, algorithmic decision-making, and cross-border data flows, the protection of personal data has transcended the bounds of mere regulatory compliance to become an essential component of individual autonomy and informational self-determination. Legal systems worldwide are now grappling with the normative and structural challenges of safeguarding privacy in digital contexts marked by asymmetries of power between individuals and data processors. The GDPR in EU& DPDP Act, 2023 in India represent two distinct yet consequential responses to this imperative, reflecting divergent legal traditions, institutional configurations, and socio-political priorities.[1]
However, the rise of such privacy frameworks has also brought to the fore a deeper conflict between the imperatives of globalization and the assertion of national sovereignty. As data increasingly traverses borders seamlessly, states have asserted regulatory control to protect citizens’ rights, economic interests, and national security, often through localization mandates, data export restrictions, and extraterritorial provisions. This regulatory assertiveness, while normatively justifiable, complicates global interoperability and creates friction between jurisdictions. The GDPR’s extraterritorial reach under Article 3, which purports to bind entities outside the EU, exemplifies how transnational regulatory ambitions may clash with domestic legislative autonomy.[2] Conversely, India’s emphasis on data sovereignty and the centralization of enforcement under the DPDP Act illustrates an inward-looking paradigm that prioritizes sovereign control over harmonization.
Thus, the evolving global data privacy landscape is not merely a contest over technical regulatory standards but reflects a deeper dialectic between cosmopolitan legalism and nationalistic legal pluralism. Judicial interpretations of privacy laws, especially in supranational frameworks like the EU and federal democracies like India, serve as critical battlegrounds where this tension is negotiated. Courts are increasingly called upon not only to interpret statutory language but also to delineate the permissible contours of state power, individual rights, and the global flow of information. Consequently, an examination of the jurisprudential trajectories under the GDPR and DPDP Act reveals not only how different systems conceptualize privacy but also how they reconcile, or fail to reconcile, the structural incompatibilities between sovereignty and global regulatory integration.
[1]Charru Malhotra & Udbhav Malhotra, Putting Interests of Digital Nagriks First: Digital Personal Data Protection (DPDP) Act 2023 of India, 70 Indian J. Pub. Admin. 516, (2024), https://doi.org/10.1177/00195561241271575.
[2] Claire Laybats& John Davies, GDPR, 35 Bus. Info. Rev. 81, XXXX (2018), https://doi.org/10.1177/0266382118777808.