Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

India's DPDP Act Has a Data Sovereignty Blind Spot — Aadhaar in Google Wallet Just Exposed It

India's DPDP Act can't stop the US CLOUD Act from compelling Aadhaar data held by American firms. Here's the structural sovereignty gap India must urgently fix.

D
DPDPBot Research Team
🕐 9 min read

#India's DPDP Act Has a Data Sovereignty Blind Spot — Aadhaar in Google Wallet Just Exposed It

India's data protection framework is more advanced than most people outside the legal profession realize. The Digital Personal Data Protection Act, 2023 governs consent, breach notification, data erasure, and cross-border flows. The Data Protection Board of India has its leadership. The Consent Manager framework is being operationalized right now. On paper, India has built a serious regime.

And yet, a June 27 analysis published by SCC Online — one of India's most authoritative legal databases — identified a structural gap that no amount of domestic rulemaking can fix on its own: the United States CLOUD Act. The analysis arrives two months after Google announced that Aadhaar digital credentials can now be stored in Google Wallet, routing the world's largest biometric identity database through an American company's ecosystem. The combination exposes what the authors term the "Mumbai Server Fallacy" — the widespread, incorrect assumption that storing data physically inside India places it beyond the reach of foreign law enforcement.


#What Happened: Aadhaar Enters Google Wallet

On April 28, 2026, Google announced that Indian users can store Aadhaar verifiable credentials in Google Wallet through a formal partnership with the Unique Identification Authority of India (UIDAI). The feature enables selective disclosure — users can share only the attributes an app or service needs, such as age verification, rather than their full Aadhaar details. Google and UIDAI have both emphasized privacy by design: credentials are stored on-device, not on Google's servers, and only the user controls what is disclosed.

The announcement was widely covered as a win for India's digital identity infrastructure. It builds on India Stack's existing strength, extends the reach of Aadhaar-based verification into everyday app interactions, and positions India as a leader in W3C-compliant verifiable credentials.

The privacy concerns are more subtle — and for that reason, more dangerous.

When a user stores Aadhaar credentials in Google Wallet, the credential itself may be device-bound. But the surrounding ecosystem is not. Google account session data, device identifiers, geographic timestamps, verification request logs, and behavioral patterns generated during credential presentations flow through Google's infrastructure. That infrastructure is ultimately owned and operated by an American corporation, subject to American law.

The question that the SCC Online analysis poses directly: what happens when US law enforcement knocks?


#The US CLOUD Act: What Indian Law Cannot Override

The Clarifying Lawful Overseas Use of Data Act, signed into US law in 2018, allows American law enforcement agencies to compel data from US-based technology companies regardless of where that data is physically stored. The operative standard is "possession, custody, or control" — not geography.

In practice, this means that if Google, Amazon Web Services, Microsoft Azure, or any other US company processes data as part of its service, a valid US court order or executive agreement can require that company to hand over the data even if the underlying servers are in Mumbai, Chennai, or Hyderabad.

Indian banks using AWS Mumbai infrastructure face exactly this exposure. The US parent company maintains control through encryption key management and administrative systems located in the United States, creating extraterritorial jurisdiction despite complete Indian data residency. RBI's payment data localization mandate — which requires that all payment system data be stored exclusively within India — addresses the physical location question. It does not address the control question.

For Aadhaar credentials, the stakes are higher than for payment data. Aadhaar encodes biometric data for approximately 1.4 billion people. The system's entire value proposition rests on it functioning as an unambiguous, tamper-proof identity anchor. Compromise at scale would not just affect individual privacy — it would undermine the infrastructure that India's welfare delivery, banking access, and digital government services run on.


#The "Mumbai Server Fallacy" and What India's DPDP Act Actually Covers

The SCC Online analysis is sharp on exactly this point. The authors distinguish between two concepts that are routinely conflated in India's policy discussions:

Data residency is a geographical concept. It refers to where data is physically stored. It is addressable through localization mandates, government procurement rules, and the kind of sovereign cloud policy MeitY issued in March 2026 — which restricts Aadhaar, UPI, and PAN data from being hosted on commercial public cloud platforms and requires government-backed infrastructure for critical systems.

Data sovereignty is a legal and political concept. It refers to who has supreme authority to govern data — who can access it, under what conditions, and through what legal mechanism. Physical residency contributes to sovereignty but does not guarantee it.

The Mumbai Server Fallacy is the assumption that achieving residency achieves sovereignty. It does not, and the CLOUD Act is the clearest proof.

India's DPDP Act is not designed to address this gap — and it was not designed to. Section 16 of the Act, operationalized through Rule 15 of the DPDP Rules 2025, governs voluntary cross-border transfers of personal data. It establishes a negative-list approach: data can flow to any country unless the Central Government specifically restricts that destination. As of July 2026, no restricted-country list has been published. The framework becomes operative only in May 2027.

But the CLOUD Act does not involve a voluntary transfer. It involves compelled disclosure. The DPDP Act's entire cross-border transfer architecture — consent requirements, purpose limitations, the negative list, government approval mechanisms — applies to Indian data fiduciaries making deliberate choices to send data abroad. It says nothing about what happens when an American company operating in India receives a US court order. That gap is not a drafting oversight. It is structurally outside the reach of India's domestic law.


#India's Existing Protections Are Real — But Insufficient

India has made serious moves toward data sovereignty in 2026. They deserve acknowledgment, because the sovereignty gap is not the product of regulatory neglect.

MeitY's March 2026 cloud framework mandates that top-secret and highly sensitive government systems — including Aadhaar and UPI infrastructure — be hosted exclusively on sovereign or government-controlled cloud providers, not commercial public cloud. The policy divides data into two categories: Category A systems (identity platforms, tax databases, core infrastructure) must use National Informatics Centre or State Data Centre infrastructure, while Category B systems may use private providers with safeguards.

For government-controlled data, this is a meaningful protection. But it does not address data that flows through consumer-facing integrations like Google Wallet, where the user's choice to adopt a foreign platform creates the exposure.

The DPDP Act also establishes a framework for future bilateral data access agreements. Rule 15 creates a mechanism by which the Central Government can designate trusted jurisdictions and negotiate arrangements that would give India reciprocal access to data held abroad. This is meaningful in the long term. In the short term, it requires those agreements to be negotiated and completed — which takes years.


#What India Needs: Three Paths Forward

The SCC Online analysis identifies three viable responses, and Indian policymakers would be wise to pursue all three in parallel.

First, technical controls. Customer-controlled encryption — specifically, Hold Your Own Key (HYOK) architectures — ensures that even if a US cloud company receives a compelled disclosure order, it cannot comply because it does not possess the decryption keys. Keys held exclusively in India, under Indian government control or by the data fiduciary, remain beyond the reach of the CLOUD Act. For Aadhaar-linked verifiable credentials, this requires building sovereign key management infrastructure, which UIDAI and NIC are positioned to develop.

Second, a bilateral India-US data access agreement. Negotiations between India and the United States on a CLOUD Act executive agreement have reportedly been ongoing since 2019. Such an agreement would provide India with a formal mechanism to challenge US requests for Indian citizens' data, require prior notification before compelled disclosure, and create a legal pathway for India to access US-held data through Indian courts rather than relying on informal law enforcement channels. The UK and Australia have such agreements. India does not. Given the scale of Indian data now flowing through US-headquartered platforms, closing this gap has become urgent.

Third, domestic blocking statutes. Several European jurisdictions have enacted legislation that penalizes companies for complying with foreign-country data disclosure orders without first exhausting domestic legal challenges. A similar framework in India would force US companies operating here to litigate CLOUD Act orders in Indian courts before complying, creating a legal buffer. The EU has demonstrated this model is enforceable in practice.


#What This Means for Indian Businesses Right Now

For most Indian businesses, the CLOUD Act is not an immediate operational risk. The Act is used primarily by US law enforcement in criminal and national security contexts — not to conduct corporate espionage or bulk data collection. A retailer using AWS for their customer database is not, today, facing realistic CLOUD Act exposure.

But the Aadhaar-Google Wallet integration reveals a category of exposure that is different in kind. When India's core identity infrastructure becomes entangled with foreign-controlled ecosystems, the risk is not just to individual users — it is to the integrity of the national identity architecture itself. That is a risk the DPDP Act was not designed to address and, in its current form, cannot.

Indian businesses handling sensitive personal data that touches US-controlled infrastructure — and that covers an enormous percentage of India's digital economy — should conduct a CLOUD Act audit: identify which data assets are processed by US-based vendors, assess whether HYOK or comparable architectures are available, and document the legal exposure clearly for leadership and boards.

For companies whose products interact with Aadhaar — and with the Google Wallet integration, that now includes every app that uses Aadhaar-based age verification or identity confirmation — the question of what data is generated during credential presentation, where that data goes, and who can compel its disclosure deserves explicit legal review.


#Conclusion: Residency Without Sovereignty Is Half a Policy

India's DPDP Act represents a genuine leap forward in data protection. The rules are clear, the timelines are running, and the Data Protection Board is now operational. India's March 2026 sovereign cloud policy shows the government takes data residency seriously. None of that is trivial.

But sovereignty requires more than residency. The Mumbai Server Fallacy — the idea that physical localization guarantees jurisdictional control — is a comfort that the US CLOUD Act reliably destroys. The Aadhaar-Google Wallet integration has made that gap visible in a way that previously abstract policy discussions did not.

India-US bilateral negotiations, HYOK encryption mandates for critical identity systems, and domestic blocking statutes are not optional additions to the DPDP framework. They are prerequisites for any serious claim to digital sovereignty over the country's most sensitive data infrastructure.

The time to act is before the next CLOUD Act order lands, not after.


Concerned about your organization's cross-border data transfer exposure under the DPDP Act? Visit our /resources section for compliance frameworks, or explore our /consent-manager tool to assess your current data flows.

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial