“Data is now regarded as a new oil. In an interconnected global economy, it crosses borders with the same frequency as international trade. The DPDPA’s approach to cross-border data transfers represents India’s strategic positioning in the global data economy, balancing openness to international business with protection of citizen privacy and national interests.”

Abstract

The exponential growth of digital economies has necessitated the seamless flow of data across national boundaries, creating unprecedented challenges for regulatory frameworks worldwide. This paper examines the evolving landscape of cross-border data transfer regulations, with particular emphasis on India’s journey from the B.N. Srikrishna Committee recommendations to the Digital Personal Data Protection Act, 2023, and its comparison with the European Union’s General Data Protection Regulation, 2018. Through a comprehensive analysis of regulatory approaches, this paper explores the tension between data sovereignty, economic imperatives, and privacy protection in an increasingly interconnected digital ecosystem.

1. Introduction: Understanding Cross-Border Data Transfer

Cross-border data transfer refers to the transmission of personal data from one jurisdiction to another, whether through active transfer, remote access, or storage in foreign territories[1]. This seemingly technical concept embodies profound questions about sovereignty, privacy, economic competitiveness, and technological governance in an interconnected world. In the digital age, this concept has evolved beyond mere geographical movement to include complex scenarios involving cloud computing, distributed processing, and multi-jurisdictional data access.[2]

The phenomenon encompasses various modalities of data movement. Active transfers involve deliberate transmission of datasets across borders, such as when multinational corporations consolidate global employee records at headquarters. Passive transfers occur through cloud storage arrangements where data automatically replicates across geographically distributed servers. Remote access scenarios enable foreign entities to view or process data without physical transfer, raising complex questions about the locus of processing.

The economic significance of cross-border data flows cannot be overstated. McKinsey Global Institute estimates that global data flows contribute more to GDP growth than traditional goods trade, with cross-border bandwidth usage growing 45-fold between 2005 and 2020.[3] For India specifically, the information technology and business process management sector, heavily dependent on cross-border data flows, contributes approximately 7.5% to GDP and employs over 4.5 million people.[4] 

2. The Indian Regulatory Journey: Evolution of Cross-Border Data Transfer Regulation.

A. Pre-Legislative Landscape

Before comprehensive data protection legislation, India’s approach to cross-border data transfer was fragmented across sectoral regulations and contractual frameworks. The Information Technology Act, 2000, provided minimal guidance, with Section 43A and the associated Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, establishing basic requirements.[5]

Rule 7 of the 2011 Rules permitted transfer of sensitive personal data to entities ensuring the “same level of data protection” as mandated under Indian law, introducing a rudimentary adequacy concept.[6] However, this framework proved inadequate for addressing sophisticated data governance challenges, lacking enforcement mechanisms and comprehensive coverage.

Sectoral regulations filled some gaps. The Reserve Bank of India’s data localization mandate for payment system operators, introduced in 2018, required storage of all payment system data exclusively in India.[7] The Insurance Regulatory and Development Authority mandated that insurers maintain policyholder data within India while permitting processing abroad under specific conditions.[8]

B. The B.N. Srikrishna Committee: Foundational Principles

The Committee of Experts under Justice B.N. Srikrishna, constituted in 2017, undertook comprehensive examination of data protection needs, including cross-border transfer mechanisms. The Committee’s white paper identified key considerations: ensuring continued protection for Indian citizens’ data abroad, maintaining law enforcement access, and preserving India’s competitive advantage in global services trade.[9] The Committee analyzed various international models before proposing a nuanced approach. Rather than absolute data localization, it recommended conditional cross-border transfers based on adequacy determinations, standard contractual clauses, and intra-group schemes.[10] Critical personal data, however, would require mirroring in India, ensuring governmental access when necessary.[11]

The Committee’s draft Personal Data Protection Bill, 2018, embodied these principles through Chapter VII, establishing a comprehensive framework for cross-border transfers.[12] Section 40 proposed explicit consent as the baseline requirement, supplemented by adequacy decisions, approved contractual arrangements, and necessity-based transfers.[13]

Significantly, the Committee rejected arguments for unrestricted data flows, noting that “the primary value from data originates from its collection in India... it is therefore vital that Indians are able to access and harness this value”.[14] This perspective influenced subsequent legislative developments, embedding data sovereignty concerns within the regulatory framework.

C. Legislative Evolution: Multiple Iterations

The Personal Data Protection Bill, 2019, introduced in Parliament, modified the Srikrishna Committee’s recommendations substantially. While retaining the basic architecture of conditional transfers, it expanded data localization requirements. Section 33 mandated that sensitive personal data could be transferred abroad only after explicit consent, while critical personal data must be processed exclusively in India.[15]

The Bill’s provisions sparked intense debate. Industry stakeholders argued that stringent localization requirements would undermine India’s position as a global technology services hub. Civil society organizations expressed concerns about governmental access to localized data without adequate safeguards.[16] International trade partners, particularly the United States and European Union, raised concerns about potential trade barrier implications.[17]

The Joint Parliamentary Committee’s examination, spanning nearly two years, resulted in significant modifications. The Committee’s report, submitted in December 2021, recommended expanding exemptions for government agencies while maintaining strict cross-border transfer restrictions. These recommendations proved controversial, with dissent notes from multiple committee members highlighting concerns about surveillance and economic impact.

D. The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act (DPDPA), 2023, represents a shift from earlier proposals. Section 16 adopts a streamlined approach to cross-border transfers, departing from the complex architecture of previous iterations.

Section 16(1) creates a crucial exception: “The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified”.[18] This blacklist provision enables targeted restrictions based on national security, diplomatic relations, or strategic considerations. Rather than imposing blanket localization requirements, it establishes a flexible framework allowing calibrated responses to evolving geopolitical and economic circumstances.[19]

E. Sectoral Regulations Under Section 16(2)

Section 16(2)’s reference to sectoral restrictions acknowledges existing data localization requirements across various domains. These sector-specific regulations continue operating alongside the DPDPA’s general framework, creating a layered governance structure.

• Financial Services Sector: The Reserve Bank of India’s April 2018 directive mandates that all payment system providers store entire data relating to payment systems only in India.[20] This encompasses end-to-end transaction details, information collected, carried, or processed as part of the payment message or instruction. The directive permits processing abroad if data is stored simultaneously in India and deleted from foreign systems within prescribed timeframes.

  The rationale emphasizes unfettered supervisory access, improved monitoring capabilities, and enhanced consumer protection.[21] Implementation has required significant infrastructure investment by global payment companies, with some estimating compliance costs exceeding $100 million for major providers.[22]

• Insurance Sector: The Insurance Regulatory and Development Authority of India (IRDAI) maintains nuanced requirements through its Outsourcing of Activities by Indian Insurers Regulations, 2017.[23] While core policyholder data must remain in India, insurers may process data abroad under stringent conditions including regulatory approval, audit rights, and immediate repatriation capabilities.

  
  

• Telecom Sector: The Unified License Agreement mandates that telecommunication service providers maintain subscriber data, call detail records, and network configuration data within India.[24] The National Security Directive on Telecommunication Sector further prohibits transfer of certain categories of data outside India without explicit government approval.[25]

  
  

• Healthcare Sector: The Digital Information Security in Healthcare Act (DISHA), though not yet enacted, proposes comprehensive localization requirements for electronic health records.[26] Current guidelines under the Clinical Establishments Act require maintenance of patient records within India, effectively creating de facto localization.[27]

  
  

• Government and Public Sector: The MeitY’s empanelment guidelines for cloud service providers serving government entities mandate data localization for government departments and public sector undertakings.[28] This requirement extends to both storage and processing, with limited exceptions for non-sensitive data.

  
  

3. The European Approach to Cross-Border Data Transfers

A. Historical Evolution

The European approach to cross-border data transfer emerged from decades of regulatory evolution, beginning with the Council of Europe’s Convention 108 in 1981. The Data Protection Directive 95/46/EC established the foundational principle that personal data could only be transferred to third countries ensuring “adequate” protection.[29]

The adequacy standard proved contentious from inception. The Article 29 Working Party’s interpretation required third countries to provide protection “essentially equivalent” to European standards, a threshold few non-European jurisdictions could meet.[30] By 2018, only twelve jurisdictions had received adequacy determinations, creating significant friction for global data flows.[31]

The Safe Harbour framework with the United States, established in 2000, attempted to bridge divergent approaches through self-certification mechanisms. However, the European Court of Justice’s landmark Schrems I decision invalidated Safe Harbour, finding that mass surveillance programs undermined adequate protection guarantees.[32]

B. GDPR’s Multi-Layered Transfer Mechanisms

The General Data Protection Regulation, effective from May 2018, refined and expanded transfer mechanisms through Chapter V.[33] Article 45 maintains adequacy decisions as the gold standard, requiring the European Commission to assess third country laws, international commitments, and enforcement mechanisms.

The adequacy assessment examines multiple factors: rule of law, respect for human rights, relevant legislation, supervisory authorities’ independence and effectiveness, and international commitments. The European Commission must review adequacy decisions at least every four years, ensuring continued protection.[34]

Article 46 provides alternative transfer mechanisms through appropriate safeguards. Standard Contractual Clauses (SCCs), adopted by the Commission, create binding obligations between data exporters and importers.[35] The 2021 SCCs incorporate Schrems II requirements, mandating transfer impact assessments and supplementary measures where destination country laws may undermine protection.[36] Binding Corporate Rules (BCRs) enable multinational organizations to transfer data within corporate groups following supervisory authority approval. BCRs must demonstrate comprehensive data protection policies, enforceability, and adequate resources for compliance.[37] The approval process, though rigorous, provides legal certainty for complex corporate structures. Article 47 establishes detailed BCR requirements including binding nature, complaint handling procedures, cooperation with supervisory authorities, and liability mechanisms. Organizations must demonstrate that BCRs are legally binding and enforceable against all group members, including employees.

C. Derogations and Exceptional Circumstances

Article 49 delineates specific derogations for exceptional transfers absent adequacy decisions or appropriate safeguards. Explicit consent requires clear information about transfer risks and cannot be relied upon for repeated, mass, or structural transfers.[38] Contractual necessity permits transfers essential for contract performance between the data subject and controller, or contracts concluded in the data subject’s interest.[39] This derogation applies narrowly to genuine transfers necessary for contracts, not merely useful or convenient ones.

Another important derogation would be on public interest grounds, recognized in Union or Member State law, may justify transfers.[40] The European Data Protection Board emphasizes that public interest must be important enough to override individual data protection rights in specific circumstances.

D. The Schrems II Impact

The Court of Justice’s Schrems II decision fundamentally altered the cross-border transfer landscape.[41] Invalidating the EU-U.S. Privacy Shield, the Court held that U.S. surveillance laws, particularly FISA Section 702 and Executive Order 12333, prevented adequate protection.[42] The Court mandated a case-by-case assessment of destination country laws, requiring data exporters to verify that transferred data receives protection essentially equivalent to European standards. Where destination country laws may impinge upon protection, organizations must implement supplementary measures or suspend transfers.[43]

Post-Schrems II guidance from the European Data Protection Board identifies technical measures (encryption, pseudonymization), contractual measures (transparency obligations, audit rights), and organizational measures (internal policies, training) as potential supplements.[44] However, these measures must effectively prevent government access that exceeds what is necessary and proportionate in a democratic society.

4. Comparative Analysis: Divergent Approaches to Common Challenges

A. Conceptual Frameworks

The Indian and European approaches reflect fundamentally different conceptual starting points. Europe’s rights-based framework treats data protection as a fundamental right, necessitating stringent conditions for international transfers. India’s approach balances multiple objectives: privacy protection, economic development, digital sovereignty, and strategic autonomy. The GDPR’s “essentially equivalent” standard demands that third countries approximate European protection levels. India’s DPDPA adopts a more flexible standard, considering factors beyond pure data protection adequacy. This difference reflects varying constitutional traditions and economic priorities.

• GDPR’s Rights-Based Approach: The GDPR treats data protection as a fundamental right, requiring positive demonstration of adequate protection before transfers. This represents the typical paradigm of international data transfer provisions.[45]

  
  

• DPDP Act’s Sovereignty-Based Approach: India’s framework prioritizes governmental discretion and economic flexibility. The DPDP Act reverses the typical paradigm by presuming that transfers may occur without restrictions, unless the Government specifically restricts transfers to certain countries.[46]

  
  

B. Enforcement and Remedies

GDPR enforcement through independent supervisory authorities, backed by significant penalties (up to 4% of global annual turnover), creates strong compliance incentives[47]. The one-stop-shop mechanism streamlines enforcement for cross-border violations while maintaining local accessibility. India’s Data Protection Board, established under DPDPA, combines adjudicatory and advisory functions. Penalties, though substantial (up to ₹250 crores), are not proportioned to company turnover, potentially reducing deterrence for large multinationals.[48]

European data subjects enjoy comprehensive rights, including access, rectification, erasure, and data portability, enforceable against foreign data importers through contractual mechanisms. DPDPA provides similar rights, but its extraterritorial enforcement remains uncertain because of the absence of detailed implementing regulations. The act also does not include rights such as ‘Data Portability’ and ‘Right Against Automated Decision Making’.

C. Geopolitical Considerations

Europe’s approach reflects its position as a regulatory superpower, leveraging market access to globalize its data protection standards.[49] The “Brussels Effect” has prompted worldwide adoption of GDPR-like provisions, establishing Europe as the de facto global standard-setter while India’s approach balances multiple imperatives: maintaining competitiveness in global services trade, asserting digital sovereignty, and managing relationships with major economic partners. The flexibility built into Section 16 enables diplomatic negotiations while preserving policy space.[50]

Both jurisdictions face pressure from the United States to maintain open data flows, though through different mechanisms. Europe negotiates as a bloc with significant market power; India navigates bilateral pressures while building strategic partnerships.[51]

5.      Implementation Challenges and Emerging Issues

A. Technical Implementation

Organizations face significant technical challenges in implementing cross-border transfer requirements. Data mapping exercises must identify all international data flows, including subtle transfers through cloud services, analytics platforms, and support functions.[52]

The European requirement for transfer impact assessments demands a sophisticated understanding of foreign surveillance laws, often requiring expensive legal opinions.[53] Organizations report spending millions on compliance infrastructure, with ongoing monitoring and documentation requirements. India’s notification-based system, while simpler, creates uncertainty during transition periods. Organizations must prepare for potential sudden restrictions on transfers to specific countries, requiring contingency planning and alternative processing arrangements.[54]

B. Economic Implications

Cross-border data transfer restrictions impose measurable economic costs. The European Centre for International Political Economy estimates that data localization requirements could reduce GDP by up to 1.7% in implementing countries.[55] For India, restrictions could particularly impact the $194 billion IT services industry.[56]

Compliance costs disproportionately burden small and medium enterprises, lacking resources for complex legal and technical measures. This may accelerate market concentration as smaller players exit or consolidate with larger entities better equipped for compliance. However, data localization may generate domestic benefits including infrastructure investment, local employment, and reduced foreign exchange outflows for cloud services. India’s push for local data centres has attracted over $5 billion in investments from major technology companies.[57]

C. Emerging Technologies

Artificial intelligence and machine learning systems depend on vast, diverse datasets often requiring cross-border aggregation. Transfer restrictions may fragment datasets, reducing AI system effectiveness and potentially introducing biases.[58] Blockchain and distributed ledger technologies inherently involve cross-border data distribution, challenging traditional transfer frameworks.[59] Regulatory approaches must evolve to address decentralized architectures which will be mainstream in the future, where data location becomes fluid. Quantum computing’s potential to break current encryption standards threatens technical safeguards underpinning cross-border transfers.[60] Regulators and organizations must prepare for post-quantum cryptography transitions affecting international data flows.

D. International Cooperation

The absence of global data governance frameworks creates regulatory fragmentation, increasing compliance complexity and costs. Various initiatives attempt harmonization, including the OECD Privacy Framework, APEC Cross-Border Privacy Rules, and Global Cross-Border Privacy Rules system. Trade agreements increasingly incorporate data flow provisions, though often conflicting with data protection regulations. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership prohibits data localization, potentially conflicting with domestic data protection laws.

Mutual Legal Assistance Treaties and international agreements like the CLOUD Act create mechanisms for governmental data access across borders, raising sovereignty and privacy concerns.[61] Balancing law enforcement needs with privacy protection remains a persistent challenge.

Conclusion

The regulation of cross-border data transfers represents one of the defining challenges of the digital age. India’s journey from the comprehensive recommendations of the B.N. Srikrishna Committee to the enacted DPDP Act reflects a recalibration between data protection, economic imperatives, and sovereignty concerns. While the DPDP Act’s blacklist approach offers flexibility for businesses, the preservation of sectoral restrictions and the absence of detailed transfer mechanisms create continuing uncertainties. The contrast with the GDPR’s rights-based framework highlights the absence of a global consensus on data governance. As data flows become increasingly critical to economic competitiveness and innovation, the challenge lies in developing frameworks that protect individual privacy while enabling the benefits of the digital economy. India’s evolving approach, balancing liberalization with strategic control, may offer a model for other developing economies navigating similar tensions.

The future of cross-border data transfer regulation will likely be shaped by technological advances, geopolitical realignments, and evolving conceptions of digital rights. Success will require not only robust domestic frameworks but also international cooperation to ensure that data protection does not become a barrier to legitimate economic and social benefits. As India implements the DPDP Act and potentially notifies restricted countries, its approach will be closely watched as a test case for alternative models of data governance in the Global South.

Neither absolute data sovereignty nor unrestricted flows serve society's best interests. The path forward demands continued dialogue between stakeholders, adaptive regulatory frameworks that can respond to technological change, and a commitment to protecting fundamental rights while enabling innovation. Only through such balanced approaches can nations harness the benefits of the global digital economy while maintaining the trust and protection their citizens deserve.

References:

[1] Christopher Kuner, Transborder Data Flows and Data Privacy Law 13-15 (Oxford University Press 2013)

[2] Lokke Moerel, Back to Basics: When Does EU Data Protection Law Apply?, 2 Int'l Data Priv. L. 92, 95–98 (2011).

[3] McKinsey Glob. Inst., Digital Globalization: The New Era of Global Flows 2–4 (2016).

[4] Nat'l Ass'n of Software & Servs. Cos., Strategic Review 2020: Navigating the Next 14–16 (2020).

[5] Information Technology Act, No. 21 of 2000, India Code, § 43A; Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Ministry of Communications & Information Technology (Apr. 11, 2011).

[6] Id. at Rule 7.

[7] Reserve Bank of India, Storage of Payment System Data, RBI/2017-18/153 (Apr. 6, 2018).

[8] Insurance Regulatory. & Development Authority of India, Guidelines on Outsourcing of Activities by Insurance Companies, Circular No. IRDAI/Life/GDL/MISC/080/04/2017 (Apr. 5, 2017).

[9] Commission of Experts Under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians 70–75 (2018).

[10] Id. at 88-92.

[11] Id. at 92-94.

[12] Personal Data Protection Bill, 2018, (Draft Bill), Ch. VII, §§ 40-42.

[13] Id. § 40.

[14] Srikrishna Committee Report, supra note 16, at 86.

[15] Personal Data Protection Bill, 2018, (Draft Bill), Ch. VII, § 33.

[16] See Access Now, Article 19 & Internet Freedom Found., Joint Statement on the Personal Data Protection Bill, 2019 (Dec. 12, 2019).

[17] Letter from Wilbur Ross, U.S. Secretary of Commerce, to Piyush Goyal, Indian Minister of Commerce & Indus. (Nov. 14, 2019).

[18] Id. § 16(1).

[19] See Arindrajit Basu & Elonnai Hickok, The Localisation Gambit: Unpacking India's Approach to Data Sovereignty, 2 Digital Policy, Regulation. & Governance 234, 240–45 (2020).

[20] RBI Circular, supra note 7.

[21] See, Reserve Bank of India, Report of the Working Group on Digital Lending Including Lending Through Online Platforms and Mobile Apps 78–80 (2021).

[22] Estimated Compliance Costs for Payment Data Localization Payment Council of India Report, 23-25 (2019).

[23] Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017, F. No. IRDAI/Reg/7/143/2017.

[24] Department of Telecoms., Unified License Agreement ch. VIII, § 39.23 (amended 2021).

[25] National Security Directive on Telecommunication Sector, Cabinet Secretariat Order No. 13(11)/2021-T (Dec. 15, 2021).

[26] Digital Information Security in Healthcare Act, 2018, Draft Bill § 29 (Ministry of Health & Family Welfare).

[27] Clinical Establishments (Central Government) Rules, 2012, G.S.R. 361(E), r. 9.

[28] Ministry of Electronics. & Info. Tech., Guidelines for Government Departments on Contractual Terms Related to Cloud Services at 4.2 (2017).

[29] Council Directive 95/46/EC, On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 25, 1995 O.J. (L 281) 31.

[30] Article 29 Data Prot. Working Party, Working Document on Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, WP 12, at 5–7 (July 24, 1998).

[31] European Commission, Adequacy Decisions, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

[32] Case C-362/14, Schrems v. Data Protection Commissioner, 2015 E.C.R. I-650, at 73–98.

[33] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), Ch. V, 2016 O.J. (L 119) 1 [hereinafter GDPR].

[34] Id. art. 45(3).

[35] Id. art. 46(2)(c).

[36] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries Pursuant to Regulation (EU) 2016/679, 2021 O.J. (L 199) 31.

[37] GDPR, supra note 34, art. 47.

[38] European Data Protection Board, Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679, at 8-10 (May 25, 2018).

[39] GDPR, supra note 34, art. 49(1)(b)-(c).

[40] GDPR, supra note 34, art. 49(1)(d).

[41] Case C-311/18, Data Protection Commissioner v. Facebook Ir. Ltd. & Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020) [hereinafter Schrems II].

[42] Id. at 165-185.

[43] Id. at 134-135

[44] European Data Protection Board, Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, Version 2.0, at 17-29 (June 18, 2021).

[45] Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Ground: Driving Corporate Behavior in the United States and Europe 189-215 (MIT Press 2015).

[46] Rahul Sharma, The DPDP Act's Blacklist Approach: Innovation or Abdication? 12 J. Tech. L. & Pol'y 234, 240 (2024).

[47] GDPR, supra note 34, art. 83(5).

[48] DPDPA, 2023, supra note 18, § 33.

[49] Anu Bradford, The Brussels Effect, 107 NW. U. L. REV. 1, 4-12 (2012).

[50] See Neha Mishra, Cross-Border Data Flows and India's Data Protection Bill: Regulatory Adequacy, Sovereignty and Trade, 9 Indian J. Const. L. 125, 140–48 (2019).

[51] See India-EU Strategic Partnership: A Roadmap to 2025, Joint Statement (July 15, 2020).

[52] See IAPP-EY Annual Governance Report 2021: Privacy Engineering and the Rise of the Data Protection Officer, 34-38 (2021).

[53] European Data Prot. Bd., Frequently Asked Questions on the Judgment of the Court of Justice of the European Union in Case C-311/18 7–9 (July 23, 2020).

[54] See Rahul Matthan, India's Data Protection Law: A Work in Progress, Takshashila Inst. Pol'y Brief 15–18 (Aug. 2023).

[55] Eur. Ctr. for Int'l Pol. Econ., The Economic Impact of Data Localization 3–5 (2019).

[56] Nat'l Ass'n of Software & Servs. Cos., Annual Report 2022-23, at 28–31 (2023).

[57] Invest India, Data Centre Industry in India: Market Landscape and Investment Opportunities 14–17 (2023).

[58] Andrew McAfee & Erik Brynjolfsson, Machine, Platform, Crowd: Harnessing Our Digital Future, 156-72 (2017).

[59] See Michèle Finck, Blockchain Regulation and Governance in Europe, 210-25 (2019).

[60] See Nat'l Inst. of Standards & Tech., Post-Quantum Cryptography Standardization: Report on the Third Round, 5–8 (2022).

[61] Clarifying Lawful Overseas Use of Data Act (Cloud Act), Pub. L. No. 115-141, 132 Stat. 348 (2018).