
Aadhaar in Google Wallet: India’s sovereignty under the US CLOUD Act framework

The UIDAI–Google Wallet partnership risks exposing Indian users to US CLOUD Act access and metadata exposure amid absent Indian cross‑border data protections.

Prasanth Raju

On April 28, 2026, Google announced that Indian users can store Aadhaar verifiable credentials in Google Wallet through a Unique Identification Authority of India (UIDAI) partnership. The world’s largest biometric database is being routed through an ecosystem subject to United States law - the CLOUD Act - at a moment when India has no operative cross-border data protection framework, no bilateral data access agreement with Washington and no legally defined concept of digital sovereignty.

A Harbr Data survey reported by the Financial Times on April 27, 2026 found that 61% of senior technology leaders at large UK companies cannot fully account for how their data is processed overseas by AI. The UK has both a data protection framework and a CLOUD Act bilateral agreement; India has neither.

Aadhaar Act 2016: A compliance chain with a missing link

Section 29(1) of the Aadhaar Act, 2016 is absolute on core biometric information. Section 29(3) bars requesting entities from misusing or onward-sharing identity information. Both reach only entities qualifying as ‘requesting entities’ under the Act and the Aadhaar Authentication Regulations, 2021. Google LLC has not been so determined by UIDAI, the Ministry of Electronics and Information Technology (MeitY) or any court. If it is, Section 29(3) binds it; if not, those protections do not apply. No Indian citizen whose credential sits in Google Wallet can presently know which regime governs them. UIDAI’s silence, in a partnership it has approved, is itself a regulatory failure. A petition in the Delhi High Court - Abhijit Mishra v. UIDAI - raised a cognate question on an earlier Google product. The structural question remains unanswered.

Technical architecture and the CLOUD Act: What the law can reach

The verifiable credential model built on ISO 18013-5 and W3C standards uses selective disclosure: verifiers receive a signed attestation (‘over 18: yes’), not the underlying document. A credential held in a device’s Trusted Execution Environment under keys Google does not hold may be cryptographically inaccessible to it. The CLOUD Act, 18 USC § 2713, compels US providers to produce data in their ‘possession, custody, or control’ but cannot override cryptographic non-possession. A low-exposure architecture is, therefore, buildable: with UIDAI signing issuance, attestation keys on device, revocation through a UIDAI-controlled status list and no credential-linked server telemetry, very little falls within Google’s reach.

Whether that is the architecture deployed turns on three questions. First, key custody: if Google participates in issuance, attestation, or revocation key custody, that participation may itself constitute ‘control’ under the CLOUD Act, regardless of where credential content resides. Second, metadata retention: presentation events, relying-party interactions and device identifiers may be logged server-side. To the extent such logs are retained and accessible to Google, that metadata layer falls within its possession and control. A warrant reaching it need not touch credential content to construct an identity-behaviour profile. Third, unlinkability: whether credential use generates persistent account-linked logs is an implementation question that materially changes legal exposure. Neither UIDAI nor Google has answered any of the three.
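The issuance, presentation and verification flow described above, as an added example (not UIDAI’s or Google’s code): the issuer signs only salted digests of the claims, the holder reveals a single attribute, and the verifier checks it against the signed digest list, so the name and date of birth never leave the device. The claim names and values are constructed, and the issuer signature is simulated with HMAC under a secret shared with the verifier, which stands in for the asymmetric issuer key a real deployment would use.

```python
"""Toy ISO 18013-5-style selective disclosure (added example, not UIDAI's or
Google's code). Claim names and values are constructed. The issuer signature is
simulated with HMAC-SHA256 under an issuer secret shared with the verifier; a
real deployment signs with an asymmetric issuer key and verifiers hold only the
public half, so that part of the model is an assumption, not the real scheme."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

ISSUER_KEY = secrets.token_bytes(32)  # stand-in for the issuer's signing key

def digest(salt: bytes, name: str, value) -> str:
    # Commit to one claim as SHA-256(salt || name || value). The per-claim salt
    # stops anyone holding only the digest from confirming a guessed value.
    return hashlib.sha256(salt + name.encode() + json.dumps(value).encode()).hexdigest()

def issue(claims: dict) -> dict:
    """Issuer: salt each claim, sign only the digest list (the 'MSO'), and hand
    the plaintext elements plus salts to the holder's device."""
    elements = {n: {"salt": secrets.token_bytes(16), "value": v} for n, v in claims.items()}
    mso = json.dumps({n: digest(e["salt"], n, e["value"]) for n, e in elements.items()},
                     sort_keys=True).encode()
    return {"elements": elements, "mso": mso,
            "sig": hmac.new(ISSUER_KEY, mso, hashlib.sha256).digest()}

def present(cred: dict, reveal: list) -> dict:
    """Holder: disclose only the requested elements with the signed digest list."""
    return {"disclosed": {n: dict(cred["elements"][n]) for n in reveal},
            "mso": cred["mso"], "sig": cred["sig"]}

def verify(pres: dict) -> Optional[dict]:
    """Verifier: check the issuer signature over the digest list, then recompute
    each disclosed element's digest. Returns the attested claims, or None."""
    expected = hmac.new(ISSUER_KEY, pres["mso"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pres["sig"]):
        return None  # digest list was not issued by the issuer, or was altered
    signed = json.loads(pres["mso"])
    for n, e in pres["disclosed"].items():
        if signed.get(n) != digest(e["salt"], n, e["value"]):
            return None  # a disclosed value does not match what was signed
    return {n: e["value"] for n, e in pres["disclosed"].items()}

if __name__ == "__main__":
    cred = issue({"full_name": "Constructed Holder", "dob": "1990-01-01", "age_over_18": True})
    pres = present(cred, ["age_over_18"])  # name and DOB never leave the device
    print(verify(pres))                    # {'age_over_18': True}
```

Nothing in this flow logs a presentation event; whether a wallet provider records such events server-side, and under which account, is the metadata-retention question above, and it is independent of how little the verifier receives.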

The DPDP Act 2023: Institutional vacuum at the worst moment

The DPDP Act 2023 governs cross-border transfers under Section 16 through a negative list - data flows freely unless the Central government restricts a country. Rule 15 of the DPDP Rules 2025 operationalises this, but the provisions are not operative until May 2027 and no negative list has been issued. Whether Google Wallet’s credential generation, metadata synchronisation and account-linking constitute ‘processing’ under Section 2(x) admits two readings. Narrowly, an on-device credential with no server-side transfer is no cross-border event; broadly, account-linked metadata processing by a US-established entity is. The government has stated no position; the Data Protection Board has not been constituted. The Draft IT Second Amendment Rules 2026 deepen the deadlock. Amended Rules 3(1)(g) and (h) require 180-day intermediary retention, conflicting with Section 8(7)’s right to erasure, while Section 38 asserts DPDP supremacy - a deliberate legislative standoff with no operative adjudicator.

Microsoft Ireland: Jurisdiction follows the company

In December 2013, a US magistrate issued a warrant under the Stored Communications Act, 18 USC § 2703, requiring Microsoft to produce emails on Dublin servers. Microsoft refused; the Second Circuit ruled 3–0 in its favour. The Department of Justice appealed in United States v. Microsoft Corp. Ireland’s amicus argued that the US–Ireland MLAT was the appropriate channel; bypassing it would place all data held by US companies globally within US reach. Congress responded by enacting the CLOUD Act in March 2018, reaching data ‘regardless of whether such information is located within or outside of the United States.’ The case was rendered moot. Ireland’s MLAT, EU law and amicus counted for nothing. As Jennifer Daskal observed in Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0 (Stanford Law Review Online, 2018), the Act expanded jurisdiction, not capability. It reaches only what a company can actually produce. That is precisely why the three architecture questions raised above - key custody, metadata retention and unlinkability - are dispositive.

Why India cannot simply negotiate its way to safety

The CLOUD Act permits bilateral executive agreements with qualifying foreign governments, creating structured data-sharing channels and rights to challenge US orders. Only the United Kingdom (2019) and Australia (2021) have such agreements. Qualification requires US Attorney General certification of independent judicial oversight - a benchmark derived from the Budapest Convention on Cybercrime, which India has declined to accede to since 2001. As Mohanty and Srikumar argue in India and the Budapest Convention: Why Not? (ORF, 2017), the objection is sovereignty-based: cross-border data access without explicit state consent conflicts with India’s position on digital autonomy. India’s surveillance framework under Sections 69–69B of the IT Act, analysed by Pranesh Prakash for the Centre for Internet and Society (How Surveillance Works in India, 2013) as falling short of Budapest benchmarks, compounds ineligibility. The instinct that keeps India outside the Convention is the same instinct that prevents the bilateral CLOUD Act agreement that would give Indian courts leverage over US data orders. The refusal meant to protect sovereignty has surrendered it.

Three questions the government has not answered

First, the Article 21 question. Where a Google account links Wallet credential events to location data - a configuration Google’s privacy policy permits - a valid CLOUD Act order could compel production sufficient to re-identify an Aadhaar credential holder by location and behaviour pattern. The risk is conditional, not deterministic. What is not conditional is the obligation under KS Puttaswamy v. Union of India to assess foreseeable privacy risks in their fullest Article 21 dimension, including risks to physical safety, before sanctioning such an integration. That assessment has not been published.

Second, the regulatory-independence question. On April 27, 2026, one day before the Wallet announcement, Google launched a 1 GW data centre and AI hub in Visakhapatnam, among the largest single technology investments in India’s history. The proximity raises a legitimate administrative-law question: was UIDAI’s decision an independent regulatory determination, insulated from concurrent FDI objectives and subject to inter-ministerial scrutiny by the Ministries of Home Affairs and External Affairs? Regulatory capture does not require intent. It requires only the absence of documented independence.

Third, the sovereign-wallet question. DigiLocker is not a substitute for Google Wallet. It is a government-controlled document repository under the IT Act, 2000; Google Wallet is a credential presentation layer that proves attributes without revealing documents. India already possesses the foundational sovereign infrastructure - Aadhaar for identity and DigiLocker for documents - but lacks the credential-wallet layer implementing W3C verifiable credentials and selective disclosure on top of it. That layer is buildable. The MOSIP ecosystem, which India helped create through IIIT-Bangalore and which is deployed in the Philippines, Morocco, Ethiopia and Sri Lanka with W3C VC support documented in MOSIP’s 1.2 release notes (2023), demonstrates the capability today.

Reliance on Google Wallet is, therefore, a policy choice about who controls the credential layer, made without public-interest determination, foreseeable-risk assessment, or evident inter-ministerial scrutiny. The proportionality question under Puttaswamy is not ‘was there an off-the-shelf alternative?’ It is ‘was there a sovereign path India chose not to take?’ The answer, on current evidence, is yes.

The single indispensable step

Of the corrective measures available - a UIDAI determination on Google’s requesting-entity status, a published technical specification of key custody and metadata retention, a foreseeable-risk assessment under Puttaswamy, constitution of the Data Protection Board, issuance of the DPDP negative list before May 2027 and a GDPR Article 48-equivalent provision blocking unrecognised foreign data orders - the single indispensable step is commissioning a sovereign credential-wallet layer on India’s existing identity and document infrastructure. Every other measure is remedial; this one is structural.

Sovereignty is an architecture, not a word

India logged 265.52 million cyber threat detections in 2025 - almost 505 per minute. Ireland fought the Microsoft case for five years and lost when Congress rewrote the territorial rules. India, facing the same statute applied to Aadhaar credential infrastructure operated by Google, has neither MLAT nor EU-equivalent law operative today. As The Ken reported on April 27, the legal contradiction inside every US hyperscaler operating in India - either comply with a US warrant and violate Indian law, or refuse and violate US law - has not yet been tested in court. It will be. India should not wait for that moment to discover it filled a real technical gap with a foreign-controlled solution when a sovereign path was available. Sovereignty is not a word; it is a legal architecture. India has the word. It does not yet have the architecture.

Prasanth Raju is an advocate practicing before the Bombay High Court.
