GOVERNING THE UNGOVERNED: A COMPARATIVE ANALYSIS OF DATA PROTECTION REGIMES IN SOUTH ASIA THROUGH THE LENS OF DIGITAL SOVEREIGNTY, CONSENT ARCHITECTURE, AND CONSTITUTIONAL GUARANTEES

The rapid digitisation of South Asian economies has precipitated an urgent need for coherent, rights-respecting data governance frameworks. Despite sharing constitutional traditions rooted in the common law and constitutional democracy, the nations of South Asia — India, Bangladesh, Sri Lanka, Pakistan, Nepal, and Bhutan — have pursued divergent legislative and regulatory approaches to personal data protection. This paper undertakes a comparative doctrinal and policy analysis of existing and emerging data protection regimes across the sub-continent, with particular emphasis on India's Digital Personal Data Protection Act, 2023, Bangladesh's Personal Data Protection Bill, 2022, and Sri Lanka's Personal Data Protection Act, 2022. The analysis examines the structural architecture of consent, purpose limitation, and data fiduciary obligations; the constitutional underpinnings of informational self-determination; the regulatory treatment of sensitive personal data including biometrics and children's data; and the governance challenges posed by cross-border data flows and data localisation mandates. The paper contextualises these legislative developments within the broader framework of global data governance norms, including the General Data Protection Regulation (GDPR), United Nations resolutions on the right to privacy in the digital age, and the emerging convergence between data protection and trade law under the World Trade Organization's Joint Statement Initiative on E-Commerce. Drawing upon a sovereignty-based analytical framework, the paper argues that South Asian states are navigating a contested trilemma between individual privacy rights, state surveillance imperatives, and market integration pressures. It concludes with recommendations for regional regulatory convergence, informed by the Sustainable Development Goals, particularly SDG 16 and SDG 17, to build accountable, transparent, and interoperable data governance institutions across South Asia.

Keywords: Data Protection, Digital Sovereignty, South Asia, Consent Architecture, Data Fiduciary