The DPDPA Obligation for Multinationals

The DPDPA applies to every entity that processes digital personal data of individuals within India. It does not matter where the processing occurs. Section 3(b) extends jurisdiction to organisations outside India if they process personal data in connection with offering goods or services to data principals within the territory.

This is not a dormant provision. If a multinational operates a website, application, SaaS platform, or service accessible to Indian users, and collects their personal data, that entity is a Data Fiduciary under Indian law. Physical presence is not required. A registered Indian entity is not required. What is required is that personal data of Indian data principals is being processed.

The consequence is straightforward. A global privacy team must construct a separate, India native compliance architecture. The DPDPA contains no mutual recognition provisions. GDPR compliance, SOC 2 certification, and ISO 27701 accreditation do not discharge the obligations under Sections 4 through 10. When the Board examines an organisation's compliance position, it will assess conformity with the DPDPA. Not with any other statute, in any other jurisdiction.

DPDPA consent is structurally different from GDPR consent. The differences are not cosmetic. They are architectural.

Under Section 6, consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Rule 3 prescribes that the consent notice must be available in English or any of the 22 languages listed in the Eighth Schedule to the Constitution. The notice must contain an itemised description of every processing purpose, the rights available to the data principal, and the mechanism for complaint to the Data Protection Board.

There is no legitimate interest basis in the DPDPA. Article 6(1)(f) of the GDPR, the processing ground upon which multinational privacy programmes rely most heavily, has no equivalent in Indian law. Every processing activity routed through legitimate interest in the global programme must be rearchitected to pass through consent or through one of the narrow legitimate uses under Section 7.

Bundled consent is prohibited. Pre checked boxes are prohibited. Consent obtained as a condition of service beyond what is necessary for the service is prohibited. The practical result is that between sixty and eighty percent of consent mechanisms designed for GDPR will fail DPDPA scrutiny on their first examination.

The DPDPA uses a negative list for cross border data transfers. This is the inverse of the GDPR's adequacy architecture. Under Section 16, the Central Government may notify countries to which transfers are restricted. Until such notification is issued, transfers are permitted to all jurisdictions not on the restricted list.

For multinationals, this creates a structural problem. Transfers are unrestricted today but can be restricted by executive notification at any time. The organisations that treat current permissibility as a permanent condition will find themselves operationally non compliant on the day the notification is published.

The approach that survives Board scrutiny is documentation. Map every cross border data flow. Identify every jurisdiction where Indian personal data is processed, stored, or accessed. Construct Data Processing Agreements under Section 8(2) that contain the DPDPA specific obligations. Not recycled GDPR Standard Contractual Clauses. The DPA must reflect Indian statutory terms. SCCs drafted under European law do not discharge obligations under Indian law.

Large multinationals processing substantial volumes of Indian personal data will face designation as Significant Data Fiduciaries under Section 10. The consequences are material: mandatory appointment of a Data Protection Officer resident in India, mandatory Data Protection Impact Assessments, mandatory data audits by an independent auditor, and periodic compliance reporting.

Rule 13 sets the classification criteria: volume and sensitivity of data processed, risk to data principal rights, potential impact on sovereignty and integrity, and risk to electoral democracy. Multinationals in financial services, healthcare, telecommunications, e commerce, and education are the most probable designees.

The designation does not include a transition period. Section 10 presupposes that the governance architecture exists on the date of designation. An organisation that begins constructing DPO functions, DPIA programmes, and audit mechanisms after the designation notification arrives is already in default. The statute does not distinguish between non compliance and late compliance.

When the Data Protection Board initiates proceedings under Section 28, the quality of the multinational's first response will determine the outcome of the entire enforcement cycle. This is not a negotiation. It is a formal legal submission.

Organisations that produce documentation assembled before the Board notice, including the evidence file, consent records, DPA library, breach protocol test results, and DPIA reports, receive compliance undertakings. Organisations that assemble documentation under pressure after the notice receive penalties. The Board will distinguish between pre existing compliance evidence and retrospective document assembly.

For multinationals, the practical implication is clear. The India compliance programme cannot operate as a subsidiary workstream managed from London or New York. It must be a standalone, India native programme with its own evidence trail, its own documentation, and its own legal adviser who understands the Board's adjudicatory approach and evidentiary expectations.