DPDPA's Long-Arm Jurisdiction: When Your Offshore Entity Becomes an Indian Data Fiduciary

Section 3(b) of the DPDPA extends India's data protection jurisdiction to any entity anywhere in the world that processes personal data in connection with offering goods or services to individuals in India. This extraterritorial reach is broader than GDPR Article 3(2) in one critical respect: it does not require the "monitoring of behaviour" test as an alternative trigger — the mere offering of goods or services suffices. For offshore SaaS providers, global e-commerce platforms, foreign financial services firms, and international law firms with India-facing practices, Section 3(b) creates full-spectrum DPDPA obligations without requiring any physical presence in India.

Section 3(b) triggers DPDPA jurisdiction when two conditions are met: (1) digital personal data is processed outside India, and (2) the processing is "in connection with" offering goods or services to Data Principals within India. The phrase "in connection with" is deliberately broad — it captures not just direct service provision but upstream processing activities (analytics, profiling, marketing) connected to the India offering. A US-headquartered SaaS company that processes Indian customer data on US servers for a product sold to Indian enterprises falls squarely within Section 3(b). So does a Singapore-based e-commerce platform that ships to Indian addresses and processes Indian payment credentials on Singapore infrastructure.

GDPR Article 3(2) has two extraterritorial triggers: (a) offering goods or services to EU data subjects, and (b) monitoring the behaviour of EU data subjects. The DPDPA has only one trigger under Section 3(b) — offering goods or services. This means that a foreign entity that monitors Indian user behaviour (tracking, profiling, analytics) without offering goods or services may not fall within Section 3(b). However, the monitoring entity may still be caught under Section 3(a) if the personal data was "collected within India" — which is arguable for data collected through cookies or device identifiers from India-based devices. The practical difference: GDPR requires a local representative under Article 27; DPDPA requires a local representative to be determined by the Rules. The enforcement mechanism also differs — GDPR uses supervisory authority cooperation; DPDPA relies on the Data Protection Board with powers under Section 27.

Five common corporate structures face Section 3(b) exposure. First, offshore SaaS providers with Indian enterprise clients — Salesforce, ServiceNow, Workday configurations serving Indian subsidiaries of global clients. Second, global e-commerce platforms — Amazon (US entity), Alibaba (Chinese entity) processing Indian consumer data offshore. Third, foreign financial services — offshore asset managers, insurance companies, and payment processors handling Indian investor/policyholder data. Fourth, international professional services — law firms, consulting firms, and audit firms processing Indian client data at offshore headquarters. Fifth, global social media and ad-tech platforms — processing Indian user data for behavioural advertising and content personalisation outside India. Each structure creates a different Fiduciary-Processor relationship under DPDPA, requiring specific compliance architecture.

An offshore entity caught by Section 3(b) must implement the full DPDPA compliance stack remotely: Section 5 notices for Indian Data Principals, Section 6 consent infrastructure calibrated to DPDPA standards (not GDPR standards), Section 8(2) processor contracts for any Indian processors, Section 8(6) breach notification to the Board and affected Indian Data Principals, Section 11-13 rights infrastructure for Indian users, and Section 9 children's data protections. The entity must also designate a point of contact for the Data Protection Board — while DPDPA does not explicitly require a "local representative" in the GDPR Article 27 sense, practical enforcement engagement necessitates an India-based contact. The penalty exposure is identical to an India-based entity: up to Rs 250 Cr under the Schedule. An offshore entity cannot claim foreign incorporation as a defence to Board proceedings.