The Long Arm of the DPDPA
The DPDPA does not confine itself to the territorial boundaries of India. Section 3(b) explicitly extends the Act to any entity — regardless of where it is incorporated or where its servers are located — that processes digital personal data in connection with offering goods or services to individuals located within the territory of India. This extraterritorial reach mirrors the jurisdictional architecture of the EU's GDPR (Article 3(2)) but operates within India's unique enforcement framework. The practical consequence is that a SaaS company in San Francisco, a fintech platform in Singapore, an e-commerce marketplace in London, or a cloud provider in Frankfurt may be a Data Fiduciary under Indian law if its services are accessible to, marketed towards, or used by individuals in India. The absence of a physical office, a registered entity, or even a single employee in India does not exempt a foreign company from DPDPA obligations.
Why Every Foreign Company Serving India Is Already Subject to the DPDPA
The "offering goods or services" test under Section 3(b) captures virtually every foreign digital business that reaches Indian users — whether or not it has any physical, legal, or commercial presence in India.
The DPDPA's extraterritorial trigger is the phrase "in connection with any activity related to offering of goods or services to Data Principals within the territory of India." This is a functional test, not a formal one. It does not require that the foreign entity targets India specifically, maintains an Indian domain, or accepts Indian payment methods. If the platform's services are accessible to individuals in India and personal data is processed in that connection, the DPDPA applies. The European Court of Justice's interpretation of similar language in GDPR Article 3(2) — examining factors such as language availability, currency options, and references to Indian customers — provides interpretive guidance, though the Indian Data Protection Board will develop its own jurisprudence.
For foreign companies, this creates an immediate compliance question: does your platform process the personal data of individuals located in India? If the answer is yes — whether through direct sales, free-tier access, B2B SaaS relationships with Indian enterprise clients, or data analytics that includes Indian user data — the DPDPA applies. The obligations are the same as those imposed on domestic Data Fiduciaries: valid consent, transparent privacy notices, security safeguards under Rule 6, breach notification within the prescribed window, and fulfilment of Data Principal rights. The only distinction is operational — the foreign Fiduciary must operationalise these obligations without the infrastructure advantages of an Indian presence.
Six Compliance Imperatives for Extraterritorial Fiduciaries
The specific obligations that foreign companies must operationalise when the DPDPA applies to their processing activities, even without an Indian establishment.
Applicability Assessment
Section 3(b), DPDPA
Every foreign company must conduct a structured assessment: does it process digital personal data in connection with offering goods or services to individuals in India? This analysis must examine all data processing touchpoints — including website analytics, marketing automation, customer support systems, and B2B SaaS relationships — to determine whether the DPDPA applies.
India-Specific Privacy Notice
Section 5, DPDPA
Foreign Fiduciaries must provide privacy notices that satisfy Section 5 requirements — itemised descriptions of data collected, specific purposes, and retention periods. These notices must be available in English or any language specified in the Eighth Schedule of the Indian Constitution. A generic global privacy policy does not satisfy this obligation.
Security Safeguards Without Indian Infrastructure
Section 8, Rule 6
The DPDPA requires reasonable security safeguards regardless of where the data is stored. Foreign companies processing Indian personal data on global infrastructure must demonstrate compliance with Rule 6 — encryption, access controls, audit logging — even though their servers are located outside India. The standard is the same; only the implementation geography differs.
Data Principal Rights Fulfilment
Sections 11-14, DPDPA
Indian Data Principals have statutory rights to access, correction, erasure, and grievance redressal. Foreign Fiduciaries must implement mechanisms to fulfil these rights within prescribed timelines, even though the requestor is in India and the processing infrastructure may be in another jurisdiction. This requires accessible request channels and operationally responsive fulfilment workflows.
Breach Notification Across Borders
Section 8(6), Rule 6
When a breach affects the personal data of Indian Data Principals, the foreign Fiduciary must notify the Data Protection Board of India and affected individuals within the prescribed timeline. This obligation applies regardless of where the breach occurs. The notification must satisfy Indian regulatory requirements, which may differ procedurally from the Fiduciary's home jurisdiction obligations.
Enforcement and Jurisdictional Cooperation
Section 3, Section 27-30
The DPDPA empowers the Data Protection Board to adjudicate complaints against foreign entities. While cross-border enforcement mechanisms are still developing, foreign companies face reputational risk, potential market access consequences, and the possibility of coordinated enforcement with the Fiduciary's home jurisdiction regulator. Proactive compliance eliminates this exposure.
Operationalising Compliance Without an Indian Presence
The operational challenge for extraterritorial Fiduciaries is not understanding what the DPDPA requires — it is operationalising those requirements without the infrastructure of an Indian establishment. The recommended approach has four elements. First, appoint an India-based representative or engage Indian legal counsel who can serve as a regulatory liaison with the Data Protection Board. The DPDPA does not explicitly mandate a local representative (unlike some GDPR member states), but having one significantly reduces enforcement friction. Second, implement India-specific data processing records that demonstrate compliance with Sections 5, 6, and 8 — even if the processing occurs entirely outside India. Third, establish breach notification protocols that account for time-zone differences, jurisdictional coordination, and the specific procedural requirements of the Indian regulatory framework. Fourth, build Data Principal rights fulfilment workflows that are accessible from India and responsive within Indian regulatory timelines. The investment in India-specific compliance infrastructure is proportional to the commercial value of the Indian market. Companies that treat India as a material market but apply minimal compliance resources create an asymmetric risk profile that the Data Protection Board will eventually examine.
The DPDPA does not ask where your servers are. It asks where your users are. If the answer includes India, you are subject to Indian data protection law — regardless of your address, your incorporation, or your cloud provider's geography.
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
Does the DPDPA apply to a company that has no office or employees in India?
Yes. Section 3(b) of the DPDPA applies to any entity that processes digital personal data in connection with offering goods or services to individuals within the territory of India. Physical presence in India is not required. If the company's services reach Indian users and personal data is processed in that connection, the DPDPA applies.
How does the DPDPA determine if a foreign company is offering goods or services to India?
The test under Section 3(b) is functional. Relevant factors include whether the platform is accessible from India, whether services are marketed to Indian users, whether Indian payment methods are accepted, whether content is available in Indian languages, and whether the platform processes data of individuals located in India. A specific intent to target India is not necessarily required — the processing connection is sufficient.
Can the Data Protection Board enforce penalties against foreign companies?
The DPDPA empowers the Data Protection Board to adjudicate complaints and impose penalties regardless of where the respondent is incorporated. While cross-border enforcement mechanisms are developing, foreign companies face reputational consequences, potential market access restrictions, and the possibility of coordinated regulatory action with their home jurisdiction's data protection authority.
Must a foreign company appoint a representative in India?
The DPDPA does not explicitly mandate the appointment of a local representative. However, having India-based legal counsel or a designated representative significantly reduces enforcement friction, facilitates regulatory communication, and demonstrates good faith compliance — all factors that the Data Protection Board may consider in its adjudication.

