The India Digital Personal Data Protection Act (DPDP) extends its applicability to the processing of digital personal data outside India when it relates to offering goods or services to data subjects within India.

Text of Relevant Provision

DPDP Article 3(b):

"(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;"

Analysis of Provision

The DPDP Act extends its territorial scope beyond India's borders through Article 3(b). This provision specifically targets the "processing of digital personal data outside the territory of India" when it is connected to "offering of goods or services to Data Principals within the territory of India".

Key elements of this provision include:

1. Extraterritorial application: The law applies to data processing activities occurring outside India.
2. Connection requirement: The processing must be linked to activities related to offering goods or services.
3. Targeting Indian data principals: The goods or services must be offered to individuals within India.

This extraterritorial reach is designed to protect Indian residents' data even when processed by entities located outside the country. It ensures that foreign companies targeting the Indian market are subject to Indian data protection regulations, regardless of where their data processing occurs.

Implications

The extraterritorial application of the DPDP Act based on the "offering goods and services" factor has several implications for businesses:

1. Foreign companies targeting India: Non-Indian businesses that offer goods or services to individuals in India will need to comply with the DPDP Act, even if they have no physical presence in the country.
2. Online businesses: E-commerce platforms, digital service providers, and online marketplaces targeting Indian consumers will fall under the Act's scope, regardless of their server locations.
3. Compliance requirements: Companies must assess whether their activities constitute "offering goods or services" to Indian data principals and, if so, ensure compliance with all DPDP Act provisions.
4. Data localization considerations: While the Act applies to data processed outside India, companies may need to evaluate whether certain data processing activities should be localized within India to simplify compliance.
5. Marketing and advertising: Businesses engaging in targeted marketing or advertising to Indian consumers may be subject to the Act, even if their primary operations are outside India.
6. Language and currency indicators: The use of Indian languages or accepting payment in Indian rupees could be seen as indicators of offering goods or services to Indian data principals, potentially triggering the Act's applicability.
7. B2B services: Companies offering business-to-business services to Indian companies may also fall under the Act's scope if those services involve processing personal data of Indian data principals.