India Jurisdiction: Physical Location/Residency of Data Subject in Jurisdiction

The factor of Physical Location/Residency of the Data Subject in the jurisdiction is indirectly addressed in India's Digital Personal Data Protection Act (DPDP). The Act applies to the processing of digital personal data within India, as well as to processing outside India when it relates to offering goods or services to data subjects located within India.

Text of Relevant Provisions

DPDP Art.3(b):

"Subject to the provisions of this Act, it shall—

...(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;"

DPDP Art.3(a):

"Subject to the provisions of this Act, it shall—

(a) apply to the processing of digital personal data within the territory of India where the personal data is collected—

(i) in digital form; or

(ii) in non-digital form and digitised subsequently;"

Analysis of Provisions

• DPDP Art.3(b) extends the applicability of the Act to "processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India." This provision highlights that the law is concerned with the location of the data subject, referred to as "Data Principal," at the time of offering goods or services, rather than the physical location of the processing itself.
• The term "Data Principal" as used here typically refers to a natural person whose data is being processed. The provision emphasizes that the processing activities outside of India are subject to the DPDP Act if they are directed at individuals residing or physically present within India at the time of data collection or processing.
• DPDP Art.3(a), on the other hand, clarifies that the Act applies to the processing of personal data "within the territory of India" irrespective of the form in which the data is initially collected (digital or non-digital, provided it is digitized later). This makes clear that any data processing happening within India falls under the Act's scope, regardless of the physical presence or residency of the Data Principal.
• The interplay between Art.3(a) and 3(b) establishes that the DPDP Act applies to data processing based both on the physical location of the processing activity and the residency or physical presence of the data subject in India.

Implications

• For businesses, the inclusion of this factor means that any processing of personal data outside India, if related to offering goods or services to individuals in India, will be subject to Indian data protection laws. This ensures that Indian residents or those physically present in India are protected by the DPDP Act, even when their data is processed abroad.
• Companies operating internationally must therefore consider the Indian market's data protection regulations when offering goods or services to Indian residents or those present in India, regardless of where the data processing takes place. Failure to comply with the DPDP Act could result in legal and regulatory challenges, especially for businesses involved in e-commerce or digital services targeting Indian consumers.
• This factor effectively creates an extraterritorial reach of the DPDP Act, similar to the GDPR's approach, ensuring that Indian data subjects are protected even when engaging with foreign entities.