Q1 - If an Indian user’s data is processed abroad (e.g., on AWS servers in the U.S.), is the foreign company also bound by DPDPA?
Yes. Under the Digital Personal Data Protection Act, 2023 (DPDPA), any foreign company that processes personal data of individuals located in India — even if the processing happens outside India — is legally bound by the DPDPA.
This includes cases where Indian user data is stored or processed on foreign cloud platforms like AWS, Google Cloud, or Azure located outside India.
1. Legal Basis
Section 3(b) – The Act applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within India.
In simple terms:
If a foreign organization offers products, apps, or services to people in India, and processes their data (even on overseas servers), it comes under DPDPA jurisdiction.
2. Key Implications
- Foreign companies serving Indian users (for example, a U.S.-based e-commerce or fintech platform) must comply with all DPDPA provisions — including lawful processing, user consent, security safeguards, and breach notification.
- The company may need to appoint an India-based representative or Data Protection Officer (DPO) if designated as a Significant Data Fiduciary (SDF).
- Section 16(1) also empowers the Central Government to restrict cross-border transfers of personal data to specific countries or territories, if necessary for national security or public interest.
3. Example Scenarios
A global e-commerce company headquartered in Singapore runs an Indian website and mobile app. Even though customer data is stored on servers in Singapore, it collects and processes data of Indian users. Since it offers goods and services to people in India, it is bound by DPDPA obligations — including consent, access rights, and breach reporting.
A U.S.-based SaaS platform stores Indian business user data on AWS servers in the U.S. If that data is compromised or misused, the company must report the breach to the Data Protection Board of India and comply with Indian legal procedures — despite being outside India.
4. Exceptions and Clarifications
- DPDPA does not apply if the data belongs to individuals outside India and is processed by an Indian company under a foreign contract (Section 17(1)(d)).
- However, any entity (Indian or foreign) processing data of Indian residents or users in India must comply with DPDPA regardless of server location.
5. Key Takeaway
- Server location does not exempt compliance.
- If the data belongs to Indian users or relates to services offered in India, DPDPA applies — even when processed overseas.
- The law ensures protection of Indian citizens’ digital data regardless of where it physically resides.
Referenced Provisions:
- Section 3(b) – Extraterritorial applicability.
- Section 16(1) – Restrictions on cross-border data transfers.
- Section 17(1)(d) – Exemption for processing data of non-Indian individuals under foreign contracts.