Skip to main content

Q2 - What happens when Indian law conflicts with foreign privacy laws (like GDPR or CCPA)?

Answer
  • Companies must comply with both if they process data of individuals from both regions.
  • Where rules conflict, companies may need to adopt the stricter standard to remain safe.
  • DPDPA also allows the Central Government to restrict transfers to certain countries, even if those countries have strong privacy laws, if national security or sovereignty is at stake.
Example

A multinational e-commerce platform handling both Indian and European customers must comply with GDPR (EU) and DPDPA (India).
If GDPR requires data portability but DPDPA does not, the company must still provide portability to EU users while ensuring Indian users’ rights are respected under DPDPA.