Q2 - What happens when Indian law conflicts with foreign privacy laws (like GDPR or CCPA)?

Answer

When Indian law — specifically the Digital Personal Data Protection Act, 2023 (DPDPA) — conflicts with foreign privacy frameworks such as the General Data Protection Regulation (GDPR) of the EU or the California Consumer Privacy Act (CCPA) of the U.S., the applicable law depends on where the data is being processed and which users the data belongs to.

In essence:

  • DPDPA governs data of Indian residents or users in India, regardless of where it is processed.
  • GDPR, CCPA, or other regional laws govern data of users from their respective jurisdictions.

When the same company processes data of users from multiple regions, it must comply with all applicable laws simultaneously, and resolve conflicts by applying the stricter rule wherever possible.

1. Jurisdictional Boundaries

Law                     | Applies To                                                  | Territorial Reach
------------------------|-------------------------------------------------------------|--------------------------------------------------------------------------------
DPDPA (India)           | Processing of personal data of individuals located in India | Applies within and outside India, if offering goods or services to Indian users
GDPR (EU)               | Processing of data of EU residents                          | Applies globally to any entity offering goods/services to or monitoring EU users
CCPA (California, U.S.) | Processing of data of California residents                  | Applies globally to businesses meeting thresholds and serving California consumers

Each law has extraterritorial effect — meaning companies can be simultaneously subject to multiple privacy regimes.


2. Priority of DPDPA for Indian Data

Section 3(b) of DPDPA extends the Act to processing outside India when it relates to offering goods or services to individuals within India.

This makes DPDPA mandatory for any company handling Indian user data, even if it’s based abroad.
If the same data processing activity is also subject to GDPR or CCPA, the organization must ensure its operations satisfy all frameworks.


3. When Conflicts Arise

Conflicts usually appear in three areas:

  1. Cross-border data transfers

    • GDPR restricts data transfers outside the EU unless the destination country ensures adequate protection.
    • DPDPA allows cross-border transfers except to countries restricted by the Indian government.
    • A company may therefore need to comply with both transfer restrictions simultaneously.
  2. User rights

    • GDPR provides rights such as data portability, which DPDPA does not.
    • DPDPA provides the Right to Nominate (post-death data control), which GDPR does not.
    • Companies serving both user groups must design systems that support the full combined set of rights.
  3. Breach notification timelines

    • GDPR requires breach reporting within 72 hours.
    • India’s CERT-In Directions (2022) require it within 6 hours.
    • The stricter timeline prevails to ensure global compliance.

Example

A multinational fintech company processes both Indian and EU user data on the same infrastructure hosted in Singapore.

  • It must comply with GDPR for EU users and DPDPA for Indian users.
  • If a data breach occurs, it must notify both EU regulators (within 72 hours) and the Data Protection Board of India (as soon as practicable or within the prescribed time).
  • If the laws differ, the company applies the stricter rule to ensure compliance in both jurisdictions.

4. How Companies Handle Dual Compliance

To avoid conflict and duplication, global organizations often:

  • Maintain separate data maps for each region (India, EU, U.S.).
  • Implement region-specific consent forms and privacy notices.
  • Design privacy policies that reference compliance under multiple frameworks.
  • Use modular compliance programs — one global baseline aligned with the strictest obligations (GDPR), extended to cover local variations (DPDPA, CCPA, etc.).

5. Government Coordination

DPDPA empowers the Central Government to issue guidelines or enter reciprocal arrangements with other jurisdictions to:

  • Facilitate cross-border data flows;
  • Prevent regulatory overlap; and
  • Promote interoperability of privacy frameworks (Section 40).

These arrangements are expected to work similarly to the EU’s adequacy decisions, harmonizing compliance between India and trusted jurisdictions.


Warning: If an organization ignores DPDPA obligations on the assumption that GDPR or CCPA already cover them, it risks independent penalties under Indian law, including fines up to ₹250 crore for data breach or unlawful processing.


6. Key Takeaway

  • DPDPA applies to Indian users’ data, regardless of where it’s processed.
  • Companies serving multiple regions must comply with each applicable law.
  • In cases of overlap or conflict, organizations should follow the stricter or more protective standard to stay compliant globally.
  • The Central Government may later issue harmonization rules to simplify cross-border compliance.

Referenced Provisions:

  • Section 3(b) – Extraterritorial applicability of DPDPA.
  • Section 16(1) – Restrictions on cross-border data transfers.
  • Section 40(2) – Government’s power to harmonize with other laws.
  • Schedule (Entry 2) – Penalties for breach of security safeguards (up to ₹250 crore).