An international business collects personal data from Indian customers, transfers it to servers in the EU, and shares processing tasks with a third-party vendor in Dubai. Under India's evolving data protection regime, each of those steps now carries distinct legal obligations – and the window for compliance is narrower than many foreign operators assume. Getting the structure wrong from the outset means retrofitting consent mechanisms, renegotiating vendor contracts, and facing regulatory scrutiny at the worst possible moment.
Data protection in India is governed primarily by the Digital Personal Data Protection Act, India's dedicated data privacy legislation, which establishes obligations for every entity that processes the personal data of Indian residents. Businesses must identify their role as a data fiduciary (data controller) or data processor under the statute, implement lawful consent mechanisms, and observe cross-border transfer restrictions. Enforcement is administered through a Data Protection Board, and non-compliance can attract substantial financial penalties.
This page sets out the key instruments, procedures, timelines, and strategic considerations that international businesses need before operating in India's data environment – including cross-border implications for UAE and EU-based entities.
India's data protection regime: the regulatory setting
India's data protection legislation marks a decisive shift from a fragmented, sector-specific approach to a unified statutory regime. For years, privacy obligations were spread across technology legislation, financial sector rules issued by the Reserve Bank of India (RBI), securities market directives from the Securities and Exchange Board of India (SEBI), and company law obligations under Companies Act 2013 provisions covering data-related disclosures. Each operated in isolation.
The new framework consolidates personal data obligations under a single statute. It applies to any entity that processes the personal data of individuals in India – regardless of where the entity is established. A business based in Dubai or Lisbon that operates an Indian e-commerce platform is subject to the same obligations as a Bengaluru-headquartered company. This extraterritorial reach is one of the most significant aspects for international clients to absorb early.
The legislation draws a clear distinction between the data fiduciary (the entity that determines the purpose and means of processing) and the data processor (the entity that processes data on behalf of the fiduciary). This mirrors the data controller/data processor model familiar from GDPR compliance frameworks, but the obligations and accountability mechanisms differ in important respects. Practitioners advising clients accustomed to EU data protection rules note that the Indian statute introduces its own consent architecture, notice requirements, and data principal rights that do not map cleanly onto the European model.
Sector-specific regulators retain parallel authority. The RBI's directives on data localisation for payment data remain in force. SEBI's cybersecurity circulars impose additional obligations on regulated entities in the capital markets. A business operating across those sectors must satisfy both the general statute and the applicable sectoral rules – a layering effect that frequently surprises foreign market entrants.
The Data Protection Board of India (DPB) is the primary enforcement authority. It adjudicates complaints, investigates breaches, and imposes penalties. The DPB is a digital-first body: filings, notices, and proceedings are conducted through an online portal. This is operationally convenient but also means that enforcement timelines can be shorter than those seen in comparable EU data protection authority (DPA) proceedings.
Core instruments: consent, notice, and data transfer obligations
The foundation of India's data protection system is the consent mechanism. A data fiduciary must obtain free, specific, informed, unconditional, and unambiguous consent from the data principal before processing personal data. Consent must be sought through a notice that is clear and plain-language – the statute specifically requires that notices be understandable to an ordinary person. Bundled or pre-ticked consent is not valid.
The notice must be provided before or at the time of collecting personal data. It must specify what data is being collected, the purpose of processing, the rights of the data principal, and the mechanism for withdrawing consent. Businesses that have relied on lengthy privacy policies embedded in terms and conditions should expect those documents to require complete restructuring before they meet the statutory standard.
The legislation also recognises certain grounds for processing without consent – analogous to legitimate interests and legal obligation under GDPR – but these are narrowly defined. Processing for compliance with a legal obligation, for medical emergencies, and for certain state functions is permitted. International clients sometimes assume that these carve-outs are broader than the statute allows. In practice, the overwhelming majority of commercial processing by private entities requires valid consent.
Data principal rights are enforceable from the moment the statute's relevant provisions come into force. These include the right to access information about processing, the right to correction and erasure, the right to grievance redressal, and the right to nominate a representative in the event of incapacity or death. Each right triggers an obligation on the data fiduciary to respond within a defined period. Failure to respond adequately is itself a separate ground for a DPB complaint.
Cross-border data transfer is among the most operationally consequential aspects of the regime. The legislation restricts transfers of personal data to countries or territories not notified by the central government as permitted destinations. As of the current regulatory position, the permitted-country list is being developed by the government. International businesses with existing data flows to EU processors or UAE-based vendors must monitor this list actively and be ready to restructure transfer arrangements if their destination country is not included. For businesses already investing in AI and technology law in India, data transfer obligations intersect directly with model training, cloud storage, and API-based processing architectures.
Significant data fiduciaries – those processing large volumes of data or data of a sensitive nature, as classified by the government – face additional obligations. These include appointing a data protection officer, conducting data protection impact assessments, and engaging independent auditors. The threshold criteria for significant data fiduciary status have not been fully specified in secondary legislation, which creates planning uncertainty for large-scale operations.
To receive an expert assessment of your data compliance posture in India, contact us at info@ferrazwhitmore.com.
Practical pitfalls for international operators
The most consistent error seen in cross-border mandates is assuming that GDPR-compliant documentation satisfies Indian law. The two regimes share a conceptual lineage but diverge at critical points. A consent notice that meets EU standards may still fail the Indian plain-language requirement. A data processing agreement drafted for a European processor may not address the Indian fiduciary's obligations to the data principal. Retrofitting compliant documentation after the statute becomes fully operational is significantly more disruptive than building it correctly at the outset.
A second common pitfall involves the treatment of employee data. Many businesses implement consumer-facing compliance measures but overlook their obligations as employers processing the personal data of Indian employees. Employment data – payroll records, performance evaluations, health information – falls within the statute's scope. The absence of a separate employee data exemption (a feature of some other jurisdictions) means that Indian employment processing requires its own consent and notice architecture.
Data breach notification is another area where international clients underestimate the operational demands. The statute requires notification of personal data breaches to the DPB and affected data principals without delay. The precise timeline will be set out in implementing rules, but practitioners across comparable regimes note that breach notification windows are typically measured in hours to days – not weeks. Organisations that lack a tested incident response plan before a breach occurs invariably face the most difficulty in meeting notification requirements.
The interaction between data protection obligations and the Arbitration and Conciliation Act is a practical concern for businesses with arbitration clauses in their data processing agreements. If a dispute arises between a data fiduciary and a processor – whether domestic or cross-border – the arbitration clause determines the forum. However, the DPB retains jurisdiction to investigate and penalise data protection violations independently of any private arbitration outcome. A business cannot arbitrate its way out of a regulatory penalty.
Penalties under the statute are substantial. Different categories of violation attract different maximum penalty levels, with the most serious breaches – failure to implement adequate security measures, processing children's data unlawfully – attracting penalties at the higher end of the scale. The DPB's ability to impose penalties without requiring proof of actual harm to a data principal distinguishes this regime from some civil litigation contexts. The risk of a penalty proceeding is therefore decoupled from whether any individual suffered demonstrable loss.
Children's data deserves particular attention. The statute treats minors – persons under 18 – as a protected category. Processing their personal data requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising directed at children are restricted. Platforms that serve a general consumer audience but have a significant minor user base must implement age-verification mechanisms. The technical and legal challenges of doing so reliably are not trivial.
Cross-border strategy: UAE and EU dimensions
For businesses operating simultaneously across India, the UAE, and the EU, data protection compliance requires a coordinated multi-jurisdiction strategy rather than three parallel single-jurisdiction exercises. The same data flow – a customer record created in India, processed by a vendor in Dubai, and analysed by a team in Lisbon – engages all three regimes at once.
The UAE's data protection legislation, now operational across the mainland and in the Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), imposes its own obligations on processors handling data received from India. The data fiduciary in India remains accountable for the processor's compliance. Contractual protections – data processing agreements, standard clauses, audit rights – are not optional risk management tools. They are the mechanism through which the Indian data fiduciary discharges its statutory accountability. For a comparative view of the UAE obligations that counterpart processors carry, see our analysis of data protection in the UAE.
The EU dimension is equally important. EU-based entities that receive personal data originating from India do not automatically fall within India's outbound transfer rules – those rules govern the Indian fiduciary's ability to send data. However, EU entities that independently process Indian residents' data while targeting them with goods or services may themselves be subject to the Indian statute's extraterritorial provisions. This creates a situation where both the Indian and EU regimes apply to the same processing activity – each with its own consent standards, data principal rights, and breach notification requirements.
Businesses should also consider how the Indian regime interacts with sector-specific rules in both the UAE and the EU. A financial institution regulated by the RBI in India and by the Central Bank of the UAE, and passporting into the EU, must satisfy data protection requirements layered with financial regulation requirements in each jurisdiction. The points of interaction – particularly around data sharing for anti-money laundering and know-your-customer purposes – require careful mapping to avoid a compliance solution in one jurisdiction creating a violation in another.
The practical structure for most international clients involves a data governance matrix: a document mapping each category of personal data to the processing activity, the applicable legal basis in each jurisdiction, the transfer mechanism, the retention period, and the accountability structure. Building this matrix before operations scale is substantially more cost-effective than reconstructing it under regulatory pressure.
Dispute resolution strategy also belongs in the cross-border planning conversation. If a data subject complaint escalates to enforcement proceedings in India, the DPB process operates on its own procedural timetable. Parallel proceedings before an EU supervisory authority or a UAE data protection regulator are possible if the same data flow is involved. International businesses that have not mapped their exposure across all three regimes may find themselves responding to three separate regulatory processes simultaneously – each requiring local engagement and each carrying its own penalty exposure.
For a tailored cross-border data protection strategy covering India, the UAE, and the EU, reach out to info@ferrazwhitmore.com.
Self-assessment checklist before operating in India's data environment
The following checklist reflects the conditions under which a business needs active legal structuring before processing personal data of Indian residents.
The Indian data protection statute applies to your operations if:
- You collect, store, use, or share personal data of individuals located in India, regardless of where your entity is incorporated.
- You operate a digital platform accessible to Indian residents and offer goods or services to them.
- You engage third-party processors – anywhere in the world – to handle data received from India.
- You process employee data for Indian staff, even if payroll and HR systems are managed from outside India.
Before processing begins, verify that:
- Your consent notices meet the plain-language standard and cover all required disclosures.
- Your data processing agreements with vendors and processors include the clauses required under the statute.
- Your cross-border transfer destinations are on the government's permitted list or a compliant transfer mechanism is in place.
- You have implemented a documented incident response plan with breach notification timelines.
- If children's data is in scope, age-verification and parental consent mechanisms are operational.
A business that can answer affirmatively on all five verification points is substantially better positioned than one that defers compliance until after a complaint or investigation is initiated. The cost differential between proactive structuring and reactive remediation is consistently significant. For a detailed overview of how company formation interacts with data governance obligations from day one, the practical steps are set out in our guide to company formation in India.
Frequently asked questions
Q: How long does it take to build a compliant data protection programme for operations in India?
A: The timeline depends on the scale and complexity of processing. A mid-sized business with a defined product offering can typically complete a compliance review, redraft consent documentation, and implement a data governance matrix within two to four months. Businesses with complex cross-border data flows or significant data fiduciary status require longer. Starting before launch, rather than after, avoids the most costly delays.
Q: Is it a common misconception that GDPR compliance is sufficient for India?
A: Yes – this is among the most frequent errors made by international clients. GDPR compliance provides a useful baseline, but India's data protection legislation has its own consent architecture, notice standards, and data principal rights that do not map directly onto the EU model. A business that has invested in GDPR compliance will need a gap analysis and targeted remediation before it meets Indian requirements. Assuming equivalence without verification creates regulatory exposure.
Q: What happens if a data breach occurs before a formal compliance programme is in place?
A: The obligation to notify the Data Protection Board and affected data principals arises from the breach itself – it is not conditional on having a pre-existing compliance programme. An organisation without a documented incident response plan will face the notification deadline with no established process, which substantially increases the risk of procedural non-compliance in addition to the underlying breach. Engaging a lawyer in India with cross-border data protection experience before a breach occurs allows the organisation to build notification protocols, breach escalation procedures, and regulator communication templates in advance.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international businesses operating in India, the UAE, the EU, and across Asia-Pacific markets, combining Portuguese civil law expertise with English common law tradition to deliver cross-border data compliance solutions that work across multiple regulatory regimes simultaneously. In India-facing mandates, we advise on consent architecture, cross-border transfer structuring, data processing agreements, breach response, and regulatory proceedings before the Data Protection Board. Our attorneys have advised on data governance matters spanning civil law and common law systems, and our Lisbon base provides direct access to EU regulatory frameworks alongside our Asia-Pacific practice. The firm's data protection team includes practitioners with experience in both EU supervisory authority proceedings and emerging-market data regime implementation. To discuss how India's data protection obligations apply to your specific operations, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.