
I’m a US Citizen Providing Services to Indians. Am I Covered Under the DPDP Act?
The short answer is: yes, very likely.
The DPDP Act, 2023 is not limited to organisations or individuals based in India. Its reach is intentionally extraterritorial, designed to protect Indian individuals regardless of where the entity collecting their data is located.
What Does the Act Say?
The Act applies to the processing of digital personal data in two scenarios:
- Within India: Any personal data collected in digital form (or digitised from non-digital form) within the territory of India.
- Outside India: Any processing of digital personal data outside India, if such processing is in connection with offering goods or services to individuals in India.
This second provision is what covers you directly as a US-based service provider.
Does This Apply to Me?
Ask yourself these questions:
- Do you collect personal data of individuals located in India? If you collect names, email addresses, phone numbers, payment details, or usage behaviour, you are processing personal data of Indian Data Principals.
- Do you offer goods or services to individuals in India? If your platform, app, or service is accessible to and targeted at Indian users, even if your servers are in the US, you fall within the scope of the Act.
- Do you receive payment or registrations from Indian users? If Indian individuals are signing up, subscribing, or transacting with you, you are offering services to Data Principals within India.
If your answer to any of the above is yes, the DPDP Act applies to you.
What Are Your Obligations?
As a Data Fiduciary operating from outside India, you must:
- Obtain free, informed, and unambiguous consent from Indian users before collecting their data
- Provide a clear notice describing what data is collected and why
- Use the data only for the stated purpose
- Implement reasonable security safeguards to prevent breaches
- Delete the data once the purpose is served or consent is withdrawn
- Report breaches to the Data Protection Board of India and affected users promptly
Are There Any Restrictions on Sending Data Back to the US?
Yes, potentially. The Central Government has the power to restrict the transfer of personal data to specific countries. If India notifies the US as a restricted destination, additional compliance steps may apply before you can transfer Indian users’ data to US servers or store it there.
What Happens If You Don’t Comply?
Non-compliance exposes you to penalties imposed by the Data Protection Board of India — up to ₹250 crore for security failures and up to ₹200 crore for failure to report a breach. The Board has jurisdiction over processing that affects Indian Data Principals, regardless of where you are based.
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.


