The Framework

Enacted in August 2023, India’s Digital Personal Data Protection Act (DPDP Act) governs the processing of digital personal data within India, and also applies to processing outside India if connected to offering goods or services to individuals within the country.[1] The Act is built on principles requiring data fiduciaries (entities determining the purpose and means of processing) to obtain clear, affirmative consent from data principals (individuals) before processing their data, except for certain specified “legitimate uses.”[2] It grants data principals rights, including the right to access, correct, and erase their data, and to have grievances redressed. The Act allows cross-border transfer of personal data to any country unless specifically restricted by the central government.[3] It mandates the establishment of a Data Protection Board (DPB) to adjudicate non-compliance and imposes significant financial penalties, up to ₹250 crore (approximately USD$30 million) per instance, for violations.[4] Certain entities may be designated as “significant data fiduciaries” (SDFs) based on the volume and sensitivity of data processed and other factors, subjecting them to additional obligations.[5]

Implications for U.S. Technology Companies

Major U.S. technology companies operating extensively in India are more likely to be classified as SDFs under the DPDP Act.[6] This designation triggers enhanced compliance requirements, including appointing a Data Protection Officer based in India, conducting annual Data Protection Impact Assessments (DPIAs), and undergoing regular independent data audits.[7] All data fiduciaries, particularly large platforms, face the significant task of re-engineering systems to manage consent effectively (ensuring it is specific, informed, and easily withdrawable) and fulfill data principal rights requests promptly. Restrictions on processing children’s data (under 18), such as requiring verifiable parental consent and prohibiting targeted advertising, necessitate further operational adjustments.[8] While the framework for cross-border data transfers is more permissive than earlier localization proposals, the central government’s power to blacklist countries creates regulatory uncertainty for global data flows.[9] The substantial penalties for non-compliance represent a major financial risk, demanding significant investment in legal, technical, and operational measures to ensure adherence.

How China Benefits

The DPDP Act’s complex compliance requirements and significant potential penalties disproportionately affect large U.S. technology companies due to their scale and extensive data processing activities in India. Given the already intense global competition between American and Chinese tech firms, this regulatory weakening of U.S. companies specifically within the critical Indian market risks eroding their market share. By hindering the operational capacity and diverting the resources of leading U.S. platforms, the Act potentially clears the path for competitors from China to gain ground and influence in India as their American rivals grapple with unfair regulatory burdens.

Endnotes