Scope of data protection laws relevant to cross-border investigations
What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
In 2023, the Indian legislature passed the country’s first comprehensive data privacy legislation – the Digital Personal Data Protection Act 2023 (DPDPA). Although notified in the Official Gazette as ‘law’, the DPDPA, as at April 2025, has not been officially implemented. The relevant government department will notify the date of implementation of the DPDPA (different dates may be appointed for different provisions) in due course once delegated legislation provided for under the DPDPA is also notified and the Data Protection Board of India (the regulatory authority under the DPDPA) is instituted.
On 5 January 2025, the government published the said delegated legislation, the Draft Digital Personal Data Protection Rules 2025 (the DPDP Rules) for a public consultation exercise, wherein feedback from the public was invited on its provisions until March 2025. The DPDP Rules provide further clarity on a lot of the implementational and procedural aspects of the DPDPA.
Once implemented, the DPDPA will regulate, among other things, the processing of ‘digital’ personal data in India. (‘Processing’ itself is defined in a similar fashion to the General Data Protection Regulation (GDPR) and subsumes ‘collection’ of personal data as well.)
The DPDPA defines data fiduciaries (that is, entities determining the purpose and means of processing of personal data – akin to ‘data controllers’ under the GDPR); data processors (that is, entities processing personal data, including those on behalf of data fiduciaries) and data principals (that is, individuals to whom the personal data relates to – akin to ‘data subjects’ under the GDPR), and outlines their obligations, rights and duties. Further, the DPDPA also provides the Indian government the power to regulate transfers of personal data outside India, which is relevant for cross-border investigations.
