The Passport to Regulate Foreign Jurisdiction: The Personal Data Protection Bill, 2019 on its Extraterritorial Application

Abstract

The Indian Personal Data Protection Bill, 2019 (PDP Bill) was formulated from the Recommendations of the Justice Srikrishna Report. This Bill was the first portkey for India’s exclusive data protection regime. Notably, there is an urgent need to establish a strong legal framework for data protection in India as this would be the only safehouse for protecting every individual’s personal data, including sensitive and critical data. The EU’s General Data Protection Regulation (GDPR) serves as a yardstick for global data protection regulation due to its architecture that places a great onus of compliance on foreign entities. This resolute extraterritorial nature that GDPR thatches on itself has inspired several upcoming worldwide data protection regimes. Consequently, the Joint Parliamentary Committee, which is tasked with reviewing India’s PDP Bill, has the responsibility to upgrade its stance to be tenacious and more obstinate, as well as ensure that the Bill has a strong extraterritorial foundation. This requirement comes with a plethora of challenges under international law as questions on cross-border jurisdictions are inevitable. This paper compares the PDP Bill with the GDPR and Brasil’s Lei Geral de Proteção de Dados (LGPD) and analyzes the key challenges emerging from the extraterritorial scope of these legislations through the lens of international law. Its main objective is to identify the possible and plausible solutions to these extraterritorial jurisdictional issues and highlight how the fundamental construction of India’s PDP Bill can be improved to effectively address the extraterritorial concerns.