The Passport to Regulate Foreign Jurisdiction: The Personal Data Protection Bill, 2019 on its Extraterritorial Application


  • Vasishtan P Hidayatullah National Law University, Raipur, India



law, technology law, data protection, information technology law, GDPR, Data Privacy,


The Indian Personal Data Protection Bill, 2019 was formulated from the Recommendations of the Justice Srikrishna Report. This Bill was the first portkey for India's exclusive data protection regime. The need for protecting the personal data of every Indian becomes essential, as India quite lacks awareness of the importance of every personal, sensitive and critical data. In the absence of personal awareness, a strong framework of data protection law becomes the only safe house to protect every individual's best interests.

The EU's GDPR serves as a famous yardstick for global data protection regulation. This is largely due to the architecture on which GDPR was built. Formulated with the sole intent to protect every EU's individual's best interests, the GDPR imposes a great onus of compliance on foreign entities that process their personal data. This resolute extraterritorial nature that GDPR thatches on itself, has commanded several jurisdictions and global entities to comply with it. There are worldwide new data protection regimes being formulated, based on the GDPR's model

This places a burden on the Joint Parliamentary Committee that is reviewing India's PDP Bill to upgrade its stance to be tenacious, more obstinate and laid on a strong extraterritorial foundation. This requirement comes with a plethora of challenges in international law, as questions on cross-border jurisdictions may arise. This paper will compare PDP Bill with the GDPR and Brasil's LGPD and analyse the key challenges emerging from the extraterritorial scope of these legislations through the lens of international law. Due academic research is also applied in this study. The paper will strive to identify the possible and plausible solutions to these extraterritorial jurisdictional issues and highlight where India's PDP Bill could improve in terms of its fundamental construction on its extraterritorial aspect.

Keywords: Data Protection, PDP Bill, Extraterritorial Application, GDPR, LGPD.

Author Biography

Vasishtan P, Hidayatullah National Law University, Raipur, India

Vasishtan is an Indian Lawyer who is presently an LL.M. (Technology and Law) candidate at the Hidayatullah National Law University, Raipur, India. Vasishtan is also a Technology Law and Policy Fellow at Daksha Fellowship.




Marko Milanovic, “Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy†(OUP 2011).

James Crawford, “Brownlie’s Principles of Public International Law†(8th edn, OUP 2012).

W Bowett, ‘Jurisdiction: Changing Patterns of Authority Over Activities and Resources’ (1982)

Oppenheim, International Law, Chapter 1, s.143.

Jack Goldsmith and Tim Wu, “Who Controls the Internet? Illusions of a Borderless Worldâ€, Oxford University Press, 2006.

Christopher Kuner, “Data protection law and international jurisdiction on the Internet (Part 2)â€, International Journal of Law and Information Technology, Oxford University Press 2010.


Vienna Convention on Diplomatic Relations 1961, Done at Vienna on 18 April 1961. Entered into force on 24 April 1964. United Nations, Treaty Series, vol. 500.

The United States of America’s Helms Burton Act.

The Personal Data Protection Bill, 2019.

The General Data Protection Regulation 2016/679.

The General Personal Data Protection Law 13709/2018.

The Recommendations of the Justice Srikrishna Report.

Lei Geral de Proteção de Dados.

International Court of Justice.

Universal Declaration of Human Rights.

International Covenant on Civil and Political Rights.

Personal Data Protection Act, 2012 of Singapore.

Privacy Act 1988 of Australia

Foreign Corrupt Practices Act of 1977 of the United States of America.

China's Personal Information Protection Law.

Commission Decision 2001/497 of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC, 2001 O.J. (L 181/19).


SS ‘Lotus’ (France v Turkey) (1927) PCIJ Ser A, No 10.

UK vs. Norway (North Atlantic Fisheries Case), [1951] ICJ Rep.116.

Nottebohm Case (Liechtenstein v. Guatemala); Second Phase, International Court of Justice (ICJ).

Google v. Spain, Court of Justice of the European Union [CJEU], ILEC 060 (CJEU 2014).


Jean-Baptiste Maillart, “The limits of subjective territorial jurisdiction in the context of cybercrimeâ€, ERA Forum (2019)

Harish Walia and Supratim Chakraborty, “Indian Data Protection Lawâ€,, Data Protection 2020 | Laws and Regulations | India | ICLG.

Bioni, Bruno. R. (2014). A produção normativa a respeito da privacidade na economia da informação e do livre fluxo informacional transfronteiriço. Direitos e novas tecnologias: XXIII National Meeting of Conpedi, 1, 59-82. internet-sectoral-overview-xi-2-privacy-7-11.pdf (

Comparing GDPR v. LGPD, OneTrust DataGuidance, B.Luz, Advocates. gdpr_lgpd_report.pdf (

FRANCKE, Glory. Time to Update Your Privacy Statement For GDPR. Law 360.

Christian Perrone, Privacy and Data Protection - From Europe To Brazil,

Dan Jerker B. Svantesson, The Extraterritoriality of EU Data Privacy Law – Its theoretical Justification and Its practical Effect on U.S. Businesses, (2014) 50 Stanford Journal of International Law, 53, p. 58.

Leung, Ricky. (2018). Navigating the GDPR’s extraterritorial applicability to processors: a perspective from the non-EU cloud service provider.

Adèle Azzi, The Challenges Faced by the Extraterritorial Scope of the General Data Protection Regulation

Cedric Ryngaert, "The Concept of Jurisdiction in International Law", Utrecht University,

Indriana Pramesti and Arie Afriansyah, “Extraterritoriality of Data Protection: GDPR and Its Possible Enforcement in Indonesiaâ€, Advances in Economics Business and Management Research, 3rd INCLAVE 2019, Volume 130, Atlantis Press,


The Internet and extra-territorial effects of laws Internet Society Concept Note, The Internet and extra-territorial application of laws_FINAL-EN (

Nicole Lindsey, "Understanding the GDPR Cost of Continuous Compliance," CPO Magazine,

Forbes Technology Council, "15 Unexpected Consequences of GDPR," Forbes,

David Ingram, Joseph Menn, Exclusive: Facebook CEO stops short of extending European privacy globally, Exclusive: Facebook CEO stops short of extending European privacy globally | Reuters.

Jeffrey Batt, “Reputational Risk and the GDPR: What's at Stake and How to Handle I†Brink News,



How to Cite

P, V. (2022). The Passport to Regulate Foreign Jurisdiction: The Personal Data Protection Bill, 2019 on its Extraterritorial Application. Brawijaya Law Journal, 9(1).