The European Parliament adopted GDPR in April 2016, replacing an outdated data protection directive from 1995, and it came into force on May 25, 2018. But the question remains, why does a law enacted in Europe affect: (a) businesses operating in India; and (b) individuals located in India? To answer the first part of this question – GDPR has extra-territorial jurisdiction. However, before we get into the territorial scope of GDPR, it is important to understand what GDPR is and what it seeks to regulate. Any business operating out of India that targets persons from the EU and consequently controls and processes personal data of a person in the EU needs to comply with GDPR. Moving on to the second part of the initial question – how does a law enacted in Europe affect individuals located in India? In fact, it doesn’t. At least not by design. The impact of GDPR on Indian individuals is an outcome of the approach adopted by businesses around the world. In their effort to update their privacy policies and comply with GDPR, businesses around the world (including India) have decided not to limit these changes to their users located in EU.

(Economic Times)