Regional Data Watch – South Asia Data Protection Playbook

A Pivotal Moment in South Asia

Over the last few years, South Asia has undergone a quiet but significant transformation in its approach to data protection. Once marked by fragmented or outdated regulatory regimes, the region is witnessing a deliberate shift towards comprehensive and modern data governance frameworks. India, Sri Lanka, Pakistan, and Nepal have either passed new laws or introduced major overhauls to existing frameworks, though in many cases implementation is still in progress or subject to further regulatory clarification.

This period of transition presents a unique challenge for businesses that operate in or engage with the region. On one hand, regulatory uncertainty persists: final rules are awaited in India, key amendments are pending in Sri Lanka, Pakistan’s draft law is still under review, and Nepal’s frameworks remain disjointed.

On the other, the direction is clear: governments are embracing stronger privacy standards, sectoral oversight, and cross-border data controls, often drawing inspiration from the EU’s GDPR.

For companies navigating this evolving landscape, the imperative is to watch and prepare. This update note intends to provide privacy practitioners with a snapshot of regional data protection requirements.

INDIA

Processing of personal data is regulated under the Information Technology Act, 2000 (more specifically, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”)). The SPDI Rules are a consent-centric regulation that requires all companies to obtain written consent from individuals prior to processing their “sensitive personal data or information” or “SPDI”, a subset of personal data that includes passwords, financial information, physical, physiological, and mental health conditions, sexual orientation, medical records and history, and biometric information.

In August, 2023, the Indian Parliament passed the Digital Personal Data Protection Act, 2023 (“DPDPA”) which is intended to replace and supersede the SPDI Rules and act as the national data protection framework. The law introduces substantial changes to the existing legal framework in relation to the processing of personal data.

LEGAL LANDSCAPE

Data Fiduciaries and Processors:

The DPDPA introduces the concept of data fiduciaries, which are entities that determine the means and purposes for processing personal data. Data fiduciaries are responsible for complying with the law in relation to their processing activities. Any third parties that process personal data on their behalf are termed as “data processors”. The DPDPA does not regulate data processors.

Legal Bases for Processing:

Data fiduciaries must identify an appropriate legal basis prior to processing personal data. The law prescribes two primary legal bases of processing personal data:

(i) a data subject’s consent or

(ii) for certain “legitimate uses” which includes processing of data based on the voluntary provision of personal data by the individual for a specified purpose, for employment related purposes, and to respond to medical emergencies.

Cross-Border Data Transfers:

Data fiduciaries cannot transfer personal data to countries that form a part of a “negative list” that will be published by the central government. At this stage, the DPDPA does not prescribe adequacy thresholds to determine the constituents of this list, nor has the government released the list. Its composition is likely to be driven by India’s geopolitical considerations. Separately, the law does not impose any data localisation requirements, though sectoral localisation norms will continue to apply.

Significant Data Fiduciaries:

The law permits the government to categorise certain data fiduciaries as significant data fiduciaries based on factors that include the volume of data that is processed, number of customers, and risks posed to individuals by processing activities. Significant data fiduciaries must comply with additional obligations such as conducting annual data protection impact assessments and audits and appointing a data protection officer who must be based in India. The government has not issued lists of significant data fiduciaries.

Penalties:

Data fiduciaries may be fined up to USD 30 million for a breach of the DPDPA.

KEY HIGHLIGHTS

Implementation of the law

The Indian government released the first draft iteration of rules under the DPDPA in early 2025 for public consultation. These rules sought to provide additional clarity on certain operative provisions under the law. The final version of the rules is expected to be released in the second half of 2025. Informal reports indicate that the DPDPA will be implemented within 18 to 24 months after the rules are published.

Prescriptive security obligations

Draft rules under the DPDPA specify mandatory security obligations that will act as a minimum standard for all data fiduciaries. For instance, the rules require data fiduciaries to encrypt all personal data and maintain logs for a minimum period of 1 year. Data fiduciaries may need to invest in cybersecurity and storage infrastructure to ensure compliance. However, companies are well advised to wait for the final iteration of the rules before implementing these changes.

Consent management

Consent is the primary basis for processing personal data under the law. Standards are similar to those specified under the GDPR; however, grounds such as legitimate interests and contractual obligations are not recognised under the DPDPA. Companies will need to ensure that consent collection methods are carefully mapped and implemented.

In addition to English, consent forms will also need to be translated to 22 Indian languages.

Sectoral requirements

Obligations under the DPDPA will act in addition to sector-specific requirements. Specifically, data localisation and security measures prescribed by financial sector regulators like the RBI, IRDAI, and SEBI ought to be accounted for while preparing for compliance.

Companies that operate in regulated sectors (either due to the nature of their services or due to contractual obligations) ought to undertake a holistic data protection compliance exercise.

Children’s data: A priority

Data fiduciaries will need to obtain parental consent prior to processing children’s data in any capacity. The law does not provide exemptions for companies that do not intend to offer their services to children. Internal processes and website/app interfaces will need to be reevaluated to ensure that appropriate age verification and parental consent collection mechanisms are implemented.

Companies may face challenges implementing these measures for general websites and services that do not involve a user onboarding journey.

SRI LANKA

The Personal Data Protection Act, 2022 (“PDPA”), which is intended to be Sri Lanka’s primary data protection law, was passed in the Parliament of Sri Lanka and certified by the speaker on March 19, 2022. The PDPA applies extraterritorially – entities based outside Sri Lanka that offer goods or services to data subjects in Sri Lanka are also subject to its requirements.

In August 2023, the Data Protection Authority of Sri Lanka (“DPA”) was established to regulate the processing of personal data and safeguard individuals’ privacy. The DPA intends to foster growth and innovation in Sri Lanka’s digital economy, and aims to ensure that digital transactions and communications are safe and trusted.

Certain parts of the PDPA were supposed to enter into force on March 18, 2025. These parts include data processing requirements, rights of data subjects, data protection obligations of controllers, and penalties. The obligations set out in these parts will now be operationalised in September 2025.

Separately, in March 2025, the Cabinet of Ministers approved the Personal Data Protection (Amendment) Bill for presentation before the parliament, where it will be considered for enactment. These amendments are intended to embrace greater technology choices to support both public and private sector adoption of digital technologies while appropriately addressing the rights of data subjects.

KEY AMENDMENTS

Data subject requests:

Controllers are now required to respond to data subject requests within 1 month from the date of receipt of the request. If a controller requires more time to respond to a request, it may extend the response period for a further period of 2 months (without exceeding 3 months from the date of the request) by notifying the data subject.

Cross border data transfers:

The concept of an “adequacy decision” has been removed from the PDPA. Entities may transfer personal data outside the territory of Sri Lanka

(i) if they comply with their data protection obligations under the PDPA, and

(ii) by adopting such instruments as may be specified under a directive issued by the DPA.

Data protection impact assessments:

Controllers are no longer required to submit all their data protection impact assessments (“DPIA”) to the DPA, and must submit DPIAs only when requested to do so.

Data protection officer:

Entities may now appoint a third party to act as their data protection officer.

KEY OBLIGATIONS

In addition to the Amendment Rules, the DPA published the draft Personal Data Protection (Personal Data Breach Notification) Rules in October 2024 (“Draft Rules”). A summary of the key obligations of controllers under the Draft Rules follows.

NOTIFICATION TO THE DPA

Controllers must provide the following information to the DPA:

  • The timing and nature of the personal data breach
  • The categories and approximate number of data subjects affected by the breach
  • The name and contact details of the DPO or any other representative
  • The likely consequences of the data breach
  • A summary of the risk assessment
  • Description of the manner in which the controller will notify data subjects (if required)
  • Description of the measures taken or proposed to be taken by the controller or its processors to address the data breach, and
  • A declaration that all the information provided by the controller is true.

NOTIFICATION TO DATA SUBJECTS

Controllers must provide the following information to affected data subjects:

  • The timing and nature of the personal data breach
  • The categories and approximate number of data subjects affected by the breach
  • The name and contact details of the DPO or any other representative
  • The likely consequences of the data breach for affected data subjects
  • Description of the measures taken or proposed to be taken by the controller to address the data breach
  • Measures that data subjects must undertake to mitigate the possible risks of harm from the data breach, and
  • The link to the website on which further information will be made available.

BREACH NOTIFICATION

Controllers must:

  • Notify the DPA of any personal data breach that has occurred or is reasonably likely to have occurred, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, and
  • Notify affected data subjects of a personal data breach that is likely to result in a high risk to their rights and freedoms. Generally, such notifications should be made within 72 hours of becoming aware of the data breach. Where notifications within the 72-hour timeline are not feasible, controllers should provide reasons for delays. Controllers may also submit amended notifications to the DPA if they become aware of additional information.

NEPAL

Data protection in Nepal is primarily regulated by the Individual Privacy Act, 2018 (the “Privacy Act”), the Individual Privacy Regulation, 2020 (the “Privacy Regulation”), the Data Act, 2022 (“Data Act”), and various criminal laws. However, there is currently no single comprehensive law that consolidates all aspects of data protection. Key obligations under these laws follow:

Consent

The Supreme Court has clarified that personal information cannot be disclosed without explicit legal justification. Under the Privacy Act, consent serves as the sole legal basis for processing personal data. Consent must be obtained in writing prior to disclosing or publishing personal data stored electronically. Similarly, under the Data Act, government agencies must secure written consent before sharing personal information with anyone outside authorised bodies or using it as evidence in legal matters.

Extraterritorial Application

As Nepal’s internet services market continues to grow, questions about the extraterritorial application of Nepali data protection laws remain. The Privacy Act and Privacy Regulation are silent on whether foreign businesses are bound by these laws when processing data of Nepalese residents. As a result, many global businesses have proceeded with transferring and processing data abroad, relying on consent obtained from users. However, the legislative intent to either permit or restrict this practice remains unclear.

This lack of clarity places businesses in a difficult position, uncertain about the legal framework governing such activities. While the current absence of specific rules has led to the interpretation that businesses may process Nepalese data as long as consent is obtained and sectoral compliance requirements are met, it remains uncertain whether the government will provide clearer guidelines on this matter. Until such clarification is made, businesses are left navigating a grey area.

Data Transfers and Sector-Specific Requirements

The Privacy Act restricts the transfer of certain sensitive personal data abroad without explicit consent. This includes data related to medical examinations, income, property, employment, family matters, biometric data, political affiliations, and professional or business details. These categories of data are considered highly sensitive and require heightened protection.

Additionally, there are emerging sectoral data localisation requirements. For example, the 11th Amendment to the National Broadcasting Regulation, which came into effect in March 2022, mandates that Over-the-Top (“OTT”) service providers store customer data on servers located within Nepal. This requirement applies specifically to OTT services, which include media streaming delivered via the internet without cable or satellite television. However, the regulation does not yet specify how or whether this data can be transferred outside Nepal. Market practice in this regard has been to store a copy of such information within Nepal, while transferring the information freely outside Nepal.

Nepal’s data protection landscape is evolving, but several uncertainties remain, particularly with respect to the extraterritorial application of laws and sector-specific data localisation requirements. For businesses operating or planning to operate in Nepal, it is essential to stay informed and ensure compliance with both general data protection regulations and any sector-specific requirements. As the regulatory framework matures, clearer guidance and enforcement mechanisms are likely to emerge, offering businesses more certainty in navigating these complex issues.

PAKISTAN

Pakistan presently lacks a comprehensive data protection legal framework. Currently, the Prevention of Electronic Crimes Act, 2016 is the primary law that regulates the transmission of electronic data in Pakistan; however, its focus is on the prevention of cyberterrorism and unauthorised access to electronic data, and not on the establishment of data protection and governance principles.

That is not to say that the country is not assessing a new federal law. The Draft Personal Data Protection Bill, 2023 (“Draft Bill”) was introduced in 2023 and was intended to create a new data protection framework. Largely modelled on the European Union’s General Data Protection Regulation, the Draft Bill categorises entities that process personal data as data controllers and processors based on the nature of their processing activities. The proposed law applies extraterritorially – entities based outside Pakistan that offer goods or services within the country will also be subject to its requirements. Aspects such as grounds for processing, data subject rights, and breach notification requirements remain similar to those under the GDPR.

Pakistan’s Ministry of Information Technology and Telecommunications (“MITT”) was tasked with the finalisation of the proposed law. After nearly two years of legislative limbo, the Senate has reportedly requested the MITT to reopen the Draft Bill and finalise its contents. Reports indicate that the MITT is in the process of evaluating certain technical aspects within the law before its final form is circulated for due consideration by the Senate.

Coming in the wake of continuous data leaks, a potential governance structure to address this concern is welcome news. While it remains unclear whether the Pakistani government will introduce significant amendments to the current draft, key highlights from the Draft Bill follow.

KEY HIGHLIGHTS

Data Localisation Requirements

The Draft Bill requires “critical personal data”, which includes data that has been categorised as critical by the Commission or sector-specific regulators, to be stored within Pakistan. This category is likely to include information that may affect the security of the country or cause a public emergency, if compromised.

Registration Requirements

Foreign data controllers and processors that offer services in Pakistan are required to register with the National Commission for Personal Data Protection (“Commission”). The Commission will act as the supervisory body under the law and publish rules on registration processes. At this stage, it is likely that the law will require companies to have a local presence in Pakistan to apply for registration.

Security Measures

The Draft Bill imposes non-prescriptive security obligations on data controllers. Security measures must be commensurate with the company’s processing activities and in line with general global standards. Sector-specific requirements will need to be factored in while determining these measures.

Cross Border Data Transfer Restrictions

The Draft Bill permits entities to transfer data from Pakistan to another country with the explicit consent of data subjects or on the basis of a binding agreement with the recipient of data. It is unclear whether the agreement is akin to standard contractual clauses under the GDPR or if a data processing agreement will be adequate. In any case, cross border transfer restrictions appear to be relatively light-touch.

Penalties

Penalties for unlawful processing of personal data under the law extend up to USD 500,000. However, the Commission has the power to impose fines of up to 1% of a company’s annual gross revenue if such company fails to comply with enforcement orders issued by the Commission.