Research Series · No. 05
Foreign Universities, Indian Students & the DPDP Act
Why every institution that recruits, admits or enrols a student in India is now a Data Fiduciary under India's Digital Personal Data Protection Act, 2023, and what compliance demands.
Inside this report
Table of Contents
Five parts, from the scale of Indian outbound study through the law's extraterritorial reach to a practical compliance roadmap for foreign institutions.
From the practice
India's students crossed a border. So did India's law.
More than 1.3 million Indians are studying in higher education abroad, and a foreign university now collects a remarkable amount of personal data about each of them long before they ever leave the country.
A transcript, a passport scan, a sponsor's bank statement, a biometric photograph, a statement of purpose. These are gathered at education fairs in Bengaluru, through agent networks in Punjab, and on application portals opened from a bedroom in Hyderabad. The student is, at every step of that journey, physically and legally in India.
For two decades that data sat in a regulatory gap. The Digital Personal Data Protection Act, 2023 has closed it. The Act applies to the processing of personal data outside India whenever it is connected to offering goods or services to people within India. Recruiting and enrolling Indian students is exactly that.
The institutions affected are sophisticated. They comply with the GDPR in Europe and FERPA in the United States. But Indian law is not a copy of either. Its definition of a child reaches to eighteen, catching most undergraduate applicants. It requires notice in a choice of twenty-two languages. It has no broad legitimate-interest basis. And its penalties run to two hundred and fifty crore rupees, around US$26 million, or roughly €23 million or £20 million.
This report sets out the scale of the opportunity, the precise reach of the law, and the work that compliance now requires. We publish it as we practise: practical, measured, and useful on a Monday morning to a registrar, a general counsel and a board alike.
Executive Summary
A large market, and a law that already covers it.
A foreign university that recruits in India is a Data Fiduciary under the DPDP Act, the student is a Data Principal, and the core obligations crystallise on 13 May 2027. This is not a future risk to monitor; it is a compliance programme to build.
- i
The reach is settled, not speculative
Section 3(b) applies the Act to processing outside India that is connected to offering services to people in India. Recruitment is squarely within it.
- ii
The children's regime is the sharp edge
A "child" is anyone under 18. Most undergraduate applicants qualify, triggering verifiable parental consent and a ban on behavioural tracking.
- iii
GDPR compliance is a head-start, not a defence
Five DPDP-specific gaps survive an existing GDPR or FERPA programme. They must be closed before May 2027.
The question is no longer whether Indian law reaches a campus in Toronto or Manchester. It is whether that campus can show its consent, its notice and its safeguards working. The central finding · Sections 05–07
The Outbound Surge
A decade of growth, now measured in millions.
The number of Indians in higher education abroad roughly doubled between 2019 and 2024. On the Ministry of External Affairs' broader count, 18.8 lakh Indians are now studying across 153 countries, the largest internationally mobile student population in the world.
The MEA publishes two figures that are not interchangeable. The headline mobility number, students in higher education abroad, was 13.36 lakh in 2024. A broader count of all Indian students abroad across every level and 153 countries reached 18.82 lakh in December 2025; it includes school-age children of resident Indians, particularly in the Gulf. This report uses the higher-education figure for the market and flags the all-levels figure where minors are in view.
The Geography of Indian Study Abroad
Five countries hold two in every three students.
Canada, the United States, the UAE, Australia and the United Kingdom together host the bulk of Indian students abroad. Each line below is a flow of data, not just of people: applicant records collected in India and carried to servers overseas.
331,602 Indian students in 2023/24, a record and a 35% jump, the year India overtook China as the largest source of international students.
About 107,500 Indian entrants in 2023/24, roughly nine times the 2017/18 level; India has been the largest sending nationality for three years running.
Extraterritorial Scope · Section 3
A campus abroad, a duty in India.
Section 3(b) of the DPDP Act applies to the processing of digital personal data outside India "if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India."
Education is a service. A foreign university that markets to, recruits, processes applications from and admits students who are in India is offering a service to Data Principals within India. The decisive fact is that the applicant is physically and legally in India at the moment the university targets them and collects their data, through education fairs, India-facing websites and advertising, in-country agent networks, and online application portals. The law, in the firm's published view, is purpose-driven rather than location-based: it does not distinguish between Indian and foreign entities where the activity has a nexus with India.
- A
The recruitment phase is not contestable
Marketing, lead capture, application intake, offer-making, fee and visa processing are all directed at and performed on individuals in India. There is no serious argument that this falls outside Section 3(b).
- B
The university is the Data Fiduciary
It alone determines the purpose and means of processing (Section 2(i)). In-country agents act on its behalf as Data Processors, and under Section 8(1) the university remains responsible for their processing irrespective of any agreement to the contrary.
- C
Relocation does not switch the duty off
The trigger is the offering activity, fixed at the point of collection in India. The only genuinely open margin is processing that occurs purely on-campus after the student has left; the prudent reading keeps the originating relationship in scope.
Core Obligations · Sections 5–14
Eight duties, across the whole student journey.
Personal data is collected at every stage of recruitment, and a distinct set of duties attaches to each. The heat map shows where collection is heaviest; the obligations below apply throughout.
- 5
Notice in clear, multilingual form
A standalone, itemised notice (Section 5, Rule 3) stating the data collected and the purpose, with the means to withdraw consent, exercise rights and complain to the Board, available in English or any of 22 Eighth-Schedule languages.
- 6
Consent that is free, specific and withdrawable
Consent (Section 6) must be unambiguous, limited to the data needed, and as easy to withdraw as to give. There is no broad legitimate-interest basis; Section 7's consent-free grounds are a narrow, largely State-facing list.
- 8
Fiduciary duties: accuracy, security, erasure, breach, grievance
Section 8 requires accurate decision-data, reasonable security safeguards, erasure on withdrawal or purpose-completion, breach notification, and a working grievance mechanism, for the university and its processors alike.
- 11–14
Data-principal rights, with a published response path
Access, correction, completion, updating, erasure, grievance redressal and nomination (Sections 11–14). The Rules require the university to publish how these rights are exercised and to resolve grievances within a stated period not exceeding 90 days (Rule 14).
Children's Data · Section 9
In India, an applicant is a child until eighteen.
This is the single sharpest divergence from the rules foreign universities already know. The Act sets the age of a "child" at 18, higher than the GDPR or COPPA, and most undergraduate applicants are 17 or 18 when their data is first collected.
- i
Verifiable parental consent
Before processing a child's data, the university must obtain verifiable consent of a parent or guardian (Section 9(1), Rule 10).
- ii
No tracking, no targeted ads
Behavioural monitoring of children and advertising directed at them are prohibited outright (Section 9(3)), regardless of parental consent. Retargeting pixels and look-alike audiences of prospective students are caught.
- iii
A bright line, no mature-minor doctrine
A child is simply anyone who has not completed 18 years (Section 2(f)). A programme calibrated to "16 or 13 is fine" systematically under-protects the cohort.
The Rules do carve out a narrow exemption (Rule 12 with the Fourth Schedule): for a listed class such as an educational institution, Sections 9(1) and 9(3) are relaxed, but only for tracking or monitoring tied to the institution's own educational activities or to a child's safety, and subject to conditions. It does not reach a foreign university's commercial recruitment marketing, which still requires verifiable parental consent, and the ban on targeted advertising to children continues to bite for any marketing use. The prudent posture is not to assume the carve-out covers lead generation.
Are you in scope?
Most undergraduate applicants are children under the Act. Take our 60-second check to see whether India’s new data-protection law reaches your institution, and where.
Cross-Border Transfer & Section 10
The data leaves India. The obligation follows it.
Applicant data collected in India and routed to a university's home-country servers, cloud or shared-service centre is a cross-border transfer, governed by Section 16 of the Act.
A permissive baseline, with limits. Section 16 uses a negative-list model: transfer is permitted to any country except those the Central Government restricts by notification. As of mid-2026 no operative blacklist appears to have been notified, so flows to a university's home jurisdiction are not blocked on that ground. But Section 16(2) preserves stricter cross-border rules under other Indian laws, so sector-specific localisation, for example RBI rules on payment data, continues to bind fee and financial data irrespective of the DPDP baseline.
The Significant Data Fiduciary tier. Under Section 10 the Government may notify a fiduciary as "significant" based on the volume and sensitivity of data and the risk to data principals. A large university or recruitment aggregator handling high volumes of Indian applicant data, with passports, financial and sponsor records and biometric photographs, could be designated. Designation triggers an India-based Data Protection Officer (Section 10(2)), an independent data auditor, and a periodic Data Protection Impact Assessment and audit at least once every twelve months (Rule 13).
The university must be able to identify, document and justify every flow of Indian student data out of the country: which categories, to which systems, under which contracts. A data map is the precondition for every other control in this report.
Penalties · The Schedule
Fixed maxima, no turnover cap to dilute them.
Penalties are set in rupees, per contravention, and may be imposed cumulatively. They are adjudicated by the Data Protection Board of India, with appeals to the Telecom Disputes Settlement and Appellate Tribunal.
The provisions establishing the Data Protection Board are in force, but the Board is not yet operational: its Chairperson and members had not been appointed as of mid-2026, with applications invited only in May 2026, so its complaint and inquiry machinery is not yet live. The bulk of substantive obligations, notice and consent standards, the children's regime, security safeguards, breach reporting, SDF duties and the cross-border rules, come into force on 13 May 2027, eighteen months after the Rules were notified. That is the deadline by which a foreign university's programme must be operational, not merely planned.
The Compliance Gap
A head-start is not the same as a defence.
An existing GDPR or FERPA programme provides real muscle, notice, access, erasure and breach-response. But five DPDP-specific gaps survive it, and each must be closed before May 2027.
| Issue | GDPR / FERPA | DPDP Act (stricter / different) |
|---|---|---|
| Age of a "child" | GDPR 16, down to 13; COPPA 13 | Under 18 (Sec 2(f)) — catches most undergraduate applicants; parental consent and a ban on tracking and targeted ads |
| Lawful basis | GDPR includes a broad "legitimate interests" balancing test | No broad legitimate-interest basis; Section 7 is a closed, narrow list. Recruitment rests on consent (Sec 6) |
| Notice language | "Clear and plain language", no multilingual mandate | Notice, and the consent request, in English or any of 22 Eighth-Schedule languages (Sec 5(3) and 6(3)) |
| Cross-border transfer | Whitelist / adequacy, SCCs, BCRs | Negative-list model (Sec 16); but Sec 16(2) preserves stricter Indian sectoral laws |
| Penalty exposure | Up to €20m or 4% of global turnover | Fixed maxima up to about US$26m (₹250 crore · €23m / £20m) per contravention, cumulative, no turnover dilution |
A university calibrated to "sixteen is fine" will systematically under-protect its Indian applicants, lawfully everywhere else, and unlawfully in India.
The Road to Compliance
Six steps, in the order that actually works.
Compliance is sequential. Institutions that skip the data map and rush to consent banners rebuild twice. This is the order our practice recommends for a foreign university with a finite runway to May 2027.
Map the India data flows Weeks 1–6
Inventory what is collected from applicants in India, by whom, including agents, where it is stored and to which countries it flows.
Fix the lawful basis Weeks 4–10
Move recruitment processing onto consent (Section 6); identify the under-18 cohort and design the verifiable parental-consent path for it.
Build notice & consent Weeks 8–18
Stand up a standalone, itemised, multilingual notice and a consent layer that can capture, version, withdraw and evidence across every India-facing surface.
Open the rights channel Weeks 12–20
Publish how rights are exercised and a stated response time, with a resourced grievance officer who resolves complaints within 90 days.
Govern agents & transfers Weeks 14–24
Re-paper agent and processor contracts to Section 8(1) standard; document and justify every cross-border flow; prepare for possible SDF duties.
Rehearse the breach Ongoing
Test the incident runbook against the two-tier breach timeline before you need it, and keep records that demonstrate the programme working.
Privacy & Data Protection at KSK
Counsel that closes the gap to operations.
King Stubb & Kasiva (KSK) is a full-service Indian law firm advising leading domestic and international organisations across litigation, banking and finance, real estate, corporate, intellectual property and regulatory practice, from seven offices in New Delhi, Mumbai, Bengaluru, Chennai, Hyderabad, Pune and Kochi.
Our Privacy & Data Protection practice works where the law meets the operating model. For institutions recruiting in India we advise on DPDP Act applicability, notice and consent design, children's-data and parental-consent flows, agent and processor contracts, cross-border transfer structuring and breach response.
Speak to the practice
Start with an honest applicability assessment.
A focused assessment tells you exactly which of your India recruitment activities the Act reaches, where your GDPR or FERPA programme falls short, and what a costed, sequenced path to 13 May 2027 looks like.
Three steps to take before 13 May 2027
Share your India recruitment footprint, the fairs, agents, application portals and volumes, and we map which activities the Act reaches.
We benchmark your existing GDPR or FERPA controls against the five DPDP gaps and the under-18 applicant cohort.
A sequenced, budgeted roadmap your admissions, IT and legal teams can execute against the deadline.
Book a complimentary 45-minute DPDP applicability briefing for your leadership. We will tell you candidly which of your India activities are in scope, and what closing the gap involves.
Write to privacy@ksandk.comPrivacy & Data Protection
This report is provided for general information and does not constitute legal advice. Please seek specific counsel on your institution's circumstances.
Strictly Private & Confidential
Research report · figures sourced to MEA, RBI, IIE, HESA and the DPDP Act & Rules · Save as PDF to export an A4 print version.