#FactCheck-Phishing Scam-LPG dealership of Hindustan Petroleum

Modern international trade heavily relies on data transfers for the exchange of digital goods and services. User data travels across multiple jurisdictions and legal regimes, each with different rules for processing it. Since international treaties and standards for data protection are inadequate, states, in an effort to protect their citizens' data, have begun extending their domestic privacy laws beyond their borders. However, this opens a Pandora's box of legal and administrative complexities for both, the data protection authorities and data processors. The former must balance the harmonization of domestic data protection laws with their extraterritorial enforcement, without overreaching into the sovereignty of other states. The latter must comply with the data privacy laws in all states where it collects, stores, and processes data. While the international legal community continues to grapple with these challenges, India can draw valuable lessons to refine the Digital Personal Data Protection Act, 2023 (DPDP) in a way that effectively addresses these complexities.

Why Extraterritorial Application? 

Since data moves freely across borders and entities collecting such data from users in multiple states can misuse it or use it to gain an unfair competitive advantage in local markets, data privacy laws carry a clause on their extraterritorial application. Thus, this principle is utilized by states to frame laws that can ensure comprehensive data protection for their citizens, irrespective of the data’s location.  The foremost example of this is the European Union’s (EU) General Data Protection Regulation (GDPR), 2016,  which applies to any entity that processes the personal data of its citizens, regardless of its location. Recently, India has enacted the DPDP Act of 2023, which includes a clause on extraterritorial application.

The Extraterritorial Approach: GDPR and DPDP Act

The GDPR is considered the toughest data privacy law in the world and sets a global standard in data protection. According to Article 3, its provisions apply not only to data processors within the EU but also to those established outside its territory, if they offer goods and services to and conduct behavioural monitoring of data subjects within the EU. The enforcement of this regulation relies on heavy penalties for non-compliance in the form of fines up to €20 million or 4% of the company’s global turnover, whichever is higher, in case of severe violations. As a result, corporations based in the USA, like Meta and Clearview AI, have been fined over  €1.5 billion and €5.5 million respectively, under the GDPR. 

Like the GDPR, the DPDP Act extends its jurisdiction to foreign companies dealing with personal data of data principles within Indian territory under section 3(b). It has a similar extraterritorial reach and prescribes a penalty of up to Rs 250 crores in case of breaches. However, the Act or DPDP Rules, 2025, which are currently under deliberation, do not elaborate on an enforcement mechanism through which foreign companies can be held accountable. 

Lessons for India’s DPDP on Managing Extraterritorial Application 

1. Clarity in Definitions: GDPR clearly defines ‘personal data’, covering direct information such as name and identification number,  indirect identifiers like location data, and, online identifiers that can be used to identify the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person. It also prohibits revealing special categories of personal data like religious beliefs and biometric data to protect the fundamental rights and freedoms of the subjects. On the other hand, the DPDP Act/ Rules define ‘personal data’ vaguely, leaving a broad scope for Big Tech and ad-tech firms to bypass obligations. 
2. International Cooperation: Compliance is complex for companies due to varying data protection laws in different countries. The success of regulatory measures in such a scenario depends on international cooperation for governing cross-border data flows and enforcement. For DPDP to be effective, India will have to foster cooperation frameworks with other nations. 
3. Adequate Safeguards for Data Transfers: The GDPR regulates data transfers outside the EU via pre-approved legal mechanisms such as standard contractual clauses or binding corporate rules to ensure that the same level of protection applies to EU citizens’ data even when it is processed outside the EU. The DPDP should adopt similar safeguards to ensure that Indian citizens’ data is protected when processed abroad.
4. Revised Penalty Structure: The GDPR mandates a penalty structure that must be effective, proportionate, and dissuasive. The supervisory authority in each member state has the power to impose administrative fines as per these principles, up to an upper limit set by the GDPR. On the other hand, the DPDP’s penalty structure is simplistic and will disproportionately impact smaller businesses. It must take into regard factors such as nature, gravity, and duration of the infringement, its consequences, compliance measures taken, etc.
5. Governance Structure: The GDPR envisages a multi-tiered governance structure comprising of   

• National-level Data Protection Authorities (DPAs) for enforcing national data protection laws and the GDPR, 
• European Data Protection Supervisor (EDPS) for monitoring the processing of personal data by EU institutions and bodies,  
• European Commission (EC) for developing GDPR legislation
• European Data Protection Board (EDPB) for enabling coordination between the EC, EDPS, and DPAs

In contrast, the Data Protection Board (DPB) under DPDP will be a single, centralized body overseeing compliance and enforcement. Since its members are to be appointed by the Central Government, it raises questions about the Board’s autonomy and ability to apply regulations consistently. Further, its investigative and enforcement capabilities are not well defined.

Conclusion 

The protection of the human right to privacy ( under the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights) in today’s increasingly interconnected digital economy warrants international standard-setting on cross-border data protection. In the meantime, States relying on the extraterritorial application of domestic laws is unavoidable. While India’s DPDP takes measures towards this, they must be refined to ensure clarity regarding implementation mechanisms. They should push for alignment with data protection laws of other States, and account for the complexity of enforcement in cases involving extraterritorial jurisdiction. As India sets out to position itself as a global digital leader, a well-crafted extraterritorial framework under the DPDP Act will be essential to promote international trust in India’s data governance regime.

Sources

• https://gdpr-info.eu/art-83-gdpr/ 
• https://gdpr-info.eu/recitals/no-150/ 
• https://gdpr-info.eu/recitals/no-51/ 
• https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf 
• https://www.eqs.com/compliance-blog/biggest-gdpr-fines/#:~:text=ease%20the%20burden.-,At%20a%20glance,In%20summary 
• https://gdpr-info.eu/art-3-gdpr/ 
• https://www.legal500.com/developments/thought-leadership/gdpr-v-indias-dpdpa-key-differences-and-compliance-implications/#:~:text=Both%20laws%20cover%20'personal%20data,of%20personal%20data%20as%20sensitive. 

‍

Introduction

The Department of Telecommunications (DoT) changed course just 48 hours after the directive dated December 1, 2025,  sparked controversy. On December 3, 2025, the department publicly reversed its directive to smartphone manufacturers to pre-install the Sanchar Saathi app starting in March of the following year. The withdrawal marked the ending of a tumultuous, quick-paced event that highlighted how dynamic digital policy can be in a democracy. 

‍

The DoT explained its move in calculated terms. The government said that the first mandate was no longer necessary due to an abrupt increase in voluntary app downloads brought on by the public furore. The agency stated , “The mandate to install the app was meant to accelerate the process because the number of users has been growing rapidly.”

‍

The app in question is not new. When it was first introduced in 2023, it was intended to be a public safety where people could report suspicious calls, identify numbers registered in their name, block stolen devices using their IMEI, confirm the authenticity of their handset, and report fraudulent international calls that were disguised as Indian numbers. The platform has quietly expanded over the past two years with features like utilities to check mobile connections, as well as Chakshu for reporting fraud. When used freely, it has helped numerous people in navigating the increasingly complex web of online scams. 

‍

Balancing Protection and Personal Freedom

In India, there isn’t much precedent for requiring all phones to have a certain government backed app installed. While operators supported TRAI’s DND app in 2018 and emergency numbers were integrated during the pandemic, they did not go into the territory of compulsory pre-installation.

‍

Legal experts have time and again pointed out that although the government can control telecommunications for security reasons, any mandatory action pertaining to personal devices may be subject to constitutional review under the right to privacy, as stated in the Puttaswamy ruling. Not because the app is flawed in and of itself, but rather because every transition from voluntary adoption to mandatory compliance necessitates a higher standard of necessity, proportionality, and protections.  

‍

The Pulse of the Policy

The DoT’s stated rationale was clear: fake, duplicated or spoofed IMEIs represent a major cyber-security threat. India currently faces some of the world’s highest levels of SIM misuse, digital impersonation, online extortion, and device cloning crimes. Even a small fraction of compromised devices can do great harm in a nation with over a billion active mobile users.

‍

The DoT’s AI and Digital Intelligence Unit, a small seven-person team in charge of SIM security, fighting illicit telecom setups, and collaborating with financial regulators on quickly changing fraud patterns, issued the Sanchar Saathi directive as part of a larger set of security-focused measures. One order required platforms such as WhatsApp to make sure that web sessions were terminated after six hours and that accounts only functioned when the registered SIM card was present in the device.

‍

When taken as a whole, these orders indicate a clear strategic goal, the government is working to close systemic gaps that organised crime, particularly identity theft and device-level fraud, exploits. However, they also highlight the complex relationship between public opinion and security requirements. The government’s quick reversal in the Sanchar Saathi case demonstrated a crucial realization: digital safety mechanisms can only be effective when people feel educated, valued, and in charge. 

‍

CyberPeace Perspective & The Middle Path

CyberPeace stated that whenever a digital tool comes into contact with identity, data, or mobile access, public concern is inevitable. However, it is also emphasised that Sanchar Saathi is not a surveillance tool, instead can empower citizens. 

Even with the rolled back mandate, it is reaffirmed that cornerstones of digital trust are accountability, openness, audits, and unambiguous permissions. India can maintain both safety and rights through responsible implementation, ethical design, and open communication. 

‍

References

1. https://www.thehindu.com/sci-tech/technology/what-is-the-sanchar-saathi-app-why-is-the-government-mandating-its-pre-installation/article70350322.ece
2. https://theprint.in/opinion/sharp-edge/sanchar-saathi-app-modi-govt/2797917/ 
3. https://www.pib.gov.in/PressReleasePage.aspx?PRID=2198110&reg=3&lang=2 
4. https://sancharsaathi.gov.in/SancharSaathiDocuments/ImportantDocuments/DoT%20issues%20directions%20for%20pre-installation%20of%20Sanchar%20Saathi%20App%20in%20mobile%20handsets%20to%20verify%20the%20genuineness%20of%20mobile%20handsets.pdf 
5. https://cyberpeace.org/resources/blogs/sanchar-saathi-portal-a-solution-for-mobile-phone-theft-and-data-protection
6. https://cyberpeace.org/resources/blogs/chakshu-and-dip-shielding-citizens-from-online-frauds
7. https://cyberpeace.org/resources/blogs/financial-risk-indicator-launched-by-dot-to-strengthen-cybersecurity

‍

Background

‍

Cyber slavery and online trafficking have become alarming challenges in Southeast Asia. Against this backdrop, India successfully rescued 197 of its citizens from Mae Sot in Thailand on November 10, 2025, using two Indian Air Force flights. The evacuees had fled Myanmar’s Myawaddy region in October after intense military operations forced them to escape. This was India’s second rescue effort within a week, following the November 6 mission that brought back 270 nationals from similar conditions. The operations were coordinated by the Indian Embassy in Bangkok and the Consulate in Chiang Mai, with crucial assistance from the Royal Thai Government.

‍

The Operation and Bilateral Cooperation

‍

The operation was carried out with the presence and supervision of Prime Minister Anutin Charnvirakul of Thailand and Indian Ambassador Nagesh Singh, who were both present at the ceremony in Mae Sot. This way, the two countries have not only proved but also cemented their bond to fight the crimes which were mentioned before and more than that, they have even promised to facilitate communication between their authorities. Prime Minister Charnvirakul thanked India for the quick intervention and added that Thailand would be giving the needed support for the repatriation of the other victims as well.

“Both parties reaffirmed their strong commitment to the fight against cross-border crimes, including cyber scams and human trafficking, in the region and to improving cooperation among the relevant agencies in both countries.”, Embassy of India, Bangkok.

‍

The Cyber Scam Network

‍

The Myawaddy area in Myanmar has made a quick shift to become a hotspot for the entire world of cybercrimes. Moreover, the crimes are especially committed by the organised criminal groups that take advantage of foreign nationals. After the Myanmar military imposed a restriction in late October, over 1,500 people from 28 nations moved to Thailand because of the KK Park cyber hub and other centres being raided.

A UN report (2025) indicated that this fraud activity is part of a larger network that extends the countries populated with very low-tech criminals who target the most naïve, and they are the very ones who end up being tortured. The trafficked persons often belong to the local population or come from neighbouring countries and are recruited with the promise of high salaries as IT or customer service agents, only to be imprisoned in a compound where they are forced to perform phishing, investment fraud, and cryptocurrency scams aimed at the victims all over the globe. These centres operate in border territories having poor governance, easy-to-cross borders, and little police presence, hence making human trafficking a major factor contributing to cybercrime.

‍

India’s Response and Preventive Measures

‍

The Indian Embassy in Thailand worked hand in hand with the Thai government to facilitate bringing back and repatriating the Indian citizens who had entered Thailand illegally when they were escaping Myanmar.

The embassy was far from helpless in the matter. In the case of the embassy's advisory, they suggested to the citizens that:

• It is mandatory to check the authenticity of the job offers and the agents before securing employment in other countries.
• Such employment by means of tourist or visa-free entry permits should be avoided, as such entries allow only for a short-duration visit or tourism.
• Be careful of ads claiming high pay for online or remote work in Southeast Asia.

‍

The embassy reiterated the Government of India’s commitment to ensuring easy access to assistance for citizens overseas and to addressing the growing intersection between cyber fraud and human trafficking.

‍

CyberPeace Analysis and Advisory

‍

The case of Myawaddy demonstrates that cybercrime and human trafficking have grappled to become a complicated global threat. The scam centres gradually come to depend on the trafficked labour of people who are being forced to commit the fraud digitally under coercion. This underlines the requirement for the cybersecurity measures that consider the rights of humans and the protection of the victims, not only the technical defence.

‍

1. Cybercrime–Human Trafficking Convergence: 

Cybercrime has moved up to the level of a human trafficking operation. The unwilling victims of such fraud schemes are scared for their very lives or even more, not of a reliable way out. This situation is such that one cannot tell where cyber exploitation ends and forced labour begins.

2. Cross-Border Enforcement Challenges:

To effectively carry out their unlawful acts, the criminals use legal and jurisdictional loopholes that are present across borders. Dismantling such networks requires the regional cooperation of India, Thailand, and ASEAN countries.

3. Socioeconomic Vulnerability:

The situation with unemployment being stagnant and the public not being educated about the situation makes people, especially the youth, very prone to scams of getting hired overseas. Thus, to prevent this uneducated flocking to the fraudsters, it is necessary to constantly implant in them the knowledge of online literacy and the importance of verification of job offers.

4. Public–Private Coordination: 

The scammers’ mode of operation usually includes online recruitment through social media and encrypted platforms where their victims can be found and contacted. In this regard, cooperation among government institutions, tech platforms, and civil society is imperative to put an end to the operation of these digital trafficking channels.

‍

CyberPeace Expert Advisory

To lessen the possibility of such incidents, CyberPeace suggests the following preventive and policy measures:

‍

Individuals:

‍

• Trust but verify: Before giving your approval to anything, always verify the job offer by official embassy websites or MEA-approved recruiting agencies first.
• Watch out for red flags: If a recruiter offers a very high salary for almost no work, asks for tourist visas, or gives no written contract, be very careful and pull out immediately.
• Protect your documents: Give a trusted person the responsibility of keeping both digital and physical copies of your passport and visa, and also register your travel with the MADAD portal.
• Report if in doubt: If an agent looks suspicious, contact the nearest Indian Embassy or Consulate or report it to cybercrime.gov.in or the 1930 Helpline.

‍

Policymakers and Agencies:

‍

• Strengthen Bilateral Task Forces: Set up armed forces of cyber and human trafficking enforcement units in South and Southeast Asian countries.
• Support Regional Awareness Campaigns: In addition to targeted advisories in local languages, the most vulnerable job seekers in Tier-2 and Tier-3 cities should also receive such awareness in their languages.
• Overseas Employment Advertising should be regulated: All digital job postings should be made to meet transparency standards and fraudulent recruitment should be punished with heavy fines.
• Invest in Digital Forensics and Intelligence Sharing: Create common databases for monitoring international cybercriminal groups.

‍

Conclusion

‍

The return of Indian citizens from Thailand represents a significant humanitarian and diplomatic milestone and highlights that cybercrime, though carried out through digital channels, remains deeply human in nature. International cooperation, well-informed citizens, and a rights-based cybersecurity approach are the minimum requirements for a global campaign against the new breed of cybercrime that is characterised by fraud and trafficking working hand in hand. CyberPeace reminds everyone that digital vigilance, verification, and collaboration across borders are the most effective ways to prevent online abuse and such crimes.

Reference

‍

• https://www.ndtv.com/india-news/197-indians-repatriated-from-thailand-by-special-indian-air-force-flights-9611934
• https://www.thehindu.com/news/national/india-airlifts-citizens-who-worked-in-myanmar-cybercrime-hub-from-thailand/article70264322.ece
• https://www.mea.gov.in/Images/attach/03-List-4-2024.pdf

‍