Cross-Border Data Transfer Rules Under DPDPA 2023: What Indian Businesses Must Know

In today's globalised economy, personal data routinely crosses national borders through cloud services, international partnerships, and global supply chains. For Indian businesses, understanding how the Digital Personal Data Protection Act 2023 (DPDPA) regulates cross-border data transfers is critical, whether you are a startup using international cloud infrastructure, a multinational operating in India, or an Indian company with overseas clients. The DPDPA takes a notably different approach from both the GDPR's adequacy framework and India's own earlier draft proposals, adopting a model that is broadly permissive but carries significant compliance requirements. Getting this right protects your business from regulatory penalties and ensures uninterrupted international operations.

Section 16 of the DPDPA establishes a blacklist approach to cross-border data transfers, meaning personal data can flow freely to any country or territory outside India except those specifically restricted by the Central Government. This is a significant departure from India's earlier regulatory proposals: the 2018 draft Personal Data Protection Bill proposed strict data localisation requiring all personal data to be mirrored in India, and the 2022 draft shifted to a whitelist system allowing transfers only to government-approved countries. The final DPDPA 2023 took a more business-friendly approach. Rule 14 of the DPDP Rules 2025 specifies that any entity processing personal data within India, or outside India in connection with offering goods or services to Indian data principals, may transfer data to foreign states provided it complies with any restrictions imposed by the Government. For Significant Data Fiduciaries (SDFs), additional obligations apply: certain categories of personal data and traffic data, as designated by the Central Government, must be processed exclusively within India and cannot be transferred outside the country. Importantly, several sector-specific data localisation requirements from bodies like the RBI and SEBI remain in effect alongside the DPDPA.

For businesses transferring data internationally, the practical steps are clear. First, monitor the Central Government's notifications for any countries added to the restricted list, as transfers to those jurisdictions will be prohibited. Second, if you operate in regulated sectors such as banking, insurance, or securities, comply with existing sector-specific data localisation requirements from the RBI, IRDAI, and SEBI in addition to the DPDPA. Third, review all your data processing agreements with international vendors and service providers to ensure they include appropriate protections and comply with DPDPA requirements. Fourth, maintain a comprehensive record of all cross-border data flows, including the nature of data transferred, destination countries, and the purpose of transfer. Certain categories of processing are exempt from cross-border restrictions, including processing necessary for enforcing legal rights, court functions, offence investigation, contracts with persons outside India, and court-approved corporate restructurings. If your organisation is likely to be designated as a Significant Data Fiduciary, begin preparing for stricter data localisation requirements now.

The cross-border data transfer framework under the DPDPA represents a significant shift toward a business-friendly model, but uncertainties remain. The Government has not yet published criteria for restricting transfers to specific countries, and no countries have been blacklisted as of March 2026. The designation of Significant Data Fiduciaries, expected in 2026, will trigger additional localisation obligations for major data processors. Most DPDPA provisions have an 18-month implementation window from November 2025, but companies should not wait until the deadline to begin compliance. The Sansa Kanoon Pranali Partners team advises businesses on cross-border data transfer compliance, data localisation strategy, and international data processing agreements. Whether you are navigating sector-specific requirements or preparing for SDF designation, we can help you build a compliant and efficient data transfer framework.