Cross-Border Data Transfer Under DPDPA: What Indian Businesses Need to Know
- Kaustav Chowdhury

- 22 hours ago
For Indian businesses that use cloud services, employ overseas vendors, or serve international customers, the rules governing cross-border transfer of personal data under the Digital Personal Data Protection Act, 2023 (DPDPA) are among the most critical provisions to understand. As data flows across jurisdictions in the normal course of business operations, companies must know where their data is stored, processed, and transferred, and whether any restrictions apply. The DPDP Rules notified in November 2025 have provided the operational framework for these transfers, but important uncertainties remain that require careful legal planning.
Section 16 of the DPDPA adopts a negative list or blacklist approach to cross-border data transfers. This means personal data can be freely transferred to any country or territory outside India except those specifically restricted by the Central Government through official notification. As of March 2026, no country has been placed on this blacklist, which means businesses may currently transfer personal data internationally without requiring specific mechanisms such as standard contractual clauses or adequacy determinations that are common under the European Union's GDPR. However, the Central Government retains unfettered discretion to restrict transfers to any country at any time without transparent criteria or advance notice, creating a layer of regulatory uncertainty. Additionally, sector-specific data localisation requirements continue to apply separately. The Reserve Bank of India mandates that payment system data be stored in India, and SEBI has its own data storage requirements for regulated entities.
Businesses must take several practical steps to manage cross-border data transfer compliance. First, conduct a thorough data mapping exercise to identify where personal data is stored and processed, including by third-party vendors, cloud service providers, and overseas subsidiaries. Second, monitor government notifications for any additions to the restricted country list, as transfers to blacklisted jurisdictions would need to cease immediately. Third, Significant Data Fiduciaries face heightened obligations and may be required to ensure that certain categories of personal data and associated traffic data are not transferred outside India at all, as specified by the Central Government. Fourth, ensure that all cross-border transfers are covered by appropriate contractual protections. Although the DPDPA does not currently mandate standard contractual clauses, vendor agreements should address data security, breach notification, and compliance with Indian law requirements.
The DPDPA's approach to cross-border transfers is notably more permissive than the GDPR at this stage, but this may change as the regulatory framework matures. The government's power to restrict transfers without prior notice means businesses must build flexibility into their data architecture. The phased implementation timeline, with full compliance required by May 2027, provides a window to prepare. Companies should also consider whether exemptions apply to their processing activities, including processing necessary for enforcing legal rights, processing by courts or regulatory bodies, and processing of data of individuals located outside India pursuant to contracts. Sansa Kanoon Pranali Partners advises businesses on data transfer compliance strategies, data localisation assessments, and contractual frameworks for international data flows under the DPDPA.