Cross-Border Data Transfer Under the DPDP Act 2023: What the Rules Actually Require
The Digital Personal Data Protection Act 2023, in force from a date to be appointed by the Central Government, ends the regulatory uncertainty that surrounded the predecessor IT Rules 2011 on data transfer outside India. The Act introduces a framework that is, by design, simpler than the GDPR adequacy regime and more permissive than the Personal Data Protection Bill 2019 would have been. Section 16 of the DPDP Act establishes the cross-border transfer rule. The DPDP Rules, notified in April 2025 and now in force, supply the operational detail.

The result is a regime that, in practice, permits cross-border transfer to most jurisdictions by default but reserves to the Central Government a notification power to restrict transfer to specified countries or territories. For commercial counsel advising Indian fiduciaries and processors, the practical question shifts from “is this transfer permitted” to “have we built the compliance architecture that lets us respond when the negative list changes”.

The Statutory Framework

Section 16(1) of the DPDP Act 2023 reads, in substance, that the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. The drafting is deliberately negative. Transfer is permitted by default. Restriction applies only where the Government acts.

Section 16(2) carves out a saving for any law in force in India that provides for a higher degree of protection on transfer outside India. The most relevant such law, for practitioners, is the RBI’s data localisation directive of 2018, which requires payment-system data to be stored only in India. The DPDP Act does not relax that requirement. Where sector-specific law is stricter, the sector-specific law governs.

The Rules: Operational Detail

The DPDP Rules 2025 supply the procedural detail that Section 16 does not. Three operational requirements follow.

One. Notice and consent under Section 5 of the Act remain the foundation. Where personal data is collected with the data principal’s consent, the notice that accompanies the consent request must specify, in clear and plain language, the categories of personal data being collected, the specific purpose, and the manner in which the data principal may exercise the rights under the Act, including the right to grievance redress. Cross-border transfer should be addressed in the notice where it is contemplated.

Two. The notification mechanism for restricted countries is administered by the Ministry of Electronics and Information Technology. The Government has not, as at the date of this article, issued a notification under Section 16 restricting any country. Counsel should expect the first notifications to be specific and narrow, targeted at jurisdictions with poor enforcement records or particular geopolitical considerations, rather than a blanket adequacy assessment in the GDPR mode.

Three. Significant Data Fiduciaries, designated under Section 10 of the Act, carry additional obligations. The list of Significant Data Fiduciaries, when issued by the Government, will cover entities by reference to volume of personal data processed, sensitivity of the data, and risk to electoral democracy or sovereignty of India. Significant Data Fiduciaries must appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments, and engage an independent data auditor. Cross-border transfer by a Significant Data Fiduciary is permitted, but the audit and DPIA documentation must explicitly cover such transfers.

The Compliance Architecture an Indian Fiduciary Needs

The practical compliance architecture, for an Indian Data Fiduciary engaged in cross-border transfer, sits on six pillars.

First, a Data Protection Notice that satisfies Section 5(1) of the Act, calls out cross-border transfer where applicable, and is presented before the personal data is collected.

Second, a Records of Processing Activities (RoPA), maintained by the Data Fiduciary, that captures the categories of personal data, the purposes, the recipients including overseas recipients, the retention period, and the safeguards applied.

Third, a Cross-Border Transfer Register that tracks the receiving country, the recipient entity, the categories transferred, the legal basis under the receiving country’s law, and the contractual safeguards.

Fourth, Standard Contractual Clauses or Data Processing Agreements with overseas recipients. These do not replace consent under the Act, but they discharge the Data Fiduciary’s accountability obligation under Section 8.

Fifth, a Notification Watch process. Where the Government issues a Section 16 notification restricting transfer to a particular country, the Data Fiduciary must, within a reasonable period, suspend transfer to that country and re-route through an alternative jurisdiction. The contract with the overseas recipient should carry an early-termination right tied to such notification.

Sixth, a Grievance Redress Mechanism under Section 8(10) of the Act that data principals can access without recourse to the Data Protection Board in the first instance.

Commercial Implications

The DPDP framework on cross-border transfer is materially friendlier to Indian businesses, particularly outsourced-services and SaaS providers, than the equivalent GDPR adequacy regime would be. The default-permitted approach reduces the legal due diligence cost of entering new markets and of integrating with overseas platforms. For Indian start-ups offering SaaS to enterprise customers in the United States, the United Kingdom, the European Union, Singapore, Australia, and the Gulf, the architecture is straightforward.

The commercial risk concentrates in three areas. First, the unpredictability of the Section 16 notification power. The Government has discretion to restrict transfer to any country at any time. Contracts with overseas recipients should accommodate this risk. Second, sector-specific overlay. Banking, insurance, healthcare, and certain telecom data carry sectoral data localisation requirements that survive the DPDP regime. Third, the Significant Data Fiduciary designation. Once a fiduciary is so designated, the audit and DPIA discipline becomes mandatory and operational compliance costs increase materially.

Practitioner Checklist

  • Has the Notice been redrafted to satisfy Section 5(1) of the DPDP Act 2023 with specific cross-border language?
  • Is the Records of Processing Activities up to date with overseas recipients identified?
  • Is the Cross-Border Transfer Register established and maintained?
  • Are Standard Contractual Clauses or DPAs in place with all overseas recipients?
  • Is there a Notification Watch process to monitor MeitY publications under Section 16?
  • Is the Grievance Redress Mechanism documented and accessible to data principals?
  • If the Data Fiduciary is likely to be designated as Significant, are DPO, DPIA, and data auditor arrangements in train?

Conclusion

The DPDP Act 2023 cross-border transfer framework is permissive by design and procedural in execution. The work for counsel and compliance officers is not to obtain ex ante approval but to build the compliance architecture that can respond when the Government, exercising its Section 16 power, restricts transfer to a particular country. The architecture is documentation-heavy, contract-driven, and watch-list aware. Indian Data Fiduciaries that build it now are well-positioned for the next phase of the regime.

Endnotes

1. Digital Personal Data Protection Act 2023, Sections 5, 8, 10, and 16.

2. Digital Personal Data Protection Rules 2025, as notified by the Ministry of Electronics and Information Technology.

3. RBI Notification dated 6 April 2018, Storage of Payment System Data (DPSS.CO.OD No. 2785/06.08.005/2017-18).

4. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, superseded in the relevant respects by the DPDP Act.
