Cross‑Border Data Transfers under the DPDP Act 2023
- By Taxmann
- Last Updated on 4 May, 2025
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), cross-border data transfers refer to the transmission of personal data by a Data Fiduciary from India to any country or territory outside India. Section 16 of the DPDP Act governs these transfers, adopting a "negative list" approach. By default, cross-border transfers are permitted, unless the Central Government specifically restricts transfers to certain countries or territories through official notification.
Table of Contents
- Introduction
- Legislative Text
- Assessing Adequacy – Draft Criteria (Expected)
- Conditions Precedent to Export
- Data‑Localisation Requirements Outside the DPDP Act
- Intra‑group Transfers – Binding Corporate Rules (BCR)
- Government Access & Cross‑Border Compliance
- Practical Checklist
- Penalty Exposure
- Conclusion
1. Introduction
Global supply chains, cloud hosting and offshore analytics make cross‑border data transfers routine. Section 16 of the Digital Personal Data Protection Act takes a “black‑list” approach – cross‑border data transfers are permitted unless the Central Government notifies a country or territory as restricted. This article explains the legal mechanics, future rule‑making and practical safeguards.
2. Legislative Text
“The Central Government may, after an assessment… restrict the transfer of personal data by a Data Fiduciary to any country or territory outside India.” — Section 16(1)
Key Implications –
- Default position – allowed (no consent‑based localisation).
- Negative‑list power – list published via Gazette notification.
- Applies to all personal data – the Act does not distinguish “sensitive” or “critical” tiers; sectoral regulators may do so.
3. Assessing Adequacy – Draft Criteria (Expected)
Factor | Possible Metrics |
Legal Framework | Existence of a comprehensive privacy law and an independent regulator. |
Enforcement | Penalty mechanisms, mutual legal‑assistance treaties (MLAT). |
Data‑security environment | CERT‑equivalent, breach reporting norms. |
Reciprocity & Diplomacy | Trade negotiations and data adequacy requests from foreign governments. |
Sovereignty/National‑security risk | Foreign surveillance laws and geopolitical alignment. |
The MEITY White‑Paper (Nov 2024) suggests a risk‑tier model (Green/Amber/Red countries). Expect formal Rules in 2025 Q3.
4. Conditions Precedent to Export
Even where the destination is not black‑listed, a Data Fiduciary must still—
- Have a lawful basis – consent or Section 7 legitimate use.
- Provide notice of transfer in the privacy policy.
- Implement contractual safeguards (“DPDP SCCs”) ensuring onward protection and breach‑notification parity.
- Map transfers in the DPIA (mandatory for Significant Data Fiduciaries).
- Maintain an audit trail of data categories, purpose and destination.
5. Data‑Localisation Requirements Outside the DPDP Act
Sector Regulator | Instrument | Local‑storage Mandate | Interaction with DPDP |
RBI | Payment Data Circular (2018) | End‑to‑end processing and storage of payments data in India (copy abroad for analysis after 24 hrs). | Continues – DPDP does not override stricter sectoral law. |
IRDAI | Health Insurance Regulations | Policyholder data to be “maintained in India”. | Coexists. |
DOT | Unified Licence | Subscriber databases in India. | Coexists. |
Fiduciaries must comply with both DPDP and sectoral localisation where applicable.
6. Intra‑group Transfers – Binding Corporate Rules (BCR)
Large multinationals may file BCRs with the DPB once a template is notified. These rules –
- Describe global privacy policy, security standards, and dispute mechanisms.
- Bind all affiliates & processors.
- After approval, transfers within that corporate group to non‑black‑listed jurisdictions proceed without separate SCCs.
7. Government Access & Cross‑Border Compliance
Foreign regulators or litigants may subpoena Indian Fiduciaries for data stored abroad. Nothing in Section 16 prohibits compliance, provided the transfer is not to a black‑listed state and another Indian law doesn’t bar disclosure (e.g., RBI secrecy).
8. Practical Checklist
Step | Action | Status |
1 | Map outbound data flows (app‑by‑app, vendor‑by‑vendor). | □ |
2 | Classify destination country risk (await the Govt list). | □ |
3 | Draft DPDP‑compliant SCC addendum for all export contracts. | □ |
4 | Update privacy notice – “We store data on AWS Singapore…” | □ |
5 | Implement transfer‑logging & breach relay from foreign processor. | □ |
9. Penalty Exposure
An unapproved transfer to a restricted country is treated as a breach of any other provision: a maximum of ₹50 crore per incidence, plus an order to cease transfers. If the breach also leads to a security incident, higher fines (₹250 crore) may be imposed.
10. Conclusion
Until the negative list is issued, international transfers remain lawful with consent and safeguards. Future-proof contracts are now in place, so only an annex update is needed when the Government publishes restrictions.