Transferring personal data outside India comes with restrictions under DPDPA. We explain the rules, exemptions, and how to set up compliant transfer mechanisms.
Section 16 of DPDPA adopts a "negative list" approach to cross-border data transfers: personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is a departure from GDPR's adequacy-based framework and creates a different set of compliance considerations for multinational organisations.
How the Negative List Works
Unlike GDPR, where transfers are restricted by default and you need a legal mechanism to justify each transfer, DPDPA allows transfers to all countries unless the government specifically blocks a destination. As of now, no countries have been placed on the restricted list. However, organisations should plan for the possibility that restrictions could be introduced with limited notice.
Practical Compliance Steps
Even though transfers are currently unrestricted, prudent organisations should maintain a clear record of all cross-border data flows including destination countries, categories of data transferred, the purpose of transfer, and the receiving entity. This documentation will be essential if restrictions are introduced and will demonstrate compliance during audits regardless.
Review your vendor contracts to ensure they include appropriate data protection clauses. While DPDPA does not mandate specific contractual mechanisms like GDPR's Standard Contractual Clauses, your agreements should clearly define the processor's obligations regarding data security, breach notification, and data deletion.
Preparing for Change
The government may introduce country-specific restrictions based on geopolitical or security considerations. Build flexibility into your infrastructure by identifying which data processing activities depend on cross-border transfers and developing contingency plans for localising processing if specific destinations are restricted. Organisations that proactively design for data localisation options will be better positioned to respond quickly when regulations change.
