Executive Summary
India's DPDP Act introduces a unique "negative list" approach to cross-border data transfers - permitting transfers to all countries except those specifically restricted by the Central Government. As of January 2026, no countries have been restricted. This article analyzes the framework, compares it with global approaches, and provides compliance guidance for businesses managing international data flows.
Key Points:
- Section 16 permits transfers unless to "restricted territory"
- No restricted territories notified yet (all transfers currently permitted)
- Sectoral regulations may impose additional restrictions (RBI, SEBI, IRDAI)
- Government processing may have stricter localization requirements
- Framework may evolve as Data Protection Board becomes operational
Introduction
Data flows don't respect borders. Indian businesses process EU customer data, US cloud providers host Indian health records, and global supply chains share employee information across dozens of countries.
DPDP's Section 16 addresses this reality with a permissive default: transfer freely, unless restricted. This contrasts sharply with GDPR's restrictive default requiring adequacy decisions or safeguards.
Understanding this framework is essential for compliance planning.
Section 1: Legal Framework
Section 16: Transfer of Personal Data Outside India
"The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data."
Key Elements:
- Government Notification Power: Central Government determines permissible destinations
- Assessment-Based: Factors to be considered not prescribed in Act
- Negative List Model: Transfers allowed unless to notified restricted territory
- Data Fiduciary Focused: Obligation on transferor, not recipient
What Section 16 Does NOT Require
Unlike GDPR, DPDP does not require:
- Adequacy assessments of recipient country
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Transfer Impact Assessments
- Supplementary measures
Current Status (January 2026)
Restricted Territories Notified: NONE
Practical Effect: All cross-border transfers currently permitted under DPDP Act.
Caveat: Sectoral regulations may impose stricter requirements (see Section 4).
Section 2: The Negative List Concept
How It Works
DPDP Transfer Framework:
Question: Is destination on restricted list?
│
├─ NO → Transfer permitted (no conditions)
│
└─ YES → Transfer prohibited (or conditions apply)
Current Status:
Restricted List = [ ] (empty)
Result: All transfers permitted
Comparison with Other Approaches
| Jurisdiction | Approach | Default Position |
|---|---|---|
| India (DPDP) | Negative List | Permitted |
| EU (GDPR) | Adequacy + Safeguards | Restricted |
| China (PIPL) | Government Approval + Assessment | Restricted |
| Russia | Localization + Notification | Restricted |
| Brazil (LGPD) | Adequacy + Safeguards | Restricted |
| Japan (APPI) | Consent + Safeguards | Restricted |
Why India Chose This Approach
Arguments For Negative List:
- Business Friendly: Reduces compliance burden for international trade
- Practical: India is net data exporter; restrictions hurt own businesses
- Diplomatic: Avoids politically sensitive adequacy assessments
- Flexible: Government can act quickly if specific risks emerge
- Implementation Reality: No infrastructure for case-by-case assessment
Arguments Against:
- Weak Protection: No assurance of adequate protection abroad
- Sovereignty Concerns: Indian data freely accessible to foreign governments
- Reciprocity Issues: Other countries may not reciprocate openness
- Future Litigation: Data subjects have limited recourse if foreign breach occurs
Section 3: Potential Restricted Territory Criteria
Factors Government May Consider
While not prescribed in the Act, likely assessment factors include:
1. National Security Concerns
- Countries designated as threats
- Surveillance-heavy jurisdictions
- Lack of judicial oversight
2. Adequacy of Data Protection
- Existence of data protection law
- Independent supervisory authority
- Effective enforcement mechanisms
3. Diplomatic Considerations
- Trade relationships
- Bilateral agreements
- Retaliatory measures
4. International Commitments
- WTO obligations
- Trade agreement data provisions
- Mutual Legal Assistance Treaties
Speculative Restricted List
Based on global trends, potential future restrictions (speculative):
| Risk Level | Potential Territories | Basis |
|---|---|---|
| High | North Korea | Sanctions, no rule of law |
| Medium | Countries with no data protection law | Inadequate protection |
| Conditional | Countries with concerning surveillance | Conditional restrictions |
Important: This is speculative. No official indication of planned restrictions exists.
Section 4: Sectoral Overlay Regulations
RBI Data Localization (Payments)
Circular: April 2018 (Updated)
| Requirement | Details |
|---|---|
| Scope | Payment system data |
| Mandate | Store in India within 24 hours |
| Transfers | Permitted for processing, not storage |
| Enforcement | Strict; audit requirements |
Practical Effect: Payment processors must localize regardless of DPDP permissive approach.
SEBI Data Localization (Capital Markets)
Requirements:
- Stock exchange data: India storage required
- KYC records: Local retention mandatory
- Trading data: Cannot be primarily stored abroad
IRDAI (Insurance)
Requirements:
- Policyholder data: India storage preferred
- Claims data: Local processing for most categories
- Reinsurance: International transfers permitted with safeguards
NPCI (Payments Infrastructure)
UPI Data:
- Transaction data must reside in India
- Foreign payment apps must comply
- Audit mechanisms mandated
Telecom Data
DoT Requirements:
- CDR data: India storage mandatory
- Subscriber data: Local retention required
- Network data: Restrictions on foreign access
Consolidated Sectoral Matrix
| Sector | Regulator | Localization Required | DPDP Overlay |
|---|---|---|---|
| Payments | RBI | Yes (strict) | Sectoral prevails |
| Capital Markets | SEBI | Yes (moderate) | Sectoral prevails |
| Insurance | IRDAI | Partial | DPDP may apply to gaps |
| Telecom | DoT | Yes (CDR/subscriber) | Sectoral prevails |
| Healthcare | None specific | No | DPDP governs |
| E-commerce | None specific | No | DPDP governs |
| IT Services | None specific | No | DPDP governs |
Section 5: Government Data Special Provisions
Processing for State Functions
Section 7(b): Processing for performance of State functions permitted as legitimate use.
Section 17: Central Government may exempt government agencies from DPDP provisions.
Government-to-Government Transfers
Likely Treatment:
- International treaties and agreements may govern
- MLATs (Mutual Legal Assistance Treaties) provide framework
- Intelligence sharing governed by separate frameworks
- DPDP may not restrict government-to-government transfers
Public Sector Procurement
Emerging Practice:
- Government tenders increasingly require India hosting
- Localization becoming de facto requirement for government contracts
- Not DPDP mandated but procurement policy driven
Section 6: Practical Compliance Framework
Step 1: Map Data Flows
Data Flow Mapping Template:
Data Category: [Customer Data / Employee Data / Operational Data]
│
├─ Source: India
├─ Destination Countries: [List]
├─ Purpose: [Processing / Storage / Backup]
├─ Volume: [Records per year]
├─ Sensitivity: [High / Medium / Low]
├─ Sectoral Regulation: [RBI / SEBI / IRDAI / None]
└─ Current Legal Basis: [Contract / Consent / Legitimate Use]
Step 2: Check Sectoral Requirements
Decision Tree:
Is data subject to sectoral regulation?
│
├─ YES (Payments) → Apply RBI localization rules
├─ YES (Securities) → Apply SEBI requirements
├─ YES (Insurance) → Apply IRDAI guidelines
├─ YES (Telecom) → Apply DoT requirements
│
└─ NO → DPDP Section 16 governs (currently permissive)
Step 3: Monitor Restricted List
Recommended Actions:
- Subscribe to Government Notifications: Track MeitY/DPA announcements
- Industry Association Alerts: CII, NASSCOM, FICCI provide updates
- Legal Counsel Updates: Periodic compliance reviews
- Automated Monitoring: News alerts for "DPDP restricted territory"
Step 4: Prepare for Future Restrictions
Proactive Measures:
Preparation Checklist:
□ Identify critical data flows by destination
□ Assess business impact if each destination restricted
□ Identify alternative processing locations
□ Review contracts for restriction clauses
□ Build data localization capability (even if not required)
□ Document transfer justifications
□ Create rapid response plan for new restrictions
Section 7: Contractual Safeguards (Voluntary)
Why Use Safeguards Without Legal Requirement?
- Business Continuity: If restrictions come, you're prepared
- Customer Assurance: Demonstrates commitment to protection
- GDPR Compliance: Needed anyway for EU data
- Risk Management: Reduces liability if foreign breach occurs
- Competitive Advantage: Privacy-conscious customers prefer safeguarded transfers
Recommended Contractual Provisions
Data Processing Agreement Clauses:
CROSS-BORDER TRANSFER PROVISIONS
1. TRANSFER LOCATIONS
Processor may transfer Personal Data to: [List countries]
2. SAFEGUARDS
Processor shall implement:
(a) Encryption in transit and at rest
(b) Access controls limiting personnel access
(c) Breach notification within 24 hours
(d) Data subject rights cooperation
3. SUBPROCESSOR CONTROLS
Any subprocessor must:
(a) Be located in approved territory
(b) Execute equivalent safeguard commitments
(c) Be disclosed to Data Fiduciary
4. AUDIT RIGHTS
Data Fiduciary may audit transfer safeguards annually
5. REGULATORY CHANGE
If destination becomes restricted territory:
(a) Processor shall notify within 48 hours
(b) Parties shall negotiate alternative arrangements
(c) Data Fiduciary may terminate if no alternative viable
Standard Contractual Clauses (India Version)
No official Indian SCCs exist. Options:
- Adapt EU SCCs: Modify GDPR SCCs for India context
- Industry Templates: NASSCOM/CII may develop templates
- Custom Drafting: Bespoke provisions per relationship
- Wait for Guidance: Data Protection Board may issue templates
Section 8: International Agreements Impact
Trade Agreements with Data Provisions
India-UAE CEPA (2022):
- Facilitates data flows
- No localization mandates
- Cross-border services enabled
India-Australia ECTA (2022):
- Digital trade chapter
- Data flow facilitation
- Source code protection
RCEP (Not Signed by India):
- India opted out partly due to data concerns
- Shows sensitivity to unrestricted data flows
Bilateral Data Sharing Arrangements
India-US:
- No comprehensive data agreement
- Case-by-case cooperation
- CLOUD Act implications uncertain
India-EU:
- No adequacy decision for India
- SCCs required for EU → India transfers
- Trade agreement negotiations ongoing
Impact on DPDP Implementation
Trade commitments may influence:
- Which countries get restricted
- Conditions attached to transfers
- Reciprocal treatment expectations
Section 9: Future Scenarios
Scenario 1: Status Quo Continues
Assumption: No restricted territories notified for 2-3 years
Implications:
- Business as usual for international operations
- Focus on sectoral compliance
- Voluntary safeguards differentiator
- Monitor for changes
Scenario 2: Targeted Restrictions
Assumption: Specific countries restricted based on security concerns
Implications:
- Quick assessment of affected data flows
- Identify alternative processing locations
- Update contracts and notices
- May need data repatriation
Scenario 3: Adequacy-Like System
Assumption: India adopts positive list (like GDPR adequacy)
Implications:
- Fundamental shift in approach
- SCCs/BCRs may become necessary
- Significant compliance investment
- Detailed guidance needed
Scenario 4: Reciprocity-Based Restrictions
Assumption: Restrictions based on how India data treated abroad
Implications:
- US Section 702 surveillance concerns
- China data security law impact
- Geopolitically driven decisions
- Business caught in diplomatic crossfire
Section 10: Compliance Recommendations
For Indian Companies with Global Operations
Priority Actions:
1. IMMEDIATE
□ Map all cross-border data flows
□ Identify sectoral regulation applicability
□ Verify current compliance with RBI/SEBI/IRDAI
□ Document legitimate purpose for each flow
2. SHORT-TERM (3-6 months)
□ Update privacy notices to disclose transfers
□ Review processor agreements for transfer provisions
□ Build monitoring mechanism for restricted list
□ Train relevant teams on transfer requirements
3. MEDIUM-TERM (6-12 months)
□ Assess data localization feasibility
□ Develop restriction response plan
□ Consider voluntary safeguards implementation
□ Engage with industry associations on guidance
For Multinational Companies Operating in India
Priority Actions:
1. IMMEDIATE
□ Audit India → HQ data flows
□ Confirm DPDP registration requirements
□ Appoint India Grievance Officer
□ Check sectoral applicability
2. SHORT-TERM
□ Update global privacy framework for India
□ Ensure GDPR SCCs cover India transfers
□ Review intra-group data sharing agreements
□ Implement India-specific consent mechanisms
3. MEDIUM-TERM
□ Consider India data center for localization readiness
□ Build India-specific compliance dashboard
□ Engage local counsel for ongoing monitoring
□ Participate in industry consultation processes
For Startups and SMEs
Priority Actions:
1. ESSENTIALS
□ Understand where your data goes
□ Check if RBI/SEBI rules apply
□ Basic privacy notice with transfer disclosure
2. GROWTH PHASE
□ Processor agreements with transfer clauses
□ Consider India cloud hosting for simplicity
□ Monitor restriction announcements
3. SCALE PHASE
□ Formal data mapping exercise
□ Global compliance framework
□ Dedicated compliance resource
Section 10A: Judicial Precedents on Cross-Border Data and International Cooperation
While DPDP's cross-border provisions are new, Indian courts have addressed related issues of international data sharing, privacy in cross-border contexts, and regulatory authority over data transfers.
1. Justice K.S. Puttaswamy v. Union of India (2017) - Constitutional Foundation
| Aspect | Details |
|---|---|
| Citation | Writ Petition (Civil) No. 494 of 2012 |
| Bench | Nine-Judge Constitution Bench |
| Date | 24-08-2017 |
Relevance to Cross-Border Transfers:
The Puttaswamy judgment establishes that informational privacy is a fundamental right under Article 21. This has significant implications for cross-border data transfers:
"Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well."
Key Principles for Cross-Border Context:
- Any transfer that exposes Indian citizens' data to foreign surveillance must be justified
- Proportionality test applies: legitimate aim, necessity, least restrictive means
- Government must demonstrate that restrictions (or permissions) serve constitutional objectives
DPDP Section 16 Implication: The negative list approach must be exercised consistently with constitutional privacy protections. Unrestricted transfers to surveillance-heavy jurisdictions may face constitutional challenge.
2. Union of India v. Suhas Chakma (2016) - MLAT and Cross-Border Legal Cooperation
| Aspect | Details |
|---|---|
| Citation | WP(C)/5086/2010 |
| Court | High Court of Delhi |
| Date | 01-04-2016 |
Facts: The Central Information Commission ordered disclosure of a Commission Rogatoire (formal request for judicial assistance) received from a Swiss court under the India-Switzerland Mutual Legal Assistance Treaty (MLAT).
Holding: The Delhi High Court quashed the CIC order:
"Information related to mutual legal assistance and ongoing investigations is exempt under Section 8(1)(h) of the RTI Act. The MLAT provisions establishing confidentiality in cross-border legal cooperation must be respected."
Key Principles:
- International treaties on data/information sharing create binding confidentiality obligations
- Cross-border legal cooperation requires protection from casual disclosure
- Government may restrict access to information shared under MLATs
- Diplomatic sensitivity is a legitimate consideration
DPDP Relevance: This judgment supports the government's power to impose restrictions on data transfers based on treaty obligations and diplomatic considerations - informing how the Section 16 restricted list may be developed.
3. Union of India v. R. Jayachandran (2014) - Third Party Personal Information Protection
| Aspect | Details |
|---|---|
| Citation | W.P.(C) 3406/2012 |
| Court | High Court of Delhi |
| Judgment Importance | Land Mark Judgment |
| Date | 19-02-2014 |
Facts: The CIC ordered the Ministry of External Affairs to provide passport copies and identity documents of third parties without following the third-party notice procedure.
Holding: The Delhi High Court set aside the CIC order:
"The CIC failed to follow the mandatory third party procedure under Sections 11 and 19(4) of the RTI Act before ordering release of personal information. Personal data of individuals cannot be disclosed without examining whether larger public interest justifies such disclosure."
Key Principles:
- Third party personal information requires procedural protection before disclosure
- Public interest test must be applied to data sharing decisions
- Identity documents (passport, birth certificates) are protected personal information
- Systemic safeguards (notice, hearing) are mandatory before cross-border or any disclosure
DPDP Relevance: Establishes the principle that personal data transfers - whether domestic or international - require procedural safeguards and public interest justification.
4. Lotus Pay Solutions v. Union of India (2022) - RBI Regulatory Authority
| Aspect | Details |
|---|---|
| Citation | W.P (C) 8215/2020 |
| Court | High Court of Delhi |
| Date | 15-09-2022 |
Facts: Payment aggregators challenged RBI's 2020 Guidelines mandating authorization, net-worth requirements, and escrow accounts for payment system operators.
Holding: The Delhi High Court upheld RBI's regulatory authority:
"Payment aggregators are 'designated payment systems' under the Payment and Settlement Systems Act, 2007. RBI's guidelines on authorization, capital adequacy, and data handling are within statutory powers and serve public interest."
Key Principles:
- Sectoral regulators (RBI, SEBI, IRDAI) have valid authority over data within their domains
- Payment data localization requirements are constitutionally valid
- Functional analysis, not formal labels, determines regulatory coverage
- Public interest justifies reasonable restrictions on data handling
DPDP Relevance: Confirms that DPDP's permissive cross-border approach is subject to sectoral overrides. RBI data localization requirements prevail regardless of Section 16's general permissiveness.
5. Shiva Kant Jha v. Union of India (2009) - Treaty-Making Power and Data Sharing
| Aspect | Details |
|---|---|
| Citation | WP (C) No. 1357 of 2007 |
| Court | High Court of Delhi |
| Date | 11-11-2009 |
Facts: A PIL challenged the executive's power to enter into Double Taxation Avoidance Agreements (DTAAs) and information exchange arrangements without parliamentary approval.
Holding: The Delhi High Court upheld executive treaty-making power:
"Executive treaty-making under Article 73, supported by Section 90 of the Income Tax Act, is constitutionally permissible. Parliamentary approval is required only when a treaty impinges on citizens' fundamental rights."
Key Principles:
- Executive has broad power to enter international data-sharing agreements
- Information exchange treaties (tax, legal assistance) are valid without parliamentary legislation
- Judicial intervention limited to cases affecting fundamental rights
- Government has flexibility in managing international data cooperation
DPDP Relevance: The government's power to develop the Section 16 restricted list and enter data-sharing arrangements with other countries rests on similar executive authority. Challenges will succeed only if fundamental rights (including privacy per Puttaswamy) are infringed.
Summary: Judicial Framework for Cross-Border Data Transfers
| Principle | Source | DPDP Application |
|---|---|---|
| Privacy as Fundamental Right | Puttaswamy (2017) | Transfers must respect constitutional privacy |
| Treaty Confidentiality | Suhas Chakma (2016) | MLAT obligations affect transfer decisions |
| Third Party Protection | Jayachandran (2014) | Procedural safeguards required for transfers |
| Sectoral Override | Lotus Pay (2022) | RBI/SEBI localization prevails over Section 16 |
| Executive Treaty Power | Shiva Kant Jha (2009) | Government has broad power for data agreements |
Conclusion
DPDP's negative list approach to cross-border transfers creates a permissive environment for international data flows - at least for now. Key takeaways:
| Aspect | Current Status | Future Outlook |
|---|---|---|
| General Transfers | Permitted to all | May see some restrictions |
| Sectoral Data | Localization applies | Unlikely to relax |
| Government Data | Case-by-case | May tighten |
| Safeguards | Voluntary | May become mandatory |
| Restricted List | Empty | Will eventually populate |
Strategic Recommendation:
- Enjoy current flexibility but don't build dependencies on unrestricted access
- Maintain sectoral compliance as the binding constraint today
- Build localization capability even if not currently required
- Implement voluntary safeguards for competitive advantage and future-proofing
- Monitor actively for restriction announcements
The negative list approach is elegant in theory but its effectiveness depends on how the Government exercises notification power. Until clarity emerges, businesses should maintain flexible architectures capable of adapting to future requirements.