10 May 2026 · compliance.hjlabs.in

Cross-Border Data Transfer Rules Under DPDPA

India's previous draft data protection bills (PDPB 2019, DPDP Bill 2022) included aggressive data localisation requirements that worried global businesses. The final DPDPA, 2023 took a much more permissive approach: cross-border transfer is allowed by default. But "by default" has nuances. Here's how Section 16 actually works.

Section 16 in plain English

The text reads, in effect: a Data Fiduciary may transfer personal data outside India, except to such country or territory outside India as the Central Government may, by notification, restrict.

So:

This is genuinely simpler than GDPR for most businesses.

Sectoral overlays still apply

The DPDPA does not displace existing sectoral rules:

If you operate in any of these sectors, the DPDPA's permissive default does not give you a free pass — sectoral rules still bind you.

Which countries might get blacklisted?

As of 2027, no country has been formally restricted under Section 16. The Government has signaled that any restrictions will be:

Countries that could see future restriction: jurisdictions where Indian data has been shown to be inadequately protected, or where geopolitical tensions are high. Watch MeitY notifications.

Practical implications for your stack

If you use AWS, GCP, Azure

You can use any region. Many businesses default to ap-south-1 (Mumbai) for latency reasons, but DPDPA does not force this. If you have a global footprint, multi-region deployment is fine.

If you use Cloudflare, Fastly, Akamai

CDN edge caching of personal data is fine. Cloudflare's Workers run globally — also fine.

If you use Stripe, Razorpay, payment processors

Razorpay is India-based, so no transfer issue. Stripe processes data globally — RBI's payment data localisation may apply if you handle Indian card data through Stripe; check your specific flow.

If you use OpenAI, Anthropic, Gemini

Sending user prompts to a US-based LLM is a cross-border transfer. Allowed by default under DPDPA. But check: are you sending personal data? If so, your privacy policy must disclose this, and your consent must cover AI processing.

If you use SendGrid, Mailgun, Postmark

Email service providers based outside India are allowed. List each one as a sub-processor in your privacy notice.

What you must document

Even though transfers are permitted by default, you must:

  1. List all foreign sub-processors in your privacy policy and an internal RoPA
  2. Have a Data Processing Agreement (DPA) with each foreign processor that flows down DPDPA obligations
  3. Monitor MeitY notifications for new restrictions and have a contingency plan to migrate restricted-country processing back to India
  4. Disclose transfers in the privacy notice per Section 5

Comparing DPDPA cross-border to GDPR

| Aspect | GDPR | DPDPA |
|---|---|---|
| Default | Restricted | Allowed |
| Adequacy | EU Commission decision | Not required |
| SCCs | Mandatory if no adequacy | Not required |
| BCRs | For intra-group transfers | Not required |
| DPIA for transfers | Often required | Not specifically required |

The defensible cross-border posture

Even with permissive defaults, the smart approach is:

  1. Inventory all cross-border data flows
  2. Categorise by sensitivity (general account data, financial, health, biometric)
  3. Have signed DPAs with all foreign processors
  4. Disclose foreign processors transparently in the privacy notice
  5. Have a 30-day migration plan for any flow that becomes restricted

This is the same hygiene as GDPR — minus the SCC paperwork.

Bottom line

Section 16 is the part of the DPDPA where India chose business-friendliness over data localisation absolutism. Use that flexibility, but document everything and monitor for changes. Checklist item 12 walks the operational steps. Our generator includes the cross-border disclosure language by default.
