Cross-Border Data Transfer Rules Under DPDPA
India's previous draft data protection bills (PDPB 2019, DPDP Bill 2022) included aggressive data localisation requirements that worried global businesses. The final DPDPA, 2023 took a much more permissive approach: cross-border transfer is allowed by default. But "by default" has nuances. Here's how Section 16 actually works.
Section 16 in plain English
The text reads, in effect: a Data Fiduciary may transfer personal data outside India, except to such country or territory outside India as the Central Government may, by notification, restrict.
So:
- Default allowed — every country, every cloud provider, every SaaS vendor
- Government can blacklist — by gazette notification
- No whitelist requirement — unlike GDPR's adequacy regime, you do not have to point to a positive determination
- No SCCs / BCRs requirement — unlike GDPR, there is no mandated transfer mechanism
This is genuinely simpler than GDPR for most businesses.
Sectoral overlays still apply
The DPDPA does not displace existing sectoral rules:
- RBI — payment data localisation circular (Apr 2018) requires payment data to be stored in India
- IRDAI — insurance customer data localisation rules
- SEBI — certain categories of broker/depository data must remain in India
- National Health Mission — health data localisation (proposed)
If you operate in any of these sectors, the DPDPA's permissive default does not give you a free pass — sectoral rules still bind you.
Which countries might get blacklisted?
As of 2027, no country has been formally restricted under Section 16. The Government has signalled that any restrictions will be:
- Reciprocity-driven (countries that block Indian data flows)
- National security-driven (countries with hostile intelligence interest)
- Specific to data categories (rather than blanket bans)
Countries that could see future restriction: jurisdictions where Indian data has been shown to be inadequately protected, or where geopolitical tensions are high. Watch MeitY notifications.
Practical implications for your stack
If you use AWS, GCP, Azure
You can use any region. Many businesses default to ap-south-1 (Mumbai) for latency reasons, but DPDPA does not force this. If you have a global footprint, multi-region deployment is fine.
If you use Cloudflare, Fastly, Akamai
CDN edge caching of personal data is fine. Cloudflare's Workers run globally — also fine.
If you use Stripe, Razorpay, payment processors
Razorpay is India-based, so no transfer issue. Stripe processes data globally — RBI's payment data localisation may apply if you handle Indian card data through Stripe; check your specific flow.
If you use OpenAI, Anthropic, Gemini
Sending user prompts to a US-based LLM is a cross-border transfer. Allowed by default under DPDPA. But check: are you sending personal data? If so, your privacy policy must disclose this, and your consent must cover AI processing.
If you use SendGrid, Mailgun, Postmark
Email service providers based outside India — allowed. List as sub-processor in your privacy notice.
What you must document
Even though transfers are permissive, you must:
- List all foreign sub-processors in your privacy policy and in an internal Record of Processing Activities (RoPA)
- Have a Data Processing Agreement (DPA) with each foreign processor that flows down DPDPA obligations
- Monitor MeitY notifications for new restrictions and have a contingency plan to migrate restricted-country processing back to India
- Disclose transfers in the privacy notice per Section 5
Comparing DPDPA cross-border to GDPR
| Aspect | GDPR | DPDPA |
|---|---|---|
| Default | Restricted | Allowed |
| Adequacy | EU Commission decision | Not required |
| SCCs | Mandatory if no adequacy | Not required |
| BCRs | For intra-group transfers | Not required |
| DPIA for transfers | Often required | Not specifically required |
The defensible cross-border posture
Even with permissive defaults, the smart approach is:
- Inventory all cross-border data flows
- Categorise by sensitivity (general account data, financial, health, biometric)
- Have signed DPAs with all foreign processors
- Disclose foreign processors transparently in the privacy notice
- Have a 30-day migration plan for any flow that becomes restricted
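The inventory, DPA, disclosure and migration-plan items above, together with the sectoral overlays and the "What you must document" list, reduce to a check you can run over a flow register. The script below is an added example, not code from the original article or any tool it mentions: every processor, territory and flow is a constructed sample, the restricted-territory set is empty because the article states no country has been restricted under Section 16, and the only sectoral rule encoded is the RBI payment-data localisation the article cites. It also answers the contingency question the 30-day plan needs ("which flows would I have to move if territory X were notified?") for any territory, which goes a step beyond the text.

```python
"""Cross-border data-flow inventory check (constructed example).

Assesses each flow for: a Section 16 restricted territory, a sectoral
localisation overlay (RBI payment data), a missing DPA, and a missing
privacy-notice/RoPA disclosure. Also computes migration exposure for a
hypothetical future restriction of a given territory.
"""
from dataclasses import dataclass

# Constructed: empty because no territory is restricted under s.16 as of the
# article. Populate from MeitY gazette notifications if/when they appear.
RESTRICTED_TERRITORIES: frozenset = frozenset()

# Sectoral overlays: data category -> the only territory it may be stored in.
# Only the RBI payment-data localisation circular (Apr 2018) is encoded here;
# add IRDAI/SEBI categories from their own rules if they apply to you.
SECTORAL_LOCALISATION = {"payment": "IN"}


@dataclass(frozen=True)
class Flow:
    processor: str        # sub-processor name (constructed sample values below)
    territory: str        # ISO 3166-1 alpha-2 code of the processing location
    categories: frozenset # data categories carried, e.g. {"account", "payment"}
    dpa_signed: bool      # Data Processing Agreement flowing down DPDPA duties
    disclosed: bool       # listed in the privacy notice (s.5) and the RoPA


@dataclass(frozen=True)
class Finding:
    processor: str
    issue: str
    action: str


def is_cross_border(flow: Flow) -> bool:
    return flow.territory != "IN"


def assess(flow: Flow, restricted: frozenset = RESTRICTED_TERRITORIES) -> list:
    """Return the compliance findings for one flow (empty list == clean)."""
    findings = []
    if is_cross_border(flow) and flow.territory in restricted:
        findings.append(Finding(flow.processor, "territory restricted under s.16",
                                "migrate processing to India within the 30-day plan"))
    for category, required in SECTORAL_LOCALISATION.items():
        if category in flow.categories and flow.territory != required:
            findings.append(Finding(flow.processor,
                                    f"{category} data stored outside {required} (sectoral overlay)",
                                    "keep this category in-country or strip it from the flow"))
    if is_cross_border(flow) and not flow.dpa_signed:
        findings.append(Finding(flow.processor, "no DPA with foreign processor",
                                "execute a DPA that flows down DPDPA obligations"))
    if is_cross_border(flow) and not flow.disclosed:
        findings.append(Finding(flow.processor, "foreign sub-processor not disclosed",
                                "add to the privacy notice (s.5) and the RoPA"))
    return findings


def assess_inventory(flows, restricted: frozenset = RESTRICTED_TERRITORIES) -> dict:
    """Map each processor to its findings; processors with [] are clean."""
    return {f.processor: assess(f, restricted) for f in flows}


def exposure(flows, territory: str) -> set:
    """Processors that would need migration if `territory` were notified
    under s.16. Use this to size the 30-day contingency plan in advance."""
    return {f.processor for f in flows if f.territory == territory}


# Constructed sample register; names are illustrative, not real contracts.
SAMPLE_FLOWS = [
    Flow("in-payments-example", "IN", frozenset({"account", "payment"}), True, True),
    Flow("us-payments-example", "US", frozenset({"account", "payment"}), True, True),
    Flow("us-llm-api-example", "US", frozenset({"account", "prompt"}), False, True),
    Flow("us-email-esp-example", "US", frozenset({"account"}), True, False),
]

if __name__ == "__main__":
    for processor, findings in assess_inventory(SAMPLE_FLOWS).items():
        print(processor, "OK" if not findings else "")
        for f in findings:
            print(f"  - {f.issue}: {f.action}")
    print("exposure if US were restricted:", sorted(exposure(SAMPLE_FLOWS, "US")))
```

Running it as-is reports the in-country payment flow as clean, flags the foreign payment flow under the RBI overlay even though DPDPA itself allows it, and flags the missing DPA and missing disclosure on the other two. Re-run with a non-empty `restricted` set the day a notification lands and the affected flows surface with the migration action attached.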
This is the same hygiene as GDPR — minus the SCC paperwork.
Bottom line
Section 16 is the part of the DPDPA where India chose business-friendliness over data localisation absolutism. Use that flexibility, but document everything and monitor for changes. Checklist item 12 walks through the operational steps. Our generator includes the cross-border disclosure language by default.