Top 10 operational impacts of India’s DPDPA – Cross-border data transfers
This article provides comparative analysis with India's DPDPA, the GDPR and other major data privacy laws.
Contributors:
Rahul Matthan
Partner
Trilegal
Shreya Ramann
Senior Associate
Trilegal
Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.
This article is part of a series that explores components of the DPDPA.
India's Digital Personal Data Protection Act is a simple, principle-based law. The Digital Personal Data Protection Rules supplement the DPDPA, providing details and specifics on requirements set out under the act. The DPDPA has been introduced in a staggered manner. While some administrative provisions have been brought into force, such as the establishment of the Data Protection Board of India, entities have 12 to 18 months to comply with the substantive provisions.
The act introduces various obligations on data fiduciaries, entities or organizations equivalent to data controllers under the EU General Data Protection Regulation, and provides data principals, individuals equivalent to data subjects under the GDPR, with several rights and duties. The newly established DPBI enforces the law and articulates a set of principles to define the nature of data protection regulation.
The government's approach to data localization in relation to cross-border transfers of personal data has evolved over the course of deliberations and consultations around the law. India's approach shares certain similarities with other jurisdictions but diverges in key areas — most notably from the GDPR.
Data localization
Contributors:
Rahul Matthan
Partner
Trilegal
Shreya Ramann
Senior Associate
Trilegal