RESOURCE ARTICLE

Top 10 operational impacts of India’s DPDPA – Cross-border data transfers

This article provides comparative analysis with India's DPDPA, the GDPR and other major data privacy laws.


Published: 19 Oct. 2023

Last updated: 20 Jan. 2026

This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.

Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.

India's Digital Personal Data Protection Act is a simple, principle-based law. The Digital Personal Data Protection Rules supplement the DPDPA, providing details and specifics on requirements set out under the act. The DPDPA has been introduced in a staggered manner. While some administrative provisions have been brought into force, such as the establishment of the Data Protection Board of India, entities have 12 to 18 months to comply with the substantive provisions.

The act introduces various obligations on data fiduciaries, entities or organizations equivalent to data controllers under the EU General Data Protection Regulation, and provides data principals, individuals equivalent to data subjects under the GDPR, with several rights and duties. The newly established DPBI enforces the law and articulates a set of principles to define the nature of data protection regulation.

The government's approach to data localization in relation to cross-border transfers of personal data has evolved over the course of deliberations and consultations around the law. India's approach shares certain similarities with other jurisdictions but diverges in key areas — most notably from the GDPR.

Data localization

Section 40 of the first draft of India's data protection legislation, the Personal Data Protection Bill, 2018, required a copy of all personal data to be stored within the territory of India at all times. A wide cross-section of stakeholders stridently objected to this data localization approach as it fundamentally disrupts the way online business is conducted.

As a result, subsequent versions of the law, namely Section 17 of the Digital Personal Data Protection Bill, 2021, progressively diluted this stance. The first step was permitting transfers of personal data to certain "white-listed" countries that the government would identify.

This was further diluted in the version that was finally enacted into law. Section 16 of the DPDPA permits personal data to be freely transferred to all countries or territories outside India, except those specifically designated by the central government.

With that, a law that initially looked like it would impose an absolute prohibition on the cross-border transfer of data ended up taking a "blacklist" approach, restricting transfers only where the destination is a specifically enumerated country or territory.

Basis for permitted data transfers

Under the GDPR, data transfers are permitted where the jurisdiction or entity receiving the data offers a level of protection that is sufficient to safeguard personal data. Thus, data transfers are permitted to countries that the European Commission has determined ensure an adequate level of protection under Article 45, between entities in jurisdictions that are subject to binding corporate rules under Article 47, or where appropriate safeguards are established under Article 46. These provisions set out principles for assessing the permissibility of cross-border data transfers.

The DPDPA, on the other hand, offers no framework for determining countries to which data transfers will be prohibited. The act only states that such countries will be listed, without requiring any justification of adequacy or offering mechanisms — such as standard contractual clauses or binding corporate rules — that would permit data transfers to entities in those jurisdictions.

Significant data fiduciaries

The DPDPA also introduced the concept of a significant data fiduciary — an entity that is subject to a higher threshold of compliance on account of it processing high volumes of data, processing high-risk data or operating in a politically sensitive industry.

Significant data fiduciaries must conduct a data protection impact assessment and verify that their technical measures to process personal data do not pose a risk to individuals' rights.

The central government can specify certain categories of personal data that significant data fiduciaries must only process in India along with the associated traffic data.

Exemptions

Even as the DPDPA lays the groundwork for country-specific restrictions on data transfers, Section 17 clarifies that these restrictions may not apply in relation to certain processing activities. Examples of such exempted processing activities, along with indicative use cases where such exemptions may be utilized by both the government and private entities, include:

  • Prevention, detection, investigation or prosecution of offenses under India’s law.
    Even where cross-border transfer restrictions apply, police and law enforcement agencies are exempt when acting on international criminal investigations or extradition mandates. Arguably, private companies could also avail themselves of this exemption when data needs to be transferred in relation to ongoing internal investigations or fraud.
  • Enforcement of a legal right or claim.
    Restrictions on the cross-border transfer of personal data to a specified jurisdiction will not come in the way of transfers that are necessary to enforce legal rights, such as property disputes, matrimonial disputes, immigration cases, financial claims, etc.
  • Processing pursuant to a contract with a foreign entity.
    Restrictions on the cross-border transfer of personal data will not apply to any processing pursuant to a contract with a foreign entity. This is particularly relevant to the portion of India's outsourcing industry that primarily handles non-Indian personal data on behalf of foreign clients.
  • Processing pursuant to legally approved mergers, demergers, acquisitions and other such arrangements between companies.
    Any entity within India that enters into such an arrangement with a foreign company may use this exemption to transfer employee information and other personal data to such foreign company, even if it is located in a jurisdiction where data transfers are otherwise prohibited.
  • Processing to ascertain the financial position of a defaulter to a financial institution.
    The fact that the cross-border transfer of personal data has been prohibited to a specified jurisdiction will not operate to prevent such transfers where financial institutions need to ascertain financial assets and liabilities of defaulting customers.



This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.


Contributors:

Rahul Matthan

Partner, Trilegal

Shreya Ramann

Senior Associate, Trilegal


Tags:

Data security, International data transfers, Law and regulation, Regulatory guidance, Risk management, Strategy and governance, Government, Privacy