Cross-Border Data Transfers Under the DPDPA 2023

The Digital Personal Data Protection Act, 2023 permits the transfer of personal data outside India, subject to restrictions that the Central Government may notify from time to time. Section 16 of the Act empowers the Government to restrict transfers to certain countries or territories, effectively creating a whitelist or blacklist approach to cross-border data flows. Until such restrictions are notified, organisations may transfer personal data internationally, provided they comply with all other obligations under the Act — including obtaining valid consent and implementing adequate security safeguards.

Earlier drafts of India's data protection legislation — the Personal Data Protection Bill, 2019 and the Data Protection Bill, 2021 — had proposed stringent data localisation requirements, mandating that certain categories of sensitive and critical personal data be stored exclusively within India. The DPDPA 2023 represents a significant departure from this approach, adopting a more flexible framework that prioritises enabling cross-border data flows while reserving the Government's power to impose restrictions where necessary for national security or public interest. This shift has been broadly welcomed by the technology and business community.

For multinational organisations that transfer personal data from India to overseas affiliates, cloud service providers, or data processors, the DPDPA's cross-border transfer provisions have important practical implications. Organisations must ensure that their data transfer agreements and privacy notices accurately reflect the countries to which data may be transferred. They must also monitor Government notifications regarding restricted territories and be prepared to adjust their data flows accordingly. Intra-group data transfer agreements and standard contractual clauses — familiar concepts from GDPR compliance — may serve as useful models for structuring compliant cross-border transfers under the DPDPA.

While the DPDPA itself does not impose blanket data localisation requirements, several sector-specific regulations in India continue to mandate local storage of certain categories of data. The Reserve Bank of India requires payment system data to be stored exclusively in India. The Insurance Regulatory and Development Authority and the Securities and Exchange Board of India have issued similar directives for their respective sectors. Organisations operating in these regulated sectors must navigate the intersection of the DPDPA's cross-border transfer framework and these sector-specific localisation mandates, which may require maintaining separate data infrastructure for regulated data categories.

Organisations engaged in cross-border data transfers should take several practical steps to ensure compliance. First, conduct a data mapping exercise to identify all personal data flows across borders, including transfers to cloud service providers and third-party processors. Second, review and update privacy notices to disclose cross-border transfers and the countries involved. Third, ensure that data processing agreements with overseas processors include appropriate contractual protections. Fourth, establish a monitoring mechanism to track Government notifications regarding restricted territories and respond promptly to any changes. Finally, document all cross-border transfer decisions as part of your broader data governance framework.