
In today’s interconnected global economy, cross-border data flows are a fundamental aspect of business operations for many Indian entities, from startups leveraging global cloud infrastructure to multinational corporations serving customers worldwide. India’s Digital Personal Data Protection Act, 2023 (DPDPA) introduces a new paradigm for regulating the transfer of personal data outside India, shifting away from previous, more complex proposals towards a “negative list” approach.
While seemingly simpler, this framework carries its own set of uncertainties and requires careful planning by Data Fiduciaries and their Data Processors. This article provides a practical guide to understanding the DPDPA’s provisions on cross-border data transfers and the steps businesses need to take to ensure compliance.
Understanding DPDPA’s Cross-Border Transfer Regime
Section 16 of the DPDPA governs the transfer of personal data outside India. It sets out the core principle for how such transfers are regulated: transfers are permitted by default, the Central Government may restrict them by notification, and any stricter Indian law continues to apply.
The “Negative List” Approach: Default Allow
The DPDPA generally permits a Data Fiduciary to transfer personal data for processing to any country or territory outside India. However, this is subject to a crucial caveat in Section 16(1): the Central Government may, by notification, restrict the transfer of personal data to specific countries or territories.
This is often referred to as a “negative list” or “blacklist” approach. Unless a country is on this restricted list, transfers are, in principle, allowed, provided all other DPDPA obligations (lawful basis, notice, reasonable security safeguards, and so on) are met for the processing activity that involves the transfer. This is a significant departure from regimes that require pre-approved “whitelists” of countries deemed adequate for data transfers.
Role of the Central Government
The power to identify and notify these restricted countries or territories rests solely with the Central Government. The DPDPA itself does not specify the criteria the Government will use for such notifications. Factors could potentially include the adequacy of data protection laws in the destination country, geopolitical considerations, or reciprocity agreements. Businesses must monitor these notifications closely.
Prevailing Stricter Sectoral Laws
It is critical to note that Section 16(2) of the DPDPA clarifies that nothing in the section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for, or restriction on, the transfer of personal data by a Data Fiduciary outside India.
This means that existing sectoral regulations mandating data localisation or imposing stricter conditions on cross-border transfers (e.g., by the Reserve Bank of India for payments data, or specific rules in the insurance or securities sectors) will continue to prevail and must be adhered to, even if the destination country is not on the DPDPA’s “negative list.”
Navigating Uncertainties and Potential Future Requirements
While the “negative list” approach appears straightforward, several uncertainties and potential future requirements (stemming from the Draft DPDP Rules) need consideration:
The Unknown “Negative List”
The most significant uncertainty is which countries or territories will eventually be placed on the restricted list and the basis for such decisions. This lack of clarity makes long-term planning for data infrastructure and vendor selection challenging, especially for businesses heavily reliant on data transfers to specific global hubs.
Potential Additional Requirements
The Draft Digital Personal Data Protection Rules, 2025 introduce a provision stating that a Data Fiduciary shall meet such requirements as the Central Government may specify in respect of making personal data available to any foreign State, or to any person or entity under the control of such a State. This “wildcard” provision could potentially reintroduce elements similar to adequacy assessments or require additional contractual safeguards for transfers even to non-restricted countries. The scope and nature of these potential requirements are yet to be defined, and businesses will need to monitor them closely.
Specific Considerations for Significant Data Fiduciaries (SDFs)
As per the Draft Rules, Significant Data Fiduciaries (SDFs) may be subject to specific government directions (based on committee recommendations) restricting the transfer of certain personal data and related traffic data outside India. This creates an additional layer of potential data localisation or transfer restrictions specifically for SDFs, even if the destination country is not on the general “negative list.”
Implications for Data Fiduciaries and Data Processors (Cloud Services)
Both Data Fiduciaries and their Data Processors, particularly cloud service providers, play vital roles in ensuring compliant cross-border data transfers.
Responsibilities of Data Fiduciaries
Data Fiduciaries are primarily responsible for ensuring that any cross-border transfer of personal data complies with the DPDPA and any prevailing sectoral laws. This includes:
- Ensuring a lawful basis (typically consent, or one of the legitimate uses recognised by the Act) for the processing activity that involves the transfer.
- Providing clear notice to Data Principals if their data is likely to be transferred outside India.
- Undertaking due diligence on the data protection practices of the recipient entity in the foreign jurisdiction, especially if the Draft Rules impose specific requirements.
- Implementing robust contractual safeguards with any Data Processors involved in the transfer.
The Critical Role of Data Processors (especially Cloud Providers)
While the DPDPA primarily places direct obligations for cross-border transfers on Data Fiduciaries, processors are impacted and have key responsibilities:
- Contractual Support: Processors must have contractual agreements (Data Processing Agreements - DPAs) with Data Fiduciaries that clearly define responsibilities related to cross-border transfers, including adherence to the Fiduciary’s instructions and implementation of appropriate security measures during transit and storage abroad.
- Enabling Fiduciary Compliance: Cloud providers and other processors need to offer services and configurations that allow Data Fiduciaries to meet their DPDPA obligations. This might include options for data residency in specific regions or tools for managing data access based on jurisdictional requirements.
- Impact of “Negative List”: If a country where a cloud provider has significant infrastructure is added to the restricted list, it could severely impact their ability to serve Indian Data Fiduciaries who rely on that infrastructure. Processors need to plan for such contingencies and offer flexibility.
- Transparency: While processors might not directly notify Data Principals, transparency with their Data Fiduciary clients about data storage locations and sub-processor involvement is crucial.
- Security Safeguards: Regardless of location, processors must implement “reasonable security safeguards” as per their contractual obligations with the Data Fiduciary to protect personal data being transferred and processed.
It is also worth noting that an offshore enterprise service provider acting purely as a Data Processor for an Indian Data Fiduciary may not itself be offering goods or services to Data Principals in India, which can affect whether the DPDPA applies directly to its processing. Even so, the Indian Data Fiduciary remains fully bound by the transfer provisions for any transfer it initiates or authorises to that offshore processor.
Practical Steps for Businesses
To prepare for DPDPA’s cross-border transfer regime, businesses should:
- Map Your Data Flows: Understand and document where personal data is collected, processed, stored, and to which countries or territories it is transferred. Identify all vendors (Data Processors) involved.
- Assess Jurisdictional Risks and Monitor Notifications: Identify reliance on transfers to jurisdictions that might be considered “high-risk” or could potentially feature on a future “negative list.” Closely monitor official government notifications regarding restricted countries and any additional requirements under the Draft Rules.
- Review and Update Contracts (DPAs): Ensure your contracts with Data Processors and other third parties include robust clauses addressing cross-border data transfers, security obligations, audit rights, and cooperation in meeting DPDPA requirements. Specify responsibilities in case a transfer destination becomes restricted.
- Evaluate and Adhere to Sectoral Mandates: Identify and comply with any stricter data localisation or transfer requirements under applicable sectoral laws (e.g., RBI, SEBI, IRDAI).
- Build in Flexibility: Design data management architectures and vendor relationships with flexibility in mind to adapt to changes in the “negative list” or the introduction of new transfer requirements.
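The data-flow mapping, jurisdictional assessment and sectoral-precedence steps above can be encoded as a repeatable check rather than a one-off spreadsheet exercise. The following is an added example, not code from the original article: a small policy-as-code evaluator that walks a constructed inventory of data flows (each with its chain of processor and sub-processor hops), applies the precedence the DPDPA framework implies (stricter sectoral law first, then SDF-specific directions, then the notified negative list, then default allow), and also answers the contingency question of which currently permitted flows would break if a given country were added to the list. The country code “XX”, the sectoral rule label and the restricted categories are hypothetical placeholders; no country had been notified under Section 16(1) at the time of writing.

```python
"""Policy-as-code check of a personal-data flow inventory against the DPDPA
transfer regime. Added example with constructed data; the negative list,
sectoral rule label and SDF-restricted categories are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Hop:
    entity: str   # processor or sub-processor that handles the data
    country: str  # ISO 3166-1 alpha-2 code of where it is stored or processed


@dataclass(frozen=True)
class Flow:
    flow_id: str
    category: str           # e.g. "payments", "marketing_contacts"
    fiduciary_is_sdf: bool  # is the Data Fiduciary a Significant Data Fiduciary?
    hops: Tuple[Hop, ...]   # processor chain, in order, including sub-processors


@dataclass(frozen=True)
class Policy:
    negative_list: FrozenSet[str]          # countries notified under s.16(1)
    sectoral_localisation: Dict[str, str]  # data category -> prevailing stricter rule
    sdf_restricted: FrozenSet[str]         # categories SDFs are directed to keep in India


def evaluate_hop(flow: Flow, hop: Hop, policy: Policy) -> Tuple[str, str]:
    """Decide one hop. Precedence: sectoral law > SDF direction > negative list > allow."""
    if hop.country == "IN":
        return "ALLOW", f"{hop.entity} (IN): processed in India, no cross-border transfer"
    rule = policy.sectoral_localisation.get(flow.category)
    if rule:  # s.16(2): a stricter Indian law prevails whatever the destination
        return "BLOCK", f"{hop.entity} ({hop.country}): {rule} requires {flow.category} data to stay in India"
    if flow.fiduciary_is_sdf and flow.category in policy.sdf_restricted:
        return "BLOCK", f"{hop.entity} ({hop.country}): SDF direction restricts transfer of {flow.category}"
    if hop.country in policy.negative_list:
        return "BLOCK", f"{hop.entity} ({hop.country}): destination is on the notified negative list"
    return "ALLOW", f"{hop.entity} ({hop.country}): permitted, subject to notice, lawful basis and DPA terms"


def evaluate_flow(flow: Flow, policy: Policy) -> Tuple[str, List[str]]:
    """A flow is blocked if any hop in its processor chain is blocked."""
    results = [evaluate_hop(flow, hop, policy) for hop in flow.hops]
    decision = "BLOCK" if any(d == "BLOCK" for d, _ in results) else "ALLOW"
    return decision, [reason for _, reason in results]


def flows_needing_action(flows: Tuple[Flow, ...], policy: Policy) -> List[str]:
    return [f.flow_id for f in flows if evaluate_flow(f, policy)[0] == "BLOCK"]


def affected_by_listing(flows: Tuple[Flow, ...], policy: Policy, country: str) -> List[str]:
    """Contingency: currently allowed flows that would break if `country` were notified."""
    widened = Policy(policy.negative_list | {country}, policy.sectoral_localisation, policy.sdf_restricted)
    return [f.flow_id for f in flows
            if evaluate_flow(f, policy)[0] == "ALLOW" and evaluate_flow(f, widened)[0] == "BLOCK"]


# Hypothetical policy state: "XX" stands in for a notified country; the rule label is a placeholder.
POLICY = Policy(
    negative_list=frozenset({"XX"}),
    sectoral_localisation={"payments": "RBI payments-data localisation rule (placeholder label)"},
    sdf_restricted=frozenset({"health"}),
)

# Constructed inventory produced by a data-flow mapping exercise.
INVENTORY = (
    Flow("crm-sync", "marketing_contacts", False, (Hop("crm-vendor", "US"),)),
    Flow("card-settlement", "payments", False, (Hop("psp", "IN"), Hop("psp-dr-site", "SG"))),
    Flow("analytics", "usage_events", True, (Hop("analytics-saas", "US"), Hop("saas-subprocessor", "XX"))),
    Flow("telemedicine", "health", True, (Hop("hospital-dc", "IN"),)),
    Flow("telemedicine-backup", "health", True, (Hop("backup-vendor", "DE"),)),
)

if __name__ == "__main__":
    for flow in INVENTORY:
        decision, reasons = evaluate_flow(flow, POLICY)
        print(f"{flow.flow_id}: {decision}")
        for reason in reasons:
            print(f"    {reason}")
    print("needs action:", flows_needing_action(INVENTORY, POLICY))
    print("would break if US were notified:", affected_by_listing(INVENTORY, POLICY, "US"))
```

Two design points matter. First, the check is hop-by-hop, so a disaster-recovery site or sub-processor in another country is caught even when the primary processor is in India, which is exactly the sub-processor transparency a Fiduciary needs from its cloud providers. Second, the sectoral rule is tested before the negative list, so payments data bound for a country that is not restricted is still flagged, reflecting Section 16(2).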
Conclusion: A Simplified Framework with Evolving Details
The DPDPA’s “negative list” approach to cross-border data transfers aims to simplify the regulatory landscape compared to more prescriptive regimes. However, the current uncertainty surrounding which countries will be restricted, and the potential for additional conditions under the forthcoming Rules, means businesses must adopt a proactive and vigilant stance.
Data Fiduciaries need to take primary responsibility for compliance, while Data Processors, especially global cloud service providers, play an indispensable role in enabling these transfers securely and in line with contractual and regulatory obligations. By understanding the framework, preparing for various scenarios, and staying informed, businesses can navigate India’s evolving rules for international data flows.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023, and the Draft DPDP Rules, which are subject to change. For advice on specific legal issues, please consult a qualified legal professional.
Need Help with DPDPA Compliance?
Contact our team of experts for personalized guidance and implementation support.