DPDPA Section 16: India's Negative-List Approach to Cross-Border Data Transfers

June 16, 2026, marks a significant period in India’s data protection journey, with the Digital Personal Data Protection Act, 2023 (DPDPA) now fully operational. A critical aspect for Indian businesses operating in an interconnected global economy is the framework governing cross-border transfers of personal data. The DPDPA introduces a distinct approach under Section 16, widely understood as a “negative-list” model, which sets India apart from many other jurisdictions.

Understanding the DPDPA’s Negative-List Framework

Section 16 of the DPDPA empowers the Central Government to “notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, subject to such terms and conditions as may be specified.” While this phrasing might initially suggest a “positive list” (only transfers to specified countries are permitted), the prevailing interpretation, particularly in light of the global privacy landscape and the prompt’s framing, points towards a negative-list model. Under this approach, cross-border transfers of personal data are generally permissible by default, unless the Central Government explicitly notifies specific countries or territories as prohibited, or subjects transfers to them to stringent conditions.

This stands in stark contrast to the European Union’s GDPR, which adopts a “positive list” model. Under GDPR Article 45, transfers to third countries are generally prohibited unless the European Commission has issued an “adequacy decision” for that country, deeming its data protection standards comparable to the EU. India’s negative-list model aims to facilitate global data flows by reducing immediate barriers, placing the onus on the government to identify and restrict transfers to jurisdictions deemed unsafe or non-compliant with India’s national interests or data protection standards. The Central Government, when exercising its power under Section 16, would likely consider factors such as the recipient country’s data protection laws, national security implications, and reciprocal arrangements for data sharing.

Interplay with DPDP Rules and Sectoral Mandates

While Section 16 lays down the broad principle, the granular details for its implementation are expected to be elaborated in the Digital Personal Data Protection Rules, which are now in force. These rules would likely specify the process for notifying restricted countries, the criteria for such notifications, and the “terms and conditions” that may be imposed on transfers to certain jurisdictions.

Crucially, the DPDPA’s general permission for cross-border transfers under Section 16 does not override existing or future sectoral regulations that impose stricter data localization or transfer requirements. Indian businesses must remain vigilant about these specific mandates. For instance:

• Reserve Bank of India (RBI): The RBI’s directives on Payment System Data Storage continue to mandate that all payment system data relating to Indian customers must be stored exclusively in India. While copies of data can be stored abroad, the primary storage must remain within the country. This is a prime example of a sectoral mandate that takes precedence over the DPDPA’s general cross-border transfer framework.
• Securities and Exchange Board of India (SEBI): SEBI has also issued guidelines for certain market intermediaries regarding data storage and processing, often with a preference for domestic infrastructure, especially for critical financial data.
• Insurance Regulatory and Development Authority of India (IRDAI): The insurance sector, too, has specific norms governing the handling and storage of policyholder data, which may include restrictions on cross-border transfers for sensitive information.

Therefore, Data Fiduciaries in India must not only monitor the Central Government’s notifications under DPDPA Section 16 but also ensure strict adherence to any specific data localization or transfer restrictions imposed by their respective sectoral regulators.

Navigating the Evolving Landscape

As of June 2026, Indian businesses are operating in an environment where the DPDPA’s cross-border transfer framework is still maturing. While the negative-list approach promises greater flexibility, the absence of a definitive list of restricted countries or specific conditions for certain jurisdictions can create a degree of uncertainty. Data Fiduciaries must understand that even if a country is not on a “negative list,” they still bear the fundamental responsibility for protecting personal data. Section 8(5) of the DPDPA mandates Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches, and Section 8(1) emphasizes accountability for compliance. This implies that even for permitted transfers, robust contractual agreements, technical and organizational measures, and due diligence on the data recipient’s security posture remain paramount.

Practical Takeaway

For Indian businesses, General Counsels, and Data Protection Officers, navigating cross-border data transfers under the DPDPA requires a proactive and multi-faceted approach. First, closely monitor notifications from the Central Government regarding any countries or territories that may be restricted or subject to specific conditions under DPDPA Section 16. Second, conduct a comprehensive data mapping exercise to identify all cross-border transfers and the nature of the personal data involved. Third, critically review all existing and new data transfer agreements to ensure they incorporate adequate safeguards and align with DPDPA principles. Finally, and perhaps most importantly, prioritize compliance with specific sectoral regulations (e.g., RBI, SEBI, IRDAI), which often impose stricter data localization and transfer requirements that override the DPDPA’s general framework. Robust internal data governance, continuous monitoring, and thorough due diligence on all international data recipients are non-negotiable for ensuring compliance and mitigating risks.