India's Cross-Border Data Transfers: Navigating the DPDPA's Negative List
With the Digital Personal Data Protection Act, 2023 (DPDPA) now fully in force and its accompanying rules finalised as of May 07, 2026, Indian businesses are grappling with a new era of data governance. A pivotal aspect for India’s globally integrated digital economy is the framework for cross-border transfers of personal data. The DPDPA introduces a distinctive “negative-list” model under Section 16, setting India apart from many global privacy regimes and presenting unique opportunities and challenges for Data Fiduciaries.
A New Paradigm for Data Mobility
Unlike the European Union’s General Data Protection Regulation (GDPR), which largely operates on a “positive-list” or “adequacy” model requiring specific safeguards for transfers outside its jurisdiction, the DPDPA adopts a fundamentally different approach. Section 16 of the DPDPA establishes a default position that allows for the transfer of personal data outside India. This permission, however, is not absolute. The Central Government retains the power to restrict such transfers to specific countries or territories by notifying them in the Official Gazette. This means that, by default, personal data can be transferred globally, unless a destination country is explicitly placed on a “negative list” by the government.
This framework, detailed in Section 16(1) and 16(2) of the DPDPA, reflects a policy choice aimed at fostering ease of doing business and promoting India as a global data processing hub, while simultaneously retaining sovereign control over data flows for national interest considerations.
Understanding the Negative-List Framework
The core principle of the negative-list model is its permissive default. Data Fiduciaries in India do not need to demonstrate specific safeguards or obtain prior approvals for transferring personal data abroad, provided the recipient jurisdiction is not on the Central Government’s restricted list. This contrasts sharply with the GDPR’s Article 45 (adequacy decisions) and Article 46 (appropriate safeguards like Standard Contractual Clauses or Binding Corporate Rules), which require a proactive assessment and implementation of transfer mechanisms.
For Indian businesses, this means a potentially reduced initial compliance burden when establishing international data flows. Instead of negotiating complex contractual clauses or undergoing lengthy adequacy assessments, their primary obligation concerning cross-border transfers under Section 16 is to monitor the Central Government’s notifications for any additions to the negative list. This shift places the onus of identifying and restricting problematic jurisdictions squarely on the government, rather than on individual Data Fiduciaries.
Implications for Data Fiduciaries and Sectoral Compliance
While the negative-list model simplifies the mechanism of cross-border transfers, it does not absolve Data Fiduciaries of their broader responsibilities under the DPDPA. Any transfer, whether domestic or international, must still adhere to fundamental principles such as obtaining valid consent (Section 7) or relying on legitimate uses (Section 8), purpose limitation (Section 9), data minimisation, accuracy (Section 10), security safeguards (Section 11), and accountability measures (Section 8). Data Fiduciaries must ensure that personal data, even when transferred abroad, remains protected in accordance with the DPDPA’s standards.
Furthermore, the DPDPA operates in conjunction with existing sectoral regulations. For instance, the Reserve Bank of India (RBI) has specific guidelines on data localisation for payment system operators, which may restrict the cross-border transfer of certain financial data regardless of the DPDPA’s negative list. Similarly, the Securities and Exchange Board of India (SEBI) or the Insurance Regulatory and Development Authority of India (IRDAI) may issue their own directives concerning data handling and transfers for entities under their purview. Data Fiduciaries must therefore navigate both the DPDPA’s general framework and any specific requirements imposed by their respective sectoral regulators or the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, where applicable.
The Central Government’s Discretion and Future Landscape
The effectiveness and predictability of the negative-list model depend heavily on how the Central Government exercises its power under Section 16. The criteria for placing a country or territory on the negative list are not explicitly detailed in the Act itself and are likely to be elaborated in the DPDPA Rules or through subsequent policy pronouncements. Potential considerations could include the recipient country’s data protection laws, national security implications, reciprocity in data sharing, and geopolitical relations.
The dynamic nature of such a list, subject to government notifications, introduces an element of uncertainty. Businesses will need to establish robust internal processes to continuously monitor official gazettes and government advisories. Transparency in the government’s decision-making process for designating restricted territories will be crucial for maintaining business confidence and enabling proactive compliance planning.
Practical Takeaway
For Indian businesses, General Counsels, and Data Protection Officers, the DPDPA’s negative-list model for cross-border transfers requires a strategic shift. First, establish clear data flow mapping to understand exactly where personal data is being transferred. Second, diligently monitor official notifications from the Central Government regarding any additions to the negative list. Third, while the transfer mechanism is simplified, ensure that all other DPDPA obligations – particularly those related to consent, security, and accountability – are rigorously met for all data, irrespective of its location. Finally, remain vigilant regarding specific sectoral guidelines from regulators like RBI, SEBI, or IRDAI, which may impose additional restrictions or conditions on data transfers relevant to their domain. Proactive monitoring and robust internal governance will be key to navigating this evolving landscape.