Navigating Cross-Border Data Transfers: India's Negative-List Approach Under DPDPA Section 16
The Digital Personal Data Protection Act, 2023 (DPDPA), now fully operational with the DPDP Rules 2025 in effect, marks a pivotal moment for data governance in India. For Indian enterprises operating in a globalized economy, one of the most keenly watched provisions is Section 16, which governs cross-border transfers of personal data. Unlike many international regimes, the DPDPA adopts a distinctive “negative-list” model, signaling both opportunities and specific compliance considerations for Data Fiduciaries.
The Negative-List Model: Freedom by Default, Restriction by Exception
Section 16(1) of the DPDPA establishes a foundational principle: Data Fiduciaries are generally permitted to transfer personal data outside India. This freedom, however, is not absolute. The Central Government retains the power to restrict such transfers to specific countries or territories by notification. This mechanism creates a “negative list” – a roster of jurisdictions to which personal data transfers from India would be prohibited.
This approach stands in stark contrast to the “positive-list” or “adequacy” models seen in other major privacy frameworks, such as the European Union’s General Data Protection Regulation (GDPR). Under GDPR Article 45, data transfers to third countries are permitted only if the European Commission has deemed that country to offer an “adequate level of protection,” or if specific “appropriate safeguards” (like Standard Contractual Clauses or Binding Corporate Rules) are in place. India’s DPDPA, by default, assumes transfers are permissible unless explicitly restricted. This offers Indian businesses a degree of flexibility, reducing the immediate administrative burden of conducting individual adequacy assessments or implementing complex contractual mechanisms for every international transfer, provided the destination is not on the prohibited list.
Interplay with Sectoral Regulations and DPDP Rules
While Section 16(1) provides a broad framework, its application is not entirely unconstrained. Section 16(2) explicitly states that the provisions of Section 16(1) operate “without prejudice to any other law for the time being in force.” This is a critical carve-out, particularly for highly regulated sectors in India.
For instance, the Reserve Bank of India (RBI) has long-standing data localization norms, especially for payment system operators, mandating that all payments data relating to Indian customers must be stored in India. Similarly, the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) have specific guidelines regarding data residency and outsourcing for financial and insurance sector entities. These sectoral regulations, being “other laws for the time being in force,” will continue to take precedence. A Data Fiduciary operating in the financial sector, therefore, cannot rely solely on the absence of a country from the DPDPA’s negative list if an RBI directive or SEBI regulation prohibits the transfer of specific data types.
The DPDP Rules 2025 are expected to provide further clarity on the operationalization of the negative list. While the DPDPA itself does not detail the criteria for inclusion on this list, the Rules could potentially outline factors such as a country’s data protection laws, its enforcement mechanisms, its national security policies, or even reciprocal arrangements with India. Data Fiduciaries will need to closely monitor these rules and any subsequent notifications from the Central Government, likely through the Ministry of Electronics and Information Technology (MeitY), which will specify the restricted jurisdictions.
Operationalizing Compliance for Indian Businesses
The negative-list model necessitates a proactive and vigilant approach from Indian businesses. Data Fiduciaries, as defined under Section 2(i) of the DPDPA, must maintain a comprehensive inventory of their data processing activities and data flows, as mandated by Section 8(2). This includes identifying where personal data originates, where it is processed, and where it is ultimately stored or transferred.
The primary compliance task will be to continuously monitor the official notifications regarding the negative list. Any changes to this list will directly impact existing or planned cross-border data transfers. Businesses must ensure that their third-party vendors, cloud service providers, and international affiliates are not located in, and do not transfer data to, any jurisdiction on the prohibited list. This requires robust vendor management and contractual clauses that allow for adjustments in data processing locations if a country becomes restricted.
Furthermore, for data categories subject to sectoral regulations, Data Fiduciaries must ensure compliance with the strictest applicable standard. Where a sectoral regulator mandates data localization, that requirement overrides the DPDPA’s general permission for transfers to non-restricted countries. This multi-layered compliance environment demands a sophisticated understanding of India’s legal landscape.
Practical takeaway
Indian businesses, General Counsels, and Data Protection Officers must make data mapping and inventory exercises (as per DPDPA Section 8(2)) a continuous priority. Stay abreast of all notifications from MeitY regarding the negative list of countries for cross-border data transfers. Critically, always prioritize compliance with stricter sectoral regulations from bodies like RBI, SEBI, or IRDAI, as these mandates override the DPDPA’s general permission for transfers. Implement robust due diligence and contractual agreements with all international data processors and sub-processors to ensure they do not transfer data to restricted jurisdictions and can adapt quickly to changes in the negative list. Regular data protection impact assessments (DPIAs) for all cross-border data flows are essential to identify and mitigate risks.