Navigating India's Negative List: Cross-Border Data Transfers Under DPDPA
As India solidifies its position as a global digital economy powerhouse, the operationalisation of the Digital Personal Data Protection Act, 2023 (DPDPA) marks a pivotal moment for data governance. With the Act and its accompanying rules now fully in force as of July 2026, Indian businesses, particularly those engaged in global operations, are keenly focused on the regime governing cross-border data transfers. Section 16 of the DPDPA introduces a distinctive “negative list” model, a significant departure from global norms, setting a unique trajectory for how personal data can move in and out of India.
The DPDPA’s Departure: A Negative List Approach
Unlike data protection frameworks such as the European Union’s General Data Protection Regulation (GDPR), which adopt an “adequacy decision” model (a positive list of approved jurisdictions), the DPDPA operates on a principle of default permissibility. Under Section 16(1) of the DPDPA, a Data Fiduciary is generally permitted to transfer personal data outside India. This broad allowance is, however, subject to a crucial caveat: such transfers are prohibited to any country or territory that the Central Government may, by notification, restrict. This establishes the “negative list” – a framework where transfers are allowed everywhere except to specified restricted jurisdictions.
This approach reflects India’s sovereign interest in regulating data flows without imposing an immediate, blanket restriction on international data transfers. It places the onus on the Central Government, likely through the Ministry of Electronics and Information Technology (MeitY), to proactively identify and notify countries deemed unsuitable for receiving Indian personal data. The underlying rationale for such restrictions could range from national security concerns, geopolitical considerations, or a lack of robust data protection frameworks and enforcement mechanisms in the recipient jurisdiction.
Unpacking the “Restricted Countries” Framework
The criteria for placing a country on the negative list, while not explicitly detailed in Section 16 itself, are expected to be elaborated upon in subsequent notifications or the DPDP Rules. We can anticipate factors such as the recipient country’s data protection laws, its track record in enforcing privacy rights, the existence of reciprocal arrangements, and potential risks to India’s strategic interests. This dynamic list will require continuous monitoring by Data Fiduciaries, as additions or removals could significantly impact existing data transfer arrangements.
The DPDPA’s general framework for cross-border transfers also interacts with existing sectoral regulations. For instance, the Reserve Bank of India (RBI) has long mandated data localization for payment system data. Similarly, the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) have specific norms for financial and insurance data, respectively. The DPDPA, as a general law, complements these sectoral regulations. Where a sectoral regulator mandates stricter data localization or transfer conditions for specific types of data, those requirements would likely prevail, given the principle that special laws override general laws. Data Fiduciaries must therefore navigate both the DPDPA’s negative list and any existing or future sectoral-specific restrictions.
Compliance Challenges and Strategic Opportunities
For Indian Data Fiduciaries, the negative list model presents both challenges and opportunities. The primary challenge lies in the ongoing vigilance required to track government notifications regarding restricted countries. Businesses must establish robust internal processes to identify the jurisdictions to which they transfer personal data and continuously cross-reference these with the official negative list. Any existing data transfer agreements with entities in countries subsequently added to the list would necessitate immediate re-evaluation and potential re-architecture of data flows.
Beyond merely avoiding restricted countries, Data Fiduciaries remain obligated under DPDPA Sections 8 and 9 to ensure that personal data transferred abroad is handled with appropriate security safeguards and adheres to principles like purpose limitation and data retention. This implies conducting thorough due diligence on overseas data processors and service providers, even in “permitted” countries, to ensure their practices align with DPDPA standards. Global Capability Centres (GCCs) in India, which frequently transfer data to parent entities or affiliates abroad, will need to be particularly diligent, as their operational models could be significantly impacted if their parent company’s jurisdiction is ever restricted.
Conversely, the negative list approach offers strategic opportunities. By maintaining a default open stance, India signals its commitment to facilitating global data flows, making it an attractive hub for data processing and services for countries not on the restricted list. This could encourage foreign entities to establish data processing operations in India, leveraging its skilled workforce and evolving data protection framework.
Practical Takeaway
For Indian businesses, General Counsels, and Data Protection Officers (DPOs), proactive compliance is paramount. Develop an inventory of all cross-border personal data transfers, identifying the recipient jurisdictions and the types of data involved. Implement a robust system for monitoring official government notifications concerning the negative list. Review and update all existing data processing agreements and contractual clauses with international vendors and partners to ensure DPDPA compliance, including provisions for data security and accountability. Finally, integrate the DPDPA’s general requirements with any specific sectoral regulations that apply to your business, always prioritising the stricter standard to ensure comprehensive data protection.