AMLEGALS | DPDPA | Vibe Data Privacy

Cross-Border Data Transfers Under DPDPA

Navigating the Negative List Framework and Sectoral Localisation

January 2026

"The Central Government may restrict transfer of personal data to such country or territory outside India as may be notified."

DPDPA Section 17

Unlike GDPR's adequacy-based framework requiring positive determination before transfers, DPDPA adopts a negative list approach—transfers are permitted except to jurisdictions specifically restricted. This article examines the transfer framework, sectoral localisation requirements, and contractual safeguards.

The Negative List Architecture

Section 17 inverts the GDPR model. Rather than requiring a positive adequacy determination, DPDPA permits transfers unless restricted by Central Government notification. As of the current date, no countries appear on the restricted list. However, this permissive position may evolve based on geopolitical considerations, bilateral arrangements, and reciprocity assessments.

Key Points

  • Default: Transfers permitted
  • Restriction: By Central Government notification
  • Monitoring: Gazette of India publications

Sectoral Localisation

DPDPA operates alongside existing sectoral requirements. The RBI Payment Data Localisation Circular mandates storing payment system data in India. IRDAI imposes insurance data restrictions. SEBI requires securities data localisation. Telecom licensing conditions impose additional constraints. Organisations must map all applicable regimes before approving international transfers.

Contractual Safeguards

Even absent restrictions, prudent organisations implement contractual safeguards. Standard Contractual Clauses adapted from GDPR templates, binding corporate rules for intra-group transfers, and processing agreements with third-party recipients establish baseline protections against future regulatory tightening.

Key Points

  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Data Processing Agreements
  • Transfer Impact Assessments

Future Considerations

The Government retains discretion to impose additional conditions, including localisation for sensitive categories and periodic audit rights over foreign processors. Organisations should architect systems that permit rapid data repatriation if transfer restrictions materialise. Cloud infrastructure contracts should address regulatory change scenarios.

Key Takeaways

1. Map all current cross-border data flows
2. Monitor Central Government notifications weekly
3. Implement contractual transfer safeguards proactively
4. Audit sectoral localisation compliance
5. Establish repatriation protocols for restriction scenarios

Statutory References

  • DPDPA Section 17
  • RBI Payment Data Localisation Circular
  • SEBI Data Localisation Guidelines
  • IT Act Section 69
