Section 16 of the DPDPA does not restrict cross-border data transfers by default. It restricts transfers to specific jurisdictions that the Central Government notifies. That notification has now arrived. And if your data flows through servers in any of the restricted jurisdictions, your compliance architecture changed overnight.
Most multinational compliance teams misread this provision. They assumed DPDPA would follow the GDPR adequacy model — a whitelist of approved jurisdictions. It did not. India chose a blacklist approach. Every jurisdiction is permitted unless specifically restricted.
What the notification actually says
The Central Government exercised its power under Section 16(1) to notify jurisdictions where transfer of personal data of Indian Data Principals is restricted. This is not a suggestion. It is a statutory prohibition. Transfer of personal data to a notified jurisdiction — whether direct or through intermediate processing — constitutes a contravention attracting penalties under The Schedule.
The notification applies to all Data Fiduciaries processing personal data of Indian Data Principals, regardless of where the Data Fiduciary is incorporated. If you are a multinational headquartered in Singapore processing Indian customer data through a subsidiary in a restricted jurisdiction, you are in scope.
The three architectural failures MNCs are making right now
- Failure 1 — Cloud region assumptions: Most organisations assume their cloud provider routes data through the contractually specified region. That assumption is wrong. Disaster recovery, content delivery networks, and AI processing layers frequently route data through secondary regions. If any secondary region falls within a restricted jurisdiction, the transfer is unlawful regardless of the primary hosting contract.
- Failure 2 — Vendor sub-processing chains: Your Tier 1 vendor may be compliant. Their sub-processor may not be. Section 8(2) makes the Data Fiduciary responsible for the entire processing chain. If your vendor's sub-processor routes Indian personal data through a restricted jurisdiction, the liability is yours.
- Failure 3 — Employee data transfers: Global HR platforms routinely centralise employee data in a single jurisdiction. If that jurisdiction is now restricted, every Indian employee's personal data is in violation. HR data is personal data under DPDPA. There is no employment exemption.
What to do this week
First: pull your Record of Processing Activities. Identify every processing activity that involves transfer of Indian personal data outside India. Map each transfer to its destination jurisdiction — not the contractual jurisdiction, the actual routing jurisdiction.
Second: issue a compliance questionnaire to every vendor and sub-processor. Ask one question: does any personal data of Indian Data Principals transit through or get stored in any of the notified restricted jurisdictions? Require a signed declaration within fourteen days.
Third: review your cloud service agreements. Identify every disaster recovery, CDN, and AI processing clause. If any clause permits routing through unspecified regions, renegotiate. If renegotiation is not possible, migrate.
"Cross-border compliance is not about where you intend to send data. It is about where data actually goes. The gap between intention and routing is where the penalty lives."
— Anandaday Misshra
The penalty for unauthorised cross-border transfer under The Schedule reaches up to ₹250 Crores. That is not a theoretical risk. It is a statutory exposure that activated the moment the notification was published.