Cross Border Data Transfer Framework

Section 16 of DPDPA takes a negative list approach to cross border data transfers. This is quite different from European adequacy based frameworks. Under this approach, personal data may be transferred to any country outside India except those specifically notified by the Central Government as restricted destinations.

This framework gives multinational companies operational flexibility. You do not need adequacy determinations or standard contractual clauses for permitted jurisdictions. However, since restricted territory lists have not been published yet, planning becomes uncertain.

Organisations need to design transfer architectures that can be quickly reconfigured if notifications change the permitted destinations. Building in this flexibility from the start will save significant rework later.

The DPDPA framework operates alongside sector specific data localisation requirements. This creates a more complex compliance landscape than the statute alone might suggest.

Reserve Bank of India directions require payment system data to be stored exclusively in India. IRDAI guidelines impose similar requirements for insurance sector data. SEBI's evolving position adds another layer for securities market data.

These sectoral requirements work as overlays, not exceptions to DPDPA. Organisations must satisfy both the general DPDPA framework and any applicable sectoral restrictions. For entities operating across regulated sectors, this means detailed data classification and flow mapping. You need to ensure sectoral localisation requirements are honoured even when non regulated data categories take advantage of Section 16's permissive transfer regime.