Introduction
In an increasingly connected world, personal data rarely stays within national borders. Indian businesses use global cloud services, multinational companies process Indian customer data at their headquarters abroad, and outsourcing arrangements involve data flowing across jurisdictions. Section 16 of the Digital Personal Data Protection Act, 2023 (DPDPA) addresses this reality by establishing the framework for cross-border transfers of personal data - and its approach differs significantly from that of other major data protection laws.
The Negative List Approach
Unlike the EU's GDPR, which requires an 'adequacy decision' for the recipient country or specific safeguards such as Standard Contractual Clauses, the DPDPA takes a simpler approach. Section 16 allows the Central Government to notify, by notification, countries or territories outside India to which a Data Fiduciary may not transfer personal data for processing. Transfers to any country not on this 'negative list' are permitted, subject to the rest of the Act: the Data Fiduciary remains responsible for the consent, notice, security and breach-notification obligations that apply to the data wherever it is processed. The negative-list approach provides significant flexibility for businesses. Until the government publishes a restricted-country list, transfers can proceed to any jurisdiction. However, this also creates uncertainty - businesses must be prepared to adjust their data transfer arrangements if the negative list is published or updated, and Section 16 expressly preserves any other law that imposes a stricter restriction on transfer.
How This Differs from GDPR
Understanding the differences between the DPDPA and GDPR approaches to cross-border transfers is essential for organisations operating in both jurisdictions.
- GDPR requires a positive legal basis for each transfer (adequacy decision, SCCs, BCRs, or derogations). The DPDPA allows all transfers unless the destination is specifically restricted
- Under GDPR, following the CJEU's Schrems II judgment, transfers relying on SCCs require a transfer impact assessment of the destination country's legal regime. The DPDPA does not currently require transfer-specific assessments
- GDPR allows international organisations to adopt Binding Corporate Rules as a transfer mechanism. The DPDPA does not include a similar concept
- GDPR's approach provides more certainty - organisations know exactly which countries are 'safe'. The DPDPA's approach is simpler but less predictable, because the permitted set is whatever has not been restricted
Sector-Specific Restrictions
While Section 16 provides the general framework, organisations must also be aware of sector-specific data localisation requirements that supplement the DPDPA's provisions; Section 16 itself makes clear that a stricter rule in another law continues to apply. The Reserve Bank of India (RBI) requires payment system operators to store the entire data relating to payment systems in a system only in India. The Insurance Regulatory and Development Authority of India (IRDAI) requires certain insurance data to be stored domestically. Telecom licence conditions impose localisation requirements for subscriber data. These sectoral requirements operate alongside the DPDPA and, for the data they cover, are stricter than the general cross-border transfer framework: a flow that is permitted under Section 16 can still be prohibited by the sector regulator.
Practical Implications for Businesses
The DPDPA's cross-border transfer framework has several practical implications that businesses should address in their compliance planning.
- Audit current data flows to identify every instance where personal data leaves India - including cloud storage, SaaS applications, backups, log pipelines and third-party processing
- Map your cloud infrastructure to understand where data is physically stored and processed. Major cloud providers offer region-specific deployment options, but confirm where managed services, replicas and support tooling actually hold the data
- Review contracts with international vendors and service providers to ensure they can comply with potential restrictions if the negative list is published
- Build flexibility into your data architecture so that data can be redirected to domestic processing if specific country restrictions are imposed
- Monitor government notifications for updates to the restricted-country list and be prepared to respond quickly
- Consider data minimisation - the less personal data that needs to cross borders, the lower your compliance risk
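The audit, cloud-region mapping and "what if a country is notified" steps above can be kept honest with a small data-flow register check. The following Python script is an added illustration, not code from the original article or from Kraver.ai. Everything in it is an assumption for the example: the region-to-country table, the category names, the single sectoral rule (payment system data must stay in India) and the sample inventory are constructed, and the negative list is empty because no country had been notified when this was written.

```python
"""Data-flow register check against the DPDPA Section 16 negative list and
sector-specific localisation rules. Illustrative only: every rule set and the
sample inventory below are assumptions, not official lists."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Section 16 negative list. Empty here because no country has been notified;
# replace with the notified list once one is published.
NEGATIVE_LIST: Set[str] = set()

# Data categories that must stay in India under sector rules regardless of the
# negative list. Category names and rule text are assumptions for this example.
LOCALISED_CATEGORIES: Dict[str, str] = {
    "payment_system_data": "RBI payment system data localisation",
}

# Hypothetical cloud region -> ISO country code mapping. In a real audit this is
# populated from the provider's own region documentation.
REGION_COUNTRY: Dict[str, str] = {
    "ap-south-1": "IN",
    "ap-south-2": "IN",
    "eu-west-1": "IE",
    "us-east-1": "US",
}


@dataclass(frozen=True)
class DataFlow:
    name: str
    category: str            # e.g. "customer_pii", "payment_system_data"
    destination_region: str  # cloud region or datacentre identifier
    vendor: str


@dataclass(frozen=True)
class Finding:
    flow: str
    status: str  # "ok", "review" or "block"
    reason: str


def destination_country(region: str) -> str:
    return REGION_COUNTRY.get(region, "UNKNOWN")


def assess_flow(flow: DataFlow, negative_list: Set[str] = NEGATIVE_LIST) -> Finding:
    """Evaluate one flow: unmapped regions need review, domestic flows are fine,
    sectoral localisation is checked before the negative list."""
    country = destination_country(flow.destination_region)
    if country == "UNKNOWN":
        return Finding(flow.name, "review",
                       f"region {flow.destination_region} not mapped; "
                       f"confirm where {flow.vendor} stores the data")
    if country == "IN":
        return Finding(flow.name, "ok", "data remains in India")
    if flow.category in LOCALISED_CATEGORIES:
        return Finding(flow.name, "block",
                       f"{LOCALISED_CATEGORIES[flow.category]} applies; "
                       "domestic storage required")
    if country in negative_list:
        return Finding(flow.name, "block",
                       f"{country} is on the Section 16 negative list")
    return Finding(flow.name, "ok",
                   f"transfer to {country} permitted; not on the negative list")


def assess_inventory(flows: Iterable[DataFlow],
                     negative_list: Set[str] = NEGATIVE_LIST) -> List[Finding]:
    return [assess_flow(f, negative_list) for f in flows]


def newly_blocked(flows: Iterable[DataFlow], hypothetical_list: Set[str]) -> List[str]:
    """Names of flows permitted today that would be blocked if the given
    countries were notified. Use it to test architectural flexibility before
    a notification lands."""
    flows = list(flows)
    today = {f.flow: f.status for f in assess_inventory(flows, NEGATIVE_LIST)}
    later = assess_inventory(flows, hypothetical_list)
    return [f.flow for f in later if f.status == "block" and today[f.flow] != "block"]


# Constructed sample inventory (vendors and flows are fictitious).
SAMPLE_FLOWS = [
    DataFlow("crm-sync", "customer_pii", "eu-west-1", "ExampleCRM"),
    DataFlow("card-settlement-export", "payment_system_data", "us-east-1", "ExamplePSP"),
    DataFlow("analytics-warehouse", "customer_pii", "ap-south-1", "ExampleBI"),
    DataFlow("support-tickets", "customer_pii", "us-east-1", "ExampleDesk"),
    DataFlow("legacy-backup", "customer_pii", "dc-unknown", "ExampleBackup"),
]

if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE_FLOWS):
        print(f"{finding.status:6} {finding.flow}: {finding.reason}")
    print("would be blocked if US were notified:", newly_blocked(SAMPLE_FLOWS, {"US"}))
```

The ordering matters: the sectoral check runs before the negative-list check, so the payment flow is blocked even though the United States is not restricted, which is exactly the "stricter law prevails" point in Section 16. The `newly_blocked` helper is the cheap way to rehearse the "negative list gets published" scenario against your real register.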
The Role of Data Localisation
Data localisation - the requirement to store and process data within national borders - is a related but distinct concept from cross-border transfer restrictions. The DPDPA itself does not mandate data localisation; it allows transfers to any non-restricted country, which is a more flexible approach. However, the government retains the power to impose additional conditions through the rules notified under the Act, and for Significant Data Fiduciaries the Act allows it to prescribe further measures, which may include keeping certain categories of personal data within India. Businesses should design their data architecture with the possibility of future localisation requirements in mind, even if current regulations do not mandate it.
Compliance Strategy for Multinational Organisations
Multinational organisations face the unique challenge of complying with multiple data protection regimes simultaneously. A robust strategy should address the overlapping requirements of the DPDPA, GDPR, and any other applicable laws.
- Create a global data transfer map that identifies all cross-border data flows, their legal basis under each applicable law, and the safeguards in place
- Implement a unified consent framework that meets the highest standard across all applicable jurisdictions
- Use regional data processing options offered by cloud providers to minimise unnecessary cross-border transfers
- Establish a monitoring process for regulatory changes in every jurisdiction where you operate
- Designate clear responsibility for cross-border compliance within your data protection team
How Kraver.ai Manages Cross-Border Compliance
Kraver.ai's platform includes a dedicated cross-border data transfer module that maps all international data flows, identifies applicable legal requirements across jurisdictions, and continuously monitors compliance. Our AI engine automatically detects when data is being transferred to new jurisdictions and alerts compliance teams to assess the transfer against current restrictions. As the DPDPA's negative list evolves, Kraver.ai updates its compliance rules in real-time, ensuring your organisation stays ahead of regulatory changes without manual monitoring.