Section 16 - India's Approach to International Data Flows
Section 16 of the Digital Personal Data Protection Act, 2023, addresses one of the most consequential and debated aspects of modern data protection law - the transfer of personal data across national borders. In an interconnected global economy where data flows underpin international trade, cloud computing, outsourcing, and digital services, the rules governing cross-border data transfers have enormous practical and economic significance. India's approach under Section 16 departs significantly both from its earlier drafts and from the models adopted by the European Union and other jurisdictions. The 2019 Personal Data Protection Bill had proposed strict data localisation requirements, mandating that sensitive personal data be stored in India and that critical personal data never leave the country. The DPDPA, 2023, abandons this prescriptive approach in favour of a more business-friendly 'negative list' model. Under Section 16, the transfer of personal data to countries outside India is permitted by default - unless the Central Government specifically restricts transfers to particular countries or territories through notification. This approach balances national security and sovereignty concerns with the practical needs of India's globally integrated economy.
The Statutory Framework: Default Permission with Government Override
Section 16(1) provides that the Data Fiduciary may transfer personal data of a Data Principal for processing to any country or territory outside India, subject to such terms and conditions as the Central Government may prescribe. Section 16(2) empowers the Central Government, by notification, to restrict the transfer of personal data to such country or territory outside India as may be notified. This two-part structure creates a permissive default with a government override. Unlike the GDPR, which requires an adequacy decision, standard contractual clauses, binding corporate rules, or other specific mechanisms before data can flow to a non-EU country, the DPDPA allows transfers to proceed without any specific authorisation mechanism - unless the destination country has been placed on the restricted list. The practical effect is that data can flow freely to the United States, United Kingdom, Singapore, Japan, and most other countries immediately upon the Act's commencement, provided the Data Fiduciary complies with the general terms and conditions that the Central Government may prescribe. Organisations should also ensure they have proper consent management frameworks in place for the data they transfer. Only when the Government affirmatively identifies a country as restricted do transfer barriers arise.
Factors for Government Restriction: National Security and Sovereignty
While Section 16 does not enumerate the specific factors the Central Government will consider when deciding to restrict transfers to a particular country, the legislative context and parliamentary discussions indicate that the following considerations will guide decisions. National security is the primary factor - transfers may be restricted to countries with which India has adversarial relationships or where intelligence agencies may access personal data of Indian citizens without adequate safeguards. The MeitY data protection framework provides additional context on the Government's approach. Sovereignty and integrity of the State encompasses concerns about foreign governments using personal data to influence Indian affairs, conduct surveillance, or undermine democratic processes. Friendly relations with foreign States involve diplomatic considerations - restricting data transfers to a country is a significant geopolitical signal and will be weighed against bilateral relationships. Maintenance of public order includes concerns about data being used to incite violence, spread disinformation, or disrupt social harmony. The Government may also consider whether the destination country has an adequate data protection framework, whether bilateral or multilateral agreements regarding data protection exist, and whether the country has a track record of respecting the privacy of foreign nationals' data.
- National security - risk of foreign surveillance or intelligence access
- Sovereignty and integrity of the State - foreign interference concerns
- Friendly relations with foreign States - diplomatic implications
- Public order - risk of data misuse causing social disruption
- Adequacy of destination country's data protection framework
- Bilateral and multilateral data protection agreements
Comparison with GDPR Chapter V: Adequacy and Transfer Mechanisms
The DPDPA's approach to cross-border transfers contrasts sharply with the GDPR's elaborate framework under Chapter V. The GDPR requires one of several specific mechanisms before personal data can leave the European Economic Area. Adequacy decisions by the European Commission certify that a third country provides an 'essentially equivalent' level of data protection - a process that can take years and has been granted to only a handful of countries. In the absence of an adequacy decision, organisations must implement appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or certification mechanisms. Following the Schrems II decision, organisations must also conduct Transfer Impact Assessments to evaluate whether the destination country's laws undermine the effectiveness of these safeguards. The DPDPA eliminates this complexity. There are no adequacy decisions, no SCCs, no BCRs, and no mandatory Transfer Impact Assessments. The Government simply decides whether a country is on the restricted list or not. This approach is simpler and more business-friendly but provides less granular protection. It also means that Indian Data Principals have fewer guarantees about how their data will be protected once it leaves India - a tradeoff that has drawn criticism from privacy advocates, who argue that the negative-list approach provides insufficient safeguards for individuals' fundamental right to privacy.
Interaction with Sectoral Data Localisation Requirements
Section 16's permissive approach to cross-border transfers does not exist in isolation. Several sectoral regulators in India have imposed their own data localisation requirements that continue to apply alongside the DPDPA. The Reserve Bank of India (RBI) requires that payment system data be stored exclusively in India. RBI Circular DPSS.CO.OD.No.2785/06.08.005/2017-18 mandated that all system providers ensure that the entire data relating to payment systems operated by them is stored in a system only in India. This applies to banks, payment processors, card networks, and digital wallet providers. The Insurance Regulatory and Development Authority of India (IRDAI) has guidelines requiring certain insurance data to be stored domestically. The Securities and Exchange Board of India (SEBI) has KYC data localisation requirements. The Telecom Regulatory Authority of India (TRAI) and the Department of Telecommunications have restrictions on telecom subscriber data. These sectoral requirements override Section 16's permissive default for the specific categories of data they cover. An organisation must therefore conduct a comprehensive mapping of all applicable data localisation requirements - not just the DPDPA - before transferring personal data outside India. Compliance with Section 16 alone is insufficient if sectoral regulations prohibit the transfer.
- RBI mandates storage of all payment system data exclusively in India
- IRDAI has guidelines for domestic storage of certain insurance data
- SEBI requires KYC data localisation for capital market participants
- Telecom regulators restrict cross-border transfer of subscriber data
- Health data localisation may emerge under sector-specific regulations
- Sectoral requirements override Section 16's permissive default for covered data types
Practical Compliance for Multinational Corporations
For multinational corporations (MNCs) operating in India, Section 16 is one of the most operationally significant provisions of the DPDPA. MNCs routinely transfer personal data across borders for centralised HR processing, global customer relationship management, cloud-based data storage and analytics, centralised cybersecurity monitoring, and intra-group shared services. Under Section 16, MNCs can continue these transfers by default - a significant relief compared to the localisation-heavy approach of the earlier draft bills. However, MNCs must prepare for the possibility that certain destination countries may be restricted in the future and build contingency plans accordingly. Practical compliance steps include maintaining a comprehensive data transfer map documenting what personal data flows where, to which entities, and for what purposes. MNCs should identify which transfers are operationally critical versus discretionary and develop fallback plans for critical transfers if a destination country is restricted. Contractual arrangements with group entities and third-party processors should include provisions for data rerouting if transfers to a specific country become restricted. MNCs should also monitor Government notifications regarding restricted countries and conduct periodic reviews of their transfer practices against the evolving regulatory landscape.
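As an added illustration (not code from the article, from Kraver.ai, or from any regulator), the following Python models the layered check described in the two preceding sections: sectoral localisation rules first, then the Section 16(2) restricted list, then the Section 16(1) default permission, with the article's critical-versus-discretionary distinction driving the fallback action. The restricted entry "Country-X" is a constructed placeholder, since no country has been notified, and the fallback handling is an assumption.

```python
from dataclasses import dataclass

# Constructed placeholder: as of writing the Government has notified no restricted country.
RESTRICTED = {"Country-X"}  # hypothetical notification under s.16(2)

# Sectoral localisation rules summarised from the article; data in these categories stays in India.
SECTORAL_LOCALISATION = {
    "payment_system": "RBI Circular DPSS.CO.OD.No.2785/06.08.005/2017-18",
    "kyc": "SEBI KYC localisation requirement",
    "insurance": "IRDAI domestic storage guidelines",
}

@dataclass(frozen=True)
class Transfer:
    record_id: str
    category: str      # e.g. "hr", "payment_system", "kyc"
    destination: str   # country the data is sent to
    critical: bool     # operationally critical, per the article's fallback planning

def evaluate(t: Transfer) -> tuple[str, str]:
    """Return (decision, reason). Sectoral rules are checked before the s.16
    restricted list because they bind regardless of the s.16 default."""
    if t.destination == "India":
        return ("allowed", "domestic processing; s.16 not engaged")
    if t.category in SECTORAL_LOCALISATION:
        return ("blocked", f"sectoral localisation: {SECTORAL_LOCALISATION[t.category]}")
    if t.destination in RESTRICTED:
        action = "activate fallback/reroute plan" if t.critical else "suspend transfer"
        return ("blocked", f"destination notified under s.16(2); {action}")
    return ("allowed", "s.16(1) default permission; subject to prescribed terms")

def review(transfer_map: list[Transfer]) -> dict[str, list[str]]:
    """Group record ids by decision so a transfer map can be reviewed at a glance."""
    out: dict[str, list[str]] = {"allowed": [], "blocked": []}
    for t in transfer_map:
        decision, _ = evaluate(t)
        out[decision].append(t.record_id)
    return out

# Constructed sample transfer map (hypothetical records, not real data flows)
SAMPLE_MAP = [
    Transfer("T1", "hr", "Singapore", critical=True),
    Transfer("T2", "payment_system", "Singapore", critical=True),  # RBI overrides s.16 default
    Transfer("T3", "crm", "Country-X", critical=True),
    Transfer("T4", "kyc", "India", critical=False),
]

if __name__ == "__main__":
    for t in SAMPLE_MAP:
        print(t.record_id, *evaluate(t))
```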
Data Transfer Impact Assessments: Not Required but Recommended
Unlike the GDPR post-Schrems II, the DPDPA does not mandate Transfer Impact Assessments (TIAs) for cross-border transfers. However, conducting voluntary TIAs is strongly recommended as a matter of best practice and risk management. A TIA evaluates the risks associated with transferring personal data to a specific destination, considering the legal framework of the destination country, the potential for government access to the data, the security measures in place during transfer and at the destination, and the enforceability of contractual protections. Even though Section 16 does not require TIAs, the Data Protection Board may consider the absence of any risk assessment when evaluating compliance in the context of a complaint or breach investigation. If personal data is transferred to a country with weak data protection standards and a breach occurs, the Board may question whether the Data Fiduciary exercised reasonable diligence in selecting the transfer destination. For Significant Data Fiduciaries required to conduct Data Protection Impact Assessments under Section 10(2)(c), cross-border transfers should be a key component of those assessments. The DPIA should evaluate transfer risks alongside other processing risks and document the safeguards implemented to mitigate them.
- TIAs are not legally mandated but are strongly recommended as best practice
- Assess the destination country's legal framework and government access risks
- Evaluate security measures during transfer and at the destination
- Document transfer risks and mitigation measures for Board inquiries
- Integrate transfer risk assessment into broader DPIAs for Significant Data Fiduciaries
Government Terms and Conditions: Anticipating the Rules
Section 16(1) references terms and conditions that the Central Government may prescribe for cross-border transfers. While these rules are awaited, organisations should anticipate several likely requirements based on international practice and the DPDPA's overall structure. The Government may require Data Fiduciaries to maintain records of cross-border transfers, including the categories of data transferred, the destination countries, the recipients, and the purposes of transfer. There may be requirements for contractual protections between the Indian Data Fiduciary and the foreign recipient, ensuring that the recipient handles the data in accordance with the DPDPA's principles even though they are not directly subject to Indian jurisdiction. The Government may prescribe notification requirements - either to the Board or to the Data Principals - regarding significant cross-border transfers. For Significant Data Fiduciaries, additional conditions such as periodic reporting on transfer volumes and destinations may be imposed. Organisations should familiarise themselves with the penalty schedule for non-compliance and begin building their transfer documentation and contractual frameworks now, so that when the rules are published, they can quickly calibrate their existing practices to meet the specific requirements rather than building from scratch.
Future Outlook: The Restricted Countries List
The most significant unknown regarding Section 16 is which countries the Central Government will place on the restricted list. As of this writing, no countries have been notified. The Government's approach will likely be influenced by geopolitical considerations, bilateral relationships, and the data protection standards of potential restricted countries. Countries with which India has tense diplomatic or security relationships may be early candidates for restriction. Countries that have been involved in surveillance controversies or that lack data protection legislation may also face scrutiny. Conversely, countries with strong bilateral ties and robust data protection frameworks - such as EU member states, Japan, Singapore, and Australia - are unlikely to be restricted. The United States presents an interesting case, given its lack of a comprehensive federal privacy law but its deep economic integration with India. The Government may adopt a graduated approach - restricting transfers to certain countries entirely, imposing additional conditions for others, and leaving transfers to most countries unrestricted. Organisations should build flexibility into their data architecture and contractual arrangements to accommodate changes in the restricted list without significant operational disruption. Understanding the penalty framework is essential for quantifying the risk of non-compliance with transfer restrictions.
How Kraver.ai Helps
Kraver.ai's cross-border data transfer module provides comprehensive support for Section 16 compliance and readiness. Our data transfer mapping tool automatically discovers and documents personal data flows across your organisation, identifying every cross-border transfer - including transfers through cloud services, SaaS platforms, and intra-group sharing - and mapping them by data category, destination country, recipient entity, and processing purpose. The compliance dashboard provides a real-time view of your cross-border transfer posture, flagging transfers to countries on the Government's restricted list as soon as notifications are issued. Our regulatory intelligence engine continuously monitors Government notifications, sectoral localisation requirements, and international developments, alerting you to changes that affect your transfer practices. For organisations that choose to conduct voluntary Transfer Impact Assessments, Kraver.ai provides a structured assessment framework with pre-populated country risk profiles, guiding you through the evaluation of legal, security, and operational risks. The contractual compliance module generates and manages data transfer agreements with foreign recipients, ensuring alignment with anticipated Government terms and conditions. For MNCs, our multi-entity management features allow centralised visibility across all Indian entities and their transfer activities. Start mapping and managing your cross-border data transfers with Kraver.ai today. Contact our team to schedule a demo of our cross-border compliance module.