For several years, one of the most significant questions surrounding India’s data protection framework was whether the country would adopt a stringent data localization regime similar to certain global jurisdictions or permit the free movement of personal data across borders. With the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the gradual operationalisation of the Digital Personal Data Protection Rules, 2025 (DPDP Rules), India has provided much-needed clarity on this issue.
Contrary to earlier expectations, the DPDP framework adopts a comparatively liberal approach to cross-border data transfers, signalling a conscious policy shift towards facilitating global data flows while retaining the government’s ability to impose restrictions where necessary.
The Shift from Data Localization to a Negative List Regime
Cross-border transfers of personal data are principally governed by Section 16 of the DPDP Act, 2023. The provision permits the transfer of personal data outside India to any country or territory except those specifically restricted by the Central Government through notification.
This approach is commonly referred to as a “negative list” or blacklist model, under which international transfers are permissible by default unless expressly prohibited.
The distinction is particularly significant when compared to the European Union’s General Data Protection Regulation (GDPR). Under the GDPR, cross-border transfers are generally prohibited unless the destination country has received an adequacy decision or appropriate safeguard; such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are implemented. The DPDP Act adopts the opposite approach by permitting transfers unless a destination has been specifically notified as restricted.
This represents a more business-friendly compliance framework for organisations that rely on global cloud infrastructure, multinational operations, and cross-border data processing.
Current Position Under the DPDP Framework
As of mid-2026, the Central Government has not issued any notification identifying countries or territories that are restricted under Section 16 of the DPDP Act. Accordingly, there are presently no statutory restrictions preventing organisations from transferring personal data to any particular jurisdiction under the DPDP framework.
However, organisations should exercise caution before treating this position as permanent. Since the cross-border transfer provisions are being operationalised in a phased manner, the government retains the authority to notify restricted jurisdictions in the future. Any such notification is expected to become effective from the date of its publication, potentially requiring organisations to promptly reassess existing data transfer arrangements. Businesses that currently route substantial volumes of personal data through overseas cloud regions or international affiliates should therefore continue monitoring regulatory developments and maintain sufficient visibility over their cross-border data flows to ensure they can respond efficiently to any future changes.
What the DPDP Act Does Not Require
One of the distinguishing features of India’s data protection framework is that it deliberately refrains from incorporating several transfer mechanisms that are central to the GDPR. At present, the DPDP Act does not require organisations to execute Standard Contractual Clauses (SCCs), implement Binding Corporate Rules (BCRs), or undertake Transfer Impact Assessments (TIAs) as a condition for transferring personal data outside India. These mechanisms remain specific to the European regulatory framework and currently have no direct statutory equivalent under Indian law.
Nevertheless, the absence of transfer-specific safeguards should not be interpreted as a relaxation of the broader compliance obligations imposed under the Act. Personal data must continue to be processed on a valid legal basis. In most commercial scenarios, this will ordinarily be the consent of the Data Principal under Section 6 of the DPDP Act. Correspondingly, the consent notice should adequately inform the Data Principal about the proposed cross-border transfer, including the recipient country or region and the purpose for which the personal data will be transferred. Accordingly, while the mechanism governing international transfers is comparatively less prescriptive, organisations must continue to ensure that their processing activities satisfy the Act’s transparency and consent requirements.
Continuing Applicability of Sector-Specific Localisation Requirements
The comparatively liberal approach adopted under Section 16 does not override India’s existing sector-specific regulatory requirements relating to data localisation. This remains an important compliance consideration for organisations operating within regulated industries.
For example, the Reserve Bank of India (RBI) continues to require payment system operators and regulated payment entities to store specified payment system data within India. Similarly, regulatory requirements issued by the Securities and Exchange Board of India (SEBI) require certain regulated intermediaries to maintain specified securities market and investor-related data within Indian jurisdiction. The Insurance Regulatory and Development Authority of India (IRDAI) has also prescribed localisation requirements applicable to insurers with respect to policyholder information.
Section 16(2) of the DPDP Act expressly preserves the applicability of such sector-specific laws and regulatory directions. Consequently, organisations operating in regulated sectors are required to comply not only with the DPDP framework but also with the localisation requirements imposed by their respective regulators. In practice, this creates a layered compliance framework in which the DPDP Act establishes the general rule while sectoral regulations continue to prescribe stricter obligations wherever applicable.
Practical Considerations for Businesses
The current regulatory framework provides organisations with considerable operational flexibility, particularly those that rely on multinational cloud infrastructure, Software-as-a-Service (SaaS) platforms, international vendors, or globally distributed operations. The absence of blanket localisation requirements and transfer-specific contractual mechanisms simplifies compliance for many businesses when compared to other international data protection regimes.
At the same time, organisations should not regard the current regulatory position as eliminating the need for proactive compliance. A comprehensive understanding of where personal data is stored, processed, and transferred including cloud regions, vendors, subprocessors, and overseas affiliates will remain essential as India’s data protection framework continues to evolve. Businesses that establish robust data mapping and governance practices today will be significantly better positioned to respond efficiently should the Central Government introduce restrictions on transfers to specific jurisdictions in the future.
With the phased implementation of the DPDP framework expected to continue through 2027, organisations should continue monitoring regulatory developments and periodically reviewing their cross-border data transfer practices to ensure ongoing compliance with both the DPDP Act and applicable sector-specific requirements.



