Skip to main content

Rule 14: Processing of Personal Data Outside India (Cross-Border Transfers)

Rule 14 clarifies how personal data belonging to individuals in India can be processed outside the country. The principle is that cross-border data transfers are permitted, but the Central Government retains the authority to restrict them if necessary.

Key points include:

  • Personal data may be transferred and processed outside India unless the Central Government notifies specific countries or territories as restricted.
  • Such restrictions may be imposed where the government believes that sending data to a particular country could pose risks to national security, public order, or the rights of Data Principals.
  • Even when transfers are permitted, the Data Fiduciary remains responsible for ensuring that the personal data receives a comparable level of protection in the receiving country.
Critical Point

Cross-border transfers are allowed by default but not unconditional.
The government may restrict specific jurisdictions, and Data Fiduciaries remain fully accountable under Indian law even when data is processed abroad.

Example Scenarios

Example 1

A pharmaceutical company in India may send anonymized clinical trial data to its global research center in Germany for further analysis. This is permitted as long as Germany is not on the restricted list and adequate safeguards are in place.

Example 2

A crypto trading platform based in Mumbai may process user identity documents through servers in Singapore. This is allowed, but if the Indian government later restricts transfers to Singapore, the platform must immediately bring processing back within approved jurisdictions.

Example 3

A retail e-commerce company may store order histories and customer addresses on cloud servers located in the United States. The company remains accountable under Indian law, even though the servers are abroad.

The objective of Rule 14 is to maintain flexibility for businesses that rely on global operations while safeguarding national interests and protecting the rights of Indian citizens. It allows India to remain integrated into the global digital economy, but with clear limits where risks are deemed unacceptable.