Q4 - Can Indian companies continue to use global cloud service providers (AWS, Google Cloud, Azure)?
Yes — Indian companies can continue to use global cloud service providers such as AWS, Google Cloud, Microsoft Azure, or others under the Digital Personal Data Protection Act, 2023 (DPDPA). The Act does not prohibit or restrict using foreign-owned or global cloud platforms, as long as the personal data of Indian users is processed lawfully, securely, and within permitted jurisdictions.
1. Legal Position
Section 16(1): The transfer of personal data outside India is permitted except to countries or territories restricted by the Central Government for reasons of national interest.
This means Indian companies are free to host or process data on global cloud servers, as long as:
- The data is stored or processed in countries not on the restricted list, and
- The company ensures all DPDPA obligations (consent, safeguards, breach notifications, etc.) are followed.
As of now, no countries have been restricted, so global cloud platforms remain fully usable.
2. Role of Cloud Providers Under DPDPA
Cloud platforms (like AWS, Azure, GCP) typically act as Data Processors, meaning they process data on behalf of Indian clients (Data Fiduciaries).
The Indian company remains primarily responsible for compliance — not the cloud provider — but must ensure that the processor:
- Implements strong technical and organizational security controls (as required under Section 8(5)).
- Processes data only under written contract or instruction from the company.
- Assists in reporting breaches to the Data Protection Board if any occur.
3. Security and Compliance Expectations
To remain compliant while using global cloud providers, Indian companies must:
- Review Data Processing Agreements (DPAs) — Ensure they cover DPDPA-specific obligations like lawful processing, breach reporting, and data deletion.
- Enable Encryption and Access Controls — Maintain confidentiality and integrity of data during transfer and storage.
- Store Backups Securely — Especially for sensitive or regulated sectors (BFSI, healthcare, etc.).
- Monitor Data Location — Confirm that data is not transferred to any future “restricted” country.
- Verify Breach Notification Clauses — Ensure the cloud provider promptly alerts you of any incident affecting your data.
For example, a fintech startup in Mumbai hosts its applications in AWS’s Singapore data center. It processes Indian customers’ payment data under consent, applies encryption, and follows breach-reporting norms. Since Singapore is not a restricted territory and the startup maintains compliance, this setup is fully legal under DPDPA.
If, in the future, the Government restricts certain countries for security reasons, companies will need to shift their data or services to allowed regions. Failing to comply after such notification could attract penalties under Section 33, up to ₹250 crore.
4. Sector-Specific Rules Still Apply
While DPDPA allows foreign cloud usage, sectoral regulators may impose additional conditions:
- RBI requires certain payment and financial data to be stored within India.
- IRDAI and SEBI have similar expectations for sensitive customer data.
Companies must therefore comply with both DPDPA and their sector regulator’s rules.
5. Key Takeaway
- Yes, Indian companies can continue using global cloud providers.
- Compliance responsibility lies with the Indian company (Data Fiduciary).
- Data transfers are allowed except to restricted countries.
- Security, encryption, and contractual safeguards are essential.
- Sectoral regulators may impose additional localization requirements.
Referenced Provisions:
- Section 3(b) – Extraterritorial applicability.
- Section 8(5) – Security safeguards and breach-reporting obligations.
- Section 16(1) – Cross-border data transfer permissions.
- Section 33(1) – Penalties for non-compliance (up to ₹250 crore).