Q5 - What is the government’s role in regulating cross-border transfers?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), the Central Government plays the primary and exclusive role in regulating cross-border transfers of personal data. While companies (Data Fiduciaries) may freely transfer personal data outside India, the Government can restrict or prohibit such transfers to specific countries or territories if it considers doing so necessary for reasons of sovereignty, integrity, security, or public interest.
1. Legal Basis
Section 16(1): The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary to such countries or territories outside India as it may specify.
This clause gives the Government the power to define where Indian citizens’ personal data may or may not be sent.
Until such notifications are issued, cross-border transfers remain unrestricted — meaning Indian companies can use global cloud providers and international service partners freely.
2. Current Status
- As of now, the Government has not restricted any country.
- Therefore, all personal data transfers abroad are permitted as long as:
  - Processing is lawful and based on consent or legitimate use, and
  - The receiving entity maintains reasonable security safeguards under Section 8(5).
However, once the Government issues a restriction list, data transfers to those countries must immediately stop, unless special exemptions are granted.
3. Purpose Behind Government Oversight
The intent of Section 16 is to ensure that India retains control over how its citizens’ data is protected when processed overseas.
Government oversight helps to:
- Prevent misuse of Indian citizens’ data by entities in countries lacking strong privacy laws;
- Safeguard national security interests;
- Ensure reciprocal arrangements or adequacy partnerships with trusted jurisdictions (similar to GDPR adequacy decisions).
For example, if India and Singapore sign a data protection agreement recognizing equivalent safeguards, Indian companies can freely transfer personal data to Singapore-based processors without additional approvals. But if a country is later deemed insecure or hostile, the Government can restrict transfers there via official notification.
4. How These Restrictions Work
Once a restriction is notified:
- Data Fiduciaries must cease transferring data to that country immediately.
- They may request the Government or the Data Protection Board of India for specific exemptions, such as for critical business or compliance needs.
- Violating these transfer restrictions can lead to penalties under Section 33(1) — up to ₹250 crore, depending on severity.
5. Relation to Other Frameworks
- DPDPA’s cross-border model is more flexible than the GDPR, which allows transfers only to “adequate” countries.
- India instead uses a “negative list” approach — transfers are allowed everywhere except restricted countries.
- This ensures ease of business while preserving national control.
6. Key Takeaway
- The Central Government controls cross-border data flow policy under DPDPA.
- Transfers are allowed by default, unless a country is specifically restricted.
- The Government can enter into bilateral or multilateral adequacy arrangements with trusted nations.
- Companies must stay updated on official notifications to avoid unlawful data transfers.
Referenced Provisions:
- Section 16(1) – Government’s authority to restrict cross-border data transfers.
- Section 8(5) – Duty to ensure security safeguards.
- Section 33(1) – Penalties for violation of restrictions (up to ₹250 crore).
- Section 40(2) – Power of the Central Government to make detailed rules and notifications.