Skip to main content

Cross-Border Data Transfers under DPDPA

One of the most debated questions in data protection is: Can personal data leave the country? The Digital Personal Data Protection Act (DPDPA), 2023 addresses this directly. India has chosen a balanced path — allowing cross-border transfers but retaining the power to restrict them when necessary.

Under the Act, organizations are generally permitted to transfer personal data outside India. This is important because businesses today rely on global operations, cloud providers, and analytics platforms that may be based in other countries.
For example, a company like ABC Fintech Pvt. Ltd. may use servers in Singapore or Ireland to store and analyze customer data.

However, the government has reserved the right to impose restrictions on transfers to specific countries or regions. If a country is considered risky — perhaps because it lacks strong privacy laws, has poor cybersecurity standards, or poses a threat to India’s national interests — the government can issue an official notification banning or limiting transfers there.

The rules also recognize the importance of contractual and technical safeguards. Data Fiduciaries transferring information abroad are expected to ensure that the receiving entity provides the same level of protection required under Indian law. This may involve:

  • Data transfer agreements
  • Standard contractual clauses
  • Organizational certifications that guarantee adequate safeguards
Critical Point

Transfers are allowed by default, but not unconditional.
The government acts as the gatekeeper, able to block transfers to jurisdictions that are not trustworthy.
Businesses must remain accountable even when data is stored or processed outside India.

Example Scenario

Imagine XYZ HealthTech in Bangalore is collaborating with a U.S.-based partner for AI-driven medical research. It may send anonymized patient datasets abroad for analysis. This is permitted, but if the data included identifiable personal details and the U.S. was ever restricted by the Indian government, the transfer would become unlawful unless exemptions applied.

This flexible system is meant to balance two goals: protecting the privacy of Indian citizens and supporting India’s position in the global digital economy. By not opting for complete data localization, India avoids isolating itself, while still retaining control over national security and sensitive data flows.

In short, cross-border transfers under DPDPA are permitted but regulated, requiring organizations to remain alert, compliant, and ready for sudden changes in government policy.