Vishwaas AIVishwaas AIDocs
Thought Leadership · 6 min read · Jul 2026

Cross-Border Data Transfers Under DPDP

W3 B1.pngCross-Border Data Transfers Under DPDP

How India's Negative-List Model Changes Cloud, SaaS And Global Ops

Published by Vishwaas.ai | DPDP Series

1. Why Cross-Border Data Matters Under DPDP

Most modern products are quietly global. Customer records sit in one region, analytics in another, backups in a third, and support tools somewhere else in the cloud. Under DPDP, those invisible journeys of personal data matter.

Section 16 of the DPDP Act and Rule 15 of the DPDP Rules 2025 create India's new framework for cross-border data transfers. It is a deliberate move away from blanket localisation, and toward a more flexible but sovereignty-conscious model.

For product and compliance teams, this means cross-border architecture is now a regulated design choice, not just a technical convenience.

2. The Negative-List Approach: Allowed Unless Restricted

One of the most important features of DPDP is its negative-list approach to cross-border data transfers. In simple terms, transfers of personal data outside India are permitted by default, unless the Central Government specifically notifies certain countries or territories as restricted.

This is different from adequacy or whitelist models used in some other jurisdictions, where data can only leave once a destination has been formally approved. India's model assumes global flows are acceptable, and then gives the Government power to close specific doors if they become risky.

As of today, no restricted-country list has been notified, which means the legal position is that cross-border transfers remain broadly allowed, subject to other DPDP obligations.

3. What Data Fiduciaries Must Still Do Before Export

Even when no country is restricted, Data Fiduciaries cannot treat cross-border transfers as a free pass. Several conditions still apply.

In practice, organisations need to:

  • Have a clear lawful basis for processing and transfer - typically consent or legitimate use where applicable.

  • Reflect transfers in notices and privacy policies, so users are not surprised to learn their data is stored abroad.

  • Implement contractual safeguards with overseas processors or affiliates, aligning security, breach reporting and rights handling with DPDP.

  • Maintain a map of data flows and destinations, including which services and processors sit in which jurisdictions.

These steps turn cross-border transfers from an informal habit into a documented, defensible practice.

4. Significant Data Fiduciaries Face Extra Controls

For Significant Data Fiduciaries, cross-border governance is more demanding. Recent analyses of Rule 12 highlight obligations around algorithmic accountability, annual DPIAs and audits, and additional restrictions on certain categories of personal data.

In particular, the Rules anticipate that the Central Government may specify certain personal data and related traffic data that Significant Data Fiduciaries must not transfer outside India at all. This creates a stricter layer of localisation for specific high-risk data.

In short: while the negative list applies to everyone, SDFs may face deeper cross-border constraints than other organisations.

5. Sectoral Rules Can Override The General DPDP Position

DPDP's cross-border framework operates alongside sectoral rules. In areas like payments, banking, securities or insurance, regulators such as RBI, SEBI and IRDAI can impose stricter localisation or routing requirements that override the general DPDP position.

That means a transfer that is permissible under DPDP may still be prohibited or heavily constrained under sector-specific regulations, especially for payment data, certain financial records or regulated market infrastructure.

Organisations in regulated sectors therefore have to read DPDP together with their own regulator's circulars, not instead of them.

6. What A Good Cross-Border Compliance Posture Looks Like

A mature cross-border posture under DPDP usually has three layers: architecture, contracts and evidence.

Key characteristics include:

  • Clear diagrams or inventories showing which systems and processors sit in which countries.

  • Contracts that embed DPDP-aligned obligations for security, breach support, rights handling and deletion.

  • Policies that explain cross-border use in plain language.

  • Logs and artefacts showing that no data is transferred to any future restricted countries once notified.

This posture gives organisations a better chance of satisfying the Data Protection Board if cross-border practices ever come under scrutiny.

7. Practical Risks To Watch For

The negative-list model is business-friendly, but it also carries practical risks if not managed well.

Common issues include:

  • Unclear visibility into where sub-processors actually host data.

  • Data being copied from an allowed country to a future restricted country via third parties.

  • Difficulty migrating data out of a jurisdiction if it is later added to the negative list.

  • Weak tracking of legal bases for each transfer.

These risks can be reduced with better mapping, stricter vendor selection and more disciplined contracting.

8. Preparing For A Future Negative List

Because the Government has not yet published a list of restricted countries, organisations have a window to prepare. The smartest use of that time is to build systems that can adapt quickly.

That typically means:

  • Keeping an up-to-date registry of all cross-border data flows.

  • Designing architectures that can be re-routed or re-hosted if a jurisdiction becomes restricted.

  • Avoiding excessive dependence on single-country hosting for very sensitive data sets.

  • Monitoring official Gazette notifications and regulator guidance for early signals of change.

This preparation turns future restrictions into a manageable migration problem instead of a sudden crisis.

9. What Product And Ops Teams Should Do Now

Product, operations, security and legal teams all touch cross-border decisions in different ways. Under DPDP, they need to collaborate more deliberately.

Practical starting steps include:

  • Identifying which key features rely on offshore infrastructure.

  • Checking whether notices, consent flows and contracts reflect cross-border use.

  • Reviewing whether erasure, correction and access rights can be honoured cleanly when data sits abroad.

  • Setting up an internal owner for tracking cross-border developments and updating designs accordingly.

This makes cross-border compliance part of everyday product and ops work, not an occasional legal review.

10. Where Vishwaas.AI® Fits

Cross-border governance is difficult to manage in spreadsheets. As DPDP moves toward full enforcement, organisations will need platforms that can track data flows, attach legal bases to each stream, and surface risks when regulations change.

Vishwaas.AI® can help by giving teams a structured view of where personal data travels, which obligations apply, and how rights, breach workflows and retention rules extend across borders.

In the long run, companies that treat cross-border design as a trust decision - not just a hosting choice - will be better placed to navigate India's evolving privacy landscape.

(c)Vishwaas.ai | DPDP Compliance Made Simple

Last updated 06 Jul 2026, 13:05 IST · published 06 Jul 2026, 13:05 IST