How Does the DPDP Act, 2023 Regulate Cross-Border Data Transfers?
In today’s digital world, personal data such as names, phone numbers, health records, and financial details is often processed through global platforms and cloud services. This means your data may be stored or handled on servers located outside India.
Can Indians’ personal data be transferred abroad? The answer lies in the Digital Personal Data Protection (DPDP) Act, 2023 and the related government rules. This article gives an overview of what the law provides regarding cross-border transfers of personal data, the possible restrictions, and the implications for individuals and businesses.
What Is Cross-Border Transfer of Personal Data?
Cross-border transfer of personal data means sending or allowing personal data collected in India to be stored or processed in another country, such as the United States, Singapore, or European countries.
In today’s global digital economy, this is very common. Many Indian companies use cloud services like Google Cloud, Microsoft Azure, or Amazon Web Services, which operate data centers across the world. As a result, transferring data across borders is a normal part of how modern digital services function.
Can Personal Data Be Transferred Outside India Under the DPDP Act?
Yes. The DPDP Act permits personal data to be transferred outside India, subject to certain conditions. In general, such transfers are allowed unless the Government of India issues an official notification restricting transfers to specific countries or territories.
This is called a “blacklist” system. It means data can be sent to most countries by default. The government does not approve countries in advance. Instead, it can block certain countries if it believes there is a risk.
In short, personal data can be transferred outside India, but the government has the power to impose restrictions.
| Scenario | Is Transfer Permitted? | Why? |
| --- | --- | --- |
| An Indian e-commerce company stores its customer information on servers located in Singapore. | Yes | No government notification restricts transfers to Singapore. |
| An Indian fintech company relies on a cloud service provider whose servers are located in the United States. | Yes | Transfers are generally permitted unless a country is officially restricted. |
| The Government issues an official notification restricting data transfers to “Country X” due to security concerns. | No | Once officially notified, data cannot be transferred to that country. |
Who Determines Which Countries Are Restricted?
The Central Government of India decides which countries are restricted for data transfers. Section 16 of the DPDP Act says personal data can be transferred outside India, except to countries that the government officially notifies as restricted.
The law does not clearly explain the criteria for selecting these countries. The government has broad powers to make this decision through official notifications, and detailed rules may be issued later.
In simple terms, no country is automatically banned. A country becomes restricted only if the government formally notifies it.
Has the Government Issued a List of Banned Countries?
Under Section 16(2) of the DPDP Act and Rule 15 of the DPDP Rules, the government has so far not published any official list of restricted or banned countries for data transfers.
This means:
- Indian companies are currently allowed to transfer personal data to servers abroad, unless the government issues a specific restriction.
- There is no public list of countries where data transfers are prohibited under the Act (as of late 2025).
However, the government can issue such a list at any time, and organizations must watch official notifications to remain compliant.
Does the DPDP Act Require Data Localization?
No. The DPDP Act does not require all personal data to be stored in India.
“Data localization” means keeping data within India’s borders. Unlike some earlier proposals, the DPDP Act does not make this mandatory for all personal data. Instead, it allows data to be transferred abroad, unless the government restricts certain countries.
This approach balances privacy protection with the needs of global digital business.
However, there are exceptions. Other sector-specific laws may require localization. For example:
- The RBI requires certain payment system data to be stored in India.
- SEBI has conditions on cloud usage and data processing locations.
- Other regulators may impose similar rules in regulated industries.
While the DPDP Act itself does not mandate general localization, other laws may still require it in specific sectors.
Do My Rights Still Apply If My Data Is Transferred Outside India?
Yes. Your rights under the DPDP Act continue to apply even if your personal data is stored or processed outside India.
This means you still have rights such as access, correction, erasure, grievance redressal, and the ability to withdraw consent. These protections travel with your data; they do not end just because the data is transferred to another country.
However, enforcing your rights may be more difficult in practice if the data is stored in a country with weaker privacy laws.
That is why data fiduciaries must put proper contracts, safeguards, and security measures in place to ensure your data remains protected in line with Indian law, even when processed abroad.
What Are the Obligations on Companies (Data Fiduciaries)?
When a company collects and processes digital personal data in India, it becomes a Data Fiduciary under the DPDP Act (if it meets certain size or risk thresholds).
For cross-border transfers, key responsibilities include:
- Check legality: Ensure the destination country is not restricted by the Government. If a country is later banned, transfers must stop.
- Protect the data: Put safeguards in place, such as contracts, encryption, and security controls, to protect data even when it is processed abroad.
- Follow other laws: Comply with sector-specific rules (such as RBI or SEBI requirements), where applicable.
- Respect user rights: Ensure individuals can exercise their rights (access, correction, erasure, etc.) regardless of where the data is stored.
Companies classified as Significant Data Fiduciaries (SDFs) may have additional obligations, such as impact assessments or extra compliance measures, which could include location-related requirements if prescribed by future rules.
Why Does Cross-Border Data Regulation Matter?
Cross-border data rules are important for many reasons:
a. Privacy Protection
When data is transferred outside India, it may be subject to foreign laws. The DPDP Act ensures that your privacy rights continue to apply, even if your data is processed abroad.
b. National Security
The government can restrict transfers to certain countries to protect sensitive data and national interests.
c. Business and Innovation
Allowing data transfers helps Indian companies use global cloud services, technology tools, and digital platforms while staying accountable under the law.
d. Consumer Trust
Clear rules give people confidence that their data is protected, even when it moves across borders.
Practical Advice for Individuals and Businesses
Individuals should be mindful of the personal data they share, read privacy policies to understand how their data is used or transferred abroad, and exercise their rights under the DPDP Act if they suspect misuse.
Businesses should monitor government notifications on restricted countries, implement strong data protection policies and safeguards (especially with foreign service providers), comply with sector-specific regulations like RBI or SEBI rules, and stay updated on evolving DPDP compliance requirements.
Conclusion
The Digital Personal Data Protection Act, 2023, places India among countries with modern privacy laws. On cross-border data transfers, it takes a balanced approach.
Personal data can be transferred outside India; there is no general ban or mandatory localization under the Act. However, the Central Government can restrict transfers to specific countries through official notifications. As of late 2025, no such restricted list has been published.
Importantly, your privacy rights continue to apply even if your data is processed abroad, and organizations must ensure those rights are protected.
As digital services expand globally, this framework aims to balance individual privacy with the practical needs of businesses operating in a connected world.
Key Takeaways
1. Cross-border transfers are allowed - The DPDP Act permits personal data to be transferred outside India. There is no prohibition on sending data abroad.
2. Government can restrict certain countries - The Central Government can issue notifications to restrict or prohibit data transfers to specific countries or territories.
3. No restricted list so far - As of now, no official list of banned or restricted countries has been published under the DPDP Act.
4. No general data localization requirement - The Act does not require all personal data to be stored only in India. However, sector regulators like the RBI may require localization for certain types of data.
5. Your rights continue even if data goes abroad - Your rights, including access, correction, erasure, and grievance redressal, remain applicable even if your personal data is processed outside India.