Introduction
As global digital interactions grow, the cross-border transfer of personal data has become an integral part of business operations. Whether it’s a tech company outsourcing customer support to another country, or a payment processor transmitting user data across borders for real-time transaction processing, seamless data flow is critical. However, such flows raise crucial concerns about privacy, misuse, jurisdiction, and national security.
India’s data protection framework — particularly through the Digital Personal Data Protection Act (DPDPA) 2023, operational as of 2025 — introduces a structured and legally enforceable approach to regulate cross-border transfers of personal data. These rules aim to strike a balance between enabling international business and protecting the rights and privacy of Indian citizens, known legally as Data Principals.
This article explores the meaning, restrictions, conditions, and compliance requirements for cross-border data transfers under Indian law, with examples and interpretations to help businesses and professionals understand their obligations.
Meaning of Cross-Border Data Transfer
Cross-border data transfer refers to the transmission of digital personal data from servers or systems located within India to servers or entities outside India. This may include:
- Storing customer data on foreign servers (e.g., cloud storage in the US or Europe)
- Sharing employee data with overseas headquarters
- Outsourcing data processing functions (analytics, marketing, payroll) to third-party vendors abroad
While such transfers are often essential for operational efficiency, they expose data to different legal systems and potentially weaker data protection standards, prompting the need for a regulatory safeguard.
Evolution of Cross-Border Data Regulation in India
India has long debated data localization and transfer rules:
- 2017–2018: The Justice Srikrishna Committee proposed strict localization for sensitive personal data.
- 2019 PDP Bill: Proposed that sensitive personal data must be stored in India, though copies could be transferred abroad with conditions.
- 2023 DPDPA (final law): Took a more practical and business-friendly approach, removing the mandatory localization requirement but still introducing selective restrictions.
Key Provisions on Cross-Border Data Transfers Under DPDPA 2025
Unlike earlier drafts, the DPDPA 2023/2025 does not outright restrict all data transfers, nor does it require mandatory data localization. Instead, it allows cross-border data transfers by default, subject to certain government-issued restrictions.
The relevant features of the law are:
1. Government-Notified “Restricted Countries” Clause
Section 16 of the DPDPA empowers the Central Government to restrict the transfer of personal data to certain countries or territories based on considerations such as:
- National security
- Friendly relations with that country
- Risk of misuse
- Data protection standards in the receiving country
If a country is notified as “restricted”, then data transfers to that country will be prohibited.
However, as of now, no country list has been officially notified, meaning cross-border transfers are currently allowed unless and until specific countries are blacklisted.
2. Consent and Purpose Limitation
Even if transfers are permitted:
- They must be based on valid user consent
- The user must be informed in advance that their data may be transferred internationally
- The transfer must adhere to the purpose for which data was originally collected
For example, if a travel booking platform is collecting passport and payment data for booking international tickets, it must inform users during consent that their data may be shared with global airlines or payment gateways abroad.
3. Contractual Safeguards
Although the DPDPA doesn’t mandate this, it is a best practice (and often required by foreign laws like the GDPR) to include Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) in contracts with foreign vendors. These clauses should:
- Define how data will be handled
- Restrict data misuse
- Require security standards
- Mandate breach notification protocols
4. Protection of Data Principal Rights
Regardless of where data is transferred, the Indian citizen’s rights (such as right to withdraw consent or correct data) must be enforceable and respected. This means that organizations must ensure their foreign partners have mechanisms to support such rights.
5. Role of Data Protection Board of India (DPBI)
If any cross-border data transfer leads to a breach, misuse, or violation of rights, the Data Protection Board can initiate an investigation, and the originating company in India can be held liable, even if the actual misuse happened abroad.
6. Special Rules for Government Data
Data related to government contracts, strategic infrastructure, or critical sectors (like defense, healthcare, telecom) may be subject to sectoral restrictions or national security guidelines, even if not specifically restricted under DPDPA. These restrictions are often issued under separate rules or government orders.
7. Sensitive Personal Data (SPD) and Children’s Data
While the DPDPA treats all personal data under the same umbrella, businesses should treat sensitive personal data (such as biometric, health, financial, and children’s data) with additional caution. Cross-border transfers of such data should be conducted only when:
- The receiving entity has adequate safeguards
- User rights are contractually protected
- Proper encryption and anonymization are used
Illustrative Example: How Cross-Border Transfer Works
Example 1: E-commerce Platform
A company named Shopora India Pvt. Ltd., based in Mumbai, uses an email marketing service hosted in Ireland to send personalized promotional emails to its Indian customers. It collects user data (email, purchase history, browsing behavior) and shares it with the Irish platform.
To comply with DPDPA:
- Shopora must inform users that their data may be processed outside India
- It must take consent at the time of sign-up
- It must ensure the foreign service provider has proper data security and privacy protocols
- If Ireland is later designated as a restricted country, Shopora must stop transferring data there and find an alternate solution
Example 2: Indian Fintech Sharing Data with US Analytics Partner
An Indian fintech company shares customer transaction patterns with a US-based AI company for predictive analytics.
They must:
- Get user consent
- Ensure data is pseudonymized or encrypted
- Enter into a binding agreement with the US partner on handling of data
- Comply with sectoral RBI guidelines if applicable
- Be ready to stop the transfer if the US is notified as a restricted country
Challenges in Cross-Border Transfers
Several businesses face operational challenges while ensuring cross-border compliance:
- Lack of clarity on which countries may become restricted in the future
- Inconsistent international laws (e.g., difference between Indian law and EU’s GDPR)
- Difficulty in monitoring third-party data usage once transferred
- Legal uncertainty when data is moved via global cloud platforms (like AWS, Azure)
To overcome these, organizations should:
- Maintain a map of all international data flows
- Limit transfers to countries with strong privacy laws
- Use strong contracts and data processing agreements
- Choose cloud regions and vendors based on data protection standards
Comparison with Global Laws
Let’s look at how DPDPA’s stance compares with other countries:
GDPR (EU): Allows transfers only to countries with adequate data protection, or via SCCs or Binding Corporate Rules. Very strict.
CCPA (California): Less restrictive, but requires disclosures and opt-outs for sale of personal data.
Singapore PDPA: Allows cross-border transfers if the receiving party ensures comparable protection.
India’s DPDPA: More flexible, permits transfer by default unless restricted. Places emphasis on consent and government control rather than adequacy assessments.
This shows that while India is adopting a liberal transfer model, it retains sovereign control by reserving the right to blacklist specific countries.
Conclusion
India’s DPDPA 2025 introduces a modern, globally-aligned yet India-first approach to cross-border data flows. It avoids blanket restrictions and allows transfers by default, while enabling the government to step in if necessary. For businesses, this means greater freedom — but also the responsibility to manage consent, partner contracts, user rights, and security across borders.
Organizations must treat cross-border data not just as a technical task, but as a legal obligation. They should audit their data flows, evaluate risks, and build policies that align with India’s emerging privacy regime. As the Central Government starts notifying restricted countries and more specific rules, compliance will shift from voluntary to mandatory. Early preparation is key to ensure business continuity, consumer trust, and legal safety in a world increasingly dependent on global data exchange.