20 May 2026 · 7 min read
Section 16 of the DPDP Act takes a permissive default with restrictive overrides: cross-border transfers of personal data are generally allowed, except to countries or territories the Central Government notifies as restricted. This is a 'negative list' approach — the opposite of GDPR's 'adequacy decision' system, where transfers are blocked unless the destination is on the approved list.
In practice, that means an Indian fintech can ship logs to AWS us-east-1 today without a separate transfer mechanism — unless and until MeitY notifies the United States as restricted (highly unlikely for the next several years given the strategic relationship). The negative list, when it lands, is widely expected to target jurisdictions India views as hostile or unreliable for enforcement cooperation; mainstream cloud destinations are not in scope.
But — and this is the part people miss — sector-specific regulators can be stricter than DPDP. RBI's localisation circulars for payment data still require domestic storage for payment systems. IRDAI has its own data-residency notes. The DPDP Act's Section 16 is a floor, not a ceiling: where a sector law mandates local processing, that obligation stands regardless of DPDP being permissive.
Practical playbook:
(1) Inventory every cross-border data flow today: every processor, every sub-processor, every region.
(2) Map each flow to a sector regulator (RBI, IRDAI, SEBI, MoH&FW) if one applies.
(3) For flows that touch a sector-regulated category, default to India-resident processing or a documented justification.
(4) For everything else, document the destination and the processing purpose; if MeitY later notifies a country as restricted, you'll need to migrate within the notified grace period.
Most CMP and privacy platforms now offer India-region deployment: Skyflow, Securiti, Sprinto, Scrut, OneTrust and Cookiebot all support some India residency option. If you're choosing infrastructure today, defaulting to the India region costs nothing extra and protects you from a future negative-list shock.
Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.