checkDPDP

Cross-border data transfers under DPDP.

DPDP follows a blacklist approach: transfers out of India are allowed unless the Government specifically restricts a country. Here's what to do about it right now.

The position today

Section 16 of the DPDP Act lets the Central Government restrict the transfer of personal data to specified countries or territories by notification. Until a country is notified, transfers are allowed by default. This is the opposite of an EU-style "adequacy" regime, and far more permissive than the earlier draft bills that proposed sectoral whitelists.

No country has been notified yet. But sector regulators (RBI, IRDAI, MeitY for non-personal data and certain Significant Data Fiduciaries, or SDFs) can, and in some cases already do, impose localisation requirements that override the default.

What this means for your stack

  • Cloud hosting — your AWS/GCP/Azure region choice is currently a business decision, not a DPDP one. But it must be disclosed.
  • Analytics & ads — Google Analytics, Meta, LinkedIn pixels and similar tools transfer data abroad. You still need consent under DPDP, and the transfer must be disclosed in your notice.
  • SaaS & CRM — HubSpot, Salesforce, Zendesk, Notion, Linear etc. often host outside India. This is acceptable today, but the transfer must be disclosed and contractually governed.
  • Payment & banking data — RBI's 2018 directive on storage of payment system data still applies. If you handle payments, that's your real cross-border constraint.

What to do right now

  1. Map your data flows. Make a one-page table: data category, processor, region, lawful basis, retention. Update it whenever you onboard a vendor.
  2. Inventory your processors. Every SaaS that touches user data is a Data Processor. Have a signed agreement; document subprocessors.
  3. Disclose transfers in your notice. Don't hide behind "we may share with service providers globally". Name the categories and where data goes.
  4. Have a relocation plan. If a country gets blacklisted later, you need to know how long it would take you to move workloads. For mission-critical systems, prefer India regions when available — they're a hedge, not a requirement.

If you operate in BFSI, healthcare or telecom: your sector regulators' localisation rules likely already exceed what DPDP requires. Don't loosen them on the back of DPDP's permissive default — sector rules win.

Sources

What we read so you don't have to

  • Digital Personal Data Protection Act, 2023, Section 16 (transfer of personal data outside India).
  • Digital Personal Data Protection Rules, 2025 (notified by MeitY, 13–14 November 2025).
  • RBI Notification DPSS.CO.OD No. 2785/06.08.005/2017-18 (storage of payment system data).