What this topic covers
Section 16 takes the opposite approach from GDPR — instead of requiring adequacy decisions before transfers are allowed, it permits them by default and lets the Central Government restrict specific destinations via a notified 'negative list'. As of the Rules 2025, no such list has been published. In practice this means an Indian fintech can ship logs to AWS us-east-1 today without a separate transfer mechanism, unless and until MeitY notifies the destination as restricted.
The part most cross-border videos miss: sector-specific regulators can be stricter than DPDP, and DPDP doesn't override them. RBI's payment-data localisation circulars still require domestic storage for payment systems. IRDAI has its own data-residency notes. Section 16 is a floor, not a ceiling — where a sector law mandates local processing, that obligation stands.
The practical playbook from a good explainer: inventory every cross-border data flow today, map each to a sector regulator if one applies, default sector-regulated flows to India-resident processing, and document everything else. If MeitY later notifies a country as restricted, you'll need to migrate within the notified grace period — the documented inventory is what makes that migration possible.
Points a complete video on this topic should cover
- Section 16 — permissive default with negative-list override
- Why the "negative list" approach is the opposite of GDPR adequacy
- How sector regulators (RBI, IRDAI, SEBI) override DPDP's permissive floor
- Inventory and documentation as the practical compliance baseline
- India-region deployment as the future-proof default
- How to plan for a future negative-list notification without paranoia
Relevant sections of the DPDP Act / Rules
- Section 16 (cross-border)
- Sector-regulator overlays (RBI, IRDAI, SEBI)