Cross-Border Data Transfers under the DPDP Act, 2023: Government’s Power to Whitelist and Blacklist Jurisdictions

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a controlled model for cross-border data transfers, departing from earlier localisation-heavy approaches. Instead of imposing blanket restrictions, the Act authorises the Central Government to notify jurisdictions where transfers may be either permitted (whitelisted) or restricted (blacklisted).
This discretionary power provides regulatory flexibility, but also creates uncertainty for businesses, particularly those dependent on global data flows. Unlike the GDPR’s structured adequacy decision framework, India’s model relies heavily on executive notification, with minimal statutory detail on criteria.
Introduction: The Global Stakes of Data Transfers
Modern businesses thrive on cross-border data flows. Cloud services, global HR systems, e-commerce, AI-driven analytics, and outsourcing models all depend on moving data seamlessly across jurisdictions. At the same time, governments are increasingly concerned about data sovereignty, privacy, and national security, leading to stricter regulations.
The DPDP Act seeks to balance India’s ambition to remain a global IT hub with its sovereign interest in regulating cross-border transfers. The Act introduces a government-controlled whitelist/blacklist regime for international transfers of personal data.
Statutory Framework under the DPDP Act
The Act provides that:
- Personal data may be transferred outside India to such countries or territories as may be notified by the Central Government.
- The Government retains discretion to restrict or allow transfers to specific jurisdictions.
- There is no statutory mandate for data localisation (i.e., requiring data to stay within India).
This framework gives the Government sweeping powers to control cross-border data flows through notifications, without prescribing detailed criteria for decisions.
Government’s Power to Whitelist and Blacklist
Whitelisting: The Government may notify certain jurisdictions as approved for cross-border transfers. For example, transfers to countries with strong data protection frameworks (such as the EU, Japan, or Singapore) may be allowed.
Blacklisting: Conversely, jurisdictions may be restricted if considered lacking in safeguards, hostile, or geopolitically sensitive. For example, transfers to jurisdictions with weak privacy laws or inadequate cybersecurity may be restricted.
Absence of Criteria
Unlike GDPR’s adequacy mechanism, the DPDP Act does not specify:
- What benchmarks will guide approvals.
- Whether contractual clauses or corporate rules can substitute.
- Whether sector-specific exemptions may be carved out.
This open-ended discretion provides flexibility but introduces uncertainty for businesses.
Comparison with Global Privacy Laws
GDPR (EU): Transfers are permitted to jurisdictions covered by an adequacy decision of the European Commission. In the absence of an adequacy decision, Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) may be used. Criteria include the rule of law, the data protection framework, and enforceability.
LGPD (Brazil): Transfers allowed where the foreign country provides an adequate level of protection or where contractual safeguards exist.
PDPA (Singapore): Allows transfers if organizations ensure comparable protection abroad through contracts or certifications.
CCPA (California): Does not directly regulate international transfers but imposes strict obligations on the sharing/sale of personal data, indirectly affecting cross-border flows.
India diverges by not offering contractual mechanisms like SCCs/BCRs. Instead, businesses must rely solely on government notifications.
Sectoral Implications
IT and ITES: India’s IT outsourcing industry thrives on processing foreign data, but many operations also require sending data back overseas. Whitelist/blacklist uncertainty may complicate contractual negotiations with global clients.
Fintech and Banking: Cross-border transactions, credit scoring, and cloud-based payment gateways depend on seamless transfers. Restrictions on key jurisdictions (e.g., U.S. cloud servers) could disrupt services.
Healthcare and Pharma: Clinical trials, telemedicine, and global research collaborations involve transferring sensitive patient data abroad. Lack of clarity on permitted jurisdictions could stall collaborations.
Cloud Service Providers: Most major cloud servers are located outside India. A blacklist of certain jurisdictions could force costly migration and localisation efforts.
Global E-Commerce: E-commerce platforms store and analyse consumer data globally for logistics, inventory, and personalization. Jurisdictional restrictions may fragment data operations.
Illustrative Scenarios
- Fintech: An Indian digital lender uses a U.S.-based credit analytics engine. If the U.S. is blacklisted, the lender must migrate analytics locally or to an approved jurisdiction, disrupting operations.
- Healthcare: A hospital in India participating in a multinational clinical trial transfers anonymised patient data to a research hub in Europe. If Europe is whitelisted, the transfer continues; if restricted, trial compliance is jeopardised.
- Employment: A multinational company shares Indian employee data with its HR systems in Singapore. If Singapore is whitelisted, the lawful transfer continues; otherwise, the business must create India-specific infrastructure.
Risks of Uncertainty
- Policy Volatility: Government may alter whitelist/blacklist based on geopolitical or trade considerations.
- Business Unpredictability: Companies cannot plan long-term if transfer rules depend solely on notifications.
- Compliance Burden: Lack of contractual alternatives (like SCCs) means businesses must await government action.
- Trade Disputes: Restrictions on certain countries may trigger retaliatory measures affecting India’s IT exports.
Compliance Strategies for Businesses
1. Data Flow Mapping: Identify where Indian personal data is transferred and stored globally. Assess exposure to high-risk jurisdictions.
2. Localization Readiness: Maintain contingency plans for storing data within India if key jurisdictions are blacklisted.
3. Anonymisation: Use irreversible anonymisation to continue global analytics without triggering transfer restrictions.
4. Vendor Contracts: Include clauses requiring vendors to adapt to Indian transfer restrictions. Build flexibility to migrate services if required.
5. Regulatory Engagement: Industry associations should engage with government to shape whitelist/blacklist policies.
Comparison of Flexibility vs. Certainty
India’s model provides flexibility to respond quickly to emerging threats or geopolitical risks. However, businesses prefer certainty, as seen in GDPR’s structured mechanisms. The absence of contractual alternatives in DPDP means organizations are entirely dependent on government notifications.
This places India somewhere between GDPR’s predictable adequacy model and more sovereignty-driven regimes that mandate outright localisation.
Conclusion & Key Takeaways
The DPDP Act’s cross-border transfer provisions grant the Indian Government discretionary control over which jurisdictions may receive Indian personal data. While this avoids rigid localisation and supports global commerce, it creates uncertainty for businesses.
Key takeaways for organizations:
- Map and monitor global data flows.
- Prepare contingency plans for jurisdictional restrictions.
- Use anonymisation where possible to mitigate transfer risks.
- Build contractual safeguards anticipating regulatory changes.
- Engage with industry groups to advocate for predictable and business-friendly policies.
In sum, India’s cross-border framework reflects a pragmatic yet sovereignty-driven approach. Businesses must remain agile, investing in compliance strategies that anticipate regulatory shifts and geopolitical considerations, ensuring continuity of operations in India’s evolving data protection landscape.
Contributed by – Aurelia Menezes