Data Localization vs. Cross-Border Flexibility – India’s Approach under the DPDP Act, 2023

Posted On - 22 October, 2025 • By - Jidesh Kumar

Executive Summary

India’s debates on data localization have shaped its privacy law journey for nearly a decade. Early proposals sought blanket localization of all sensitive data within India, but the Digital Personal Data Protection Act, 2023 (DPDP Act) has taken a more balanced approach. Instead of mandating storage in India, the DPDP Act permits cross-border transfers by default, subject to the government’s power to restrict transfers to notified jurisdictions.

This hybrid approach seeks to balance national security and sovereignty concerns with India’s outsourcing and IT/ITES export economy. It contrasts sharply with China’s strict localization regime and sits closer to the EU’s adequacy model, albeit with executive discretion replacing structured adequacy decisions.

Introduction: The Data Localization Debate

The question of where personal data should reside has been contentious globally. Localization advocates argue it:

  • Enhances sovereignty and security.
  • Aids law enforcement access.
  • Promotes domestic industry development.

Opponents warn it:

  • Increases costs for businesses.
  • Creates data silos incompatible with global commerce.
  • Reduces cloud efficiency and innovation.

India’s initial proposals leaned heavily toward localization, but the DPDP Act reflects compromise and pragmatism.

Evolution of India’s Position

1. 2017 Justice Srikrishna Committee

  • Proposed stringent localization for sensitive data.

2. 2019 PDP Bill

  • Required sensitive personal data to be mirrored in India.
  • Critical personal data had to be stored only in India.

3. 2021 Joint Parliamentary Committee (JPC)

  • Recommended even stricter localization, citing sovereignty.

4. 2022 Draft DPDP Bill

  • Shifted to cross-border flexibility, subject to a government “negative list.”

5. 2023 DPDP Act

  • Final framework: default free flow of data, except to jurisdictions restricted by government notification.

This marks a significant policy shift toward global interoperability.

DPDP Act Framework

General Rule: Personal data may be transferred outside India by fiduciaries.

Restriction Power: The Central Government may restrict transfers to specific countries or territories. No explicit requirement to store data in India.

Sectoral Carve-Outs: Sectoral regulators (e.g., RBI for payments, SEBI for market data) may impose stricter rules. DPDP does not override such sectoral mandates.

Comparison with Global Models

GDPR (EU)

  • Cross-border transfers permitted only to jurisdictions with adequacy decisions, or with contractual safeguards.
  • Structured, transparent process.

China

  • Strict localization for critical information infrastructure and sensitive data.
  • Outbound transfers require security assessments.

Singapore PDPA

  • Transfers allowed if recipient ensures comparable protection.

Brazil LGPD

  • Transfers allowed to countries with adequate protection or through safeguards.

India DPDP

  • Default flexibility with executive power to blacklist jurisdictions.
  • Simpler but more uncertain.

Sectoral Implications

Banking and Fintech

  • Already subject to RBI payment data localization.
  • Cross-border analytics for fraud detection may face scrutiny.

Healthcare and Health-Tech

  • Hospitals using global cloud services for patient data must monitor government notifications.
  • Cross-border clinical research requires careful contractual safeguards.

E-Commerce

  • Platforms using foreign servers must prepare contingency plans for sudden restrictions.

IT/ITES and Outsourcing

  • India’s outsourcing industry thrives on cross-border data flows.
  • The DPDP framework preserves competitiveness, but blacklisting could disrupt contracts.

Telecom

  • Subscriber data transfers to foreign vendors must align with TRAI guidelines and DPDP.

Hypothetical Case Illustrations

Case 1: Fintech Using U.S. Cloud Servers

  • An Indian fintech stores KYC data on U.S. servers.
  • If the U.S. is blacklisted by government notification, the fintech must repatriate data within a compliance window.
  • Costly migration and service disruption ensue.

Case 2: Hospital Outsourcing Analytics Abroad

  • A hospital sends anonymised genetic data to a European research lab.
  • If the EU remains unrestricted, lawful transfer continues.
  • If the EU is restricted, the hospital must halt transfers or seek anonymisation exceptions.

Case 3: BPO Serving Global Clients

  • An Indian BPO processes EU customer data.
  • DPDP allows free transfer, but EU GDPR demands adequacy or safeguards.
  • Dual compliance requires EU Standard Contractual Clauses + DPDP alignment.

Case 4: Telecom Vendor Restriction

  • An Indian telecom uses a Chinese vendor for data analytics.
  • If China is blacklisted, immediate cessation is required, forcing a vendor switch.

Compliance Challenges

  1. Uncertainty: Businesses cannot predict which jurisdictions will be restricted.
  2. Contractual Complexity: Cross-border agreements must include repatriation clauses.
  3. Operational Disruption: Sudden blacklisting could force data migration within tight deadlines.
  4. Sectoral Conflicts: DPDP flexibility vs. RBI/SEBI localization mandates.

Compliance Strategies

  1. Data Mapping: Catalogue all cross-border transfers, destinations, and purposes.
  2. Contractual Safeguards: Include clauses requiring vendors to comply with DPDP and assist in repatriation if needed.
  3. Hybrid Storage Models: Store critical datasets locally while allowing analytical copies abroad.
  4. Government Monitoring: Track notifications for blacklisted jurisdictions.
  5. Contingency Planning: Develop exit and migration plans for critical transfers.

Risks of Non-Compliance

  • Regulatory Penalties: Up to ₹250 crore for unlawful transfers.
  • Contractual Breach: Failure to deliver services due to blacklisting.
  • Reputational Harm: Public backlash if sensitive data is sent abroad unlawfully.
  • Operational Costs: Expensive, disruptive repatriation projects.

Conclusion & Key Takeaways

The DPDP Act takes a pragmatic middle path between strict localization and an unfettered free flow of data. By default, cross-border transfers are allowed, but the government retains the power to restrict hostile or untrustworthy jurisdictions.

Key takeaways:

  • Cross-border flexibility supports India’s outsourcing economy.
  • Blacklist power introduces regulatory uncertainty.
  • Businesses must map transfers, embed contractual safeguards, and prepare contingency plans.
  • Sectoral rules (RBI, SEBI, IRDAI) may still mandate localization.

For Indian corporates, the message is clear: global data flows are welcome, but sovereignty trumps convenience. Compliance demands foresight, agility, and contractual readiness.

Contributed by – Aurelia Menezes