Cross-Border Data Transfers Under the DPDP Act, 2023 and DPDP Rules, 2025: Navigating India’s New “Negative List” Regime

Introduction
India’s move towards a comprehensive, modern, rights-centric data protection regime has reached a defining moment with the publication of the Digital Personal Data Protection Rules, 2025 and the staggered operationalisation of the Digital Personal Data Protection Act, 2023 (DPDP Act) through the notification issued on 13 November 2025.
While the Act provides the legislative foundation for cross-border data transfers, it is Rule 15 of the DPDP Rules that operationalises this framework, marking a significant departure from global norms. India has chosen a “negative list” system instead of the more commonly adopted “adequacy” or “whitelist” mechanism that exists under GDPR and several other privacy regimes. Under this Indian model, cross-border transfers are permitted to any jurisdiction unless expressly prohibited by the Central Government.
This paradigm offers both opportunities and challenges. On one hand, it allows Indian start-ups, digital platforms, and multinational companies (MNCs) considerable flexibility for global operations and cloud-centric infrastructures. On the other hand, it introduces uncertainty because companies cannot predict when the Government may impose restrictions, whether based on geopolitical considerations, national security concerns, or sector-specific sensitivities.
Legal Foundation for Cross-Border Transfers Under the DPDP Act
Cross-border data transfers are governed primarily by Section 16 of the DPDP Act, 2023, which states that personal data may be transferred to any country except those restricted by the Central Government.
Unlike the GDPR, the Indian Act does not speak of:
- adequacy assessments,
- standard contractual clauses (SCCs),
- binding corporate rules (BCRs), or
- onward transfer controls.
Instead, it empowers the Central Government to issue specialized or general directions to restrict transfers to:
- specific countries,
- specific territories,
- classes of data fiduciaries, or
- specific sectors.
Thus, the Act itself creates a flexible, policy-driven, executive-led regime rather than a static legislative whitelist. This structure reflects India’s geopolitical and economic considerations, allowing the State to respond dynamically to emerging risks without legislative bottlenecks.
The Role of the Enforcement Notification (13 November 2025)
The cross-border transfer regime does not come into force immediately.
The Government’s notification dated 13 November 2025 activates different provisions on staggered dates:
- Immediately: foundational and Board-related sections.
- One year after publication: some significant fiduciary and consent provisions.
- Eighteen months after publication: Section 16 (cross-border transfers) and all operational obligations.
This means that cross-border transfer compliance becomes fully operational only eighteen months after 13 November 2025, giving companies time to:
- conduct data-mapping exercises,
- restructure global data flows,
- renegotiate contracts, and
- upgrade technical controls.
Businesses must use this window proactively; failure to prepare could lead to sudden non-compliance when restrictions are announced.
Rule 15 of the DPDP Rules: Operationalising Section 16
Rule 15 of the DPDP Rules states: “A Data Fiduciary may transfer personal data outside India except where the Central Government restricts such transfer.” No additional mechanisms, conditions, technical evaluations, or contractual elements are mandated unless imposed through Government notification.
Key features of Rule 15 include:
1. Negative-list approach: Transfers are allowed globally unless banned. This is the opposite of restrictive adequacy regimes used elsewhere.
2. Government power to impose conditions: The Ministry of Electronics & Information Technology (MeitY) may:
- impose security certifications,
- mandate local storage for specific data categories,
- restrict transfers to specific companies/entities, or
- require risk assessments for certain sectors.
3. Applicability to all Data Fiduciaries: Whether an Indian startup, an MNC, or a government contractor, the rule applies uniformly.
4. Future-ready architecture: The rule anticipates rapid responses to geopolitical or sectoral risks. In practical terms, Rule 15 is intentionally flexible, but this flexibility places an increased burden on companies to be vigilant, contractually robust, and operationally agile.
5. Implications for Global Cloud Infrastructure: Most Indian companies, especially fintech, e-commerce, healthtech, SaaS, and enterprise businesses, depend heavily on multinational cloud service providers (AWS, GCP, Azure, Snowflake, Oracle, etc.). The negative list regime allows ongoing reliance on these services, but with three major caveats:
Caveat 1: Future restrictions could disrupt cloud architectures
If a major jurisdiction is added to the restricted list, organisations using cloud regions in that country may face:
- immediate obligations to migrate,
- data localisation for critical workloads, or
- re-routing of APIs and services.
Caveat 2: Sectoral restrictions may emerge
Sensitive sectors like defence, energy, telecom, critical infrastructure, or digital ID may face tighter transfer restrictions.
Caveat 3: Cross-border DR/BCP architecture must evolve
Companies using offshore disaster recovery may need India-based fallback systems. Thus, while permissible today, cross-border cloud usage must be accompanied by restriction-ready architectural design, ensuring minimal disruption if the Government issues new notifications.
The SDF Oversight Layer: Implicit Constraints on Transfers
Section 10 of the DPDP Act governs Significant Data Fiduciaries (SDFs), who face higher accountability based on factors such as:
- volume and sensitivity of data,
- risk of harm,
- impact on national security or public order.
The Rules (Rule 13) impose additional obligations on SDFs, including:
- annual audits,
- DPIAs,
- algorithmic risk assessments,
- independent data auditor oversight,
- and restrictions on transfer of certain “specified” data categories.
This creates an implicit cross-border control leverage: Government may prohibit SDFs from transferring certain classes of personal data even if those data points are transferable by non-SDFs.
Thus, for SDFs, including large telecom providers, banks, insurance companies, e-commerce majors, social networks, and hyperscale platforms, cross-border transfer policies will be more heavily scrutinised.
Interaction with Other DPDP Rules Affecting Transfers
Cross-border transfers cannot be viewed in isolation. Multiple rules affect the compliance calculus:
- Rule 6 (Security Safeguards): Cross-border transfers heighten cybersecurity vulnerabilities; Rule 6 mandates encryption, access controls, masking, monitoring, backup and log retention.
- Rule 7 (Breach Notification): Offshore processors must support India’s strict breach reporting timeline and dual notification.
- Rule 8 (Retention and Deletion): Deletion requests must propagate to offshore processors too, with audit trails.
- Rule 14 (Rights of Data Principals): Cross-border processing must preserve access, correction, and erasure rights.
Thus, “transfer compliance” is not only about the transfer itself but the end-to-end lifecycle of the data abroad.
The Government’s Power to Demand Information (Rule 23)
Rule 23 empowers the Government to demand information from Data Fiduciaries and intermediaries. When data is stored offshore, companies must ensure:
- data can be retrieved promptly,
- access is not impeded by foreign laws,
- cloud contracts permit timely retrieval,
- and data sovereignty mandates are respected.
This rule makes cross-border storage a more complex risk category for regulated sectors and government contractors.
Impact on Indian Startups, SaaS companies, and Technology Platforms
Startups and SaaS businesses often rely on:
- global developer tools,
- foreign cloud regions,
- offshore analytics engines,
- international CDNs,
- outsourced development teams.
The negative list model is beneficial because it does not immediately require localisation. However, startups must:
- track Government notifications,
- maintain contingency architecture,
- negotiate data portability with foreign vendors,
- and document transfer risk in investor compliance reports.
VCs and international investors may increasingly evaluate “transfer resilience” as a due diligence parameter.
Impact on Multinational Companies (MNCs)
For MNCs with Indian operations, the DPDP regime requires alignment with global privacy programmes and local Indian nuances.
Five challenges MNCs must anticipate:
1. Conflicts of law: GDPR, DPDP, US state privacy laws, APAC legislation, and China’s PIPL may conflict in obligations, especially regarding government access and data mobility.
2. Data residency expectations: Even if unrestricted today, India may require localisation for critical sectors tomorrow.
3. Group entity transfers: Internal data flows to HQs must comply with Rule 15’s restrictions once issued.
4. Vendor risk: Foreign processors must be contractually compelled to support DPDP obligations.
5. Rapid-response architecture: MNCs should build routing flexibility to shift Indian data from one jurisdiction to another if prohibited.
Ultimately, MNC data governance models must integrate Indian cross-border risk just as they currently do for European, Chinese, and Middle Eastern markets.
Anticipated Future Restrictions: Where the Negative List May Apply
While no countries or sectors have yet been restricted under the DPDP Act, industry analysis suggests the negative list may first apply in the following areas:
1. National Security & Geopolitics: Countries with which India has strained diplomatic relations may be added.
2. Critical Infrastructure: Sectors involving telecom, energy, transport, and defence could face tighter rules.
3. Public Health & Digital ID: Aadhaar-related, healthcare, and biometric datasets may be protected more rigorously.
4. Public Sector and Welfare Systems: Data processed under Rule 5 for subsidies, licences, and permits may be localised.
Thus, while Rule 15 appears liberal today, the long-term arc of policy may favour regulated permissiveness with sectoral safeguards.
Contractual Considerations for Companies Engaged in Cross-Border Transfers
Under the DPDP Act and Rules, Data Fiduciaries remain responsible for the actions of Data Processors overseas. Every contract with an offshore recipient should address:
1. DPDP-aligned data processing terms: Including compliance with Rule 6, Rule 7, and Rule 8.
2. Termination & data retrieval rights: Mandatory in light of Rule 23.
3. Sub-processing restrictions: No onward transfer to a country that may become restricted.
4. Localisation fallback clauses: Contracts must allow re-routing without delay.
5. Breach notification timelines: Foreign processors must notify Indian entities sufficiently early for compliance.
6. Independent audit rights: Especially for SDFs and regulated entities.
7. Liability allocation: To cover penalties under the DPDP Act.
Companies must update their DPAs (Data Processing Agreements) accordingly; legacy GDPR-style SCC-based DPAs are insufficient for Indian compliance.
The Compliance Lifecycle: What Companies Must Do
Phase 1: Map & Assess (Months 1–6)
- Inventory all personal data transfers.
- Identify foreign vendors, cloud regions, API integrations.
- Categorize data by sensitivity and volume.
- Identify sector-specific risks (finance, telecom, health, etc.).
Phase 2: Design & Remediate (Months 6–12)
- Architect fallback systems.
- Localise critical backups if needed.
- Strengthen contractual safeguards.
- Implement enhanced cybersecurity and monitoring.
Phase 3: Monitor & Govern (Months 12–18)
- Set up a real-time regulatory monitoring function.
- Establish escalation protocols.
- Train teams on updated SOPs.
- Prepare DPDP compliance documentation for audits or DPB inspection.
Phase 4: Sustain & Optimise (Post-Go-Live)
- Run cross-border DPIAs annually.
- Evaluate AI/ML processing impacts (Rule 13).
- Conduct vendor re-certification.
- Ensure continuous risk assessment and board-level reporting.
This lifecycle should be embedded into enterprise-wide data governance frameworks.
Penalties and Board Enforcement Risk
Cross-border transfer violations may attract penalties under the Schedule to the DPDP Act, which go up to ₹250 crore for serious failures. The Data Protection Board (DPB) may also:
- demand information (Section 36),
- issue directions (Section 28),
- conduct inquiries (Section 19),
- or block platforms of repeat violators (Section 37).
Thus, a failure to conform to cross-border rules is both a financial and operational risk, especially for digital platforms.
Strategic Recommendations: Building a Cross-Border Transfer-Ready Enterprise
To operate confidently under the DPDP Act’s cross-border regime, companies, both Indian and multinational, should adopt the following strategies:
1. Build “restriction-ready” data architectures: Ensure rapid switching from one jurisdiction or cloud region to another.
2. Use India-based redundancy systems: Local DR systems protect against sudden transfer restrictions.
3. Strengthen contracts with global vendors: Add DPDP-specific terms on localisation, retrieval, breach reporting.
4. Conduct annual Transfer DPIAs: Especially for SDFs handling large-scale or sensitive datasets.
5. Establish a regulatory tracking function: Monitor MeitY notifications to identify restricted countries early.
6. Integrate DPDP compliance with global privacy programmes: Ensure no contradictions with GDPR, PIPL, CPRA, or APAC frameworks.
7. Educate leadership: Boards and C-suite must understand transfer risks and obligations.
8. Embed cross-border risk into enterprise risk management (ERM): Treat it as a formal risk category for audits and governance.
9. Upgrade cybersecurity posture: Rule 6’s requirements must extend to all offshore processors.
10. Prepare a contingency migration plan: Companies must be ready to migrate data assets within 30–90 days if a jurisdiction is banned.
Conclusion
The DPDP Act, 2023, and the DPDP Rules, 2025, introduce a forward-looking, flexible, and sovereignty-conscious model for cross-border data transfers. India’s “negative list” approach reflects a pragmatic balance: it preserves operational freedom for businesses while granting the State the ability to act swiftly in response to national security, geopolitical, or systemic risks.
For Indian and multinational companies, the message is clear: cross-border transfers are permissible, but not guaranteed. The burden lies on enterprises to build resilient, adaptable, technically robust data ecosystems that can withstand regulatory shifts. The eighteen-month implementation window offers a rare opportunity to modernise data governance, strengthen contractual frameworks, redesign infrastructure, and embed global best practices.
In a world where digital sovereignty and data geopolitics are rapidly evolving, companies that take early, strategic steps toward DPDP-aligned cross-border compliance will not only mitigate risk but also gain competitive advantage in an increasingly privacy-conscious global marketplace.
Contributed by – Aurelia Menezes