Cross-Border Data Transfers
Navigating International Data Transfer Requirements Across Key Jurisdictions
Why Cross-Border Data Transfers Matter
Every multinational enterprise, every cloud-hosted SaaS application, every outsourced payroll function, and every global customer database involves data crossing national borders. Cross-border data transfers are not an edge case in modern business — they are the baseline. The World Economic Forum estimates that data flows now contribute more to global GDP growth than the trade in physical goods, and the volume of cross-border data movement has grown more than forty-five-fold in the past decade.
For businesses operating in or with India, the stakes are particularly high. India is the world's largest outsourcing destination, hosting global capability centres (GCCs) for over 1,500 multinational corporations. Indian IT and BPO firms process personal data originating from every major jurisdiction. Simultaneously, Indian enterprises expanding abroad must comply with the data transfer restrictions of the EU, UK, China, and other markets where they operate.
The regulatory landscape is more fragmented than ever. At least 157 countries have enacted data protection legislation, and a significant majority impose some form of restriction on outbound personal data transfers. These restrictions range from the EU's highly prescriptive transfer mechanism regime under the GDPR to India's still-evolving whitelist approach under the Digital Personal Data Protection Act, 2023 (DPDPA), to China's outright requirement for security assessments before certain categories of data may leave the country.
Compliance failures carry serious consequences. Under the GDPR, fines for unlawful transfers can reach EUR 20 million or 4% of global turnover. The DPDPA empowers the Data Protection Board of India to impose penalties up to INR 250 crore (approximately USD 30 million) per instance. Beyond financial penalties, enforcement actions can disrupt data flows that are essential to business operations — as Meta discovered when the Irish DPC ordered the suspension of EU-US data transfers in 2023.
This guide provides a structured, jurisdiction-by-jurisdiction analysis of cross-border data transfer requirements, practical mechanisms for lawful transfers, and a compliance framework that organisations can implement regardless of where they are headquartered. It is designed for compliance officers, data protection officers, in-house counsel, and business leaders responsible for international data governance.
KSK Insight
KSK Advocates & Attorneys advises multinationals, GCCs, and Indian enterprises on structuring compliant cross-border data flows across all major jurisdictions. Our team combines Indian regulatory expertise with deep understanding of GDPR, PIPL, and APAC privacy frameworks.
DPDPA Framework for Cross-Border Transfers
The Digital Personal Data Protection Act, 2023 (DPDPA) takes a fundamentally different approach to cross-border transfers compared with the GDPR's mechanism-based regime. Section 16 of the DPDPA adopts a government whitelist model: the Central Government will notify a list of countries and territories to which personal data may be transferred, and transfers to countries not on the list will be restricted or prohibited.
Section 16: The Whitelist Approach
Section 16(1) provides that the Data Fiduciary may transfer personal data to any country or territory outside India, except those notified by the Central Government as restricted. In effect, the default position is permissive — transfers are allowed unless the government specifically blocks a destination. This is an inversion of the GDPR model, where transfers are restricted by default and allowed only through specific mechanisms.
However, the practical operation of Section 16 depends entirely on the Central Government's notifications, which have not yet been issued as of February 2026. Until these notifications are published, there is regulatory ambiguity about whether all cross-border transfers are permitted or whether organisations should exercise caution.
Key Features of the DPDPA Transfer Regime
- No adequacy concept: Unlike the GDPR, the DPDPA does not require the government to conduct an equivalence or adequacy assessment of the destination country's data protection framework. The whitelist (or blacklist) will be a sovereign executive decision.
- No SCCs or BCRs: The DPDPA does not prescribe standard contractual clauses, binding corporate rules, or any other contractual mechanism as a basis for transfers. The lawfulness of a transfer depends solely on whether the destination country is permitted.
- Sectoral carve-outs expected: Industry observers anticipate that the government may issue sector-specific transfer restrictions — for example, requiring financial data to remain in India (aligning with existing RBI requirements) while permitting general commercial data to flow more freely.
- Government data restrictions: Section 17 separately addresses data processed by the State, and it is widely expected that government data will face stricter transfer controls.
Practical Implications for Organisations
Despite the absence of notified rules, organisations should not treat cross-border transfers from India as unregulated. The DPDPA's penalty framework is already enacted, and the Data Protection Board of India (DPBI) will have jurisdiction to investigate complaints about transfers once it is fully constituted. Prudent organisations are taking the following steps:
- Maintaining a comprehensive inventory of all cross-border data flows originating from India.
- Ensuring that transfers comply with any existing sectoral requirements (e.g., RBI data localisation for payment data, IRDAI requirements for insurance data, SEBI circular requirements for securities market data).
- Including robust data protection obligations in contracts with overseas processors and group companies, modelled on GDPR-standard SCCs as a baseline — even though the DPDPA does not mandate them.
- Monitoring government notifications closely and building flexibility into data architectures to redirect flows if a destination country is restricted.
Important
The DPDPA Section 16 notifications have not been issued as of February 2026. Organisations transferring data from India should maintain contractual safeguards and monitor regulatory developments. Relying solely on the current permissive default is a compliance risk.
GDPR Transfer Mechanisms
Chapter V of the General Data Protection Regulation (Articles 44-50) establishes the most comprehensive and prescriptive cross-border data transfer regime in the world. The fundamental principle is that personal data may only be transferred outside the European Economic Area (EEA) if the level of protection guaranteed by the GDPR is not undermined. This principle applies regardless of whether the transfer is to a controller or a processor, and regardless of volume.
Adequacy Decisions (Article 45)
The European Commission may determine that a third country or territory ensures an adequate level of data protection. If an adequacy decision is in force, data may flow freely to that country without additional safeguards. As of early 2026, adequacy decisions exist for Andorra, Argentina, Canada (commercial organisations under PIPEDA), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (under the EU-US Data Privacy Framework).
India does not have an EU adequacy decision, and there is no indication that one is under consideration. This means that transfers from the EU to India require one of the alternative mechanisms described below.
Standard Contractual Clauses (Article 46(2)(c))
Standard Contractual Clauses (SCCs) are the most widely used transfer mechanism globally. The European Commission adopted the current set of SCCs on 4 June 2021 (Implementing Decision 2021/914), replacing the earlier 2001/2004/2010 clauses. The 2021 SCCs use a modular structure:
- Module 1: Controller to Controller (C2C)
- Module 2: Controller to Processor (C2P)
- Module 3: Processor to Processor (P2P)
- Module 4: Processor to Controller (P2C)
Each module addresses a different transfer scenario, with tailored obligations. The SCCs must be executed without modification to the core clauses, although the Annexes (which detail the specifics of the transfer, technical measures, and sub-processors) must be completed by the parties.
Critically, following the Schrems II judgment (Case C-311/18, 16 July 2020), SCCs alone are not sufficient. The data exporter must conduct a Transfer Impact Assessment (TIA) to evaluate whether the laws of the destination country provide essentially equivalent protection. If they do not — as the CJEU found in respect of US surveillance law — the exporter must implement supplementary measures to bridge the gap, or suspend the transfer.
Binding Corporate Rules (Article 47)
BCRs are internal data protection policies adopted by a group of undertakings for transfers within the group. They require approval by a lead supervisory authority through a cooperation procedure involving all concerned authorities. BCRs are resource-intensive to establish (typically 12-24 months) but provide a durable, group-wide transfer framework. They are discussed in detail in a dedicated section below.
Derogations (Article 49)
Where no adequacy decision exists and no appropriate safeguards have been implemented, Article 49 provides a narrow set of derogations, including:
- Explicit consent of the data subject (after being informed of the risks)
- Necessity for the performance of a contract with the data subject
- Important reasons of public interest
- Establishment, exercise, or defence of legal claims
- Vital interests of the data subject
The EDPB has consistently emphasised that derogations under Article 49 must be interpreted restrictively and cannot serve as the basis for systematic, large-scale, or repetitive transfers. They are appropriate for occasional, one-off transfers only.
Practical Tip
For India-EU data flows, SCCs (Module 2 for outsourcing/processing, Module 1 for shared controllership) combined with a Transfer Impact Assessment and supplementary technical measures are the standard approach. Ensure your SCCs are the 2021 version — the legacy clauses are no longer valid.
EU-US Data Privacy Framework
The transatlantic data transfer relationship has been the most litigated and politically charged area of cross-border data protection. Understanding its history is essential for any organisation managing EU-US data flows.
From Safe Harbor to Privacy Shield to DPF
The original Safe Harbor framework (2000-2015) was invalidated by the Court of Justice of the European Union in Schrems I (Case C-362/14), which found that US surveillance programmes under Section 702 of FISA and Executive Order 12333 did not provide adequate protection for EU personal data. Its successor, the EU-US Privacy Shield (2016-2020), was similarly invalidated in Schrems II on essentially the same grounds — the US legal framework did not provide redress mechanisms equivalent to those required by EU law.
The current EU-US Data Privacy Framework (DPF), which received its adequacy decision from the European Commission on 10 July 2023, was designed to address the specific deficiencies identified by the CJEU. It rests on two pillars:
- Executive Order 14086 (7 October 2022): Establishes binding limitations on US intelligence agencies' access to personal data, introduces a proportionality requirement, and creates the Data Protection Review Court (DPRC) as an independent redress mechanism.
- DPF Principles: US organisations self-certify to the DPF through the Department of Commerce, committing to a set of privacy principles (notice, choice, accountability for onward transfer, security, data integrity, purpose limitation, access, and recourse/enforcement).
How It Works in Practice
Transfers from the EU/EEA to a DPF-certified US organisation are treated as transfers to an adequate country — no SCCs, BCRs, or TIAs are required. However, this only applies if the receiving US entity is actively certified and listed on the DPF List maintained by the Department of Commerce (dataprivacyframework.gov). If the US recipient is not DPF-certified, standard GDPR transfer mechanisms (typically SCCs) remain necessary.
Limitations and Risks
- Ongoing legal challenge: The French data subject advocacy group La Quadrature du Net filed a challenge to the DPF adequacy decision with the CJEU in 2023. A ruling is expected in 2026 or 2027. The DPF could be invalidated (a potential "Schrems III" scenario).
- Political risk: The DPF's legal foundation is an executive order, not legislation. A future US administration could amend or revoke EO 14086, undermining the adequacy decision.
- Scope limitation: The DPF applies only to transfers to certified US organisations. It does not cover transfers to the US government or to non-certified entities.
- UK and Swiss extensions: The UK Extension to the DPF and the Swiss-US DPF operate under separate but parallel frameworks, with their own adequacy decisions.
Practical Recommendation
Organisations relying on the DPF should maintain SCCs as a fallback mechanism. This dual-track approach ensures continuity if the DPF adequacy decision is suspended or invalidated. Many multinational organisations learned this lesson the hard way during the overnight invalidation of Privacy Shield in July 2020.
Important
The EU-US Data Privacy Framework faces a legal challenge before the CJEU and rests on an executive order that could be revoked. Always maintain SCCs as a parallel safeguard for EU-US data transfers. Do not rely on the DPF as your sole transfer mechanism.
UK Data Transfers Post-Brexit
Following the UK's departure from the European Union on 31 January 2020 (with the transition period ending on 31 December 2020), the UK established its own data protection regime under the UK GDPR (the retained EU GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) and the Data Protection Act 2018.
EU Adequacy Decision for the UK
On 28 June 2021, the European Commission adopted an adequacy decision for the United Kingdom, permitting the free flow of personal data from the EU/EEA to the UK without additional safeguards. This adequacy decision includes a sunset clause and is subject to review every four years. The first review was conducted in 2025, and the adequacy decision remains in force — though the EU has signalled that any material divergence of UK data protection standards from the GDPR could lead to revocation.
UK Adequacy Regulations
The UK has issued its own adequacy regulations (equivalent to EU adequacy decisions) for transfers from the UK to third countries. As of early 2026, the UK recognises adequacy for countries including EU/EEA member states, Gibraltar, and a growing list of countries assessed under the UK's own framework. Notably, the UK has also recognised the US DPF through its UK Extension to the Data Privacy Framework, permitting transfers to DPF-certified US entities.
UK International Data Transfer Agreement (IDTA)
Where no UK adequacy regulation exists for a destination country, the UK offers two alternative safeguard mechanisms:
- International Data Transfer Agreement (IDTA): A standalone transfer agreement published by the ICO, serving the same function as EU SCCs but drafted specifically for UK law. The IDTA uses a single, comprehensive document rather than the EU's modular structure.
- UK Addendum to the EU SCCs: Organisations already using the 2021 EU SCCs may attach the International Data Transfer Addendum (UK Addendum) to extend their EU SCCs to cover UK data transfers. This is the more common approach for organisations with both EU and UK data flows.
Transfer Risk Assessments
Similar to the GDPR's TIA requirement post-Schrems II, the ICO expects organisations to carry out a Transfer Risk Assessment (TRA) when relying on the IDTA or UK Addendum. The ICO has published a TRA tool that is somewhat more pragmatic and risk-based than the EDPB's TIA guidance, reflecting the UK's post-Brexit regulatory divergence towards a more outcomes-focused approach.
Implications for India-UK Data Flows
India does not have a UK adequacy regulation. Transfers of personal data from the UK to India therefore require either the IDTA or the UK Addendum attached to EU SCCs. Given that many Indian organisations process data from both EU and UK data subjects, the most efficient approach is to use EU SCCs with the UK Addendum — a single contractual framework covering both jurisdictions.
Practical Tip
For organisations handling both EU and UK data, use the 2021 EU SCCs with the UK Addendum attached. This single contractual structure satisfies both GDPR and UK GDPR transfer requirements, reducing administrative burden.
APAC Approaches to Cross-Border Transfers
The Asia-Pacific region presents a diverse landscape of transfer regimes, ranging from relatively permissive frameworks to highly prescriptive ones. Organisations with APAC operations must navigate jurisdiction-specific requirements rather than relying on a single regional standard.
Singapore — Personal Data Protection Act (PDPA)
Singapore's PDPA permits cross-border transfers provided that the receiving organisation is bound by legally enforceable obligations to provide a comparable standard of protection. This can be achieved through:
- Contractual arrangements (similar in concept to SCCs)
- Binding corporate rules or intra-group agreements
- The recipient being subject to comparable law or binding scheme (e.g., APEC CBPR certification)
- Consent of the individual (after being informed)
Singapore does not maintain an adequacy list and instead places the obligation on the transferring organisation to ensure comparable protection. The Personal Data Protection Commission (PDPC) takes an enforcement-oriented approach, focusing on whether the transferring organisation took reasonable steps.
Japan — Act on the Protection of Personal Information (APPI)
Japan's APPI (as amended in 2022) requires one of three conditions for cross-border transfers: (i) the recipient is in a country recognised by the Personal Information Protection Commission (PPC) as having equivalent protection (currently limited to the EU/EEA and the UK); (ii) the recipient has established a system conforming to APPI standards through contractual or internal rules; or (iii) the individual has given consent after being provided with specific information about the destination country's data protection regime, including whether it has a comparable law and the specific protections in place.
Japan's mutual adequacy arrangement with the EU (in force since January 2019) facilitates seamless EU-Japan data flows and is a model for bilateral data transfer agreements.
South Korea — Personal Information Protection Act (PIPA)
South Korea's PIPA was substantially amended in 2023, introducing more structured cross-border transfer rules. Transfers require either: (i) consent of the data subject (with specified information provided); (ii) compliance with conditions prescribed by presidential decree, including contractual safeguards; or (iii) certification under an approved international transfer framework. South Korea received an EU adequacy decision in December 2021, recognising the high standard of its data protection regime.
APEC Cross-Border Privacy Rules (CBPR) System
The APEC CBPR system is a voluntary, accountability-based framework that allows certified organisations to demonstrate compliance with APEC privacy principles. Participating economies include the US, Japan, South Korea, Canada, Singapore, Australia, the Philippines, Chinese Taipei, and Mexico. While CBPR certification is recognised as a transfer mechanism in several APAC jurisdictions (notably Singapore), it is not recognised by the GDPR and therefore does not replace EU SCCs for EU-origin data.
The CBPR system has evolved into the Global CBPR Forum, which seeks to expand the framework beyond APEC economies and position it as a global interoperability standard for data transfers. The UK joined the Global CBPR Forum in 2023.
Key Takeaway for APAC Operations
There is no single "APAC standard" for cross-border transfers. Organisations must assess each jurisdiction individually. However, the general trend across the region is towards contract-based mechanisms and mutual recognition, rather than the EU's more rigid adequacy-plus-mechanism model.
KSK Insight
KSK advises Indian enterprises with APAC operations on structuring data transfers to comply with the PDPA, APPI, PIPA, and other regional frameworks. Our familiarity with both Indian and APAC regulatory approaches enables us to design efficient, multi-jurisdictional transfer architectures.
China's PIPL Cross-Border Rules
China's Personal Information Protection Law (PIPL), effective 1 November 2021, imposes the most restrictive cross-border transfer regime of any major economy. Unlike the GDPR, which provides multiple transfer mechanisms of relatively equal standing, the PIPL establishes a hierarchy in which government-supervised mechanisms take precedence.
Three Transfer Mechanisms
Article 38 of the PIPL requires personal information handlers (controllers) transferring personal information outside China to satisfy one of the following conditions:
- Security Assessment by the Cyberspace Administration of China (CAC): Mandatory for (a) critical information infrastructure operators (CIIOs); (b) handlers processing personal information of more than one million individuals; or (c) handlers that have cumulatively transferred personal information of 100,000 individuals or sensitive personal information of 10,000 individuals abroad since 1 January of the preceding year. The CAC security assessment is a government-administered review process with a statutory timeline of approximately 60 working days (extendable). Assessments are valid for two years and must be renewed.
- Standard Contractual Clauses (China SCCs): Published by the CAC on 24 February 2023 (effective 1 June 2023), the China SCCs are available to handlers that do not meet the thresholds for mandatory security assessment. Importantly, the China SCCs must be filed with the local provincial-level cyberspace authority — they are not merely a private contractual arrangement. A Personal Information Protection Impact Assessment (PIPIA) must also be completed.
- Personal Information Protection Certification: Administered by accredited certification bodies (such as the China Cybersecurity Review Technology and Certification Centre). This mechanism is primarily intended for intra-group transfers within multinational enterprises. It is the least-used mechanism in practice, as the certification infrastructure is still maturing.
Practical Challenges
- Broad scope: The PIPL applies to any personal information processing activity within China, as well as to offshore entities processing Chinese residents' personal information for the purpose of providing products/services to or analysing the behaviour of individuals within China.
- Data localisation baseline: CIIOs and handlers processing above certain volume thresholds must store personal information within China. Cross-border transfer is the exception, not the rule, for these categories.
- Enforcement uncertainty: While the CAC has published guidance and processing frameworks, the practical experience of undergoing security assessments is still limited. Turnaround times have been unpredictable, and some applications have been returned for additional documentation.
- Interaction with other laws: The PIPL operates alongside the Cybersecurity Law (2017) and the Data Security Law (2021). Important data and core data under the DSL face separate, stricter transfer restrictions, and the classification of data as "important" is still being defined across sectors.
Implications for India-China Data Flows
Indian companies with operations in China — particularly in manufacturing, pharmaceuticals, and technology — must map their personal information processing activities within China and determine which transfer mechanism applies. For most organisations processing data below the CAC security assessment thresholds, the China SCCs (with filing) will be the appropriate mechanism. Legal counsel with expertise in both Indian and Chinese data protection law is essential for structuring these flows.
Important
China's PIPL cross-border regime is the most prescriptive globally. Even the "lighter" SCC route requires government filing and a formal impact assessment. Plan for 3-6 months to operationalise any China outbound transfer mechanism.
Data Localisation Requirements
Data localisation — the requirement that certain categories of data be stored and/or processed within the borders of a specific country — sits at the intersection of data protection, national security, and economic policy. While cross-border transfer mechanisms govern how data may leave a country, localisation mandates determine whether it may leave at all.
India: Sectoral Localisation
India does not impose a general data localisation requirement under the DPDPA. However, several sector-specific mandates create significant localisation obligations:
- RBI Payment Data Localisation (2018): The Reserve Bank of India's circular on Storage of Payment System Data (RBI/2017-18/153) requires that all data relating to payment systems operated in India be stored exclusively in India. This applies to all system providers authorised under the Payment and Settlement Systems Act, 2007 — including card networks (Visa, Mastercard), payment aggregators, and UPI operators. The RBI has enforced this strictly, including imposing restrictions on entities found to be non-compliant.
- IRDAI Health Data: The Insurance Regulatory and Development Authority of India has issued guidelines requiring that policyholder data be stored in India and that cross-border access be limited.
- SEBI: The Securities and Exchange Board of India has issued circulars requiring certain categories of market data and investor data to be maintained within India.
- Telecom Sector: The Department of Telecommunications has historically required that subscriber data and call detail records be stored in India.
Global Data Localisation Trends
Data localisation is a growing global trend, driven by concerns about surveillance, sovereignty, and economic leverage:
- Russia: Federal Law No. 242-FZ requires that personal data of Russian citizens be stored on servers physically located within Russia. Non-compliance led to the blocking of LinkedIn in Russia in 2016.
- China: As discussed above, CIIOs and high-volume processors must store personal information within China.
- Vietnam: The Personal Data Protection Decree (Decree 13/2023) requires local storage of personal data and impact assessments for outbound transfers.
- Indonesia: Government Regulation 71/2019 (as amended) requires public electronic systems to store certain categories of data locally, although requirements for private sector systems have been eased.
- Nigeria: The Nigeria Data Protection Regulation requires that personal data be processed and stored in Nigeria where practicable, with cross-border transfers permitted under certain conditions.
Practical Impact on Architecture
For multinational organisations, data localisation requirements fundamentally affect infrastructure decisions. A global cloud strategy must accommodate jurisdiction-specific storage requirements, which often necessitate regional data centres or cloud availability zones. Major cloud providers (AWS, Azure, Google Cloud) now offer India regions specifically to support localisation compliance. Organisations must build their data architectures with localisation requirements mapped and enforced at the infrastructure level — not merely as a contractual obligation.
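One concrete form of "enforced at the infrastructure level" is an AWS Organizations service control policy that denies API calls outside the India regions, so that workloads in the scoped accounts cannot create or move resources elsewhere even if a contract or runbook is ignored. This is an added illustration, not text from the guide or from any regulator: the region list (Mumbai and Hyderabad), the set of exempted global services, and the assumption that all regulated payment-data accounts sit under one organisational unit are choices to be checked against the organisation's own footprint.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllActionsOutsideIndiaRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "budgets:*",
        "health:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "ap-south-1",
            "ap-south-2"
          ]
        }
      }
    }
  ]
}
```

The NotAction list exempts services whose control plane is global (they would otherwise be blocked entirely); review it when new global services are adopted. An SCP constrains where resources may be created, not what an authorised user does with data already inside the region, so it complements rather than replaces access controls, egress monitoring, and the contractual safeguards discussed above.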
Practical Tip
Map your sectoral localisation obligations before designing your cloud architecture. RBI payment data localisation is strictly enforced and non-negotiable. Factor in IRDAI, SEBI, and telecom requirements for a complete picture of Indian localisation mandates.
Standard Contractual Clauses: Practical Guide
Standard Contractual Clauses remain the workhorse of international data transfers. Despite the availability of other mechanisms, the overwhelming majority of organisations transferring personal data from the EU/EEA rely on SCCs. This section provides practical guidance on implementing the 2021 EU SCCs effectively.
Selecting the Right Module
The 2021 SCCs comprise four modules. Selecting the correct module depends on the roles of the parties:
| Module | Data Exporter Role | Data Importer Role | Typical Use Case |
|---|---|---|---|
| Module 1 | Controller | Controller | Sharing customer data between two independent businesses (e.g., joint marketing partners) |
| Module 2 | Controller | Processor | Outsourcing to an Indian IT/BPO provider; using a non-EEA cloud SaaS |
| Module 3 | Processor | Sub-processor | An EU processor sub-contracting to an Indian sub-processor |
| Module 4 | Processor | Controller | An EU processor returning data to a non-EEA controller (e.g., an Indian company using an EU-based processor) |
Completing the Annexes
The operative clauses of the SCCs are fixed and cannot be modified. However, the three Annexes must be completed by the parties:
- Annex I: List of parties, description of the transfer (categories of data subjects, types of personal data, frequency, purpose, retention period), and the competent supervisory authority.
- Annex II: Technical and organisational measures — must be specific and verifiable, not generic statements. Include encryption standards, access controls, incident response procedures, audit mechanisms, and data minimisation practices.
- Annex III: List of sub-processors (for Modules 2 and 3) — must be maintained and updated, with a mechanism for the data exporter to object to new sub-processors.
Transfer Impact Assessments (TIAs)
Since Schrems II, SCCs must be accompanied by a documented TIA. The EDPB's Recommendations 01/2020 on supplementary measures provide the six-step methodology:
- Know your transfers: Map all transfers, including onward transfers by the importer.
- Verify the transfer tool: Confirm SCCs are the appropriate mechanism.
- Assess the law of the destination country: Evaluate whether the destination country's legal framework (particularly government access and surveillance laws) provides essentially equivalent protection to that guaranteed in the EU.
- Identify supplementary measures: If the assessment reveals gaps, implement technical (e.g., encryption with exporter-held keys), contractual (e.g., transparency commitments, warrant canaries), or organisational (e.g., split processing) measures to bridge them.
- Implement procedural steps: Adopt the supplementary measures through formal addenda or amendments.
- Re-evaluate at appropriate intervals: TIAs are not one-time exercises. They must be updated when circumstances change (e.g., new legislation in the destination country).
TIA for India
When assessing India as a destination country, the TIA should consider: (a) the Information Technology Act, 2000 and its interception provisions (Section 69); (b) the Indian Telegraph Act, 1885 (lawful interception); (c) the DPDPA's data protection framework; (d) judicial oversight of surveillance (the Supreme Court's KS Puttaswamy right-to-privacy jurisprudence); and (e) practical enforcement patterns. Many organisations conclude that India presents moderate risk, addressable through robust technical and contractual supplementary measures.
KSK Insight
KSK has extensive experience drafting and negotiating SCCs for India-bound transfers, conducting TIAs for India as a destination country, and advising on supplementary measures. We help organisations navigate the practical complexities of SCC implementation across diverse processing scenarios.
Binding Corporate Rules
Binding Corporate Rules (BCRs) are the gold standard for intra-group data transfers within multinational enterprises. While SCCs are a bilateral mechanism (governing a specific transfer between two parties), BCRs provide a comprehensive, group-wide data protection framework that covers all intra-group transfers once approved.
When to Use BCRs
BCRs are most appropriate when:
- The organisation is a large multinational group with entities in multiple jurisdictions, including outside the EEA.
- Personal data flows frequently and routinely between group entities (e.g., shared HR systems, global CRM, centralised analytics).
- The group wants a single, durable transfer framework rather than managing hundreds of bilateral SCC agreements.
- The group is prepared to invest 12-24 months and significant legal resources in the application and approval process.
Types of BCRs
- BCR-C (Controller): Cover transfers of personal data within the group where group entities act as controllers.
- BCR-P (Processor): Cover transfers where a group entity processes data on behalf of external clients. Particularly relevant for Indian IT/BPO companies processing EU-origin data for their clients.
Application Process
The BCR application process involves the following steps:
- Draft the BCRs: Develop comprehensive internal policies covering all GDPR requirements (purpose limitation, data minimisation, accuracy, storage limitation, security, data subject rights, onward transfers, training, audit, complaint handling, cooperation with supervisory authorities, and liability).
- Identify the lead supervisory authority: The lead authority is typically the authority in the EU member state where the group's EU headquarters or main establishment is located.
- Submit the application: The lead authority reviews the BCRs and circulates them to concerned supervisory authorities for comment through the cooperation procedure.
- Address feedback: Supervisory authorities may request amendments. This iterative process typically accounts for the majority of the timeline.
- Approval: Once the lead authority and concerned authorities are satisfied, the BCRs are formally approved. The approval is recognised across the EEA.
- Implementation: The approved BCRs must be made legally binding within the group (through intra-group agreements, employment contracts, or other binding instruments) and operationalised through training, audit, and monitoring programmes.
Advantages and Disadvantages
| Advantages | Disadvantages |
|---|---|
| Single framework for all intra-group transfers | 12-24 month approval timeline |
| Demonstrates strong data protection commitment | Significant legal and operational costs |
| Durable — no need to renegotiate per-transfer | Does not cover transfers to third parties outside the group |
| Recognised as best practice by regulators | Must be kept updated as group structure changes |
| Facilitates M&A integration | Ongoing compliance monitoring obligation |
As of early 2026, approximately 180 multinational groups have approved BCRs. Notable examples include major technology companies, pharmaceutical groups, and financial institutions. Several Indian-headquartered multinationals with significant EU operations have either obtained or are in the process of obtaining BCR approval.
Practical Tip
BCRs are a strategic investment, not a quick fix. They are best suited for large multinational groups with complex, ongoing intra-group data flows. For organisations with simpler transfer patterns, SCCs remain the more practical and cost-effective option.
Mapping Your Data Flows
No transfer compliance programme can succeed without a clear, accurate, and current map of the organisation's data flows. Data flow mapping is the foundational exercise upon which all transfer mechanism decisions, TIAs, and compliance documentation depend.
Step 1: Data Inventory
Begin by cataloguing all categories of personal data processed by the organisation. For each category, document:
- The types of data subjects (employees, customers, vendors, prospects, patients, students, etc.)
- The categories of personal data (identifiers, contact details, financial data, health data, location data, behavioural data, etc.)
- Whether any data qualifies as sensitive/special category data under applicable laws
- The source of the data (collected directly, received from third parties, generated through processing)
- The legal basis for processing under each applicable law
Step 2: Transfer Mapping
For each category of personal data, identify every instance where data crosses a national border:
- Direct transfers: Data sent from one entity to another (e.g., EU subsidiary sharing employee data with Indian parent company's HR system)
- Indirect transfers: Data accessed remotely from another jurisdiction (e.g., Indian IT support team accessing EU customer database via VPN)
- Cloud transfers: Data stored in or processed through cloud infrastructure located outside the origin country (e.g., EU customer data hosted on AWS Mumbai or US regions)
- Onward transfers: Data received from one jurisdiction and then transferred to a third jurisdiction (e.g., Indian processor receiving EU data and sub-contracting to a Philippine call centre)
- Incidental transfers: Data that moves as part of system architecture without deliberate transfer decisions (e.g., global email systems, CDN caching, backup replication)
Step 3: Risk Assessment
For each identified transfer, assess the risk profile based on:
- Volume and sensitivity of the data
- Legal framework of the destination country
- Nature of the recipient (group entity, processor, sub-processor, independent controller)
- Purpose of the transfer and whether it is systematic or occasional
- Technical and organisational safeguards in place
- Whether the transfer triggers specific regulatory obligations (e.g., CAC security assessment in China, RBI localisation in India)
Step 4: Documentation
Maintain a living document — typically a structured register or database — that records each transfer with the following fields:
| Field | Description |
|---|---|
| Transfer ID | Unique identifier for tracking |
| Data Exporter | Entity and jurisdiction sending the data |
| Data Importer | Entity and jurisdiction receiving the data |
| Data Categories | Types of personal data transferred |
| Data Subject Categories | Types of individuals whose data is transferred |
| Purpose | Business purpose of the transfer |
| Transfer Mechanism | Legal basis (SCCs, BCRs, adequacy, consent, etc.) |
| TIA Status | Whether a TIA has been completed and its findings |
| Supplementary Measures | Technical/contractual/organisational measures in place |
| Review Date | Next scheduled review of this transfer |
Practical Tip
Do not overlook indirect and incidental transfers. Remote access by offshore teams, cloud backup replication, and global SaaS tools all constitute cross-border transfers under most data protection laws. A thorough mapping exercise captures these often-invisible flows.
Building a Transfer Compliance Framework
A robust transfer compliance framework transforms one-time compliance exercises into a sustainable, repeatable governance programme. The framework should be integrated into the organisation's broader data governance and privacy management system.
1. Policies and Standards
Establish a formal Cross-Border Data Transfer Policy that sets out:
- The organisation's commitment to lawful cross-border data transfers
- Roles and responsibilities (DPO, legal, IT, procurement, business units)
- Approved transfer mechanisms and when each applies
- Procedures for initiating, approving, and documenting new transfers
- Escalation procedures for transfers to high-risk jurisdictions
- Incident response procedures for transfer-related breaches or enforcement actions
2. Transfer Impact Assessments
Institutionalise the TIA process so that every new cross-border transfer (and every material change to an existing transfer) triggers a documented assessment. The TIA should be:
- Proportionate: More detailed for high-volume, high-sensitivity, or high-risk transfers; streamlined for low-risk, routine transfers.
- Documented: Maintained as part of the organisation's accountability records, available for supervisory authorities upon request.
- Reviewed periodically: At least annually, or upon a material change in the legal or factual circumstances of the transfer.
3. Vendor and Third-Party Management
Cross-border transfer compliance is inextricably linked to vendor management. The framework should include:
- Due diligence: Privacy and security assessments of all vendors and processors that will receive personal data from the organisation.
- Contractual requirements: Ensure that all vendor agreements include appropriate transfer clauses (SCCs, IDTA, or equivalent), data processing terms, audit rights, breach notification obligations, and sub-processor management provisions.
- Ongoing monitoring: Regular reviews of vendor compliance, including audit exercises, certification checks, and security assessments.
- Exit management: Provisions for data return and deletion upon termination of the vendor relationship, ensuring that data does not remain in the destination country beyond the contractual period.
4. Monitoring and Audit
Implement monitoring mechanisms to detect unauthorised or non-compliant transfers:
- Data Loss Prevention (DLP) tools that flag outbound data transfers to unapproved destinations
- Cloud access security brokers (CASBs) that monitor data flows to and from cloud services
- Periodic audits of the data transfer register against actual data flows (network logs, system configurations, vendor inventories)
- Internal audit reviews of TIA documentation and transfer mechanism currency
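The Step 4 register above and the audit of that register against actual data flows can be made mechanical. The following is an added example, not code from the guide or from KSK: it models one register row with the Step 4 fields, runs completeness checks (a recorded mechanism, a completed TIA where the mechanism calls for one, a review date that has not lapsed) and reconciles constructed flow records against the register to surface routes with no entry. Entity names, country codes, dates and log lines are all constructed.

```python
from dataclasses import dataclass
from datetime import date
# Mechanisms that, per the guide, must be accompanied by a documented TIA.
MECHANISMS_REQUIRING_TIA = {"SCCs", "IDTA", "UK Addendum", "BCRs"}
AUDIT_DATE = date(2026, 3, 2)  # constructed "today" for the sample run

@dataclass(frozen=True)
class Transfer:
    """One row of the transfer register, using the Step 4 fields above."""
    transfer_id: str
    exporter: str             # sending entity (names are constructed)
    exporter_country: str
    importer: str
    importer_country: str
    data_categories: tuple
    data_subject_categories: tuple
    purpose: str
    mechanism: str            # "SCCs", "BCRs", "Adequacy", ... or "" if none
    tia_status: str           # "completed", "pending" or "not required"
    supplementary_measures: tuple
    review_date: date

def validate(t, today):
    """Completeness checks on one entry; an empty list means no findings."""
    findings = []
    if not t.mechanism:
        findings.append("no transfer mechanism recorded")
    if t.mechanism in MECHANISMS_REQUIRING_TIA and t.tia_status != "completed":
        findings.append(f"{t.mechanism} used but TIA status is '{t.tia_status}'")
    if t.review_date < today:
        findings.append(f"review overdue since {t.review_date.isoformat()}")
    return findings

def parse_flows(log_text):
    """Parse constructed key=value flow records into (exporter, src, dst)."""
    flows = []
    for line in log_text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        flows.append((kv["exporter"], kv["src"], kv["dst"]))
    return flows

def reconcile(register, flows):
    """Cross-border flows (src != dst) with no register entry for that route."""
    covered = {(t.exporter, t.exporter_country, t.importer_country) for t in register}
    return sorted({f for f in flows if f[1] != f[2] and f not in covered})

SAMPLE_REGISTER = [  # constructed entries
    Transfer("T-001", "EU-Sub", "DE", "IN-Parent", "IN", ("HR identifiers",), ("employees",),
             "shared HR system", "SCCs", "completed", ("encryption, exporter-held keys",), date(2026, 12, 31)),
    Transfer("T-002", "EU-Sub", "DE", "US-SaaS", "US", ("contact details",), ("customers",),
             "CRM hosting", "SCCs", "pending", (), date(2025, 6, 30)),
]
SAMPLE_FLOW_LOG = """\
2026-03-02T09:14Z exporter=EU-Sub src=DE dst=IN bytes=1048576
2026-03-02T09:20Z exporter=EU-Sub src=DE dst=DE bytes=2048
2026-03-02T09:41Z exporter=EU-Sub src=DE dst=US bytes=8192
2026-03-02T10:05Z exporter=EU-Sub src=DE dst=PH bytes=52428
"""
```

Running `validate` over each entry and `reconcile` over the parsed log gives the two outputs an internal audit needs: entries whose documentation is incomplete, and observed routes (here the DE to PH flow, an onward or incidental transfer) that the register does not know about.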
5. Training and Awareness
Ensure that all relevant personnel understand cross-border transfer requirements. Training should be tailored to different audiences:
- Legal and compliance teams: Deep training on transfer mechanisms, TIA methodology, and regulatory developments.
- Procurement teams: Training on including transfer requirements in vendor assessments and contracts.
- IT and engineering teams: Training on data architecture implications, localisation requirements, and technical safeguards.
- Business units: Awareness training on when cross-border transfers arise and the obligation to follow internal approval procedures.
6. Regulatory Monitoring
The cross-border transfer landscape is evolving rapidly. Assign responsibility for monitoring:
- New adequacy decisions, DPF developments, and CJEU rulings
- DPDPA Section 16 notifications and DPBI guidance
- Changes in sectoral localisation requirements (RBI, IRDAI, SEBI)
- PIPL and CAC regulatory updates affecting China transfers
- UK adequacy decision reviews and ICO guidance updates
KSK Insight
KSK helps organisations design and implement end-to-end transfer compliance frameworks, from policy drafting and TIA methodology to vendor management and training programmes. Our approach is practical, risk-based, and tailored to the organisation's specific data flows and jurisdictional footprint.
Comparison: Transfer Mechanisms Across Jurisdictions
The following table provides a high-level comparison of cross-border data transfer mechanisms across six key jurisdictions. This is intended as a reference tool and should not substitute for jurisdiction-specific legal analysis.
| Feature | India (DPDPA) | EU (GDPR) | UK (UK GDPR) | USA | Singapore (PDPA) | China (PIPL) |
|---|---|---|---|---|---|---|
| Primary Transfer Model | Government whitelist/blacklist (Section 16) | Mechanism-based (adequacy, SCCs, BCRs, derogations) | Mechanism-based (adequacy, IDTA/UK Addendum, derogations) | No federal restriction; sectoral rules apply | Comparable protection obligation | Government-supervised (security assessment, SCCs with filing, certification) |
| Adequacy / Whitelist | Pending government notification | Yes — 15 countries/territories recognised | Yes — EU/EEA + growing list | N/A (the US is typically the recipient, not the sender, of regulated transfers) | No formal adequacy list | No adequacy mechanism |
| Standard Contractual Clauses | Not prescribed by DPDPA | 2021 SCCs (4 modules) | IDTA or UK Addendum to EU SCCs | N/A at federal level | Contractual arrangements (flexible format) | China SCCs (CAC template, must be filed) |
| Binding Corporate Rules | Not provided for | Yes — approved by lead SA | Yes — approved by ICO | N/A at federal level | Recognised as contractual arrangement | Certification route (limited use) |
| Transfer Impact Assessment | Not mandated (recommended as best practice) | Required post-Schrems II | Transfer Risk Assessment (ICO guidance) | N/A at federal level | Not formally required | PIPIA required for SCC route |
| Government Approval Required | No (transfer is permitted unless destination is blacklisted) | No (except BCR approval) | No (except BCR approval) | No | No | Yes — security assessment for high-volume; filing for SCCs |
| Data Localisation | Sectoral (RBI payments, IRDAI, SEBI, telecom) | No general localisation | No general localisation | Sectoral (some state laws, federal banking/health) | No general localisation | Yes — CIIOs and high-volume handlers |
| Maximum Penalty for Unlawful Transfer | INR 250 crore (~USD 30M) | EUR 20M or 4% of global turnover | GBP 17.5M or 4% of global turnover | Varies by sector (FTC, state AGs) | SGD 1M per breach (up to 10% of turnover for certain breaches) | RMB 50M or 5% of prior year's turnover; personal liability for responsible individuals |
| Enforcement Maturity | DPBI not yet fully constituted | High — active enforcement by multiple SAs | High — ICO actively enforcing | Moderate — FTC and state AGs active | Moderate — PDPC issues enforcement decisions | Increasing — CAC enforcement actions growing |
This comparison highlights the fundamental diversity in regulatory approaches to cross-border data transfers. Organisations operating across multiple jurisdictions must maintain a transfer compliance programme that is sufficiently flexible to accommodate each jurisdiction's requirements while remaining operationally manageable.
Key observations from the comparison:
- India's approach is uniquely permissive in design (whitelist/blacklist) but the lack of notified rules creates uncertainty that is, in practice, more restrictive than the design suggests.
- The EU remains the global benchmark for transfer regulation, and its mechanisms (particularly SCCs) have been adopted or adapted by multiple jurisdictions.
- China is the most restrictive, requiring government involvement in all transfer pathways and imposing data localisation as a baseline for significant processors.
- The US lacks a comprehensive federal framework, making it an outlier — but individual US states (notably California under the CCPA/CPRA) and federal agencies (FTC, SEC, HHS) impose sector-specific transfer-adjacent obligations.
- Singapore's pragmatic, contract-based approach is increasingly influential across APAC and may serve as a model for other emerging economies.
Practical Tip
Use this comparison table as a starting point for your jurisdiction-specific analysis. For any given data flow, you will need to assess the transfer requirements of both the origin and destination jurisdictions — a transfer from the EU to India, for example, must comply with GDPR Chapter V (origin) and any applicable DPDPA or sectoral requirements (destination).
Key Takeaways
- Cross-border data transfers are regulated in virtually every major jurisdiction, but the regulatory models differ fundamentally — from India's government whitelist to the EU's mechanism-based regime to China's government-supervised assessments.
- The DPDPA Section 16 notifications have not yet been issued. Organisations should maintain contractual safeguards (modelled on GDPR SCCs) and comply with existing sectoral localisation mandates (RBI, IRDAI, SEBI) while awaiting regulatory clarity.
- EU SCCs (2021 version) remain the most widely used transfer mechanism globally. They must be accompanied by a Transfer Impact Assessment and, where necessary, supplementary technical, contractual, or organisational measures.
- The EU-US Data Privacy Framework provides an adequacy-based pathway for transfers to certified US entities, but its legal and political durability is uncertain. Maintain SCCs as a fallback.
- China's PIPL imposes the strictest cross-border transfer regime, requiring government security assessments, SCC filing, or certification. Plan for extended timelines (3-6 months) when operationalising China outbound transfers.
- Data localisation mandates (particularly RBI payment data localisation in India and CIIO requirements in China) are non-negotiable and must be built into data architecture at the infrastructure level.
- A sustainable transfer compliance framework combines data flow mapping, documented TIAs, robust vendor management, ongoing monitoring, and regular training — integrated into the organisation's broader data governance programme.
- Regulatory monitoring is essential. The cross-border transfer landscape is evolving rapidly, with pending CJEU challenges, anticipated DPDPA notifications, and ongoing PIPL enforcement developments that could materially change compliance requirements.