🌐 Cross-Border Data Transfers
The DPDP Act takes a 'blacklist' approach to cross-border data transfers — transfers are permitted to all countries EXCEPT those specifically restricted by the Central Government. This is the opposite of GDPR's 'whitelist' approach where transfers are blocked unless the destination has an adequacy decision or safeguards are in place.
Current Status
As of early 2025, the Central Government has NOT restricted any country from receiving personal data from India. This means, currently, personal data can be transferred to any country. However, this can change at any time through a government notification. Additionally, certain sectoral regulations (e.g., RBI's data localisation mandate for payment data) may impose stricter requirements.
💡 Consultant Guidance
As a consultant, advise your clients to: (1) Map all cross-border data flows (including cloud hosting locations). (2) Document the business necessity for each transfer. (3) Ensure DPAs are in place with all overseas processors. (4) Monitor government notifications for restricted country designations. (5) Be aware that sectoral regulators (RBI, SEBI, IRDAI) may have additional data localisation requirements that override the DPDP Act's general permission. (6) Consider data localisation as a risk mitigation strategy even if not legally required — storing data in India reduces regulatory complexity. (7) Plan for the possibility that key destination countries (e.g., China) may be restricted in the future.