Cross-Border Data Transfer Under India’s DPDPA: What the Law Actually Requires

The Digital Personal Data Protection Act, 2023 introduced a clearer statutory rule for overseas processing of personal data. The important shift is this: the Act does not say personal data may leave India only for “approved” countries. Instead, Section 16 says the Central Government may, by notification, restrict transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be notified. That means the statutory model is allow by default, subject to government restriction, while preserving stricter requirements under any other Indian law that gives a higher degree of protection or tighter transfer limits. 

For businesses, this matters because many teams still assume DPDPA copied the GDPR adequacy-first model. It did not. The legal architecture is different. The DPDPA also sits alongside sectoral and other Indian laws, so regulated entities should not assume Section 16 is the only rule that matters for outbound data flows. Section 16(2) expressly preserves stricter rules under other applicable Indian laws. 

As of the official materials reviewed for this post, the Act is in force and India Code shows the DPDPA framework, but the India Code page reviewed did not display any listed notifications under the Act’s “Notifications” section for country restrictions. That means organizations should monitor government notifications closely rather than rely on old market assumptions or borrowed GDPR language.

Section 16 of the Digital Personal Data Protection Act, 2023 states: the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. Section 16(2) further states that nothing in that section restricts the applicability of any other Indian law that provides a higher degree of protection or restriction on transfer of personal data outside India in relation to any personal data, Data Fiduciary, or class thereof. 

That means three things legally. First, the DPDPA itself does not create a universal data localisation mandate for all personal data. Second, it does not establish a statutory requirement that transfers are permitted only to government-approved jurisdictions. Third, a company may still face stricter localisation or transfer restrictions under sector-specific or other Indian laws, because Section 16 does not override them. 

Also important: Section 6 of the Act is the consent section, not the cross-border transfer section. On the India Code page for the Act, Section 6 is listed as Consent, while cross-border processing appears at Section 16: Processing of personal data outside India. So any blog post or compliance guide that attributes cross-border transfer rules to Section 6 is citing the wrong section.