ARTICLE
26 March 2026

From Localisation Debates To A Negative List: Making Cross Border Data Transfers Work Under India’s DPDP Act

Jolwarhring Hrangbung, Legitpro Law (Contributor)

Legitpro is a leading international full service law firm providing integrated legal & business advisory services, operating through 5 locations with 100+ people. Our purpose is to deliver positive outcomes with our colleagues, clients and communities. The firm proudly serves a diverse clientele, including multinational corporations, foreign companies—particularly those from Japan, China, and Australia and dynamic startups across various industries. Additionally, the firm is empanelled with the Competition Commission of India (CCI) to represent it before High Courts across India. Our Partners also serve as Standing Counsel for prestigious institutions such as the Government of India (GOI), the National Highways Authority of India (NHAI), Serious Fraud Investigation Office (SFIO) and the Union Public Service Commission (UPSC).

1. Introduction

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the emerging 2025–2026 Rules mark a clear shift in how cross border personal data flows are regulated. After several years of drafts that flirted with strict localisation and adequacy style whitelists, the final model is built around a broadly permissive baseline, tempered by the possibility of a sovereign “negative list” of restricted destinations.

For in house legal, privacy and technology teams, this creates both breathing space and new complexity. Transfers are not banned by default, but the combination of a future facing negative list, sectoral overlays from regulators like RBI, SEBI and IRDAI, and contractual expectations under DPDP means cross border data strategy has to be re designed rather than assumed.

2. From Localisation Debates To A Negative List

The Path From Localisation To A More Flexible Model

Earlier versions of India's data protection framework required critical and sensitive personal data to stay within the country, while allowing some data to be transferred under strict conditions and data mirroring requirements. Industry feedback consistently warned that rigid localisation would disrupt global cloud adoption, shared services models and cross border innovation, without necessarily delivering proportionate gains in privacy or security.

The DPDP Act takes a different route. It allows cross border transfers of personal data to any country or territory by default, subject to core DPDP obligations (consent, purpose limitation, security, rights, breach notification), unless the Central Government notifies that destination on a list of “restricted” jurisdictions. Instead of maintaining a whitelist of “adequate” countries, India has opted for a negative list where data flows are permitted unless a country is specifically blacklisted or subject to conditions.

How The Negative List Works In Practice

Under section 16 of the DPDP Act, the Government may, after assessment, notify countries or territories where transfers of personal data are either prohibited or allowed only under specified terms. Until such notifications are issued, organisations can transfer personal data to processors and sub processors abroad, provided they comply with DPDP’s general requirements and any applicable sectoral rules.

In practice, this means three things for companies designing data flows:

  1. Today’s compliance focus is on getting the basics right (consent, notices, security and contracts) rather than on country by country permissions.
  2. The negative list is a moving part. Once destinations are notified, existing transfers to those jurisdictions may need to be rerouted, re-contracted or, in some cases, discontinued.
  3. Organisations must build the capability to quickly identify which workloads, vendors and sub processors rely on a country if it is later restricted.

So far, there is no public notification placing any country on the restricted list, but commentary from policymakers and experts suggests that national security, geopolitics and critical infrastructure concerns will shape future decisions.

What Could Drive Future Restrictions

The Government has not yet published official assessment criteria, but public discussion of earlier drafts and existing regulatory practice point to several factors that are likely to shape the assessment:

National security and geopolitics: Jurisdictions perceived as hostile, subject to sanctions, or lacking basic cyber and rule of law safeguards may be early candidates for restrictions.

Critical infrastructure and public sector data: Data from telecom, power, transport and defence systems, and from public identity, benefits and welfare registers, will face more stringent transfer controls, amounting in practice to functional localisation.

Sensitive identity and health data: Data sets that can be used for profiling at scale such as Aadhaar linked records, financial risk scores, health and genetic information, may trigger destination specific conditions, even if not an outright ban.

For now, this is an area to watch rather than a reason to upend existing architectures overnight. But cloud, SaaS and outsourcing strategies that rely heavily on a small number of higher risk jurisdictions should be stress tested for a “negative list” scenario.

3. Sectoral Overlays

DPDP As Baseline, Sectoral Laws As Additional Layers

DPDP is a horizontal statute; it does not displace sector specific laws and regulations on data and technology. For many regulated industries, the real compliance picture will be DPDP plus sectoral “data protection layers”, particularly for cross border flows.

Financial services, capital markets, insurance and health are obvious examples. Regulators in these domains already have circulars on outsourcing, information security, business continuity and cross border processing, many of which effectively constrain where and how personal data can be stored or accessed.

Financial Sector Data

RBI directions for banks and payment systems require regulated entities to retain full control over their data, require their service providers to meet local security requirements, and require certain payment system data to be stored within India. Even where DPDP would otherwise allow transfers, these RBI norms can effectively localise core transaction and payments data by insisting on local storage, auditability and supervisory access.

Under SEBI’s cybersecurity and cloud outsourcing circulars, which apply to brokers, mutual funds, depositories and market infrastructure institutions, capital markets entities that use overseas service providers must meet data residency requirements and protect data through encryption and access control measures. Firms will need to reconcile DPDP’s relatively flexible cross border stance with SEBI expectations that certain investor and trading datasets be tightly controlled and, in some cases, retained onshore or in designated environments.

Insurance, Health And Public Health Data

IRDAI and health sector regulators are also signalling closer scrutiny of cross border handling of health and insurance data, including medical records, claim histories and wellness information. For insurers, TPAs and health tech platforms, this may translate into stricter localisation or ring fencing of particularly sensitive fields, even if other data points can continue to be processed abroad.

Public health and epidemiological datasets, which contain a mix of personal and non-personal data at large scale, sit uneasily between DPDP’s carve-outs for government processing and the separate requirements to keep certain data within India. Transfers in these areas are likely to be governed by bespoke programme specific rules rather than generic DPDP logic, and may be among the earliest candidates if a negative list starts to form around particular destinations.

4. Consent, Notices And Transparency For Cross Border Flows

What Needs To Change In Privacy Notices

Regardless of where processing occurs, DPDP keeps consent, purpose limitation and transparency at the centre of the framework. Data fiduciaries must tell data principals, in clear and plain language, the purposes of processing, the categories of personal data, and key details about recipients including those outside India.

For cross border transfers, privacy notices and consent flows should now:

  1. Explicitly state that personal data may be processed in, or accessed from, other countries.
  2. Identify, where feasible, the main categories of overseas recipients (global cloud/SaaS providers, group shared service centres, regional support teams, analytics and security vendors).
  3. Avoid purely generic statements like “we may process your data globally” and instead anchor disclosures in actual data flow maps, at least at the level of regions or key jurisdictions.

This is not about listing every sub processor or backup location in a public policy. It is about making sure that data principals have a fair understanding that, for example, their HR, support or usage data may be routed through EU or Asia Pacific data centres operated by specific categories of vendors.

Data Principal Rights And Cross Border Access

DPDP rights (access, correction, deletion and grievance redress) apply regardless of whether data is stored in India or on servers abroad. That, in turn, means Indian data fiduciaries must have sufficient technical and contractual hooks to exercise effective control over overseas processors.

Practically, this implies:

  1. SLAs that require processors to support data subject rights requests within DPDP timelines, including search, extraction, rectification and deletion.
  2. Audit trails and logs that allow the fiduciary to demonstrate, if challenged by the Data Protection Board, that rights were honoured even where data sat in another country.
  3. Escalation paths for complex requests (for example, partial deletion where legal retention obligations apply) coordinated across multiple vendors in different jurisdictions.

Without these mechanisms, cross border models risk becoming administratively unworkable once DPDP enforcement gathers pace.

5. Contracting Strategies For Global Cloud And SaaS Deals

Using Contracts To Extend DPDP Obligations Overseas

Because DPDP does not currently prescribe standard contractual clauses, commercial contracts become the key instrument for extending Indian law obligations to overseas processors and sub processors. Data processing agreements (DPAs), annexures to MSAs and intra group arrangements will all need to be refreshed with DPDP in mind.

At a minimum, DPDP aligned contracts with overseas providers should address:

  1. A clearly defined processing scope, with documented instructions from the Indian data fiduciary and limits on secondary use.
  2. Security, incident response and breach notification obligations that align with DPDP and relevant sectoral guidelines.
  3. Sub processor approval and flow down clauses, ensuring that all downstream vendors are bound by equivalent standards.
  4. Data return or deletion commitments on exit and the ability to obtain evidence (certificates, logs) that deletion has occurred.
  5. Reasonable audit and assessment rights, which may be exercised via certifications, third party reports or targeted reviews rather than full on site audits.

While Indian regulators have not yet issued EU style adequacy decisions or SCC templates, law firm and industry commentary suggests that they will expect contractual protections to approximate DPDP’s standards, even when processing takes place abroad.

Dealing With Vendors In Potentially Restricted Jurisdictions

The negative list architecture introduces a new dimension to vendor risk management. Even if no country is yet restricted, companies should plan for the possibility that certain jurisdictions may become unattractive or off limits in the medium term.

Prudent steps include:

  1. Avoiding concentration of critical workloads (core customer databases, payment rails, KYC repositories) in jurisdictions that may be politically or legally volatile.
  2. Where such locations are unavoidable, negotiating “exit ramps”: contractual rights and technical capabilities to migrate data to alternative regions or providers within defined timeframes.
  3. Leveraging regional hosting, data residency options, encryption and tokenisation to reduce the sensitivity of data that crosses borders, so that a later restriction triggers less disruption.
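
The “negative list” stress test described in these steps, and the capability called for in section 2 (identifying which workloads, vendors and sub processors rely on a country once it is restricted), can be made concrete with a data flow register. This is an added example, not code from the article or from Legitpro; the processors, countries and field classifications are constructed, and "XX" is a placeholder for a hypothetically restricted jurisdiction.

```python
"""Data flow register with a negative-list impact check (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Processor:
    name: str
    country: str                      # ISO country code of the processing location
    sub_processors: list = field(default_factory=list)  # downstream Processor objects


@dataclass
class DataField:
    name: str
    sensitive: bool                   # e.g. health, Aadhaar-linked, financial risk data
    protection: str                   # "clear", "encrypted" or "tokenised" before export


@dataclass
class Workload:
    name: str
    fields: list                      # DataField objects the workload sends abroad
    processor: Processor              # first hop outside the Indian data fiduciary


def chain_countries(p: Processor, seen=None):
    """Every country touched by p and its sub-processors, transitively (cycle-safe)."""
    seen = set() if seen is None else seen
    if p.name in seen:
        return set()
    seen.add(p.name)
    countries = {p.country}
    for sub in p.sub_processors:
        countries |= chain_countries(sub, seen)
    return countries


def restriction_impact(register, restricted_country):
    """Map each workload whose chain reaches restricted_country to a required action.

    Sensitive fields that leave India in clear form force a reroute or shutdown;
    workloads exporting only encrypted/tokenised or non-sensitive data are low disruption.
    """
    impact = {}
    for wl in register:
        if restricted_country not in chain_countries(wl.processor):
            continue
        exposed = [f.name for f in wl.fields if f.sensitive and f.protection == "clear"]
        impact[wl.name] = ("reroute-or-discontinue", exposed) if exposed else ("low-disruption", [])
    return impact


# Constructed sample register; vendor names and locations are illustrative only.
SAAS = Processor("saas-hr", "IE", sub_processors=[Processor("saas-hr-support", "XX")])
PAYROLL = Processor("payroll-vendor", "SG")
ANALYTICS = Processor("analytics-hub", "XX")
REGISTER = [
    Workload("hr-records", [DataField("salary", True, "encrypted"),
                            DataField("health_benefits", True, "clear")], SAAS),
    Workload("payroll", [DataField("bank_account", True, "encrypted")], PAYROLL),
    Workload("usage-analytics", [DataField("customer_id", True, "tokenised"),
                                 DataField("page_views", False, "clear")], ANALYTICS),
]
```

Running `restriction_impact(REGISTER, "XX")` flags `hr-records` for rerouting (the sub processor hop exposes clear-form health data) while `usage-analytics` is low disruption because its sensitive field is tokenised before export.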

In essence, DPDP encourages organisations to treat cross border design as a strategic architecture question, not just an IT procurement detail.

6. HR Data, Outsourcing And Group Shared Services

Mapping And Ring Fencing HR And Employee Data

HR and employee data is often among the first categories to move cross border, thanks to global HR platforms, payroll providers and group analytics hubs. Under DPDP, this data is as protected as customer information, and in some contexts (whistle blower reports, health related benefits, performance files) may be particularly sensitive.

Companies should therefore:

  1. Map which HR and employee datasets currently leave India, for what purposes and to which service providers or group entities.
  2. Decide which fields should stay onshore (e.g., detailed health records), which can move subject to strong encryption or pseudonymisation, and which can be processed in clear form abroad.
  3. Ensure that employment contracts, notices and internal policies accurately describe these flows and link to DPDP compliant privacy notices.

Vendor And Intra Group Agreements For Back Office Functions

Beyond HR, a large share of Indian enterprises rely on global shared services for finance, IT, customer support and analytics. Many of these arrangements were structured years before DPDP and contain only high level data protection language.

Those agreements should now be revisited to:

  1. Clarify roles (who is the data fiduciary, who is the processor, and where sub processors enter the chain).
  2. Add DPDP specific obligations on security, rights enablement, breach notification and cooperation with Indian authorities.
  3. Build in flexibility to reroute or relocate processing if a particular country becomes restricted, without having to re-negotiate the entire commercial relationship.

7. What Should Indian Companies Do Now?

With DPDP implementation well advanced and cross border guidance maturing, Indian organisations need to move from theoretical localisation debates to concrete planning for a negative list scenario. The following steps are recommended:

  1. Map all cross border personal data flows (customer, employee, vendor and analytics data) and identify key overseas dependencies, including cloud regions and shared service hubs.
  2. Update privacy notices and consent flows to explain cross border transfers and overseas recipients in clear, specific language aligned with actual architectures.
  3. Refresh vendor and intra group contracts with DPDP aligned processing, security, sub processor and exit clauses, prioritising critical workloads and higher risk jurisdictions.
  4. Track Government notifications on the negative list and sectoral circulars from RBI, SEBI, IRDAI and health regulators, and bake these into cloud and outsourcing governance.
  5. Brief the board and senior management on how DPDP’s cross border model interacts with business strategy, so future product and IT decisions are taken with data flow resilience in mind.

The negative list model of the DPDP Act allows Indian companies to keep the advantages of global cloud and shared services ecosystems, provided they build cross border systems that are more deliberate, safer and more defensible than their earlier designs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
