BACK TO DPDP ACT
DPDP Act 2023

Section 16

Transfer of Personal Data Outside India

THE STATUTE

Original Text

(1) A Data Fiduciary may transfer personal data of a Data Principal to a place outside India, subject to such terms and conditions as may be prescribed and in accordance with the provision of this Act. (2) The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may not transfer personal data of a Data Principal.

Simplified

[DPDP Rules 2025 — Rule 15 operationalises this section; in force 13 May 2027] Section 16 governs cross-border personal data transfers — one of the most commercially significant provisions for multinational companies, cloud service providers, and globally integrated businesses. India's approach is a 'blocklist' or 'negative list' model: data may be transferred to any country or territory EXCEPT those that the Central Government specifically restricts by notification. This is conceptually opposite to GDPR's 'whitelist' or adequacy model, where data can only flow to countries on an approved list of adequate protectors. The blocklist approach has significant practical implications. Before the restricted list is notified, there are no country-specific restrictions — data can flow anywhere subject to the general compliance obligations (the DPDP Act's requirements still apply to the exporting Data Fiduciary regardless of where data goes). Once the restricted list is notified, transfers to listed countries are prohibited or require special conditions. The Central Government has broad discretion on what factors it considers in assessing which countries to restrict — likely to include national security, diplomatic relations, and the destination country's data protection standards. In practice, this means India could restrict transfers to countries seen as geopolitical rivals or intelligence adversaries even if those countries have strong data protection frameworks, and could permit transfers to friendly countries even if their data protection laws are weak. DPDP Rules will specify the 'terms and conditions' for permitted transfers — likely to include standard contractual clauses, processor agreements, or other safeguards. Data localisation advocates had pushed for a strong localisation requirement; the final DPDP Act significantly relaxed this compared to earlier draft bills which required mandatory storage within India.

Common Queries

Yes, unless the US is added to the Central Government's restricted countries list under Section 16(2). Currently, no restricted list has been notified, so transfers may proceed subject to DPDP Rules and general compliance obligations.
Not as a general rule. Unlike earlier draft bills, the final DPDP Act 2023 does not mandate storing personal data within India. Data may be transferred abroad, with transfers to specific countries prohibited only after government notification.
The Data Fiduciary remains responsible for DPDP Act compliance regardless of where the data is processed. Outsourcing data to a foreign Data Processor does not transfer responsibility — the Data Fiduciary remains the accountable entity under Section 8(1).
GDPR uses a whitelist: data can only flow to countries the EU has declared 'adequate', with specific mechanisms (standard contractual clauses, binding corporate rules) required for other countries. India uses a blocklist: data can flow everywhere except countries specifically restricted by government notification — a significantly more permissive baseline.

Legal Context

Earlier drafts — the Personal Data Protection Bill 2019 and 2021 JPC Report — required mandatory data localisation for sensitive and critical personal data within India. This was strongly opposed by US and European tech companies. The final DPDP Act 2023 abandoned mandatory localisation in favour of a blocklist approach, a major policy shift that reflected diplomatic and commercial pressures. The approach is closer to the US model than the EU model.

Key Rules & Provisions

Blocklist model — data can flow anywhere except to notified restricted countries (opposite of GDPR adequacy whitelist).

Major policy shift from earlier bills — mandatory localisation dropped.

Central Government has discretion to restrict based on national security, diplomacy, and data protection standards.

DPDP Rules to specify terms and conditions for permitted transfers.

Rule 15 (DPDP Rules 2025): negative-list model confirmed — Central Government may specify requirements for transfers to foreign states/entities.

Rule 13(4) interaction: SDF localisation obligation for government-notified categories — absolute prohibition on those transfers.

Related Case Laws

Justice K.S. Puttaswamy v. Union of India (2017)

(2017) 10 SCC 1
RELEVANCE

The Puttaswamy judgment's emphasis on data protection as integral to the right to privacy was the constitutional foundation for Section 16's cross-border framework — ensuring Indian data subjects retain protection even when their data crosses borders.