Rule 8

Rule 8 implements DPDP Act Section 16's cross-border transfer framework — a permissive, negative-list model that is fundamentally different from GDPR's restrictive, positive-adequacy approach. Under DPDP Rule 8, personal data can be transferred to ANY country UNLESS that country appears on the Central Government's 'negative list'. No additional safeguards (SCCs, BCRs, binding corporate rules) are required for permitted transfers — the absence of a country from the negative list is sufficient authorisation. This permissive model is more business-friendly than GDPR but raises concerns about protection standards in destination countries. Contrast with GDPR: under GDPR Articles 44–49, transfers outside the EU are prohibited unless the destination country has an adequacy decision from the European Commission, or the data exporter has implemented appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, or other Article 46 mechanisms). GDPR starts with 'no' and requires a positive justification; DPDP starts with 'yes' and only restricts where specifically prohibited. The negative list has not been notified as of the Rules' commencement (13 November 2025). This means, practically, that cross-border transfers are currently unrestricted — there are no countries on the negative list yet. The negative list is expected to include countries with poor data protection standards, geopolitical adversaries, or countries that have demonstrated risk of misusing Indian citizens' data. China, Pakistan, and other geopolitically sensitive jurisdictions are widely speculated candidates, but nothing has been officially announced. Even after the negative list is notified, transfers to non-blocked countries remain unrestricted — unlike GDPR which requires adequacy or safeguards regardless of destination.