Navigating Cross-Border Data Transfers Under India’s DPDPA and Draft Rules

Overview of the Digital Personal Data Protection Act

The Digital Personal Data Protection Act (DPDPA) 2023 is India's primary legislation governing the processing of personal data. It applies to any entity (Indian or foreign) processing the personal data of individuals within India. On  January 3, 2025, the Ministry of Electronics and Information released the Digital Personal Data Protection Draft Rules, 2025 (DPDPA Draft Rules), which outline the regulatory framework for compliance under the DPDPA.

Categorization of Entities Handling Personal Data Under DPDPA

Under the DPDPA, entities handling personal data are categorized as data fiduciaries or significant data fiduciaries.

1. Data Fiduciary: A data fiduciary determines the purpose and means of processing personal data.
2. Significant Data Fiduciary: Any data fiduciary or class of data fiduciaries may be designated as a significant data fiduciary by the central government based on factors such as:
   • the volume and ‘sensitivity of data processed’,
   • risks to data principal rights,
   • potential impacts on India’s sovereignty,
   • electoral democracy,
   • state security, and
   • public order.

Types of Personal Data Under DPDPA

The DPDPA defines personal data as “any data about an individual who is identifiable by or in relation to such data.”

At present, the DPDPA and its Draft Rules do not delineate specific categories of personal data, such as sensitive personal data or critical personal data. However, the inclusion of “sensitivity of personal data” as a criterion for classifying significant data fiduciaries suggests the potential for the recognition or introduction of sensitive personal data in the future.

Cross Border Data Transfers under DPDPA

The DPDPA empowers the central government to regulate cross-border personal data transfers by designating a "negative list" of restricted countries. The DPDPA does not provide the basis upon which data transfers may be restricted. Certain categories of processing are exempted from the government notification requirement. These include:

• Processing necessary for enforcing legal rights or claims.
• Processing by courts, tribunals, or regulatory bodies in India for judicial or quasi-judicial functions.
• Processing necessary for the prevention, detection, investigation, or prosecution of offenses or legal contraventions in India.
• Processing of personal data of data principals located outside India, pursuant to contracts with individuals outside the country by an Indian entity.
• Processing required for court-approved mergers, amalgamations, demergers, or other corporate restructurings.
• Processing to ascertain the financial status of individuals who have defaulted on loans, provided it complies with relevant disclosure laws.

The DPDPA's provisions on cross-border data transfers apply to all data fiduciaries, including startups, micro, small, and medium enterprises, and significant data fiduciaries. Additionally, the DPDPA does not override existing sector-specific laws for cross-border data transfer that provide greater protection, establishing DPDPA requirements as a baseline.

Data Localisation Requirement For Significant Data Fiduciaries

The DPDPA Draft Rules impose additional obligations on significant data fiduciaries to ensure that specific categories of personal and traffic data, as designated by the central government, are processed exclusively within India and are not transferred outside the country. This obligation strongly suggests the potential for future categorization of personal data into distinct types, such as sensitive personal data or critical data.

How Can Organizations Ensure Secure Cross-Border Data Transfer?

Despite the DPDPA’s framework for cross-border data transfers, significant uncertainty remains regarding its implementation. The lack of defined criteria for restricting transfers, the absence of a formalized adequacy assessment mechanism, and the potential for future amendments create compliance challenges for organizations. To navigate this landscape, we recommend that organizations take the following steps:

Cross-Border Data Transfer Compliance

• Determine whether they qualify as a data fiduciary, significant data fiduciary, or data processor. It is important to determine relevant obligations.
• Check if the destination country is on the ‘Negative List’. If a transfer is restricted, assess applicable exemptions.
• Ensure compliance with sector-specific laws governing data transfers.
• Stay updated on the anticipated categorization of data as personal data, sensitive data, or critical data.

Security Safeguards and Technical Controls

As required by the DPDPA, we advise organizations to implement appropriate technical and organizational measures to protect personal data during cross-border data transfers. This includes encryption, access controls, secure transfer protocols, and firewalls to safeguard data in transit and at rest. Additionally, we recommend that organizations should conduct:

• Data Transfer Impact Assessments (DTIA),
• Data Transfer Agreements (DTAs) with vendors and third-party processors, and
• Due diligence of foreign recipients.

Alignment with Global Standards

To align with global best practices, we recommend that organizations:

• Notify the data principal in detail before the commencement of the data transfer outside India.
• Execute relevant agreements (e.g., consent forms, contracts) and provide data principals with comprehensive notices before data transfers.
• Document consent/contracts for data transfer if executed.
• Maintain documentation of transfers to prepare for audits.

Stay Informed on Regulatory Developments

We advise organizations to actively monitor updates from the central government regarding restrictions on cross-border data transfers, industry certifications, and changes in the legal landscape.