## TL;DR Summary

The DPDP Act restricts personal data transfers to jurisdictions not approved by the Central Government. Until the approved list is published, businesses must rely on contractual safeguards and risk assessments. We've helped 30+ organizations evaluate their cross-border flows—this guide shares our framework for compliance.

---

## About the Author

**Arpit Garg**
*Founder & Chief Privacy Officer, Complynz*

Arpit has advised 30+ organizations on cross-border data transfer compliance, including multinational companies with complex data flows and Indian startups using global SaaS tools. Connect on [LinkedIn](https://linkedin.com/in/arpitgarg).

*This guide reflects our cross-border compliance experience. AI assisted with organization; all frameworks are from real client engagements.*

---

## What Does the DPDP Act Say About Cross-Border Transfers?

### The Basic Rule

Section 16 of the DPDP Act states that personal data may be transferred outside India, except to countries or territories specifically restricted by the Central Government.

### Current Status (February 2026)

- **Approved Jurisdictions:** List not yet published
- **Restricted Jurisdictions:** List not yet published
- **Default Position:** Transfers permitted with appropriate safeguards

### What This Means Practically

Until the government publishes jurisdiction lists, businesses should:

1. Assess transfer risks
2. Implement contractual safeguards
3. Document transfer justifications
4. Monitor for regulatory updates

---

## Mapping Your Cross-Border Data Flows

### Step 1: Identify All Transfers

Most organizations underestimate their cross-border flows.
Common transfer scenarios:

| Scenario | Example | Data Transferred |
|----------|---------|------------------|
| Cloud Infrastructure | AWS US-East region | All hosted data |
| SaaS Tools | Salesforce, HubSpot | Customer data |
| Marketing Platforms | Mailchimp, Klaviyo | Email, behavior |
| Analytics | Google Analytics | User behavior |
| Support Tools | Zendesk, Intercom | Support tickets |
| AI Services | OpenAI, Anthropic | Query content |
| Payment Processing | Stripe (US) | Transaction data |
| HR Systems | Workday, BambooHR | Employee data |

### Step 2: Document Transfer Details

For each cross-border flow, document:

| Field | Information Needed |
|-------|--------------------|
| Data Categories | What types of personal data? |
| Data Subjects | Whose data (customers, employees)? |
| Volume | How many records? |
| Destination Country | Where does the data go? |
| Recipient | Who receives the data? |
| Purpose | Why is the transfer necessary? |
| Legal Basis | Consent, contract, legitimate interest? |
| Safeguards | What protections are in place? |

---

## Transfer Assessment Framework

### Risk Factors to Evaluate

**1. Destination Country**

| Consideration | Questions to Ask |
|---------------|------------------|
| Legal Framework | Does the country have a data protection law? |
| Government Access | Is there surveillance risk? |
| Judicial Recourse | Can data subjects seek remedies? |
| Enforcement | Are privacy rights enforced? |

**2. Data Sensitivity**

| Data Type | Transfer Risk |
|-----------|---------------|
| Public information | Low |
| Contact details | Low-Medium |
| Behavioral data | Medium |
| Financial data | High |
| Health data | High |
| Biometric data | Very High |
| Children's data | Very High |

**3. Transfer Volume**

| Volume | Consideration |
|--------|---------------|
| < 1,000 records | Lower scrutiny |
| 1,000 - 100,000 | Standard assessment |
| > 100,000 | Enhanced due diligence |

---

## Transfer Mechanisms and Safeguards

### 1. Standard Contractual Clauses

Until India develops its own SCCs, consider:

**Essential Clauses:**

- Limitations on further transfers
- Security obligations matching Indian requirements
- Data subject rights support
- Breach notification requirements
- Audit rights
- Termination and data return

### 2. Binding Corporate Rules

For multinational groups:

- Internal data protection policies
- Binding on all group entities
- Enforceable by data subjects
- Regular compliance monitoring

### 3. Certification Mechanisms

- ISO 27701 certification
- SOC 2 reports
- Industry-specific certifications

### 4. Technical Measures

| Measure | Protection Offered |
|---------|--------------------|
| Encryption in transit | Prevents interception |
| Encryption at rest | Protects stored data |
| Pseudonymization | Reduces re-identification risk |
| Data minimization | Reduces exposure |
| Regional processing | Keeps data closer to source |

---

## Practical Scenarios and Solutions

### Scenario 1: Using US-Based SaaS (Salesforce, HubSpot)

**Challenge:** Customer data transferred to US servers

**Solution Framework:**

1. Review the vendor DPA and security certifications
2. Negotiate data residency where available
3. Implement contractual safeguards
4. Document business necessity
5. Monitor for India region availability

### Scenario 2: Global Analytics (Google Analytics)

**Challenge:** Website visitor data processed globally

**Solution Framework:**

1. Consider Google Analytics 4 with data retention controls
2. Enable IP anonymization
3. Use consent before tracking
4. Consider privacy-focused alternatives (Plausible, Fathom)
5. Document processing locations

### Scenario 3: AI Services (OpenAI, Anthropic)

**Challenge:** Customer queries may contain personal data

**Solution Framework:**

1. Assess what personal data enters AI systems
2. Implement PII filtering before API calls
3. Review AI provider data use policies
4. Consider self-hosted alternatives for sensitive data
5. Document the risk assessment

### Scenario 4: Cloud Infrastructure (AWS, Azure, GCP)

**Challenge:** All application data hosted internationally

**Solution Framework:**

1. Use India regions where available
2. For unavailable services, document necessity
3. Enable encryption and key management
4. Review provider certifications
5. Implement a DPA with the cloud provider

---

## Cloud Provider India Region Status

| Provider | India Region | Services Available |
|----------|--------------|--------------------|
| AWS | Mumbai, Hyderabad | Most services |
| Azure | Central, South India | Most services |
| GCP | Mumbai | Core services |
| Oracle | Mumbai, Hyderabad | Core services |
| IBM | Chennai | Select services |

**Note:** Not all services are available in India regions. Assess on a service-by-service basis.

---

## Employee Data Transfers

Employee data often flows internationally for:

- Global HR systems
- Payroll processing
- Benefits administration
- Performance management

**Additional Considerations:**

- Employee notice required
- Consent for non-essential processing
- Enhanced protection for sensitive HR data
- Retention aligned with employment law

---

## What to Do While Awaiting Government Guidance

### Short-Term Actions

1. **Inventory all cross-border flows** using the framework above
2. **Assess each transfer** for risk and necessity
3. **Implement contractual safeguards** with all international vendors
4. **Document decision-making** for audit defense
5. **Prioritize India regions** where available

### Prepare for Future Rules

1. **Track regulatory developments** from MeitY and the Data Protection Board
2. **Identify high-risk transfers** that may need immediate action
3. **Build flexibility** into vendor contracts for rule changes
4. **Establish a governance process** for transfer decisions

---

## Frequently Asked Questions

### Is data stored in Indian cloud regions considered "transferred"?

Generally no, if processing stays within India. But review provider terms—some services may route through other regions.

### What about backup and disaster recovery in other regions?

This counts as a transfer. Document the necessity and implement encryption for backup data.

### Can we use consent to legitimize any transfer?

Consent helps but doesn't override government restrictions. Once restricted jurisdictions are notified, consent alone won't suffice.

### What if a vendor refuses to specify data location?

This is a red flag. Negotiate transparency or consider alternatives.

### How do we handle transfers to multiple countries?

Assess each destination separately. Some vendors process in multiple locations—understand the full flow.

---

## Conclusion

Cross-border data transfers require proactive risk management. While awaiting final DPDP Act rules, implement safeguards, document decisions, and build organizational capability to adapt quickly.

**Key Takeaways:**

1. Map all international data flows
2. Assess risk by destination and data type
3. Implement contractual and technical safeguards
4. Prioritize India regions where feasible
5. Monitor regulatory developments

---

## Sources & References

1. Digital Personal Data Protection Act, 2023 - Section 16
2. MeitY Notifications and Circulars
3. Cloud provider documentation
4. Our internal transfer assessment data (30+ clients)

---

*Last Updated: February 2026*
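The Step 2 register fields and the Transfer Assessment Framework (destination status, data sensitivity, volume) turned into a small assessment routine, as an added Python illustration that is not Complynz's tooling. The `APPROVED` and `RESTRICTED` sets are empty placeholders because neither jurisdiction list has been published, and the vendor names in the usage are constructed sample entries.

```python
"""Transfer register and risk assessment following the tables in this guide.
Added illustration, not Complynz tooling. APPROVED / RESTRICTED are empty
placeholders until the Central Government notifies the jurisdiction lists."""
from dataclasses import dataclass, field
from typing import Optional

# "Data Sensitivity" table, scored 1 (low) to 5 (very high).
SENSITIVITY = {"public": 1, "contact": 2, "behavioral": 3, "financial": 4,
               "health": 4, "biometric": 5, "children": 5}
TIER = {1: "low", 2: "low-medium", 3: "medium", 4: "high", 5: "very high"}
APPROVED: set = set()     # placeholder: populate from the MeitY notification
RESTRICTED: set = set()   # placeholder: populate from the MeitY notification

@dataclass
class Transfer:
    """One cross-border flow, recorded with the Step 2 fields."""
    recipient: str
    destination: Optional[str]      # None when the vendor will not state a location
    data_categories: list
    volume: int
    purpose: str
    legal_basis: str
    safeguards: list = field(default_factory=list)

def assess(t: Transfer) -> dict:
    """Apply the guide's rules: tier from sensitivity, scrutiny from volume,
    plus the open actions the destination status and safeguards call for."""
    actions = []
    if t.destination is None:
        actions.append("location unspecified: negotiate transparency or choose another vendor")
    elif t.destination in RESTRICTED:
        actions.append("restricted jurisdiction: stop the transfer; consent does not override this")
    elif t.destination not in APPROVED:
        actions.append("destination not yet listed: keep contractual safeguards and document justification")
    if not t.safeguards:
        actions.append("no contractual safeguards recorded")
    score = max(SENSITIVITY[c] for c in t.data_categories)
    if t.volume > 100_000:
        scrutiny = "enhanced due diligence"
    elif t.volume >= 1_000:
        scrutiny = "standard assessment"
    else:
        scrutiny = "lower scrutiny"
    blocked = t.destination is not None and t.destination in RESTRICTED
    return {"tier": TIER[score], "scrutiny": scrutiny, "blocked": blocked, "actions": actions}

def prioritise(register: list) -> list:
    """Order the register so blocked, then riskiest, then largest flows come first."""
    order = {"very high": 5, "high": 4, "medium": 3, "low-medium": 2, "low": 1}
    def key(t):
        a = assess(t)
        return (not a["blocked"], -order[a["tier"]], -t.volume)
    return sorted(register, key=key)
```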
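Scenario 3's second step, filtering personal data out of prompts before they reach an external AI API, as an added Python illustration that is not Complynz's code nor any AI vendor's SDK. The four patterns (email address, PAN, Indian mobile number, 12-digit Aadhaar-style number) are a constructed baseline; a production detector needs broader coverage and an allow-list of fields that may leave the country.

```python
"""Redact personal data from a prompt before it is sent to an external AI API,
and restore it locally in the reply. Added illustration; the detection patterns
are a constructed baseline, not a complete PII detector."""
import re
from dataclasses import dataclass

# Ordered so the 10-digit mobile pattern runs before the 12-digit Aadhaar-style one,
# otherwise "+91" followed by a mobile number would be mistaken for an Aadhaar number.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PAN", re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)")),
    ("AADHAAR", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")),
]

@dataclass
class Redaction:
    text: str     # prompt that is safe to send; contains placeholders only
    found: dict   # placeholder -> original value, kept on the local side only

def redact(prompt: str) -> Redaction:
    """Replace each detected value with a numbered placeholder such as [EMAIL_1]
    so the model still sees that a value was present without receiving it."""
    found, counters, text = {}, {}, prompt
    for label, pattern in PATTERNS:
        def replace(match, label=label):
            counters[label] = counters.get(label, 0) + 1
            key = f"[{label}_{counters[label]}]"
            found[key] = match.group(0)
            return key
        text = pattern.sub(replace, text)
    return Redaction(text, found)

def restore(answer: str, found: dict) -> str:
    """Put the original values back into the model's reply, locally."""
    for key, value in found.items():
        answer = answer.replace(key, value)
    return answer

if __name__ == "__main__":
    # Constructed sample prompt; every value in it is fictitious.
    r = redact("Refund for priya@example.com, PAN ABCDE1234F, phone 9876543210, Aadhaar 1234 5678 9012.")
    print(r.text)   # this is what would go to the API
    print(restore("Refund approved for [EMAIL_1].", r.found))
```

Only `r.text` should be passed to the API client; `r.found` stays in the calling process so the mapping never leaves the jurisdiction.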