The Digital Personal Data Protection Act, 2023 (DPDPA), together with the DPDP Rules, 2025, is India’s privacy and governance law for processing digital personal data. It protects the rights of data principals, the individuals to whom the data relates. It applies to the processing of digital personal data within India, and to processing outside India that is connected with offering goods or services to individuals in India. Under the DPDPA, the entities that decide the purpose and means of processing are data fiduciaries. The Central Government may notify some of them as significant data fiduciaries (SDFs), for example large banks or e-commerce platforms that handle high volumes of sensitive personal data or carry out higher-risk processing, and SDFs carry more stringent compliance obligations.
Under the DPDPA, the Central Government may restrict cross-border transfers of personal data to countries or territories that it notifies, a “negative list” approach: transfers are permitted by default unless the destination is on the list, and Indian entities must structure their transfers around it. The Data Security Council of India (DSCI) Privacy Across Borders white paper offers best-practice recommendations to help organisations comply with these transfer requirements.
Initial Proposals on Cross-Border Data Transfer Under Earlier DPDP Drafts
The earlier drafts, in particular the Personal Data Protection Bill, 2019, proposed complex and stringent regulations on cross-border data transfers, with restrictions specific to defined sub-categories of personal data. Here is a glance at how the law could have looked:
- Local Storage for Sensitive Personal Data :
Organisations would have been required to keep a copy of all sensitive personal data stored locally in India, even when the same data was transferred abroad. This would have meant heavy spending on local data centres and higher operational costs: a multinational would effectively have had to duplicate its data storage infrastructure for Indian data.
- Compliance for Cross-Border Data Transfers Under DPDP :
The 2019 draft also set specific conditions for transferring sensitive personal data outside India:
- Explicit consent had to be obtained from the data principal.
- Where the transfer was made under an intra-group scheme or contract, that scheme or contract had to be approved by the Data Protection Authority (DPA) in consultation with the Central Government.
- Alternatively, the Central Government, after consulting the DPA, had to have made an adequacy determination that the destination country, entity or international organisation provides adequate protection and that the data would not be shared onward with a foreign government or agency without its approval; or the DPA had to have permitted the specific transfer for a particular purpose.
- Restrictions on Critical Data Transfer:
The prohibition on transferring critical personal data outside India was stricter still: critical personal data was to be processed only in India, with two narrow exceptions. Transfer was permitted only:
- To countries, entities or international organisations already approved by the Central Government through an adequacy finding, and only where the transfer would not prejudicially affect national security or strategic interests.
- To a person or entity providing health or emergency services, where prompt action was necessary.
Under the DPDP Act, 2023 and the DPDP Rules, 2025, these draft restrictions have been dropped: transfers are permitted by default, restrictions on specific countries are left to notifications under the Act, and stricter sectoral rules continue to apply.
Sector-Specific Laws
Section 16 of the DPDP Act does not override any other law that provides a higher degree of protection, or imposes stricter restrictions, on the transfer of personal data outside India; such a law continues to take precedence. Several Indian sectoral regulations impose stricter data localisation requirements, notably in banking, payments, insurance, telecom and securities.
- RBI’s 2018 Circular on Storage of Payment System Data : All data relating to payment systems must be stored only in India. This covers not just transaction details but also customer data and payment-sensitive information. For the foreign leg of a cross-border transaction, the relevant data may additionally be stored abroad.
- IRDAI (Maintenance of Insurance Records) Regulations 2015 :
These regulations require every record of policies issued and claims made in India to be held in data centres that are both located and maintained in India.
- RBI’s 2017 Directions on Outsourcing of Financial Services by NBFCs :
Under paragraph 7.3, where financial services are outsourced to a location outside India, the original records must continue to be maintained in India. The regulatory authorities of the offshore location must also not gain access to data relating to the NBFC’s Indian operations merely because the processing takes place there.
- IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017 :
These regulations require that all original policyholder records be maintained in India.
- SEBI Advisory Regarding SaaS based Solutions :
The Securities and Exchange Board of India (SEBI) has issued an advisory for regulated entities such as credit rating agencies, merchant bankers, debenture trustees, STP service providers and other financial institutions that use software-as-a-service (SaaS) solutions. These organisations must store critical data, including liquidity risk data, market risk data, system information, system configuration data, supplier information and network topology, within India.
- Consumer Protection (Direct Selling) Rules, 2021 :
Under these rules, direct selling entities must store sensitive personal data within India.
Privy by IDfy, India’s first full-stack privacy governance platform, is built around these sectoral rules so that entities do not have to work out from scratch which law applies to them. Privy’s Data Compass helps identify sensitive data, flag cross-border data flows against sectoral regulations, detect third-party transfers and mitigate compliance risk, giving stakeholders assurance that data privacy requirements are being met.
How Should Indian Enterprises Prepare for the Future With Privy
With the DPDP Rules notified, Indian businesses must proactively track where their vendors, systems and technology service providers store personal data outside India. They should watch for countries added to the negative list, understand their sector-specific requirements, and prepare for potential new rules on transfer mechanisms such as binding corporate rules and standard contractual clauses.
Compliance begins with understanding the law. Read our DPDP compliance checklist for an in-depth look at the DPDP Rules and their penalties, and for a solid foundation in the law as it stands now.
Privy by IDfy helps data fiduciaries meet the government’s conditions for cross-border data flows from India through its Consent Governance Platform (CGP), Consent Shield and supporting modules.
- Clear Mapping of Data Processors and Cross-Border Data Flows in India :
Privy’s CGP lists every data processor and maps each to its processing purposes and data flows. This lets data fiduciaries identify which processors are located outside India and ensures that each cross-border transfer under the DPDPA is tracked and documented.
- Automated RoPA (Records of Processing Activities) :
The CGP builds and maintains the RoPA, including details of every processor involved in a transfer, so organisations have compliance documentation ready to share when authorities review their data transfer compliance.
- Consent Level Transparency for Data Sharing Outside India :
Dynamically generated consent notices let enterprises disclose when personal data will be shared with foreign entities, giving users visibility into, and control over, the movement of their data. All consents are stored immutably in Privy Consent Shield to support regulatory and audit checks.
- Strong Integrity and Governance Controls :
Privy’s Consent Shield applies cryptographic integrity checks to stored consents, so that the authenticity and validity of users’ permissions can be demonstrated. This is critical in audits of cross-border data transfers under the DPDPA.
- Data Principal Rights and Transparency :
Through the DPAR portal, users can request details of the data processors, domestic or international, that handle their data. Privy makes these disclosures clear and verifiable through automated data retrieval workflows.
- Support for DPDPA Data Transfer Rules :
The DPDP Rules require data fiduciaries to comply with any requirements the Central Government specifies for making personal data available outside India. Privy helps by managing consent artefacts and their versions and by ensuring traceability of every outbound transfer to a processor.
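The cross-border mapping and the integrity checks on consent records are described above only at the feature level. As an added example written for this page, and not Privy’s or IDfy’s code, the Python below shows what such controls look like at the implementation level: a hypothetical processor inventory with country codes is checked against a constructed negative list, and each consent record discloses which recipients sit outside India, is HMAC’d, and is chained to the previous record so that a rewritten or deleted entry is caught on verification. All processor names, country codes, principal IDs and the key are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the page or the product).
# The DPDP Act lets the Central Government notify countries to which
# transfers are restricted; "XX" and "YY" stand in for such a list.
NEGATIVE_LIST = {"XX", "YY"}
HOME_COUNTRY = "IN"

# Hypothetical processor inventory: name -> (country code, purpose).
PROCESSORS = {
    "payments-gw": ("IN", "payment processing"),
    "email-svc":   ("US", "transactional email"),
    "analytics":   ("XX", "product analytics"),
}

# Demo key only; a real deployment would keep this in a KMS/HSM so that
# database write access alone is not enough to forge or rewrite records.
LEDGER_KEY = b"constructed-demo-key-do-not-use"


def flag_cross_border(processors, negative_list, home=HOME_COUNTRY):
    """List processors located outside `home`, marking any on the negative list."""
    return [
        {"processor": name, "country": country, "purpose": purpose,
         "restricted": country in negative_list}
        for name, (country, purpose) in processors.items()
        if country != home
    ]


def _canonical(record):
    # Stable serialisation so the MAC covers exactly what is stored.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, record):
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


class ConsentLedger:
    """Append-only consent log: each entry is HMAC'd and chained to the previous MAC."""

    GENESIS = "0" * 64

    def __init__(self, key, processors):
        self._key = key
        self._processors = processors
        self.entries = []

    def append(self, principal_id, purpose, processor_names, granted):
        unknown = [p for p in processor_names if p not in self._processors]
        if unknown:
            raise ValueError(f"processors not in inventory: {unknown}")
        body = {
            "seq": len(self.entries),
            "principal": principal_id,
            "purpose": purpose,
            "processors": list(processor_names),
            # Disclosed at consent time: which recipients sit outside India.
            "cross_border": [p for p in processor_names
                             if self._processors[p][0] != HOME_COUNTRY],
            "granted": bool(granted),
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry = {**body, "mac": _mac(self._key, body)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every MAC and chain link; return (ok, first_bad_seq)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if (entry.get("seq") != i or body.get("prev") != prev
                    or not hmac.compare_digest(_mac(self._key, body), entry["mac"])):
                return False, i
            prev = entry["mac"]
        return True, None

    def current_consent(self, principal_id, purpose):
        """Latest decision for (principal, purpose); None if never recorded."""
        ok, bad = self.verify()
        if not ok:
            raise RuntimeError(f"ledger integrity failure at seq {bad}")
        state = None
        for entry in self.entries:
            if entry["principal"] == principal_id and entry["purpose"] == purpose:
                state = entry["granted"]  # later entries (e.g. withdrawal) win
        return state


if __name__ == "__main__":
    for flag in flag_cross_border(PROCESSORS, NEGATIVE_LIST):
        print(flag)
    ledger = ConsentLedger(LEDGER_KEY, PROCESSORS)
    ledger.append("principal-42", "marketing", ["email-svc"], True)
    ledger.append("principal-42", "marketing", ["email-svc"], False)  # withdrawal
    print("verify:", ledger.verify(),
          "current:", ledger.current_consent("principal-42", "marketing"))
    ledger.entries[0]["granted"] = False  # an insider rewriting history
    print("after tamper:", ledger.verify())
```

The chain makes deletion detectable as well as edits: removing a middle record breaks both the `seq` numbering and the `prev` link of the record that follows, and because every MAC depends on the ledger key, an attacker who can only write to the database cannot recompute the MACs to cover their tracks.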
Get in touch with us at shivani@idfy.com to take control of your data with India’s most trusted DPDP compliance platform. We will keep you updated on the latest developments regarding the DPDP Rules and how they affect your business. Watch this space for more on data, privacy, compliance and all things DPDP.