
DPDP Act Cross-Border Data Transfers: Restricted Countries

How the DPDP Act 2023 governs cross-border data transfers, the whitelist mechanism, what companies must do now, and how to build transfer-compliant cloud architecture.

Key Takeaways
  • Section 16 permits cross-border transfers to countries notified by the Central Government — a whitelist approach.
  • Unlike GDPR, there are no Standard Contractual Clauses or Binding Corporate Rules — the permitted countries list is the primary mechanism.
  • Restricted countries (those not on the whitelist) cannot receive personal data from Indian Data Fiduciaries.
  • The whitelist has not yet been published — until it is, companies must prepare architecture that can accommodate localisation if required.
  • Significant Data Fiduciaries face stricter transfer controls and possible data localisation mandates for sensitive data.

The Cross-Border Transfer Framework Under Section 16

Section 16(1) of the DPDP Act permits a Data Fiduciary to transfer personal data outside India to countries or territories notified by the Central Government. This is a whitelist (or "positive list") approach: transfers to listed countries are permitted, and transfers to unlisted countries are restricted.

This is a departure from the earlier 2022 draft Bill, which proposed a default localisation requirement with exceptions for approved countries. The enacted Act flips the model: transfers are permitted unless the destination is explicitly restricted. However, the practical effect depends entirely on what the whitelist contains and what is omitted.

Section 16(2) empowers the Central Government to restrict transfers to specific countries on national security, diplomatic, or other grounds. This creates a dynamic list — countries may be added or removed over time. Companies transferring personal data internationally must maintain awareness of the list status.

The Whitelist Mechanism: How It Works

The Central Government, acting through MEITY, will notify a list of countries to which personal data transfers are permitted. The criteria for inclusion are not specified in the Act — the decision is entirely at the government's discretion, informed by diplomatic, commercial, and strategic considerations.

India's data diplomacy context: the government has been negotiating digital trade chapters in bilateral trade agreements with the UAE, UK, Australia, and others. The whitelist will likely reflect these relationships and may be used as a negotiating lever. The US and EU are high-priority partners but also have their own data protection expectations that will factor into negotiations.

Companies should not assume that all major cloud destinations — US, EU, Singapore, UK — will be on the whitelist from day one. Plan for a conservative whitelist scenario, especially for data residency decisions made now that will be operationally expensive to reverse.

No Adequacy Decisions or SCCs Under DPDP Act

GDPR provides multiple mechanisms for cross-border transfers: adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and derogations. The DPDP Act provides only one mechanism: the government whitelist. There is no provision for individual companies to conduct their own transfer impact assessments or enter into SCCs as an alternative to government approval.

This significantly reduces corporate flexibility. A company cannot contractually create a compliant transfer channel to a non-whitelisted country — only a change in the government notification can permit that transfer. This has implications for global enterprise companies with data flows to countries that may not be on the initial whitelist.

The absence of SCCs also means that for data flowing out of India to a parent company in a non-whitelisted country, there is no legal mechanism to make the transfer compliant — unlike under GDPR where BCRs can legitimise intra-group transfers. Indian subsidiaries of global companies may face data localisation constraints that create challenges for global operational models.

Current Status: No List Published Yet

As of April 2026, the Central Government has not published the list of countries to which transfers are permitted. The DPDP Rules 2025 (draft) do not specify the list — the whitelist is expected to be published as a separate notification after the Rules are finalised.

This means the cross-border transfer provisions are not yet in force. Companies can continue current international data flows during this interim period. However, this is the time to prepare — map all your cross-border data flows, understand which countries are involved, and assess which of those countries you expect to be on or off the whitelist.

Engage your cloud provider to understand the data residency options available for your workloads. AWS, Azure, and GCP all offer Indian regions (Mumbai, Pune) and regional data residency configurations. If you do not already have data residency controls deployed, now is the time to implement them before regulatory pressure forces rushed action.

Stricter Restrictions for Significant Data Fiduciaries

Section 10 and the envisaged Rules create additional transfer restrictions for Significant Data Fiduciaries (SDFs). The Central Government may require SDFs to store certain categories of personal data exclusively in India, barring transfer even to whitelisted countries. This localisation mandate is expected to apply to high-sensitivity data (financial data, health data, biometric data) for companies classified as SDFs.

SDFs must factor data localisation costs into their technology architecture. This affects decisions about: which cloud regions to deploy primary workloads in; how to handle backup and disaster recovery (backup in a second Indian region vs. offshore backup); and whether to use global SaaS tools that do not offer India-only data residency.

The localisation requirement interacts with your vendor due diligence obligations. If you rely on a SaaS tool that stores data in non-Indian regions, and you are an SDF subject to localisation requirements for that data category, you must either migrate to a provider offering Indian data residency or cease using the tool for the relevant data.

Building Transfer-Compliant Cloud Architecture

Start with a data flow map: document every data transfer out of India — to cloud regions, to SaaS tools, to parent or affiliate companies, to service providers. For each flow, note: the destination country, the data categories, the volume, the business purpose, and the technical mechanism (API call, replication, backup, etc.).

For critical or sensitive personal data flows, evaluate Indian-region alternatives now. AWS Mumbai (ap-south-1), AWS Hyderabad (ap-south-2), Azure Central India, Azure South India, and GCP Mumbai are all available. Major SaaS tools (Salesforce, ServiceNow, SAP) offer India data residency configurations for enterprise customers.

For flows that cannot be eliminated or redirected to India — such as dependencies on global SaaS tools without Indian data residency — document the business necessity and prepare a migration plan in case the whitelist does not cover that destination. The time to plan a migration is now, not after a regulatory deadline.
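The data flow map described above can be kept as structured records and checked against more than one whitelist scenario. The sketch below is an added example, not AuditPath code or anything prescribed by the Act; the field names, the labels, the sample flows and both country lists are constructed assumptions, since no list has been notified.

```python
from dataclasses import dataclass

# Assumption: the categories this article expects SDF localisation to cover.
SDF_LOCALISED = frozenset({"financial", "health", "biometric"})

@dataclass(frozen=True)
class Flow:
    name: str
    destination: str        # ISO 3166-1 alpha-2 code of the receiving country
    categories: frozenset   # personal data categories carried by the flow
    volume: str
    purpose: str
    mechanism: str          # API call, replication, backup, ...

def classify(flow, permitted, is_sdf, list_published=True):
    """Return a planning label for one outbound flow."""
    if flow.destination == "IN":
        return "domestic"
    if is_sdf and flow.categories & SDF_LOCALISED:
        return "localise"        # kept in India even if the destination is listed
    if not list_published:
        return "interim-review"  # no list yet: keep it mapped, keep a fallback
    return "permitted" if flow.destination in permitted else "restricted"

def exposure(flows, optimistic, conservative, is_sdf):
    """Names of flows whose status depends on which list is notified."""
    return [f.name for f in flows
            if classify(f, optimistic, is_sdf) == "permitted"
            and classify(f, conservative, is_sdf) == "restricted"]

# Constructed inventory for illustration only.
FLOWS = [
    Flow("rds-replica", "IN", frozenset({"contact"}), "2 TB", "disaster recovery", "replication"),
    Flow("crm-saas", "US", frozenset({"contact"}), "40 GB", "sales CRM", "API call"),
    Flow("offshore-backup", "SG", frozenset({"financial"}), "5 TB", "backup", "backup"),
    Flow("hq-reporting", "SG", frozenset({"contact"}), "1 GB", "group reporting", "API call"),
]
# Hypothetical scenarios, not predictions of the notified list.
OPTIMISTIC = frozenset({"US", "SG", "GB"})
CONSERVATIVE = frozenset({"GB"})

if __name__ == "__main__":
    for f in FLOWS:
        print(f.name, f.destination, classify(f, CONSERVATIVE, is_sdf=True))
    print("depends on list outcome:", exposure(FLOWS, OPTIMISTIC, CONSERVATIVE, True))
```

Flows returned by `exposure` are the ones that need a documented business necessity and a migration plan, because their status changes with the list.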

Practical Steps While Awaiting the Whitelist

Complete a cross-border data transfer inventory this quarter. You need to know your current state before you can plan. Use your cloud infrastructure configs, data flow diagrams, vendor contracts, and API integration documentation to map all outbound data flows.

Engage your DPO candidate or data protection counsel to draft your data transfer policy. This policy should address: permitted destinations (whitelist only, once published), approval process for new transfers, contractual requirements for Data Processors in other countries, and periodic review of transfer compliance.

AuditPath's vendor management module helps you track which of your third-party vendors process personal data outside India, their data residency configurations, and their compliance posture — making it easier to manage your transfer exposure as a control in your DPDP compliance programme.

Frequently Asked Questions

Can we currently transfer personal data of Indian users to our AWS US-East servers?
Yes — the cross-border transfer provisions are not yet in force as the whitelist has not been published. However, prepare now: map these transfers, evaluate Indian region alternatives, and plan for compliance once the whitelist is published. The US is expected to be on the whitelist given India-US digital trade priorities, but this is not guaranteed.

Does using a CDN that caches content globally constitute a cross-border transfer?
This is a grey area. CDN edge caching of static content (images, scripts) that does not contain personal data is not a personal data transfer. However, if your CDN processes request logs that contain IP addresses or personalised content, those logs are personal data and their geographic distribution may constitute a cross-border transfer.

Our group company is headquartered in Singapore. Is our data transfer from India to Singapore restricted?
Singapore's status on the whitelist is unknown until the list is published. Singapore is a major digital hub with its own Personal Data Protection Act (PDPA), making it a strong candidate for whitelist inclusion. However, do not assume it — map the transfer and prepare contingency plans.

How does the DPDP Act's transfer framework interact with RBI's data localisation requirements?
They are separate requirements. RBI's 2018 circular requires payment data to be stored only in India. The DPDP Act adds a separate, broader cross-border transfer control for all personal data. Companies subject to RBI localisation must comply with both regimes — the more restrictive requirement (full localisation for payment data under RBI) takes precedence for that data category.

If our SaaS vendor only stores data in US/EU regions, can we still use them?
Once the whitelist is published, you can use vendors in whitelisted countries. For non-whitelisted destinations, you would need either (a) the vendor to offer Indian data residency, or (b) to cease using the vendor for personal data processing. This is a significant vendor management risk to assess now while you have time to plan.
