Cross-Border Data Transfers Under DPDP: What Indian Businesses Need to Know

As global digital operations expand, Indian businesses, from SaaS startups to e-commerce platforms, routinely process and store data across borders. But with the Digital Personal Data Protection Act (DPDP), 2023 and its Rules (2025) now enforceable, these cross-border data transfers come under strict scrutiny.

What the DPDP Act Says About Cross-Border Transfers

Under Section 16 of the DPDP Act, 2023, the Central Government has the authority to “notify countries or territories outside India to which personal data may be transferred.”

This means:

  • The government will publish a whitelist, that is, a list of jurisdictions where Indian personal data can be processed lawfully.
  • Any transfer to non-notified countries is a violation and can lead to significant penalties under Section 33 of the Act.

Key takeaway: You can’t send personal data to just any country. It must be an approved jurisdiction.

Who Is Affected?

If your business collects or processes personal data of Indian users, and uses cloud platforms, analytics tools, customer support services, or data hosting providers located abroad, you are subject to cross-border compliance rules.

This includes:

  • SaaS companies storing data on AWS servers in Singapore or the US
  • Indian e-commerce firms using third-party CRMs hosted in Europe
  • Startups outsourcing customer support to teams abroad
  • Ed-tech, fintech, or health tech platforms using global analytics or AI tools

Conditions for Cross-Border Transfers Under DPDP

The DPDP Rules, 2025 further clarify cross-border data compliance. While the final list of allowed countries is yet to be notified, businesses must prepare for the following:

  1. Consent Must Be Explicit
    If personal data is being transferred abroad, the consent notice must clearly mention the nature of transfer and the destination.
  2. Only Approved Countries Allowed
    You can only transfer personal data to jurisdictions explicitly notified by the Central Government under Section 16.
  3. Purpose Limitation Applies
    You must not use the data for any purpose beyond what was consented to, even if it’s processed overseas.
  4. Verifiable Consent Required
    You must be able to prove that the user knowingly consented to the data being sent outside India, ideally with time-stamped consent logs.
  5. Reasonable Safeguards Must Be in Place
    You must ensure reasonable technical and organizational safeguards are applied during the transfer, as required under Rule 11 (Security Safeguards).

What Are the Penalties for Non-Compliance?

If your business transfers personal data to a non-notified country or fails to meet the DPDP’s safeguards, you could face:

  • Fines of up to ₹150 crore under Section 33(d) (cross-border rule violations)
  • Additional fines of up to ₹250 crore for failing to implement data security safeguards

Moreover, such violations can trigger audits, user complaints, and reputational damage.

What Indian Businesses Should Do Now

Until the government notifies the list of approved countries, here’s how you can prepare:

1. Conduct a Data Flow Audit

Map out all third-party vendors and platforms processing your data outside India.

2. Update Consent Notices

Explicitly disclose if data is processed overseas and obtain purpose-specific consent.

3. Implement Consent Management Tools

Ensure every data transfer is tied to verifiable user consent, with proper logs and audit trails.

4. Vet Your Vendors

Ensure your processors and service providers implement reasonable security safeguards.

5. Stay Alert

Track updates from MeitY (Ministry of Electronics & IT) on approved countries and changes to the Rules.

Blutic: Stay DPDP-Compliant, Wherever Data Goes

Managing international data flows is complex, but non-compliance is costly.
Blutic helps Indian businesses stay ahead with:

  • Verifiable consent logs and purpose-based tracking
  • Customisable consent notices with cross-border disclosures
  • Real-time compliance alerts for risky data transfers
  • DPDP-ready audit logs and consent APIs
  • Plug-and-play integration with global platforms

Whether you operate across domains or borders, Blutic is your privacy infrastructure ally for the DPDP era.
