Cross-Border Data Transfers: What Indian Companies Must Know

  • Writer: Kiratraj Sadana
  • May 21, 2025

Updated: May 26, 2025

Introduction

In a digitally connected world, businesses routinely transfer data across borders—for cloud storage, customer service, analytics, and more. However, such cross-border data transfers raise significant legal concerns, especially around individual privacy, national security, and compliance with global regulations.


The Digital Personal Data Protection Act, 2023 (DPDP Act) has brought much-needed clarity on India’s position. This article explains the legal framework governing cross-border data transfers for Indian companies, and how to ensure compliance while scaling globally.


  1. What Are Cross-Border Data Transfers?

    A cross-border data transfer occurs when digital personal data of Indian citizens is transferred to or accessed by an entity located outside India—either through cloud infrastructure, remote access, outsourcing, or storage.

    Examples:

    • Hosting data on a server located in Singapore or the US

    • Outsourcing customer service to a BPO in the Philippines

    • Sharing data with international analytics or marketing partners


  2. Cross-Border Transfers Under the DPDP Act, 2023

    The DPDP Act introduces a permissive approach, shifting from earlier proposals of data localisation:

    • Allowed by default, unless the Central Government notifies specific countries to which transfers are restricted.

    • The Act empowers the Government to restrict transfers in the interest of national security, public order, or sovereignty.

    This means:

    • Indian companies can send personal data abroad, subject to reasonable security practices.

    • Transfers to countries blacklisted by the Government will be prohibited.


  3. What About Sensitive Personal Data?

    Unlike earlier drafts of the Personal Data Protection Bill, the DPDP Act does not distinguish between sensitive and non-sensitive personal data in terms of cross-border transfer restrictions.

    However, sector-specific laws may still impose stricter norms. For example:

    • RBI requires financial data to be stored in India (payment systems data localisation directive).

    • IRDAI may impose conditions for health and insurance-related data.


  4. Best Practices for Cross-Border Data Transfers

    To ensure lawful and secure transfers, businesses should:

    1. Include Data Transfer Clauses in Contracts

      Use Data Processing Agreements (DPAs) with international vendors that include:

      • Purpose of data processing

      • Data retention duration

      • Security safeguards

      • Rights and remedies in case of breach


    2. Perform Transfer Impact Assessments

      Evaluate:

      • The legal regime of the recipient country

      • The technical and organisational measures in place

      • Likelihood of government surveillance or unlawful access


    3. Ensure Individual Consent

      Explicitly disclose in your privacy policy that personal data may be transferred outside India and obtain clear consent for the same.


    4. Apply Adequate Security Measures

      Use:

      • End-to-end encryption

      • Pseudonymisation or anonymisation before transfer

      • Access controls and audit logs


  5. Cross-Border Transfers Under Global Frameworks

    If you handle data of EU, UK, or US citizens, you may also need to comply with:

    Regulation | Requirement for Transfers
    GDPR (EU)  | Transfers allowed to countries with adequate protection or through Standard Contractual Clauses (SCCs)
    UK GDPR    | Similar to EU GDPR with its own adequacy list
    US (CCPA)  | Applies to California residents; consent and notice requirements for data sharing

Indian companies must harmonise DPDP compliance with these regulations if they operate internationally.


  6. Penalties for Unlawful Transfers

    Under the DPDP Act, non-compliant cross-border transfers can attract:

    • Penalty up to ₹250 crore for failure to take reasonable safeguards

    • Additional penalties for breach, consent failure, or non-cooperation with the Data Protection Board of India


  7. How Apar Law Can Help

    We advise Indian businesses on:

    • Drafting compliant DPAs and international data transfer contracts

    • Creating global-ready privacy policies and consent mechanisms

    • Conducting transfer impact assessments

    • Managing regulatory risks across jurisdictions

    • Responding to cross-border data access or investigation requests


Conclusion

Cross-border data transfers are a commercial necessity—but they come with legal strings attached. With the DPDP Act providing a framework and future notifications likely to impose restrictions, Indian businesses must plan their data flows strategically and legally.


Expanding globally? Need help with data transfer compliance? Apar Law helps Indian startups and corporates draft compliant data transfer frameworks and international contracts. Contact us for an initial consultation.
