Scope of India's international data transfer regime — Digital Personal Data Protection Act, obligations for data fiduciaries and processors
India's international data transfer regime is governed primarily by the Digital Personal Data Protection Act, 2023 (DPDP Act), which became law on 11 August 2023 and represents the country's first comprehensive personal data protection statute. The DPDP Act establishes requirements for entities classified as "data fiduciaries" (a body or individual who determines the purpose and means of data processing, Sec. 2(i)) and "data processors" (entities that process data on behalf of data fiduciaries, Sec. 2(k)), closely paralleling the controller/processor distinction in the GDPR.
Territorial scope: The DPDP Act applies to the processing of digital personal data within the territory of India, as well as to processing outside India if it is in connection with offering goods or services to individuals within India (Sec. 3(a)-(b) DPDP Act). This extraterritorial reach is similar to GDPR Art. 3(2) but is narrowly focused on the nexus to the provision of goods or services within India.
International transfers: The transfer of personal data outside India is covered by Sec. 16 of the DPDP Act, which provides that the Central Government may notify countries or territories to which data fiduciaries are permitted to transfer personal data (Sec. 16(1)), and may impose conditions or restrictions on such transfers. Until such notifications are issued, there is no blanket prohibition or approval process for cross-border transfers, but data fiduciaries remain responsible for compliance with general DPDP Act obligations regardless of location (Sec. 8(2), 16(1)). Sensitive or critical personal data rules remain to be defined — earlier drafts contemplated stricter regimes, but these do not appear in the 2023 text.
Supervisory Authority: The Data Protection Board of India (DPBI) is designated as the enforcement authority for the Act (Sec. 18(1)), empowered to inquire into breaches and impose penalties. As of July 2024, the Board is in the process of appointment and operationalization. No regulatory guidance or notifications regarding approved transfer destinations have been published as of this writing.
Future notification of approved transfer countries and practical compliance steps pending Central Government designation
The Digital Personal Data Protection Act, 2023 (DPDP Act) introduced a mechanism for cross-border transfer of personal data in Section 16, under which the Central Government is authorized to formally designate specific countries or territories to which personal data transfers are permitted. As of July 2024, the Central Government has not yet published any formal notifications specifying approved countries, nor has it issued additional guidance on the process for designation or required contractual safeguards (such as model clauses analogous to the EU SCCs) to support transfers to non-designated countries.
Practical impact: Until notifications are issued under Sec. 16(1), data fiduciaries (controllers) and data processors remain subject to the general requirements of the DPDP Act for cross-border transfers, without a requirement for explicit government pre-approval or restriction. There is, however, a continued obligation to ensure that all processing (including transfers outside India) complies with the principles set out in the DPDP Act (see, e.g., Sec. 8(2), which makes clear that the obligations in the Act apply regardless of where processing occurs). Unlike the GDPR or South Korea PIPA, there is no statutory requirement or official guidance on binding corporate rules, standard contractual clauses, or supplementary transfer impact assessments as of this date.
Enforcement risk: Since the Data Protection Board of India (DPBI) is not fully operational and no transfer country list has been notified, the immediate enforcement risk on international transfers is low for technical noncompliance with a non-existent list, but entities remain exposed to penalties for breaches of DPDP Act principles on accountability, purpose limitation, and data security regardless of transfer destination (Sec. 8, 33, 35). Organizations should closely monitor forthcoming notifications and be prepared to adjust transfer documentation and operational safeguards promptly when the first transfer country designations are published.