In short: Under India’s DPDP cross-border data transfer framework, your company can send personal data abroad by default — unless the Central Government restricts a specific country. No restricted-country list has been published yet, and the full framework kicks in only in May 2027.
Key points
- Section 16 of the Digital Personal Data Protection Act, 2023 and Rule 15 of the DPDP Rules, 2025 together establish a permissive default: personal data may flow abroad unless the Central Government explicitly restricts a country.
- India has adopted a “blacklist” or “negative list” model — the opposite of the EU’s whitelist approach — meaning no adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules are required under current Indian law.
- The Central Government has not yet published the list of restricted countries. Until it does, the practical impact of Rule 15 remains unclear.
- Cross-border transfer obligations under Rule 15 will only become enforceable in May 2027 (Phase III of the phased rollout).
- Until May 2027, the existing IT Act, 2000 and SPDI Rules, 2011 continue to govern sensitive personal data transfers — these remain live obligations today.
- MeitY has mapped the rollout across three implementation phases: November 2025, November 2026, and May 2027.
What is the DPDP Act and when does it actually apply to your business?
The Digital Personal Data Protection Act, 2023 (DPDP Act) was published on 11 August 2023 and is India’s first comprehensive personal data protection statute. It replaced years of piecemeal protection under the Information Technology Act, 2000.
The Digital Personal Data Protection Rules, 2025 were notified by the Ministry of Electronics and Information Technology (MeitY) on 14 November 2025. Together, the Act and the Rules form the new compliance landscape — but not all at once.
MeitY has structured the rollout in three phases, and most obligations affecting day-to-day business — including cross-border transfers — do not land until the third and final phase.
The phased implementation timeline at a glance
| Phase | Effective Date | What Comes Into Force |
|---|---|---|
| Phase I | 13 November 2025 | Definitions, Board establishment, administrative and procedural provisions (Rules 1, 2, 17–21) |
| Phase II | 13 November 2026 | Registration and obligations of Consent Managers (Rule 4) |
| Phase III | 13 May 2027 | Core operational obligations including cross-border transfer conditions, data principal rights, and most compliance duties (Rules 3, 5–16, 22, 23) |
If your business is sharing personal data with a foreign vendor, subsidiary, or platform right now, Phase III is the date you should be building toward — but the SPDI Rules are the law you must comply with today.
How does DPDP cross-border data transfer actually work?
The “negative list” or “blacklist” model explained
Section 16 of the DPDP Act sets the rule simply: personal data may be transferred outside India to any country except those that the Central Government restricts.
Rule 15 of the DPDP Rules echoes this: a Data Fiduciary may transfer personal data outside India except where the Central Government restricts such transfer. There are no additional mechanisms required — no contractual clauses, no technical assessments, no bilateral approvals — unless the government imposes them through a separate notification.
This is a deliberate policy choice. Earlier draft bills from 2019 and 2022 proposed strict data localisation requirements or whitelist systems, where transfers were blocked unless a country was affirmatively approved. The final 2023 Act reversed that logic entirely.
How is this different from the EU’s GDPR approach?
The contrast with Europe’s General Data Protection Regulation is significant. Under GDPR, transferring data abroad requires an adequacy decision from the European Commission, or alternative safeguards such as Standard Contractual Clauses or Binding Corporate Rules.
India’s framework under Rule 15 requires none of that. The Central Government retains the power to restrict specific countries by general or special order — without needing Parliament’s involvement each time. Until such an order is issued, the transfer is permitted.
This gives the government considerable executive flexibility, and it means the rules of the road can change relatively quickly once the blacklist is notified.
Is the restricted-country list out yet?
No. As of the date of this article, the Central Government has not published the list of countries to which transfers are restricted or prohibited.
Cross-border transfer provisions under Rule 15 are scheduled to take effect in May 2027. Legal experts have noted that until the government publishes the restricted list, it is difficult to fully understand the practical impact Rule 15 will have on businesses operating internationally.
Practically, this means you cannot yet determine whether your specific data-sharing arrangements — with a US cloud provider, a UK analytics firm, or a Singapore-based group entity — will face any restrictions. Monitoring MeitY notifications closely between now and May 2027 is essential.
What law applies to cross-border transfers right now?
Until May 2027, when Phase III of the DPDP Act comes into effect, the existing framework under the Information Technology Act, 2000 — specifically Section 43A — and the IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) continue to govern the transfer of sensitive personal data.
The SPDI Rules will cease to apply only when Section 44(2) of the DPDP Act takes effect in May 2027, which will amend the IT Act to remove Section 43A. Until that happens, complying with the SPDI Rules is a live, enforceable obligation — not optional.
If your company collects passwords, financial information, health data, biometric data, or similar categories of sensitive personal information and shares it internationally, the SPDI Rules set conditions you must already be meeting.
For a broader overview of how India’s data protection obligations interact with your day-to-day operations, see our Law for You guides, which break down complex legal frameworks in plain language for founders and compliance teams.
What should your business do right now?
Audit your current international data flows
Map every instance where personal data collected from Indian users or employees leaves India — cloud services, outsourced processing, group-company sharing, analytics platforms, and advertising tools all count. Document the countries involved and the categories of data transferred.
Comply with the SPDI Rules today
Do not treat May 2027 as a reason to defer all action. The SPDI Rules are in force now. If you transfer sensitive personal data abroad, ensure you have the required consent and contractual protections in place under the existing framework.
Build your DPDP compliance architecture in parallel
Use the window before May 2027 to understand who your Data Fiduciaries and Data Processors are, how consent is collected and recorded, and how data principal rights will be handled. The cross-border transfer rules under Rule 15 sit within a broader compliance architecture that takes time to implement properly.
Monitor MeitY for the restricted-country list
The blacklist is the single most important unknown in the cross-border transfer framework. When it is published, some of your existing transfer arrangements may need to be restructured. Build a process to track MeitY notifications well before May 2027.
Frequently asked questions
Can Indian companies transfer personal data abroad under the DPDP Act right now?
The DPDP cross-border data transfer provisions under Rule 15 of the DPDP Rules, 2025 do not come into force until May 2027. Until then, the IT Act, 2000 and the SPDI Rules, 2011 continue to apply to sensitive personal data transfers. When Rule 15 does take effect, transfers abroad will be permitted by default unless the Central Government has restricted a specific country — and no such restricted list has been published yet.
Do Indian companies need Standard Contractual Clauses or adequacy decisions like under GDPR?
No — not under the DPDP Act. India’s framework does not require adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules for cross-border transfers. Rule 15 takes a permissive default approach: transfers are allowed unless the Central Government issues a restriction. However, if you are transferring data to or from the EU, you will still need to comply with GDPR requirements on the European side.
Which countries are restricted under the DPDP Act?
As of the date of this article, none. The Central Government has not yet published the list of countries to which personal data transfers are restricted or prohibited. The list is expected to be issued before the cross-border provisions take effect in May 2027. Until the list is notified, it is not possible to determine the full impact of Rule 15 on specific international data-sharing arrangements.
Primary sources
- Digital Personal Data Protection Act, 2023 — India Code (indiacode.nic.in)
- Digital Personal Data Protection Rules, 2025 and MeitY notifications — Ministry of Electronics and Information Technology (meity.gov.in)
- Information Technology Act, 2000 and IT (SPDI) Rules, 2011 — India Code (indiacode.nic.in)
Written by Editorial Team, The Courtroom · Reviewed by Advocate [Name on file] · Published 2026-06-28 · Last verified 2026-06-28
This article is for general information only and is not legal advice. Laws change; verify against the primary sources cited and consult a qualified advocate for your situation.
