📖 Part 1 of 5

Cross-Border Transfer Framework Under Section 16

Introduction: India's Approach to Cross-Border Data Transfers

In an age where data flows across borders as freely as goods once did across ancient trade routes, the question of how to regulate international data transfers becomes paramount. India's Digital Personal Data Protection Act, 2023 takes a distinctive approach—one that balances the need for digital commerce with sovereignty concerns, reflecting what we might call "permissive localization."

Unlike the European Union's GDPR, which operates on an adequacy determination model (permitting transfers only to countries deemed "adequate"), or China's approach of mandatory localization with government approval for transfers, India has charted a middle path under Section 16.

The Default Permission Model

India's framework operates on what practitioners call the "negative list" or "blacklist" approach—transfers are permitted by default to all countries EXCEPT those specifically restricted by Central Government notification.

Understanding the Philosophy

This approach reflects several policy considerations:

  • Trade Facilitation: India's IT services industry exports over $200 billion annually, requiring seamless data flows
  • Regulatory Efficiency: Evaluating 195+ countries for adequacy would be administratively impractical
  • Flexibility: The government retains power to restrict transfers to specific jurisdictions as needed
  • Global Competitiveness: Overly restrictive rules could drive business to other jurisdictions

💡 Practical Example: TCS Cloud Services

Tata Consultancy Services processes payroll data for a US multinational's global workforce. Under Section 16:

  • TCS can transfer employee data to its US, UK, and Singapore centers by default
  • No prior government approval required (unlike China's PIPL)
  • No adequacy determination needed (unlike GDPR)
  • Transfers remain permitted unless the destination country is notified as restricted

Section 16(1): The Permissive Framework

Textual Analysis

Section 16(1) uses specific language that practitioners must parse carefully:

  • "may transfer" — Creates a permission, not a prohibition
  • "personal data of a Data Principal" — Covers all personal data, not just sensitive categories
  • "for processing" — Transfers must be for a processing purpose (not mere storage without purpose)
  • "as may be notified" — Government retains discretion to specify permitted destinations

⚠️ Ambiguity Alert: "Notified" Countries

Section 16(1) creates potential ambiguity. Does "notified by the Central Government" mean:

  • Interpretation A: Only transfers to specifically notified (whitelisted) countries are permitted?
  • Interpretation B: Transfers are permitted by default, with government power to specify rules?

Reading Section 16(1) with Section 16(2), the legislative intent appears to be Interpretation B—a negative list approach where Section 16(2) provides the restriction mechanism.

No Adequacy Requirement

Notably, Section 16 does not require:

  • Adequacy determination by the Data Protection Board
  • Equivalent protection in the destination country
  • Contractual safeguards as a statutory requirement
  • Prior approval from any authority

This distinguishes India from the EU (which requires adequacy decisions or appropriate safeguards) and provides significant flexibility for Indian businesses.

Section 16(2): The Restriction Mechanism

Government Powers to Restrict

Section 16(2) empowers the Central Government to restrict transfers to specific countries or territories through notification. Key aspects:

| Aspect | Section 16(2) Provision | Practical Implication |
|---|---|---|
| Authority | Central Government | Ministry of Electronics & IT (MeitY) likely to issue notifications |
| Mechanism | Notification in Official Gazette | Public, prospective effect; check Gazette regularly |
| Scope | "Country or territory" | Can restrict specific regions (e.g., Crimea) not just countries |
| Granularity | "Data Fiduciary" | Could potentially restrict transfers by specific fiduciaries, not just destinations |

Likely Criteria for Restriction

While the Act doesn't specify criteria, restrictions may be imposed for countries that:

  • Lack rule of law or independent judiciary
  • Engage in mass surveillance without safeguards
  • Have hostile relations with India (geopolitical factors)
  • Lack any data protection framework
  • Facilitate cybercrime or data misuse

⚖️ Comparative: EU Schrems II Approach

CJEU Case C-311/18 (Data Protection Commissioner v. Facebook Ireland)

The EU Court of Justice invalidated Privacy Shield because US surveillance laws provided inadequate protection. Key holding: destination country must have "essentially equivalent" protection to EU standards.

India's Difference: Section 16 does not require equivalent protection—only non-inclusion in the restricted list. This is a significantly lower threshold.

Rule 14: Transfer Notifications and Compliance

The DPDP Rules, 2025 elaborate on cross-border transfer compliance requirements:

Documentation Requirements

Practitioners should advise clients to maintain:

  • Transfer Mapping: Document all cross-border flows with destination countries
  • Purpose Documentation: Record specific purposes for each transfer category
  • Data Categories: Classify what types of personal data are transferred
  • Recipient Details: Identify Data Processors or sub-processors abroad
  • Legal Basis: Document consent or legitimate use basis for underlying processing

💡 Documentation Template Example

Transfer Record for Infosys HR Operations:

  • Source: Infosys BPM Ltd, India
  • Destination: Infosys Poland Sp. z o.o., Warsaw, Poland
  • Data Categories: Employee name, employee ID, compensation details, performance ratings
  • Purpose: Global payroll processing for European subsidiary employees
  • Legal Basis: Employment contract performance (Section 7(a))
  • Restricted Country Check: Poland not notified under Section 16(2) as of [date]

Global Comparison: Transfer Mechanisms

| Jurisdiction | Default Position | Approval Mechanism | Key Safeguards |
|---|---|---|---|
| India (DPDPA) | Permitted by default | Blacklist (restricted countries) | Documentation; contractual (voluntary) |
| EU (GDPR) | Restricted by default | Adequacy decision, SCCs, BCRs | Supplementary measures; TIA required |
| China (PIPL) | Restricted by default | CAC security assessment for "important data" | Localization for CIIOs; contracts mandatory |
| USA | Generally permitted | Sectoral rules (HIPAA, GLBA) | Contractual; varies by sector |
| Singapore (PDPA) | Permitted with safeguards | Comparable protection requirement | Contractual binding; consent |

Sectoral Considerations

Financial Services: RBI Localization

Despite Section 16's permissive approach, sectoral regulators impose additional requirements:

Practical implication: Even though DPDPA permits cross-border transfers, payment data must be stored in India, with only a copy permitted abroad for cross-border transactions.

Healthcare: Emerging Requirements

Proposals for digital health data regulation under the Digital Information Security in Healthcare Act (DISHA) suggest stricter localization for health records.

Telecommunications: License Conditions

Telecom license conditions require subscriber data to be stored in India, limiting cross-border transfers by telecom operators.

Section 33: Government Data Restrictions

A critical carve-out exists for government-related data:

💡 Practical Scenario: Government IT Contract

Situation: A cloud provider wins a contract to process citizen data for a government scheme.

Impact: Even if Section 16 permits transfers to the US (the provider's primary data center), a Section 33 notification may require all processing within India.

Solution: The provider must establish Indian data centers or use Indian cloud regions (AWS Mumbai, Azure India, Google Cloud Mumbai).

Compliance Checklist for Cross-Border Transfers

📋 Before Initiating Any Cross-Border Transfer:

  • Check if destination country is on restricted list under Section 16(2)
  • Verify no sectoral regulations (RBI, IRDAI, SEBI) impose additional restrictions
  • Confirm government contract doesn't require domestic processing (Section 33)
  • Document the transfer in transfer mapping register
  • Ensure valid legal basis exists for underlying processing
  • Update privacy notice to inform Data Principals of international transfers
  • Execute appropriate contractual safeguards with recipient
  • Assess recipient's security measures for adequacy

Penalties for Non-Compliance

Transfers in violation of Section 16 attract significant penalties:

| Violation | Penalty | Reference |
|---|---|---|
| Transfer to restricted country | Up to ₹250 Crore | Schedule, Item 7 |
| Failure to maintain transfer records | Up to ₹50 Crore | Schedule, Item 5 |
| Non-compliance with Board inquiry | Up to ₹50 Crore | Section 27 |

Key Takeaways

🎯 Essential Points for Practice:

  • India uses a "blacklist" approach—transfers permitted unless destination is restricted
  • No adequacy determination or prior approval required (unlike GDPR)
  • Central Government can restrict transfers via Section 16(2) notification
  • Rule 14 requires documentation of all cross-border transfers
  • Sectoral regulations (RBI, telecom) may impose stricter localization
  • Government contracts may require domestic processing under Section 33
  • Always verify restricted country list before advising on transfers
  • Contractual safeguards, while not mandatory, remain best practice

Preparation for Part 2

In the next part, we will examine:

  • Restricted countries framework and likely criteria for blacklisting
  • Due diligence requirements when transferring to high-risk jurisdictions
  • Risk assessment frameworks for destination countries
  • Practical guidance on evaluating recipient safeguards