General awareness
The DPDP Act does not ban cross border data transfers
A common assumption is that the DPDP Act forces personal data to stay in India, or that sending data abroad needs an approval similar to the GDPR. Both readings usually run in the wrong direction.
Start with the model
Start with the model, because the model decides everything else. Under the GDPR, the question is "is this destination approved?" Transfer is restricted by default, and you look for an adequacy decision or a safeguard before data can leave.
Under the DPDP Act, the question is the opposite. "Is this destination blocked?" Section 16 lets the Central Government restrict the transfer of personal data to a country or territory that it notifies. Until a destination is notified, transfer to it is not prohibited by this section.
It is a banned list, not a guest list. That single inversion dissolves a lot of the folklore. There is no DPDP adequacy list to wait for, and no general rule that personal data must be localised in India under this section.
But it is not a free pass
Two things stop this from becoming a free pass.
- Section 16(2) preserves any other law that provides a higher degree of protection. So a sector specific rule, such as the RBI directive on storage of payment system data, continues to apply on its own terms. DPDP being permissive here does not switch those off. Where another law is stricter, the stricter law governs.
- The framework leaves room for the State to act. The Central Government can notify restrictions, and the 2025 Rules add requirements around making personal data available to a foreign State or its agencies. The permissive default is a default, not a guarantee that nothing will ever be restricted.
Neither fear nor complacency
So the practical posture is neither fear nor complacency. Do not localise everything by reflex because you assume the Act demands it. It generally does not.
But do map, for each category of personal data you send abroad, whether any other law, sectoral or otherwise, imposes a stricter localisation or transfer rule than DPDP does. That is usually where the real obligation sits, not in Section 16 itself.
Before building an expensive localisation programme, ask a different question.
For the data we transfer outside India, is our real constraint the DPDP Act, or a sector specific law that is stricter, and are we solving for the right one?
In your experience, where does the confusion run deepest: treating DPDP as if it mandates localisation, or the reverse, assuming Section 16 clears a transfer that a sectoral law actually restricts?