DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

‹ General awareness

General awareness

The DPDP Act does not ban cross border data transfers

A common assumption is that the DPDP Act forces personal data to stay in India, or that sending data abroad needs an approval similar to the GDPR. Both readings usually run in the wrong direction.

Start with the model

Start with the model, because the model decides everything else. Under the GDPR, the question is "is this destination approved?" Transfer is restricted by default, and you look for an adequacy decision or a safeguard before data can leave.

Under the DPDP Act, the question is the opposite. "Is this destination blocked?" Section 16 lets the Central Government restrict the transfer of personal data to a country or territory that it notifies. Until a destination is notified, transfer to it is not prohibited by this section.

It is a banned list, not a guest list. That single inversion dissolves a lot of the folklore. There is no DPDP adequacy list to wait for, and no general rule that personal data must be localised in India under this section.

But it is not a free pass

Two things stop this from becoming a free pass.

  • Section 16(2) preserves any other law that provides a higher degree of protection. So a sector specific rule, such as the RBI directive on storage of payment system data, continues to apply on its own terms. DPDP being permissive here does not switch those off. Where another law is stricter, the stricter law governs.
  • The framework leaves room for the State to act. The Central Government can notify restrictions, and the 2025 Rules add requirements around making personal data available to a foreign State or its agencies. The permissive default is a default, not a guarantee that nothing will ever be restricted.

Neither fear nor complacency

So the practical posture is neither fear nor complacency. Do not localise everything by reflex because you assume the Act demands it. It generally does not.

But do map, for each category of personal data you send abroad, whether any other law, sectoral or otherwise, imposes a stricter localisation or transfer rule than DPDP does. That is usually where the real obligation sits, not in Section 16 itself.

Before building an expensive localisation programme, ask a different question.

For the data we transfer outside India, is our real constraint the DPDP Act, or a sector specific law that is stricter, and are we solving for the right one?

In your experience, where does the confusion run deepest: treating DPDP as if it mandates localisation, or the reverse, assuming Section 16 clears a transfer that a sectoral law actually restricts?

#DPDP #DPDPAct2023 #DPDPRules2025 #DataProtection #PrivacyLaw #IndiaLegal #Compliance

DPDP Act, not a ban on cross border transfers. An infographic contrasting the GDPR approval first model, where a destination must be approved before data can leave, with the DPDP Act blocked list model under Section 16, where transfer is allowed until the Government notifies a restriction, and noting that a stricter sectoral law still governs.
DPDP is a blocked list, not a guest list. Check other laws and comply with the stricter one. Tap to enlarge.

Be DPDP ready before the deadline

We are preparing more than a dozen ready to use templates, including the Privacy Notice, Consent Notice, Data Retention and Erasure Policy, Security Safeguards Policy, Breach Response Procedure, Children's Data Policy, and the Data Processing Agreement. Drop your email and we will notify you when the assessment and templates go live.