Cross-Border Data Transfers and Exemptions Under the DPDP Act
The DPDP Act allows personal data to be transferred outside India by default, using a negative list model: transfers are permitted to every country unless the Central Government restricts that destination by notification. This chapter also covers the Section 17 exemptions, including research, startups, and State functions.
Transferring Personal Data Outside India
Section 16 of the DPDP Act 2023; Rule 15 of the DPDP Rules 2025
India uses a "negative list" model for cross-border data transfers — personal data can be transferred to any country unless the Central Government specifically restricts transfer to that country. This is fundamentally different from the GDPR's "adequacy" model.
Section 16 takes a permissive approach to cross-border data transfers. The Central Government may, by notification, restrict transfer of personal data to specific countries or territories. This means transfer is allowed by default — you do not need pre-approval — unless the government has published a notification restricting transfer to the destination country.
This is called a "negative list" model. Instead of maintaining a list of approved countries (the approach taken by the GDPR, which grants adequacy decisions to qualifying jurisdictions), India will maintain a list of restricted countries. If a country is not on the restricted list, data can flow freely to it.
For businesses, this means the default position is favourable. Unless and until the Central Government publishes a restriction notification naming a particular country, you can transfer personal data there. However, organisations should monitor government notifications, because the restricted list could be updated at any time.
Section 16(2) adds an important clarification: the cross-border transfer provision does not restrict the applicability of any other Indian law that provides a higher degree of protection or imposes stricter restrictions on data transfers. If another statute imposes tighter controls — for instance, sector-specific regulations in banking or telecommunications — those controls continue to apply on top of Section 16.
Rule 15 introduces a specific compliance requirement. When making personal data available outside India, the Data Fiduciary must meet any requirements the Central Government specifies regarding making personal data available to a foreign State, any person or entity controlled by a foreign State, or any agency of a foreign State. This means that even when transferring data to a non-restricted country, if the recipient is a foreign government entity or is controlled by one, additional requirements may apply.
Key Points
- Transfer is allowed by default — the Central Government restricts specific countries by notification (negative list model).
- This differs from the GDPR's adequacy model, where transfer is restricted by default and allowed only to approved countries.
- If a country is not on the restricted list, personal data can be transferred there.
- Other Indian laws with stricter transfer restrictions continue to apply alongside Section 16.
- Rule 15: additional requirements may apply when making data available to a foreign State, a person or entity controlled by a foreign State, or an agency of a foreign State.
- Organisations should monitor government notifications for updates to the restricted country list.
Who Is Exempt from the DPDP Act?
Section 17 of the DPDP Act 2023; Rule 16 of the DPDP Rules 2025
Section 17 carves out five categories of exemptions — from partial exemptions for law enforcement and legal proceedings to complete exemptions for State security, a startup-specific exemption, special treatment for the State, and a five-year transitional window. Critically, Section 8(1) (compliance responsibility) and Section 8(5) (security safeguards) always apply.
Section 17 is the longest and most complex exemption provision in the Act. It contains five sub-sections, each creating a different type of exemption. Understanding what is exempted — and what still applies — is essential for compliance planning.
Sub-section (1) provides partial exemptions from most of the consent and rights framework. Six categories of processing are exempt from Chapter II (consent and grounds for processing), Chapter III (Data Principal rights), and Section 16 (cross-border transfers). However, even for these categories, Section 8(1) — the non-delegable compliance responsibility of the Data Fiduciary — and Section 8(5) — the obligation to maintain reasonable security safeguards — continue to apply. The six categories are:
- processing necessary for enforcing legal rights or claims;
- processing by courts, tribunals, or regulatory bodies performing judicial, quasi-judicial, regulatory, or supervisory functions;
- processing for the prevention, detection, investigation, or prosecution of offences;
- processing personal data of non-Indian Data Principals under contracts with persons outside India;
- processing related to mergers, amalgamations, or reconstructions approved by courts; and
- processing necessary for ascertaining the financial information, assets, and liabilities of loan defaulters under the Insolvency and Bankruptcy Code 2016.
Sub-section (2) provides complete exemptions from the entire Act. First, the Central Government may exempt any State instrumentality from the Act entirely, where the exemption is necessary for sovereignty or integrity of India, security of the State, friendly relations with foreign States, public order, or prevention of incitement to cognisable offences. Second, processing for research, archiving, or statistical purposes is exempt from the entire Act, provided the data is not used for making decisions about specific Data Principals and the processing is carried out in accordance with prescribed standards. Rule 16 specifies that these standards are set out in the Second Schedule to the Rules.
Sub-section (3) creates class-based exemptions — and this is where the startup exemption lives. The Central Government may exempt classes of Data Fiduciaries, including startups, from six specific provisions: Section 5 (notice requirements), Section 6 (consent requirements), Section 8(3) (data accuracy obligations), Section 8(7) (data erasure obligations), Section 10 (Significant Data Fiduciary obligations), and Section 11 (right to information). A "startup" is defined as a private limited company, partnership firm, or limited liability partnership incorporated in India and recognised as a startup per criteria set by the Central Government. This exemption is significant because it reduces the compliance burden on early-stage companies. However, even exempt startups remain subject to Section 8(1) — they cannot outsource their compliance responsibility — and Section 8(5) — they must still maintain reasonable security safeguards. The exemption is also subject to conditions the Central Government may specify.
Sub-section (4) provides a specific exemption for the State. The State is exempt from Section 8(7) and Section 8(8) — the obligations to erase data when consent is withdrawn or the purpose is fulfilled, and the deemed purpose fulfilment on inactivity. The State is also exempt from Section 12(3) — the obligation to erase data on request from the Data Principal. Additionally, where processing has no legal effect on the Data Principal, the State is exempt from Section 12(2) — the obligation to correct, complete, or update data on request.
Sub-section (5) is a transitional provision. The Central Government may, for a period of up to five years, declare that any provision of the Act does not apply to specified Data Fiduciaries. This gives the government a tool to phase in compliance requirements gradually. An organisation that receives a transitional exemption today could be required to comply fully within five years.
Key Points
- Sub-section (1): Six categories get partial exemptions — from consent, rights, and cross-border rules — but Section 8(1) (compliance responsibility) and Section 8(5) (security safeguards) always apply.
- Partially exempt categories: enforcing legal rights, court and tribunal functions, offence prevention and investigation, processing non-Indian data under foreign contracts, court-approved mergers, and loan defaulter proceedings under the Insolvency and Bankruptcy Code.
- Sub-section (2): Complete exemptions — State instrumentalities for national security and sovereignty purposes, and research/archiving/statistical processing (if data is not used for decisions about specific individuals and follows prescribed standards).
- Sub-section (3): Startup exemption — startups may be exempt from notice, consent, data accuracy, data erasure, SDF obligations, and right to information. Security safeguards and compliance responsibility still apply.
- A startup is defined as a private limited company, partnership firm, or LLP incorporated in India, recognised per Central Government criteria.
- Sub-section (4): The State is exempt from data erasure obligations and, where there is no legal effect, from correction obligations.
- Sub-section (5): The Central Government may grant transitional exemptions for up to five years for specified Data Fiduciaries.
- Rule 16: Research, archiving, and statistical processing must follow the standards in the Second Schedule.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.