Editorial
Cross-border data transfer under DPDP: the negative list mechanism explained
The Act swapped the white-list model for a negative list — countries are presumptively permissible unless the Central Government says otherwise. Here is what the framework actually requires.
Section 16 of the DPDP Act takes a distinctive approach to cross-border data transfer. Unlike the GDPR, which requires an adequacy decision or appropriate safeguards before personal data can leave the EEA, the DPDP Act presumes that transfer to any country is permissible — except where the Central Government has expressly notified that country to the contrary. The negative list mechanism is one of the few areas where Indian law is more permissive than its European counterpart.
How the mechanism works
Three operative pieces:
Section 16(1) authorises transfer to any country not specifically restricted.
Section 16(2) preserves stricter sectoral regimes — banking, telecom, healthcare may impose stronger localisation than DPDP itself.
Section 16(3) creates the negative list: any country the Central Government notifies becomes a restricted destination.
As of writing, no country has been added to the negative list. The list is reviewed annually. The expectation among practitioners is that countries with documented hostility to India's strategic or commercial interests are the candidates — though the Act gives no statutory criteria, leaving the executive a wide margin of discretion.
What it means for SaaS contracts
The practical effect is that most India-to-overseas data flows are presumptively lawful under the DPDP framework. Standard contractual clauses in SaaS agreements are not required by Indian law — though most enterprise buyers will still demand them on the strength of their own GDPR or local-law obligations. The contracting team's job is largely to make sure that the sectoral overlay (RBI, IRDAI, TRAI) is identified and respected before relying on the general DPDP permission.
The unresolved RBI question
The most important friction is between DPDP and the RBI's 2018 payments data localisation directive, which mandates that payments data be stored only in India. DPDP does not override sectoral law, so the RBI position controls — but the boundary between 'payments data' and 'personal data of a payments user' has never been crisply drawn. Until the regulators issue a joint clarification, enterprise teams should assume the stricter regime applies.
