A. Transfer mode Permitted by Default
Legal backing Section 16(1) of the DPDP Act and Rule 15 of the DPDP Rules, 2025
- The Rule: Organization are generally allowed to transfer personal data to any country. The government does not need to "approve" the country first.
- The Restriction: The Central Government has the power to notify (list) specific countries where transfers are restricted. If a country is not on this "restricted list," can send data there.
B. Conditions for transfers
Even though transfers are allowed, Organisation must follow these specific conditions found in the Rules.
Foreign State Access Check Reference: Rule 15 of the Rules
- The Central Government can issue a "general or special order" regarding transfers.
- If organization send data to a country where the Foreign State (their government) or an agency under its control can access that data, you must meet specific requirements set by the Indian Government.
- Practical Meaning: Organisation must check if the foreign government (like the US or China) has laws allowing them to spy on or access the data you send there.
Significant Data Fiduciary (SDF) Localization Reference: Rule 13(4) of the Rules
- If Organisation are a Significant Data Fiduciary (SDF), the government can list specific types of sensitive personal data that must stay in India.
- The "Traffic Data" Rule: For this specific data, organisation generally cannot transfer the data or the "traffic data pertaining to its flow" (the logs and metadata) outside India.
C. Any exceptions (government processing)
Some activities are exempt from these strict transfer rules.
· The "Outsourcing" Exception Reference: Section 17(1)(d) of the DPDP Act
o If organization are in India processing data for a client outside India (outsourcing), and the data belongs to people outside India, the transfer restrictions (Section 16) do not apply.
o Example: An Indian BPO handling data for US customers can send that data back to the US freely.
· Research and Statistics Exception Reference: Section 17(2)(b) of the DPDP Act; Rule 16 of the Rules 2025
o The Act does not apply to processing necessary for research, archiving, or statistical purposes.
o Condition: The data must not be used to make any specific decision about a Data Principal.
D. Risk considerations for organizations
These are the risks created by the specific language in the Rules.
Risk of Sudden Orders Reference: Rule 15 of the Rules
- The Government can issue a "general or special order" at any time. This means a country that is "safe" today could have new requirements tomorrow if the political situation changes.
The "Traffic Data" Trap for SDFs Reference: Rule 13(4) of the Rules
- For SDFs, the ban extends to "traffic data".
- Technical Risk: Many cloud services route "traffic data" (like server logs) globally for security monitoring. SDFs might violate this rule if they use standard global cloud settings for restricted data.
- Note- Traffic data is not defined under DPDP act as well as DPDP Rules, 2025.