Read as
Why this module exists. DPDP Phase 2 introduces a “negative list” mechanism allowing the central government to bar data transfers to specific countries. Practitioners need to understand the mechanic, the operational implications for cross-border data architectures, and the practical defensive posture given that the negative list itself is still empty. This module is the operational guide.
Why this module exists. The cross-border-transfer regime under DPDP is materially different from what came before (the Section 43A regime under IT Act). Practitioners are unsure whether to act, when, and on what. This module covers the law as written, the gaps, and the defensible position.
The framework — what DPDP actually says
DPDP Act Section 16 provides for cross-border data transfer. The model:
- Transfer of personal data outside India is permitted to any country except countries on a negative list notified by the Central Government.
- Existing sectoral rules (e.g., RBI’s localisation requirements for payment data) remain superior — DPDP does not override them.
- The Central Government can add countries to the negative list by notification, considering factors including data protection adequacy, security of the country, and international commitments.
Phase 2 of the DPDP Rules adds operational mechanics: how the list is published, the duration of notice before additions take effect, and the consultation process (or lack thereof).
DPDP Act in your stack?
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.
Book DPDP scoping call
Replies in 4 working hrs · India-only · Senior consultants