Module 6 · Cross-Border Data Transfers — DPDP §16 in Practice

Manish Garg Associate of (ISC)² · RingSafe
Apr 27, 2026

Last updated: April 29, 2026

Why this module exists. DPDP §16 is the section every Indian SaaS founder argues about with their legal team. “Can we use AWS US?” “Can we send data to our analytics team in Singapore?” “What about Stripe?” The answers depend on your sector and on the transfer mechanism you use. Most enterprises operate in a grey zone they haven’t formalised.

What §16 actually says

The Central Government may, by notification, restrict transfer of personal data to “such country or territory outside India” as may be specified. The default is permitted unless restricted.

This is a 180-degree change from the GDPR pattern (default-restricted, listed exceptions). Under DPDP: most countries are open until India says otherwise.

As of 2026, India has not published a comprehensive restricted list. It has reserved the right.
