Introduction

In today’s digital economy, cross-border data transfers are a key part of global trade. For Indian businesses, this is a day-to-day operational reality, but it is also a trigger for multifaceted challenges because of the range of disparate and often conflicting data protection laws in different countries.

The disequilibrium of legal regulations is not just a compliance issue; it also poses an operational and economic risk. Failing to understand and comply with the norms of the relevant jurisdictions can lead to penalties, disruptions in business operations, and the loss of a disproportionate share of competitive value in the global marketplace.

In this context, and given the challenges it portends for the Indian online economy, India has brought into force the Digital Personal Data Protection Act of 2023 (“DPDPA”). The legislation moves from the old, vague “whitelist” paradigm to a new, permissive “blacklist” approach.

Ambiguity of the ‘Whitelist’ Model

The whitelist model is based on an ‘adequacy’ principle, on which the preceding framework was focused through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “IT Rules”). Like the EU’s General Data Protection Regulation (“GDPR”), this model permitted cross-border transfers of sensitive personal data only to countries that provided an adequate level of data protection.

However, the ambiguity of this approach caused rising concerns. The Central Government offered no formal ‘whitelist’ of countries it considered adequate, which caused operational friction. Companies that relied on legally dubious ad hoc solutions, such as explicit consent obtained under consent frameworks, were only increasing their legal risks. Explicit consent was operationally infeasible at scale and, worse, it caused consent fatigue.

Consequently, corporations, particularly Indian vendors serving global clients, were placed in a state of persistent, low-level compliance risk. A demonstrable legal basis for data transfers could not be reliably provided under this framework. This legal uncertainty thus presented a significant operational and financial risk to the multi-billion-dollar Indian IT sector.

The DPDPA’s Paradigm Shift: The ‘Blacklist’ Model

The DPDPA has introduced a new, streamlined approach that is vital for Data Fiduciaries to understand. This procedure involves:

  • Assessment of the New Default: The new default position allows data transfers without restrictions. Under the DPDPA, the Data Fiduciary does not have to assess the destination country for “adequacy.” This turns the old default model on its head since the default position now is “open.” “Restricted” is now the exception.
  • Understanding the Legislative Framework: The guiding provision for this is section 16 of the DPDPA. This section allows the Central Government to “restrict the transfer of personal data to any country or territory outside India,” and it may do so by notification. This creates the “blacklist” model; data may flow to any country unless it is specifically named on the restricted list. Additionally, Rule 14 of the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) outlines the criteria the Central Government will consider to impose restrictions on a country, although these criteria are not exhaustively defined.
  • Continued Vendor Due Diligence: The Data Fiduciary’s accountability remains, even though the “adequacy” question is removed. A robust due diligence process remains critical. This involves assessing the contractual safeguards, technical security, and compliance certifications of the foreign data processor. The focus shifts from if you can transfer, to how you are protecting the data once it is transferred.

Legislative Framework

Even though the DPDPA sets a new starting point, corporations need to consider all other applicable legal frameworks. The GDPR governs the data flow from the EU to India. Thus, Indian companies that are processing EU data will continue to deal with Standard Contractual Clauses.

Currently, in India, Section 16 of the DPDPA will apply. However, it specifies that it does not affect the operation of any law that provides for a higher degree of protection or restriction on the transfer of personal data. Hence, sectoral regulators like the RBI and IRDAI will continue to actively impose tougher data localization laws that will exceed the DPDPA’s permissive transfer model.

AMLEGALS Remarks

As the digital environment undergoes changes, India’s new data governance strategy incorporates the DPDPA’s switch to the “blacklist” model. The DPDPA’s transition to a blacklist model is a practical approach, given that it reduces compliance friction and aligns with India’s commercial frameworks, as opposed to the more restrictive GDPR model, which is relatively disengaged from global commerce.

From India’s perspective, the framework is likely to provide a new point of uncertainty. Although the ambiguity around the “whitelist” has been dispensed with, the DPDPA and Draft Rules still do not provide any articulated and transparent mechanisms for how a country will be evaluated for placement on the “blacklist.” The framework needs to provide a level of consistency and regulatory alignment, and the predictable strategic environment that businesses need when managing high-value cross-border data flows.

 

For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com
