Data PrivacyRegulation Of Cross Border Data Transfers Under The Digital Personal Data Protection Act, 2023

August 23, 20230


The Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP Act”) attempts to regulate personal data transfer beyond the Indian borders through section 16 of the DPDP Act. Section 16 of the DPDP Act talks about cross borders data transfers and primarily aims on the following fronts:

  • Section 16(1) states that the central government may restrict the transfer of personal data outside the border of India specifying certain countries by issuing a notification as it deems fit.
  • Section 16(2) develops a synergy between the existing laws in force and itself by allowing the application of already existing higher data protection measures.

Globally, many of the developed countries have come up with stringent policies on cross border data protection. European union’s (hereinafter referred to as “EU’s”) General Data Protection Regulation (hereinafter referred to as “GDPR”) lists out provisions for personal data transfer from an EU country to a non – EU country.


The European GDPR dedicates a whole chapter for the provisions of cross-border personal data protection and provides strict sanctions for the breach including a penalty up to €20 million or 4% of the annual turnover of the next fiscal year. Such stringent penalties make it essential to comply with the rules.

Personal data transfer within EU member nations make it mandatory for the data controllers and data processors to sign an agreement, setting up the subject matter, type of personal data, and nature, duration and purpose of the processing of such data.

Cross-border data transfer, or data transferred to a non-EU country, are subject to an ‘Adequacy Decision’, this adequacy decision is essentially a measure of standard which verifies that that a third country, territory or an international organisation offers levels of Data Protection that are essentially equivalent to that within the EU.

Once the adequacy decision is found to be affirmative then any personal data is allowed to be transferred from the EU to the relevant country.

Under the GDPR regime Data Controller also rely upon the appropriate measures provided under the rules for cross-border data transfer which includes complying with corporate rules which is useful for group of companies established in different companies. EU has approved certain standardised clauses and certification mechanism for data protection which are a must for cross border transfer of data.


Cross-border data transfer facilitates international trade and supports the production and distribution of goods and services effectively. According to the World Development Report by the World Bank, the global internet traffic has been estimated to be around 4.8 zettabytes by the year 2022. This rapidly increasing internet traffic indicates huge amounts of data transfer happening globally which requires stringent policies for economic growth and data privacy. Presently, countries like EU, China, Japan and Canada have the most stringent data privacy laws worldwide.

The DPDP Act is aimed to be a contender to such other data protection laws by synergizing the existing Information Technology Rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), 2011 and the Information Technology Act, 2000 which requires companies to take explicit free consent of the individual before processing their data further. Financial services and digital lenders are being regulated by the Reserve Bank of India guidelines on data processing, protection and retention.

Despite the positive efforts the 2023 Act, in its present form, lacks stricter and well-defined provisions which are clear about the personal data transfer outside the territory of India. However, much of this is attributable to the approach of the Indian government to make the DPDP Act not prescriptive in nature and rather frame it in a manner to provide a comprehensive framework that outlines principles and standards while allowing flexibility for technological advancements.


Being one of the largest internet markets in the world, India has started its revolutionary journey to formulate data privacy laws by the enactment of DPDP Act. The Act is in check with the global privacy laws but still needs a faster implementation which is currently estimated to take 8-9 months. It certainly put forth the provision of restricting data fiduciaries to transfer personal data to some particularly notified countries but currently lacks specific penalising provisions for such data breach. Cross border personal data transfer policies must be clear, precise and stringent in nature as it can be a question of the nation’s security.

– Team AMLEGALS, assisted by Ms. Khanak Sharma (Intern)

For any query or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.