1. Introduction

The Digital Personal Data Protection Act, 2023 (‘Act’) read with the Digital Personal Data Protection Rules, 2025 (‘Rules’) significantly reshapes India’s data governance framework. For technology-driven companies (‘Tech Cos’), data is not merely operational but is often a core commercial asset. Tech Cos usually have foreign collaborators, overseas data processors[1], Artificial Intelligence (‘AI’) development, shared intellectual property, or common cloud-based infrastructure, thereby making cross-border transfers and data localisation norms central to operational structuring and contractual risk allocation.

2. Cross-border data transfers and data localisation under the Act

Legal framework

The Act adopts a permissive, ‘negative list’ model: transfers of personal data[2] are allowed unless explicitly blacklisted by the Central Government[3], thereby giving businesses flexibility in determining the jurisdiction in which they wish to process data.

However, this flexibility is restrained in various ways that may impact Tech Cos:

1. Central Government’s powers – The Central Government retains broad discretion to restrict transfers to specified jurisdictions.[4] The Rules additionally stipulate that transfers of personal data will also be subject to the Data Fiduciary[5] meeting such criteria as may be prescribed.[6]

The Act does not prescribe any objective criteria, creating regulatory uncertainty. Such restrictions may not only be jurisdiction-based but may also hinge on compliance standards to be met by a Data Fiduciary.

2. Applicability of other laws – The Act expressly preserves the applicability of sectoral laws that impose stricter data protection or localisation requirements.[7] Accordingly, domestic sectoral frameworks of the Reserve Bank of India (‘RBI’), the Insurance Regulatory and Development Authority of India (‘IRDAI’) or the Securities and Exchange Board of India (‘SEBI’) may override the general permissive stance of the Act.

This is particularly relevant for Tech Cos operating in regulated sectors such as banking, insurance or health-tech. For example, the RBI mandates that all data collected by payments banks[8], and data collected by regulated entities in relation to digital lending, may only be stored on servers located in India.[9] Further, the IRDAI restricts the storage of data relating to Indian policyholders and claims outside India.[10]

3. Significant Data Fiduciary (‘SDF’)[11] – The Rules impose additional obligations on SDFs, including a targeted localisation requirement.[12] While the criteria for SDF designation depend on factors such as the volume and sensitivity of data processed, the precise thresholds and the designation process remain unclear.[13]

This causes uncertainty at the outset, as compliance burdens may intensify over time without clarity on what lies ahead.

4. Responsibility of a Data Fiduciary – A Data Fiduciary remains fully accountable for all compliance obligations, even where the processing of personal data is undertaken by an overseas Data Processor.[14] While processing must mandatorily be governed by a valid contract, the Act does not prescribe any specific provisions that must be incorporated in such contracts.[15] This means liability stays with the Data Fiduciary (such as a Tech Co outsourcing its data processing to another firm), regardless of where or by whom the data is actually processed.

Practical relevance for Tech Cos

The Act does not prescribe any criteria guiding the Central Government’s decision to restrict the jurisdictions to which personal data may be transferred, leading to regulatory uncertainty for Tech Cos relying on global data flows. In this regard, it is important to consider the operational reality of any technology-focused venture: data does not just sit on one server in one country; rather, it flows continuously and often without deliberate transfer decisions. In Tech Cos, cross-border transfer is rarely a deliberate, one-time act. It is often embedded in how the business is designed. This could happen in the following ways:

1. A Tech Co using any global cloud system will have data stored or backed up across servers in multiple countries. Oftentimes, when foreign partners maintain a central data hub for all group entities worldwide, or use group-wide software for customer management, finance, HR or operations, Indian data may flow automatically into that global system for analysis or storage.

2. Data Processors often engage sub-processors to perform specialised services. If the data processing agreement (‘DPA’) does not mandate prior consent or oversight mechanisms, a sub-processor may be appointed without the consent of the Data Fiduciary. As the statutory liability continues to rest with the Data Fiduciary, a compliance failure by a downstream sub-processor may therefore expose the Tech Co to penalties.

3. If the Tech Co is building AI tools or AI agents, or carrying out analytics, it may combine data collected from Indian users with data from other countries to improve or train AI models. That pooling itself involves a cross-border transfer.

4. As the broad definition of ‘processing’[16] of personal data includes the use of such data and its disclosure by transmission, even remote cross-border access to personal data may qualify as a ‘transfer’, depending on how strictly regulators interpret the concept.

The key risk in this regard is that a Data Fiduciary remains responsible for compliance even where processing is undertaken by a Data Processor. A Tech Co acting as a Data Fiduciary cannot contractually shift statutory liability to any of its Data Processors. A breach by an overseas Data Processor may expose a Tech Co to stringent penalties (ranging from INR 50 crore to INR 250 crore)[17] and may materially affect the functioning and valuation of the Tech Co. While reducing reliance on third-party processors may significantly reduce regulatory exposure, this is not practically feasible for most companies, as outsourcing is the norm. Given these risks, it is imperative that Tech Cos approach data governance and contractual risk allocation strategically.

Contractual implications

1. At the outset, Tech Cos should undertake a granular mapping exercise of all personal data flows, from the point of collection through storage, processing, analytics, transfer and deletion. This exercise should not be limited to formal ‘transfer’ events, but should also capture the embedded data mobility arising from contracts or shared digital infrastructure arrangements. Identifying the flow of data allows a Tech Co to assess its reliance on specific foreign jurisdictions that may later be restricted.

2. Although the Act does not prescribe mandatory standard contractual provisions for cross-border transfers of personal data, the Data Fiduciary-centric liability model makes robust DPAs commercially important. A well-structured DPA for a Tech Co (as the Data Fiduciary) should have the following elements:

a. A description of the processing of personal data and its purpose, along with detailed norms for seeking the consent of the Data Principal[18], in a legally compliant manner, for the transfer of such personal data.

b. Representations on server hosting locations, with appropriate penalties in case of breach. Such a clause should be drafted carefully, with enforceable and stringent consequences, considering the heavy monetary penalties prescribed under the Act.

c. Prior written consent of the Tech Co (in its capacity as the Data Fiduciary) ought to be required before engaging any sub-processor, along with a flow-down of contractual obligations equivalent to those binding the Data Processor.

d. Defined technical and organisational security measures, along with security breach notification obligations.

3. Conclusion

Under the framework of the Act, data transfer flexibility exists, but it is conditional and subject to change. The risk of regulatory exposure for Tech Cos lies not in immediate prohibition but in regulatory unpredictability, the inherent technological dependence of Tech Cos, and high fiscal penalties. Pre-planning and informed operational decisions, as well as strategically negotiated contracts, can determine whether a Tech Co adapts to regulatory evolution or faces costly restructuring and potential enforcement action.


[1] Section 2(k) of the Act defines ‘Data Processor’ as “any person who processes personal data on behalf of a Data Fiduciary”.

[2] Section 2(t) of the Act defines ‘personal data’ as “any data about an individual who is identifiable by or in relation to such data”.

[3] Section 16 of the Act.

[4] Section 16(1) of the Act.

[5] Section 2(i) of the Act defines ‘Data Fiduciary’ as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”.

[6] Rule 15 of the Rules.

[7] Section 16(2) of the Act.

[8] ‘Storage of Payment System Data’, RBI/2017-18/153, dated 06 April 2018, available at: https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244.

[9] Paragraph 13, ‘Reserve Bank of India (Digital Lending) Directions, 2025’, dated 08 May 2025, available at: https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12848&Mode=0.

[10] Regulation 3(9), IRDAI (Maintenance of Insurance Records) Regulations, 2015.

[11] Section 2(z) of the Act defines ‘Significant Data Fiduciary’ as “any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 [of the Act]”.

[12] Rule 13(4) of the Rules.

[13] Section 10(1) of the Act.

[14] Section 8(1) of the Act.

[15] Section 8(2) of the Act.

[16] Section 2(x) of the Act defines ‘processing’ in relation to personal data as “a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”.

[17] Section 33 of the Act.

[18] Section 2(j) of the Act defines ‘Data Principal’ as “the individual to whom the personal data relates…”.
