DPDP Act Allows Free Overseas Transfer of Data

India should mandate multinational big tech companies and hyperscalers to create localized data centres in India and ask them to store data within the country.

Update: 2026-06-01 13:05 GMT

Chennai: While data is a critical economic asset, the Digital Personal Data Protection (DPDP) Act, 2023, allows free transfer of data outside India except to “blacklisted countries”. However, the law has not specified the names of these countries, says Dhruv Kaushal, Partner, Data Privacy, of noted legal firm King Stubb & Kasiva. In order to maintain data sovereignty, India should mandate multinational big tech companies and hyperscalers to create localized data centres in India and ask them to store data within the country, he said in an interaction with Financial Chronicle.

Data has two dimensions — personal data and the collective data of the country. Let us start with personal data. Is data privacy a new concept for the Indian legal system? How effective is the Digital Personal Data Protection Act, 2023, in safeguarding user privacy?

To start with, the DPDP Act is a first-of-its-kind law in India, which is why the concepts, technology and terminology are fairly new to individuals in the country.

The law imposes monetary penalties that were previously unheard of in the Indian legislative context. We are looking at fines that can go as high as ₹250 crore on Indian entities. In terms of enforcement, we are dealing with a new regulator, the first virtual regulator in India, called the Data Protection Board of India, which has investigative and adjudicatory powers.

This is fresh territory not only for companies but also for government officials, regulators and individuals. It represents a significant step and a major overhaul in India’s regulatory and legislative history.

Data is increasingly being treated as an economic asset. Who benefits from it — the individual, the company collecting it, or the country where it is generated? Are these aspects specified in the DPDP Act?

These aspects are indeed discussed under the DPDP law. We often hear phrases such as “data is the new oil” or “data is the new economic asset.” What this essentially means is that data has become the foundation on which modern businesses and technology-driven startups are built.

India generates enormous volumes of data. We are talking about an economy that will soon have over 150 crore individuals, which means 150 crore individuals’ worth of data. We do not need to look outside the country for this resource.

The opportunity for India lies in creating technology and regulatory mechanisms around the use and export of this data. The beneficiaries include Indian companies that use data to train models, understand consumer behaviour, advertising preferences and buying patterns. Government agencies and the country as a whole also benefit because economic value creation ultimately contributes to national growth.

Who is responsible if something goes wrong with the data?

The DPDP law creates a framework involving four key stakeholders.

Take the example of ordering food online. When I share my financial information, name, phone number and email address with a food delivery platform, I become the Data Principal, the individual who owns the data.

The food delivery company becomes the Data Fiduciary, the entity responsible for collecting and using the data.

If the platform outsources storage or processing of that data to a third-party technology company, that company becomes the Data Processor.

The fourth stakeholder is the Data Protection Board of India. If the data is breached or processed without consent or a legitimate legal basis, the Board can impose penalties on the Data Fiduciary.

So the responsibility ultimately lies with the Data Fiduciary?

Yes. Unlike the European Union’s GDPR, where liability can be shared between controllers and processors, the Indian DPDP law places the entire responsibility on the Data Fiduciary.

Why was the Data Processor excluded from direct liability?

Indian regulators have often faced challenges in pursuing multiple stakeholders simultaneously. It appears that policymakers wanted a single point of accountability. Therefore, the Data Fiduciary bears the responsibility and must ensure adequate contractual safeguards with Data Processors.

How do the rules ensure that access to an individual’s data is not concentrated in the hands of a few companies, institutions or political entities?

The DPDP law does not provide any special access to ruling parties or specific government stakeholders. It does not create provisions allowing manipulation of information or electoral outcomes.

However, the government does have access in specific situations involving national sovereignty, public interest, prevention or detection of crime. In such cases, investigating agencies have significant powers to collect and process data.

The Act also grants several exemptions to government agencies. Do these exemptions dilute privacy protections and create the possibility of unchecked surveillance?

There is no blanket exemption for the government. However, there are circumstances where government agencies can process data without obtaining consent.

One notable exemption concerns the Right to Erasure, under which individuals can ask organisations to delete their data. Government agencies may not always be required to comply with such requests.

Similarly, when government bodies are providing subsidies, benefits or public services, consent requirements are substantially reduced. This does result in a partial dilution of obligations for government entities.

At the same time, the Ministry of Electronics and Information Technology has issued internal safeguards and data protection mandates applicable to government departments.

In Europe, are governments held more accountable and are such exemptions more limited?

The European Union operates differently. The GDPR provides a common framework, while member states implement specific laws.

There have been several cases where government entities in Europe have been penalised by regulators. Such precedents do exist.

In India, although terms such as sovereignty, security of the state and public interest are broad, we expect judicial checks and balances to evolve over time. Oversight can come from the Data Protection Board, the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and ultimately the Supreme Court of India.

Does this mean the regulator must function independently of the government?

Absolutely. Regulatory independence and judicial independence are essential. Without them, the law cannot function as intended.

Data breaches continue to occur frequently. Does this indicate gaps in the legal framework or failures in implementation?

As of now, the law has not yet been implemented. It will become effective on May 12, 2027.

The Act was enacted on August 12, 2023, and the rules were finally notified on November 13, 2025. At that point, organisations were given 18 months to prepare for compliance.

Are companies and data fiduciaries preparing themselves for compliance?

My advice is simple: every enterprise in India must comply.

There are approximately 28.5 million entities in India, of which around 17.5 million are active enterprises. Even if a company does not handle customer data, it certainly handles employee data.

In that sense, compliance is similar to the introduction of GST. Before GST came into force, nobody was compliant. Once implemented, everyone had to become compliant.

Unfortunately, significant gaps remain. A large amount of work still needs to be done across both private enterprises and government institutions.

Many enterprises may not even know they need to prepare. Who is responsible for creating awareness?

The law grants rights directly to individuals. If someone is unhappy about how a company handles their data or about spam communications, they can approach the Data Protection Board or the company itself.

This creates pressure on organisations to address grievances and improve compliance.

But most citizens may not even be aware of their rights under the law.

That is true. We are talking about a country of nearly 150 crore people with diverse languages and varying levels of legal awareness.

How these concepts will be communicated effectively at the grassroots level remains an open question. We have not yet seen a large-scale public awareness campaign.

My advice to enterprises is to start by identifying stakeholders and educating employees about the law, its obligations and its underlying principles.

Since both governments and enterprises benefit from individuals remaining unaware of their rights, who will actually educate the public?

The Data Protection Board has suo motu powers and can initiate action if it believes entities are not acting in the best interests of individuals.

Globally, we have also seen NGOs and privacy activists play a crucial role in representing citizens. Representative suits and class-action mechanisms also exist under the DPDP framework.

So widespread public education and activism will be critical to implementation?

Yes, absolutely.

As AI adoption grows, concerns are increasing around biased datasets, algorithmic decision-making and profiling. Does India have a comprehensive AI regulatory framework?

The answer is both yes and no.

India currently does not have a unified AI law comparable to the European Union’s AI Act. There were discussions around the proposed Digital India Act, which would have contained AI-specific provisions, but that framework has not materialised yet.

There are certain guidelines under the Information Technology Act dealing with AI usage by intermediaries and social media platforms.

The DPDP law does require Significant Data Fiduciaries to assess the risks that AI and machine learning systems may pose to individual rights. However, this obligation currently applies only to Significant Data Fiduciaries.

Let us move from personal data to data sovereignty. A large portion of Indian user data is controlled by global technology companies. How prepared is India to protect national data interests?

India is one of the most data-rich economies in the world.

The most important question is whether India should mandate hyperscalers and large technology companies to establish localised data centres and store data within the country.

The DPDP law takes a different approach. It allows free transfer of data outside India except to blacklisted countries, which have not yet been identified.

Another important provision is that if sectoral regulators such as the RBI or IRDAI require localisation, regulated entities must comply and store data within India.

Whether India will eventually mandate localisation more broadly remains an open question.

When global technology firms control Indian data, is India losing an opportunity to monetise that data?

Absolutely.

Data is the new oil. If India cannot monetise its data, support startups or create value from this resource, it risks significant economic losses.

Cross-border data transfers should ideally be limited to jurisdictions that provide protections equivalent to those available in India.

What are the hidden risks in international trade agreements that include data-sharing provisions?

The biggest concern is data security.

We need clarity on what security standards apply and under what circumstances foreign governments can access Indian citizens’ data.

At the same time, trade agreements can be beneficial because they can establish mutual recognition of trusted data protection frameworks and facilitate economic growth.

But if data flows are largely one-sided, with Indian data moving abroad while foreign data does not flow into India, would that not disadvantage India?

Definitely.

If data simply flows from India to another country without reciprocity, India loses both revenue opportunities and control over how that data is protected.

That is why any data-related trade arrangement must be bilateral and mutually beneficial.

What kind of regulatory mechanism is ultimately needed to address concerns around both privacy and data sovereignty?

The DPDP Act is a strong starting point. The law is fairly clear on consent requirements, technical safeguards, encryption, confidentiality and access controls.

The grey areas primarily concern enforcement and implementation. That is where judicial oversight becomes critical.

The Data Protection Board will have investigative powers, and its findings will carry significant weight. The challenge is whether a single regulator can effectively handle complaints from a population of 150 crore people.

The Board is expected to use mediation and other mechanisms to reduce its burden. Ultimately, the effectiveness of the framework will depend on how quickly regulators and courts are able to resolve the grey areas that remain.

In conclusion, India now has a foundational framework to address personal data protection, supported by a dedicated regulator. However, its success will depend heavily on institutional independence, public awareness and effective implementation.

At the same time, important questions remain around data sovereignty, localisation and cross-border data flows. As India negotiates trade agreements and expands its digital economy, policymakers will need to balance economic opportunities with the need to protect national data interests.
