
DPDPA Rule 15: Cross-Border Data Transfers
Navigate the complexities of DPDP Act compliance. Discover actionable steps for data fiduciaries to protect user privacy and avoid hefty regulatory fines.
Written by
Himanshu Jotwani
Date
Read time
6 min

Rule 15 of the DPDP Rules 2025 sets the ground rules for cross-border transfers of personal data under India’s Digital Personal Data Protection Act. On paper, it is remarkably short. In practice, it is a loaded spring.
The rule permits personal data to be transferred outside India, but only if the Data Fiduciary meets any conditions the Central Government may prescribe through general or special orders. Everything else you do must still comply with the Act. Consent, purpose limitation, security safeguards, and rights handling do not stop at the border.
The Default Position: Transfers Are Allowed Unless Restricted
DPDPA Rule 15 creates a permissive baseline. Data Fiduciaries can transfer personal data to any foreign jurisdiction unless the Central Government issues an order that explicitly restricts the transfer.
This is a marked shift from earlier, localisation-heavy proposals. The current framework supports global data flows while keeping a sovereign kill switch within arm’s reach. Until the government publishes a contrary order, transfers remain lawful if you comply with the rest of the DPDPA.
What this means for your operations:
- You can architect cross-border data flows today.
- You must be ready to respond quickly if a restriction is notified.
- You still bear full responsibility for DPDPA compliance in the receiving location.

Government Controls: General Orders and Special Orders
The Central Government can regulate transfers through two mechanisms:
- General orders that apply widely. For example, blocking transfers to a named country because of national security concerns.
- Special orders that target a sector, an entity, or a specific data category. For example, limiting transfers of children’s data to a particular company or jurisdiction.
This dual toolset lets the government act systemically or surgically. Expect these orders to be published as formal notifications. When they land, they bind Data Fiduciaries immediately.
Scope: Who Must Comply
Rule 15 applies to all Data Fiduciaries. A Data Fiduciary is any person or entity that determines why and how personal data is processed. This includes:
- Indian firms sending data to offshore affiliates or vendors
- Outsourcing and IT services providers moving client data abroad
- Platforms using overseas payment gateways or cloud infrastructure
- Healthcare providers sharing diagnostic data outside India
- Financial institutions using foreign analytics or hosting
Data Processors act on instructions and are not directly bound by Rule 15. However, the Data Fiduciary must impose suitable contract terms on processors and sub-processors to ensure their dpdp data fiduciary obligations flow down the chain.
The “Requirements” You May Need to Meet
Rule 15 says transfers may occur if the Data Fiduciary meets requirements the Central Government may specify. Until such orders are issued, the exact conditions are a blank space. Based on the policy posture and comparative practice, future orders could include:
- Country-based restrictions or permissions, including blacklists
- Data category controls for financial, health, or children’s data
- Contractual terms that must appear in transfer agreements
- Technical safeguards such as encryption standards or anonymisation
- Reporting obligations to a regulator or the Data Protection Board
- Conditions that require a copy to be stored in India for supervision
Treat this as structural change risk. Design contracts, controls, and data architectures that can adapt without requiring a full rebuild.
Transfers Involving Foreign States and State-Controlled Entities
Rule 15 explicitly references transfers to foreign States, their agencies, and persons or entities under the control of such States. This captures both direct transfers to a foreign government body and indirect transfers to State-controlled or State-influenced companies.
The practical implications are immediate:
- Map the ownership and control of your overseas recipients, not just their place of incorporation.
- Watch for orders that restrict transfers to entities under the control of a specific government, even if the recipient looks like a private company.
- Expect heightened scrutiny where sovereign funds, State-owned enterprises, or legal frameworks allow State access to data.
Interaction With Sectoral Localisation Rules
Rule 15 does not override sectoral mandates. Where regulators already impose storage or transfer rules, those walls remain standing. Examples include:
- RBI: Payment system data must be stored in India. Limited processing outside India may be permitted subject to bringing data back.
- IRDAI: Insurance sector data storage requirements apply.
- SEBI: Capital markets data storage conditions remain in force.
If sectoral rules are stricter than Rule 15, the stricter norm prevails. Always check both the DPDP framework and sector notices before you move a single byte.

Compliance Posture to Adopt Now
Before any orders are issued under Rule 15, Data Fiduciaries should act on the following:
- Map cross-border flows. Record destination countries, recipient entities, data categories, purposes, and volumes.
- Diligence recipients. Identify whether recipients are agencies of a foreign State or under its control. Document beneficial ownership and control paths.
- Strengthen contracts. Include data transfer clauses requiring compliance with Indian law, security standards, cooperation with inquiries, and notification of changes in ownership or control.
- Verify sectoral constraints. Confirm whether RBI, SEBI, IRDAI, TRAI, or others impose localisation or transfer conditions that narrow your options.
- Monitor government orders. Track notifications from MeitY and the Ministry of Home Affairs. Assign responsibility for monitoring and escalation.
- Update privacy notices. Disclose cross-border transfers and destination countries as required by the DPDP Rules on notice.
- Minimise data. Send only what is required for the stated purpose. Prefer pseudonymisation or tokenisation where possible.
Practical Scenarios
- Indian services exporter: Processing HR data of overseas employees and sending results back to foreign servers is permitted today, provided you meet core DPDPA duties and any sectoral rules.
- Global platform using foreign hosting: Hosting Indian data in Singapore or Ireland is allowed unless a government order restricts those jurisdictions. Disclose destinations in privacy notices and maintain security controls.
- Recipient controlled by a foreign State: If the government restricts transfers to State-controlled entities in a given country, transfers to a private company majority-owned by that State’s sovereign fund would be barred.
- After a restriction is issued: If transfers to Country Z are restricted, you must stop the flow promptly, switch providers or locations, update contracts and records, and document your remediation. Delay invites enforcement.
Comparison Context Without the Legalese
Unlike the EU, which blocks transfers unless you use a specific transfer tool or the destination is pre-approved, India permits transfers unless the government restricts them. The United States has no general federal regime governing a dpdp act cross border data transfer equivalent. India’s model optimises for business flexibility while keeping a strong sovereignty lever for targeted control. Your compliance burden is lighter upfront, but it can change the moment an order is notified.
Boundaries and Oversight
Rule 15 will be read alongside constitutional privacy principles. Any order must be proportionate and capable of review. Indian courts have scrutinised blanket surveillance and cross-border arrangements in other contexts, and similar reasoning can apply here. Document your decision-making and be ready to show that your transfers align with legal requirements and respect individual privacy.
What Changes in Practice
Treat cross-border transfers as a living risk. Build inventories, embed contractual and technical safeguards now, and establish a playbook for rapid response if an order lands. Avoid single-country or single-vendor concentration that could cripple operations overnight. Keep your notices current, train the teams that approve new vendors, and rehearse your stop-transfer and migration plan.
Closing
Rule 15 looks simple. It is not. It gives you room to operate today but expects you to stay sharp, know your data flows, and pivot fast when restrictions arise. The winners will be the teams that pair legal clarity with operational agility.
Compliance is execution. That means tracking orders, coordinating legal, security, procurement, and engineering, and proving you did the right things at the right time. At Regodit, we built a structured way to map flows, manage contracts and controls, and operationalise DPDP compliance across teams. If you want to cut through the ambiguity and align your organisation around a single, adaptable compliance plan, let’s talk about your environment.
Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.
Keep reading
All blogs →DPDPA Rule 23: Government Requests for Information from Data Fiduciaries and Intermediaries
Handling a notice under DPDP Act Rule 23 requires strict confidentiality. Discover how to respond to government data requests and ensure full compliance.
DPDPA Rule 22: Appeals to the Appellate Tribunal
Lost at the Data Protection Board? DPDPA Rule 22 governs the digital-first appeals process. Read our complete guide to filing an appeal with the Tribunal.
DPDPA Rule 21: The Machinery Behind the Data Protection Board of India
Ensure your business meets DPDP Act compliance requirements. Discover key obligations for data fiduciaries, penalty risks, and steps to protect user privacy.
