
RULE 15 OF DPDP RULES 2025

Transfer of Personal Data Outside the Territory of India


Official Text of Rule 15, DPDP Rules 2025:

Any personal data processed by a Data Fiduciary under the Act may be transferred outside the territory of India subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.

Legal interpretation of DPDP Rule 15: Transfer of Personal Data Outside the Territory of India

1. Overview and Legislative Context

Rule 15 of the Digital Personal Data Protection Rules, 2025 is the implementing provision for Section 16 of the Digital Personal Data Protection Act, 2023 (DPDPA). It addresses one of the most commercially significant and geopolitically sensitive aspects of modern data governance — the cross-border transfer of personal data.

Unlike the European Union's GDPR, which relies on a detailed adequacy-decision framework, bilateral agreements, Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs), India's approach under Rule 15 is characterised by deliberate executive flexibility: the Central Government retains overarching power to specify, restrict, or permit cross-border data flows by general or special order, without requiring Parliament's intervention each time.

Philosophically, this echoes the Kantian idea that freedom is not absolute but regulated by universalisable principles — here, data is permitted to flow freely across borders unless the State, exercising its sovereign duty to protect citizens, steps in with restrictions. As Justice D.Y. Chandrachud observed in Puttaswamy v. Union of India (2017) 10 SCC 1: "Informational privacy is a facet of the right to privacy." Rule 15 operationalises that right in the cross-border context.

2. The Default Position: Permitted Unless Restricted

A crucial interpretive point that practitioners must appreciate is that Rule 15 establishes a permissive default: personal data processed by a Data Fiduciary may be transferred outside India. There is no blanket prohibition. The transfer is permitted unless the Central Government, through an order, imposes specific restrictions.

This is a significant departure from earlier drafts of the DPDPA Bill (2019, 2021) which had proposed mandatory data localisation for certain categories of sensitive personal data. The final Act and Rules deliberately chose a more open, trade-friendly regime, recognising India's deep integration into global digital value chains — from IT services exports to cloud computing, fintech, and healthcare analytics.

Practical Takeaway: Until the Central Government issues a specific order restricting a particular country or category of data transfer, Indian Data Fiduciaries may lawfully transfer personal data to any foreign jurisdiction, subject to compliance with the Act's other requirements (purpose limitation, consent, data security, etc.).

3. The Central Government's Power: General and Special Orders

Rule 15 grants the Central Government two distinct regulatory instruments:

3.1 General Order

A general order would apply to all Data Fiduciaries or broad categories of data transfers — for example, an order restricting the transfer of any personal data to a specific country deemed adversarial to India's national security or sovereignty. This is analogous to a "blacklist" mechanism.

3.2 Special Order

A special order could target specific sectors, entities, or categories of data. For instance, the government could issue a special order restricting transfer of health data or children's data to a named foreign entity or a particular jurisdiction, without affecting other cross-border flows.

This dual-instrument design gives the government both a broad brush and a scalpel — the ability to respond both to systemic geopolitical threats and to specific regulatory concerns with surgical precision. It mirrors India's approach under the Information Technology (Amendment) Act, 2008 and Section 69A orders used for blocking digital platforms.

| Order Type | Scope | Example Scenario |
|---|---|---|
| General Order | All entities / broad categories | Blocking transfers to a country under sanctions or in armed conflict with India |
| Special Order | Specific sector / entity / data type | Restricting a named foreign tech company from receiving biometric or children's data |

4. Scope: Who Is Subject to Rule 15?

Rule 15 applies to every Data Fiduciary — defined under Section 2(i) of the DPDPA as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. This includes:

  • Indian companies sharing customer data with overseas parent companies or subsidiaries
  • IT/BPO firms processing data under contracts with foreign clients and sending processed outputs abroad
  • Cloud service providers whose infrastructure is located partially outside India
  • E-commerce platforms transferring transaction data to international payment gateways
  • Healthcare providers sending patient data to overseas diagnostic centres or research institutions
  • Banks and NBFCs using overseas data centres or analytics platforms

Data Processors (who process data on behalf of a Data Fiduciary) are not independently bound by Rule 15 — the obligation sits with the Data Fiduciary, who must contractually ensure compliance flows down through the processing chain.

5. Nature of the Restriction: What Must a Data Fiduciary "Meet"?

The Rule requires Data Fiduciaries to "meet such requirements" as the Central Government may specify. Until specific orders are published, it is not yet possible to enumerate those requirements with certainty. However, based on the legislative history, expert committee reports (particularly the Justice B.N. Srikrishna Committee Report, 2018), and analogies with comparable global frameworks, the likely requirements could include:

  • Country-level restrictions: A list of countries to which transfers are prohibited or restricted (similar to the EU's "non-adequate" country list under GDPR Art. 45)
  • Data category restrictions: Special requirements for sensitive categories (financial data, health data, children's data)
  • Contractual safeguards: Mandating specific clauses in data transfer agreements (like SCCs in the EU)
  • Technical safeguards: Encryption standards, anonymisation requirements, or data residency requirements for mirror copies
  • Reporting obligations: Disclosures to the Data Protection Board about cross-border flows

6. The "Foreign State / Entity Under Control" Dimension

Rule 15 specifically calls out transfers to:

  • Any foreign State
  • Any person or entity under the control of a foreign State
  • Any agency of such a State

This language introduces a national security and sovereignty dimension that goes beyond ordinary commercial cross-border transfers. It empowers the government to prevent Indian citizens' personal data from reaching foreign government agencies — whether intelligence agencies, state-owned enterprises, or entities controlled by a foreign government — even if the immediate data recipient is nominally a private company.

This provision has clear implications for India's relations with specific countries and for businesses with ownership structures that could make them "entities under the control of" a foreign State. Given the expanding use of "VIE structures" (Variable Interest Entities) by some tech companies, Data Fiduciaries must carefully assess the ultimate ownership and control of their overseas recipients.

Illustrative Example: An Indian fintech startup shares user payment data with a cloud analytics provider headquartered in Country X, whose government has majority ownership through a sovereign fund. If the Central Government issues a general order restricting transfers to Country X, this transfer would be prohibited — even though the direct counterparty appears to be a private company.

7. Comparison with Global Cross-Border Data Transfer Frameworks

| Parameter | India (Rule 15, DPDP Rules 2025) | EU (GDPR Chapter V) | USA (CCPA / State Laws) |
|---|---|---|---|
| Default Position | Transfers permitted unless restricted by Government order | Transfers prohibited unless a transfer mechanism applies | No general prohibition on cross-border transfers |
| Restriction Mechanism | General / Special order by Central Government | Adequacy decisions, SCCs, BCRs, derogations | No federal mechanism; sector-specific (HIPAA, GLBA) |
| Business Flexibility | High (until orders issued) | Moderate (requires pre-transfer mechanism) | High |
| Sovereignty Focus | High (State-controlled entity restriction) | Moderate (adequacy focuses on rule of law) | Low |
| Data Localisation | Not mandated by Rule 15 (but may be by sector regulators) | Not mandated (except for specific data categories) | Not mandated federally |

8. Interaction with Sectoral Regulations

Rule 15 operates alongside — and does not override — sector-specific data localisation and transfer rules already in force in India:

  • RBI Circular on Storage of Payment System Data (2018): Mandates that all data related to payment systems must be stored only in India. Transfers abroad are only permitted for processing, subject to the data being brought back.
  • IRDAI Regulations: Insurance data must generally be stored within India.
  • SEBI Guidelines: Capital market data must be stored domestically.
  • DPDPA + RBI: A Data Fiduciary in the payments sector must comply with both Rule 15's general framework and RBI's stricter data localisation mandate. The stricter norm prevails.

9. Compliance Obligations for Data Fiduciaries

In the current regulatory environment — before specific Central Government orders under Rule 15 are published — Data Fiduciaries should adopt the following compliance posture:

  • Data Transfer Mapping: Maintain a complete inventory of all personal data transfers to foreign jurisdictions (country, entity, data category, volume, purpose)
  • Recipient Due Diligence: Assess whether overseas recipients are under the control of or are agencies of a foreign State
  • Contractual Provisions: Include data transfer clauses in agreements with overseas partners, requiring them to comply with Indian law and to notify the Data Fiduciary of changes in their control or ownership
  • Sectoral Compliance: Check whether sector-specific regulators (RBI, SEBI, IRDAI, TRAI) have imposed additional restrictions on top of Rule 15
  • Monitoring Government Orders: Maintain a watch on MeitY and Ministry of Home Affairs notifications for any general or special orders under Rule 15
  • Privacy Notices: Update privacy notices to disclose the countries to which data is transferred, as required by Rule 3 (Notice by Data Fiduciary)
  • Data Minimisation: Transfer abroad only the minimum personal data necessary for the stated purpose

10. Key Case Laws and Judicial Precedents

  • K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (Supreme Court of India): Established informational privacy as a fundamental right under Article 21. Rule 15 must be read in light of this — any Central Government order restricting or permitting data transfers must be proportionate and not arbitrarily violate the right to privacy.
  • Schrems II — Data Protection Commissioner v. Facebook Ireland (C-311/18, CJEU, 2020): While a European ruling, it is highly instructive. The Court invalidated the EU-US Privacy Shield on grounds that US surveillance laws did not provide adequate protection. Indian courts may take analogous approaches when reviewing any orders under Rule 15 that enable data transfers to surveillance-heavy jurisdictions.
  • Gramophone Company of India v. Birendra Bahadur Pandey, AIR 1984 SC 667: Established that international law norms are part of Indian law to the extent they are not inconsistent with domestic law. This principle would apply to international data protection standards when interpreting Rule 15 in cross-border contexts.
  • People's Union for Civil Liberties v. Union of India, (1997) 1 SCC 301: Affirmed that surveillance and interception powers must be exercised with adequate procedural safeguards. By analogy, Central Government orders under Rule 15 that permit or restrict data flows should be backed by transparent, reviewable procedures.

11. Practical Scenarios and Worked Examples

Scenario 1: Indian Software Exporter

An Indian IT company processes HR data of US-based employees under a contract with a US parent company and transfers the processed data to servers in the USA. Under Rule 15 (current state, no restrictive order), this transfer is lawful provided the company fulfils its obligations under the DPDPA (purpose limitation, security safeguards, etc.).

Scenario 2: Global E-Commerce Platform

A global e-commerce platform processes Indian consumers' personal data on servers located in Singapore and Ireland. Rule 15 permits this unless a Government order restricts transfers to these jurisdictions. The platform must ensure it discloses this in its privacy notice (Rule 3 compliance) and maintains security standards (Rule 6 compliance).

Scenario 3: State-Controlled Foreign Entity

An Indian hospital seeks to share patient data with a medical AI company incorporated in Country Y, which is 60% owned by Country Y's government investment fund. If the Central Government issues an order restricting transfers to entities under the control of Country Y's government, this transfer would be prohibited — even if Country Y is otherwise not blacklisted.

Scenario 4: Post-Restrictive-Order Compliance

After a general order is issued restricting transfers to Country Z (due to, say, a deterioration in diplomatic relations), an Indian fintech that was sending transaction data to a Country Z-based analytics firm must immediately cease that transfer, find an alternative data processor, and update its data processing agreements — or face penalties under the DPDPA.

12. The Data Localisation Debate in India

Rule 15 represents India's considered rejection of hard data localisation — the requirement that personal data be stored exclusively within India. The Justice Srikrishna Committee (2018) had proposed tiered localisation for different categories of sensitive personal data, but this was dropped in the final 2023 Act and 2025 Rules.

Instead, India has adopted a conditional free flow model — data can flow freely abroad, but the government can impose conditions or restrictions by order. Critics argue this leaves businesses in a state of regulatory uncertainty, since they must be perpetually ready to adjust their global data architectures based on executive orders. Proponents counter that this flexibility is precisely what allows Indian businesses to compete globally without being hamstrung by blanket localisation requirements, while still preserving national security.

Sector regulators like the RBI have, however, effectively imposed localisation for their domains, creating a patchwork regime where Rule 15's openness coexists with strict sectoral mandates.

13. Conclusion: Strategic Significance of Rule 15

Rule 15 of the DPDP Rules 2025 is deceptively simple — just one sentence in the official text — but its strategic and commercial implications are vast. It sits at the intersection of data sovereignty, international trade, national security, and individual privacy.

For India — a country whose digital economy is deeply intertwined with global data flows (IT exports exceeding USD 245 billion, 1,000+ GCCs operating from Indian soil, and one of the world's largest digital payments ecosystems) — getting this rule right is not merely a legal exercise but an economic and geopolitical imperative.

Data Fiduciaries must treat Rule 15 not as a static compliance checkbox but as a dynamic risk management obligation: continuously monitoring for Central Government orders, maintaining agile data transfer architectures, and ensuring robust contractual and technical safeguards are in place before any transfer is made.

As Aristotle observed, the law is reason free from passion — and Rule 15, by granting the executive measured, principled control over cross-border data flows, attempts to bring exactly that reasoned governance to an inherently passionate subject: the flow of information in a connected world.


Site maintained by Advocate (Dr.) Prashant Mali for public interest in DPDPA awareness.
