legalanswers.in logolegalanswers.in
Technology & Future Law

Can I store Indian user data outside India?

Updated · 6 July 2026

Generally yes — the DPDP Act, 2023 permits cross-border data transfer to most countries (except notified 'negative list'). But sector-specific rules (RBI, SEBI, telecom) impose stricter localisation requirements.

What does the DPDP Act, 2023 say about cross-border transfers?

Section 16 of the DPDPA, 2023 creates a relatively liberal cross-border framework — a significant shift from earlier drafts.

Transfer is permitted to all countries by default. Unlike GDPR's 'adequacy decision' approach, the DPDPA permits transfer to any country except those specifically prohibited. The Central Government may, by notification, restrict transfer to certain countries via general or specific notification — the 'negative list' approach. As of early 2026, no negative list has been published. Existing sectoral rules — RBI, SEBI, telecom, insurance localisation requirements — continue to apply in full force; DPDPA does not override them.

Data Principals must give consent for processing including cross-border transfer. Data Fiduciaries must ensure adequate security in the destination country, maintain contractual safeguards with the processor, report breaches even where data was abroad, and demonstrate accountability. Significant Data Fiduciaries — notified categories likely to include large platforms, financial services and healthcare — face additional obligations: Data Protection Impact Assessment (DPIA), periodic audits, a Data Protection Officer in India, and possibly further restrictions in some categories.

Government access: the government can access data of any Data Fiduciary regardless of location, and this breadth has attracted criticism. The DPDPA's overall balance is pro-localisation through sectoral rules and negative list power, but pro-flow through default permissive cross-border transfer. Actual implementation will depend on Rules and Notifications — many still awaited as of early 2026.

What does RBI's payment data localisation require?

The RBI circular of 6 April 2018 on Storage of Payment System Data is one of India's strictest data localisation regimes.

Coverage extends to all Payment System Operators, banks providing payment services, payment aggregators and gateways (PayU, Razorpay, Stripe India), card schemes (Visa, Mastercard, RuPay, Amex), wallets (Paytm, PhonePe, Mobikwik, Amazon Pay), UPI Payment Service Providers, and ATM operators.

What must be stored in India: end-to-end payment transaction details, including customer details, payment data and sensitive customer data — all data 'collected / carried / processed' for or in connection with payment systems. Foreign processing is allowed only if data is stored in India, if data processed abroad is returned to India and stored within 24 hours, and if foreign copies are deleted.

Compliance requires a System Audit Report from a CERT-IN empanelled auditor, annual confirmation to RBI, and internal audit committee review. Non-compliance can lead to operating licence cancellation or suspension, variable monetary penalties, public listing of non-compliant entities, and restrictions on adding new customers. Multiple foreign players have faced restrictions — American Express was temporarily restricted in 2021 and others have come under scrutiny.

Practical challenges include card networks needing to process Indian transactions within India, cloud services needing Indian regions for payment data, and cross-border transactions creating complexity that RBI clarifications continue to address. For payment fintechs, RBI compliance is a top priority — engage a reputable, specialised RBI / fintech lawyer.

How is data localisation enforced for different sectors?

Data localisation obligations vary sharply by sector.

Banking and payments (RBI): payment data faces strict localisation under the 24-hour return rule; banking customer data is primarily kept in India under various RBI guidelines; and the Master Direction on outsourcing requires due diligence on foreign service providers. Securities and insurance (SEBI, IRDAI): SEBI's Cybersecurity Framework applies to intermediaries, sensitive client data of brokers, mutual funds and AIFs must be in India, and IRDAI requires policyholder data in India. Telecom (TRAI / DoT): Customer Acquisition Form data, Call Detail Records and metadata must be in India, and lawful interception requires Indian storage.

Healthcare: proposed Digital Health Data Rules are phasing in patient data localisation, and the Ayushman Bharat Digital Health Mission emphasises India storage. Government and defence: classified information cannot leave India, government cloud services must be Indian-based (MeghRaj), and defence data faces the strictest controls. Aadhaar (UIDAI): the Aadhaar database is exclusively in India under the Aadhaar Act, 2016 — even partial replication abroad is prohibited.

E-commerce: the Consumer Protection (E-Commerce) Rules, 2020 create an implicit India requirement for customer transaction records. OTT / VOD / social media have no specific localisation requirement currently, though IT Rules 2021 require Chief Compliance Officer and Grievance Officer in India for significant intermediaries — the future Digital India Act may impose stricter requirements. PMLA-specific products cover customer due diligence records and crypto exchanges under FIU-IND requirements (see our crypto guide).

Multi-sector businesses need layered compliance. Engage a reputable, specialised data privacy / IT lawyer with experience in your specific sectors.

What are 'Significant Data Fiduciaries' under DPDPA?

Section 10 of the DPDPA, 2023 creates a tier of Significant Data Fiduciaries (SDFs) subject to enhanced obligations. The Central Government will notify categories based on the volume and sensitivity of personal data processed, risk to Data Principals' rights, potential impact on the sovereignty, integrity or security of India, risk to electoral democracy, and public order.

Expected SDF categories, based on global trends and policy signals, include large social media platforms (Meta, X, YouTube, LinkedIn, Snap), e-commerce giants (Amazon, Flipkart), financial services aggregators, healthcare data processors, EdTech platforms, search engines, and specific government-facing platforms.

Additional obligations for SDFs under Section 10: a Data Protection Officer based in India, senior in role and reporting to the Board of Directors, serving as the primary contact for the Data Protection Board and functioning independently; an Independent Data Auditor conducting periodic compliance audits and reporting to the DPB; a Data Protection Impact Assessment for high-risk processing, identifying risks and mitigations and submitted to the DPB. Further prescribed measures may include specific consent flows, algorithm transparency, verification requirements, cross-border transfer restrictions and annual transparency reports.

Penalties: up to ₹250 crore for serious breaches, with lower penalties for procedural non-compliance. Rules notifying SDFs and detailed obligations are awaited as of early 2026 — watch MeitY notifications. Engage a reputable, specialised data privacy lawyer for SDF readiness.

What practical steps should my company take for India data compliance?

India data compliance runs in eight moving parts — build them together rather than layer by layer.

Data inventory: map all personal data collected, processed and stored; identify categories (personal, sensitive personal, financial, health); document flows from collection through processing, storage, sharing and deletion; identify cross-border transfers; and map sectoral data (payment, telecom, health) requiring localisation. Legal basis for processing: under DPDPA, primarily consent (Section 6) or 'legitimate uses' (Section 7). Consent must be free, specific, informed, unconditional, unambiguous, given by clear affirmative action, and withdrawable — in clear, easy-to-understand language. Children's data (under 18) requires verifiable parental consent.

Infrastructure: use Indian cloud regions — AWS Mumbai / Hyderabad, Azure Mumbai / Pune / Chennai, GCP Mumbai / Delhi, IBM, Oracle — for India-residency requirements; database geo-tagging; data classification; access controls; and encryption at rest and in transit. Policies and procedures: privacy policy in plain language, data retention policy, data breach response plan, data subject request workflow (access, correction, erasure under DPDPA), grievance redressal with a named officer, and vendor management (especially for foreign vendors).

Organisational structure: DPO (mandatory for SDFs, recommended for all), privacy training, privacy-by-design in product development, and periodic compliance audits. Documentation: records of processing activities, consent records, DPIA reports for high-risk processing, vendor contracts with privacy clauses, and incident logs. Customer-facing tools: easy consent management, data access request portal, right-to-erasure mechanism, and prominently displayed grievance officer contact.

Cross-border transfer measures: Standard Contractual Clauses with foreign processors, adequate technical safeguards, avoidance of 'negative list' countries once notified, and documented legal basis for each transfer. Engage a reputable, specialised data privacy / IT lawyer for end-to-end compliance design. See our related data breach rights guide.

Reference Citation: DPDP Act, 2023; RBI Directions on Storage of Payment System Data, 2018; sector-specific guidelines (SEBI, IRDAI, TRAI)

Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.