Originally published on AI Tech Connect.
What builders need to know before touching the router India's DPDP Act does not mandate blanket localisation. Section 16 is a negative list — transfers are allowed to every country except those the Central Government blacklists by notification, and as of July 2026 no such list has been notified. The sharp edges are elsewhere: sectoral rules (the RBI's payment-data directive) and a DPDP Rules, 2025 power to pin specified data categories inside India for Significant Data Fiduciaries. UK GDPR and EU GDPR care about the mechanism, not the postcode. Neither requires data to stay home; both require a lawful transfer route — adequacy, SCCs (plus the UK Addendum) or the ICO's IDTA, or BCRs — and evidence that the destination actually matches the paperwork. At-rest residency and in-region…
Top comments (0)