    EU Authority blocks data transfer to India and the future of cross border transfers from the EU under the DPDP Act

    • 09.06.2025
    • By Suvarna Mandal and Sanchit Shrivastava
    Saikrishna & Associates

    Introduction

    • On 23rd April 2025, the European Data Protection Supervisor (EDPS), an EU authority, released its annual report, in which, under the ‘International Transfers’ section, it denied the request of the European Investment Bank (EIB) to transfer data, specifically contact details, to a number of non-EU countries including Brazil, India and Fiji. The brief reason stated by the EDPS in the said report was that there was not enough evidence and proof that these countries could guarantee the protection of individuals’ personal data in the same way that the EU does, otherwise known as an “essentially equivalent level of data protection” under the European Union’s General Data Protection Regulation (GDPR).
    • On 19th May 2025, a clarificatory statement was provided by the EDPS to a financial news agency stating that the denial of transfer to India was merely procedural, and not a verdict on the Digital Personal Data Protection Act, 2023 (DPDP Act). The EDPS further stated that the data controller (i.e. the EIB) could not demonstrate the presence of appropriate safeguards in accordance with the GDPR and accordingly recommended relying on “derogations” under the GDPR, which are exceptions allowed for occasional, low-risk data transfers.
    • The EDPS has therefore clarified that the denial of the EIB’s request to transfer data from Europe to India was based on the EIB’s failure to provide the necessary justification of the required legal safeguards, and also noted that it has not carried out an ‘adequacy’ assessment of India’s upcoming legal framework, the DPDP Act. In any case, such an assessment is the responsibility of the European Commission (Commission) and not the EDPS.
    • Chapter V of the EU GDPR regulates international transfer from the EU to third countries and/or international organisations. Chapter V has been built on the premise that protection accorded to personal data under the GDPR should travel with the data.
    • While this instance has been clarified, it does trigger an important discussion on whether the Commission will consider the DPDP Act framework satisfactory enough to pass muster for an ‘adequacy decision’ under the EU GDPR, thereby allowing easier data flow from the EU to India. If not, reliance will continue to be placed on the alternative modes of cross-border data transfer from the EU under the EU GDPR, i.e. Standard Contractual Clauses and Binding Corporate Rules.

    Mechanisms for international data transfer under the GDPR

    • The general principle under the GDPR pertaining to the transfer of data is to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined. Accordingly, any transfer of personal data which is undergoing any ‘processing’ or is intended for processing after transfer to a third country or an international organisation should only take place under one of the protective mechanisms set out in Chapter V. Overall, Chapter V places the following conditions to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined by such data transfers:
      • Adequacy decision under Article 45
      • Appropriate safeguards under Article 46, and
      • Derogations for specific situations under Article 49.
    • Under Article 45, data can be transferred to a third country where the Commission has issued an adequacy decision confirming that the country offers an adequate level of protection.
    • The adoption of an adequacy decision involves:
      • a proposal from the Commission;
      • an opinion of the European Data Protection Board;
      • an approval from representatives of EU countries;
      • the adoption of the decision by the Commission.
    • The Commission makes this decision based on various factors listed in Article 45(2) and 45(3) of the GDPR. These factors inter alia include the rule of law, respect for human rights, data protection rules, and international commitments the third country or international organisation concerned has entered into. While making this assessment, the Commission, in particular, must take into account the ‘effective and enforceable data subject rights’ for data subjects whose personal data are transferred. To date, fifteen (15) countries have been recognised by the Commission as providing an adequate level of protection. The effect of such a decision is that personal data can flow from the EU to the third country without any further safeguard being necessary.
    • In the absence of an adequacy decision, international data transfer may take place subject to the appropriate safeguards provided under Article 46 of the GDPR and “on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” The appropriate safeguards include binding corporate rules (BCRs) under Articles 46 and 47 and standard data protection clauses (SCCs) adopted by the Commission.
    • SCCs assure a GDPR-compliant data transfer to third countries with a non-adequate data protection level through model contract clauses that have been “pre-approved” by the Commission. On 4th June 2021, the Commission, in view of the Schrems II verdict, issued modernised standard contractual clauses under the GDPR for such data transfers. These SCCs are solely intended to provide contractual guarantees that apply uniformly in all third countries and consequently, independently of the level of protection guaranteed in each third country.
    • BCRs are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. These BCRs must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. BCRs require approval from the competent data protection authority in the EU that in turn must ensure the consistency mechanism set out in Article 63 of the GDPR.
    • Therefore, BCRs can only serve as a transfer tool within the data transfer of a group of companies, and single enterprises exporting personal data to non-adequate third countries can only use tools like SCCs for compliance with GDPR.
    • Lastly, in the absence of an adequacy decision and appropriate safeguards, the transfer of data may take place based on ‘derogations for specific situations’ set out under Article 49 of the GDPR. Article 49 lists specific derogations in sub-clauses (a) to (g), which include cases where the data subject has explicitly consented to the proposed transfer, the transfer is necessary for the performance of a contract, or the transfer is necessary for important reasons of public interest. These derogations are meant for occasional transfers and not routine exchanges.

    Mechanism for transfer under Indian law:

    • In India, the current regime of data protection is prescribed under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules). The SPDI Rules are rudimentary and rely heavily on consent and notice for collection, transfer and disclosure of personal data. The SPDI Rules are set to be replaced by the DPDP Act, which was notified in August 2023, but has not come into force yet.
    • As per the SPDI Rules, a body corporate can transfer (including cross-border transfers) personal information and sensitive personal data or information (such as password, financial information, sexual orientation etc.), after obtaining consent of the provider of information, unless such transfer is necessary for the performance of the contract between the body corporate or any person on its behalf and the provider of information.
    • The DPDP Act applies generally to the ‘processing’ of digital personal data. The term ‘processing’ is wide and is defined to mean wholly or partly automated operation or set of operations performed on digital personal data including inter alia ‘storage’, ‘use’, ‘sharing’, ‘disclosure by transmission’, ‘dissemination or otherwise making available’ the personal data. Accordingly, any transfer of personal data would qualify as ‘processing’ under the DPDP Act and would either be processed based on consent or non-consent (i.e., certain legitimate uses under Section 7 of the DPDP Act).
    • For cross-border transfer under the DPDP Act, the delegated legislation or ‘rules’ (which have not been introduced yet) will prescribe the countries that will be notified for restricted transfer of data outside India. The extent of these restrictions is not clear at this stage and will likely be prescribed through the rules themselves. Further, sectoral laws pertaining to data localisation or restrictions on the transfer of data must also be followed. Accordingly, sectoral regulations on data transfer restrictions or data localisation requirements, such as the RBI Directive on Data Localisation, will continue to apply to the sectors they regulate.
    • The EDPS also stated that “given the limited volume and the occasional character of the envisaged transfers, the EDPS recommended considering the use of derogations to carry out such transfers, decision that is ultimately taken by the controller.” Further, the EDPS said that it is currently not engaged in adequacy talks with India. If, in the future, it is consulted by the European Commission on a draft adequacy decision in relation to India, the opinion will focus on the assessment of both the general GDPR aspects of the draft decision, as well as on the access by public authorities of India to personal data transferred from the European Economic Area (EEA) for law enforcement and national security. This will further include legal remedies available to individuals in the EEA.

    Future of data transfer from the EU to India

    • While the EDPS decision in this particular instance (i.e. the EIB’s request) appears to be limited to the lack of the necessary justifications and safeguards provided by the EIB, it does trigger the question on whether India can meet the necessary standard on “essential equivalence” under the GDPR.
    • The EDPS in its follow up statement said that it is currently not engaged in adequacy talks with India. As noted above, if, in the future, it is consulted by the Commission on a draft adequacy decision in relation to India, the opinion will focus on the assessment of both the general GDPR aspects of the draft decision, on the access by public authorities of India to personal data transferred from the EEA for law enforcement and national security, and legal remedies available to individuals in the EEA.
    • This raises concerns on whether the DPDP Act can offer the framework the EU trusts. The key considerations under the DPDP Act that may pose issues for adequacy assessments by the Commission are summarised below:
      • Access of public authorities to personal data – The DPDP Act provides broad exemptions to the State and its instrumentalities under Section 17 and does not provide any measures for review or necessary safeguards.
      • The Data Protection Board of India and its independence – The appointment and management of the Board will be carried out by the central government thereby sparking concerns about its independence.
      • Cross border transfers – The DPDP Act has not provided details on the necessary safeguards for transfers of personal data from India to outside India. There are also no measures provided for cross border transfer to territories or countries that may be restricted by the government.
      • Enforcement of Data Principal Rights – The DPDP Act requires the Data Principal to first exhaust the grievance redressal mechanism provided by a Data Fiduciary before raising a complaint before the Board. Additionally, the Board can also impose penalties on the Data Principal for false and fraudulent complaints. This raises concerns on the effectiveness of the DPDP Act to enforce Data Principal rights.
      • Lack of precedents – The Commission must also examine case law pertaining to effective administrative and judicial redress for the data subjects whose personal data are being transferred, which at the moment is not available.
    • Unless the above issues, amongst others, are addressed, India will continue to be outside the purview of jurisdictions that ‘ensures an adequate level of protection’. This in effect is a roadblock to businesses in India that want to partner with European companies. Taking necessary efforts in due time to meet the necessary requirements of an adequacy decision will help facilitate safe and free data flows thereby promoting business between India and the EU.

    * The contents of this blog reflect the personal opinions of the author(s) and should not be construed as the views or any endorsement of any particular legal or policy position by the Firm.

    This article was originally published on Saikrishna & Associates