A Curious Case of EDPS’s Refusal
India’s Data Protection Landscape and Cross-Border Transfers
**Priyansh Jain
Introduction
In its annual report for 2024, the European Data Protection Supervisor (EDPS) disclosed that it had rejected the European Investment Bank (EIB)’s request to transfer personal data to India, among various other countries. According to the data watchdog, the decision was based on the absence of definitive evidence that India offers an “essentially equivalent level of data protection,” a prerequisite for cross-border data transfers under the European Commission (EC)’s General Data Protection Regulation (GDPR).
The EDPS, in turn, recommended that EIB rely on the ‘fall-back mechanism’ of derogation, provided under Article 49 of the GDPR. The provision allows for data transfers, in the absence of adequate safeguards, if specific conditions are met. In the present case, the transfer was permitted under Art. 49(1)(d), which allows such a derogation when serving important reasons of public interest.
This blog piece, while examining the feasibility of relying upon such derogations under the GDPR, explores the potential rationale behind the EDPS’s decision and what it means for the future of cross-border data transfers between the EU and India. It further analyses the role of Standard Contractual Clauses (SCCs) as a prevalent mechanism in the absence of ‘adequacy’. Through a comparative analysis, the piece highlights gaps in India’s data protection landscape and considers how Indian courts have contributed to sustaining the regulatory status quo in the aftermath of the Puttaswamy and Aadhaar judgments. Lastly, building on this backdrop, the blog offers a way forward to facilitate compliant data transfers between the two jurisdictions.
Why did EDPS refuse the data transfer?
The annual report offers little basis for meaningfully examining the rationale behind the EDPS’s refusal. It is unclear how the EDPS concluded that there is not enough evidence to support India’s adequacy under Art. 46 of the GDPR. The article allows for the transfer of personal data to a country, a sector within the country or an international organisation in the absence of an adequacy decision of the EC under Art. 45. As the vast majority of countries and organisations do not have their own adequacy decision, Art. 46 contributes to enabling global data flows, provided that “enforceable data subject rights and effective legal remedies for data subjects are available.”
A potentially simple explanation for the EDPS’s stance is that while the Digital Personal Data Protection Act 2023 (DPDP Act) has been enacted, it is not yet in force. The Digital Personal Data Protection Rules 2025 have also not yet been implemented. This legal limbo may well have contributed to the denial, as it remains unclear how the Act’s safeguards and remedies could be enforced in practice. The conundrum, however, also opens up a more constructive opportunity to engage in a comparative analysis that critically examines India’s data protection framework.
The annual report lists Brazil, Türkiye, and Fiji, alongside India, among the countries where data transfers were denied. The following table attempts to map and analyse the data protection legislation of each of these countries, using two indicators derived from Art. 46’s requirement that “enforceable data subject rights and effective legal remedies” be available: (i) the extent of exemptions from obligations placed by the legislation and (ii) the existence and independence of a redressal data protection body. By looking for similarities across these countries, this analysis explores whether provisions adversely affecting privacy obligations or access to remedies, such as expansive surveillance powers, may have influenced the EDPS’s decision.
| Country | Legislation | Exemptions | Data Protection Body |
|---|---|---|---|
| India | DPDP Act 2023 | The Act provides for extensive and vague exemptions for any “instrumentality of the State” in the interests of sovereignty, public order, security, friendly relations with foreign states, etc. The state also has the power to exempt certain Data Fiduciaries or a class of Data Fiduciaries, such as a startup, from certain obligations. Law enforcement is also exempted from obligations to prevent, detect, investigate, or prosecute any offence. | The Data Protection Board of India shall be comprised of a chairperson and other members, as appointed by the central government. The government can disqualify any member, including when they are convicted of an offence, which, in its opinion, involves “moral turpitude.” This has an adverse impact on the autonomy of the body. |
| Brazil | Lei Geral de Proteção de Dados Pessoais or Brazilian General Data Protection Law 2018 | The Law does not apply if processing of personal data is done exclusively for purposes of public safety, national defence, state security, or activities of investigation and prosecution of criminal offences. The Law provides that processing data in such cases “shall be governed by specific legislation.” However, in the absence of such legislation, there is relative legal uncertainty about protection and the rights of the data subject under the exceptions. | The autonomy of the Autoridade Nacional de Proteção de Dados, or the National Data Protection Authority, has historically been a source of conflict. However, as of now, the body consists of a Board of Directors, among other offices. The board shall be chosen and appointed by the President, after approval by the Senate. The directors can be disqualified by an unappealable judicial conviction or a dismissal penalty as a result of disciplinary administrative proceedings by a special commission composed of “stable federal public servants.” |
| Türkiye | Kişisel Verilerin Korunması Kanunu or Turkish Personal Data Protection Law 2016 | The Law exempts “public institutions and organisations” from obligations for preventive, protective and intelligence activities to maintain national defence, national security, public security, economic security, etc. It also excludes judicial authorities and law enforcement, such as the National Intelligence Organisation, from its scope. While there are certain safeguards provided for such exemptions, they are rather fragmented. Human Rights Watch has previously criticised access to information by the Turkish intelligence organisation for the lack of protection of privacy and data rights. | The EC has at various instances expressed dissatisfaction with the functioning and independence of the Kişisel Verileri Korunma Kurumu or the Turkish Personal Data Protection Authority. The board consists of nine members, five of whom are elected through the National Assembly of Türkiye, and the others are to be nominated by the President. |
| Fiji | There is no specific law governing data protection in Fiji. | N/A | N/A |
The table reasonably suggests that similar concerns over broad exemptions from data protection obligations and the disputable autonomy of the supervisory authorities across the listed countries may have influenced the EDPS’s denial. A growing lack of institutional trust in the face of expansive surveillance powers in these countries makes the concerns more pertinent. For instance, back in 2022, companies such as Proton withdrew servers from India in response to the ‘regressive surveillance’ directive requiring Virtual Private Network providers to collect and store user data such as names and IP addresses for up to five years. Then IT minister Rajeev Chandrasekhar blatantly dismissed the criticism, stating, “[if] you don’t want to go by these rules, if you want to pull out, then frankly you have no other opportunity but to pull out.”
The courts have done little to ease this distrust. In India in particular, the Supreme Court in the Puttaswamy and Aadhaar judgments broadly derived a test requiring every rights-infringing measure to satisfy the following contours: (a) legality, (b) legitimate goal, (c) suitability and (d) necessity. However, the ability of this robust doctrinal test to constrain data abuse depends on how rigorously courts are willing to enforce it, something that has often been found wanting. In a surprising ruling last month, an Indian court issued a mandamus disproportionately directing the government to initiate proceedings under Section 69A of the Information Technology Act 2000 (IT Act) to block privacy-forward Proton Mail just because it was used to send obscene, AI-generated emails to employees of the aggrieved company.
Lastly, a more relevant concern is how the redressal mechanism under the DPDP Act will practically pan out. To draw parallels, the mechanism under the IT Act is notoriously disproportionate and opaque. Recently, Indian authorities blocked access to the news website over a sub-page without convening the mandated Inter-Departmental Committee or offering the company a chance to present its case, as required under the IT Act and the IT (Procedure and Safeguards for Blocking of Access of Information by the Public) Rules 2009.
Are derogations a feasible alternative?
Given the concerns that appear to underlie the EDPS’s refusal to permit data transfers to India and similarly placed countries, it becomes imperative to examine what alternative compliant pathways remain available under the GDPR to sustain the data flow between two important trade partners in the globalised economy.
In the present case, the EDPS recommended that EIB rely on derogations under Article 49 of the GDPR. However, it noted that the recommendation was made considering the “limited and occasional nature” of the transfer. Derogations as a ‘fall-back mechanism’ are a ‘last-resort basis’ for data transfer and can only be used for legitimate interests on an exceptional basis. Being subject to strict interpretation, derogations can be used only when the transfers are not repetitive and concern a limited number of data subjects. As such, it is not feasible for a developing country like India to rely on such a tool for all its cross-border data transfer needs.
Are Standard Contractual Clauses a viable solution?
The EDPS’s refusal has naturally sparked some concerns about whether the SCCs’ framework is viable going forward. SCCs are essentially a mechanism under Art. 46 of the GDPR to transfer data in the form of clauses between the data exporter and importer that legally bind them to safeguard data subject rights, ensuring that protections ‘equivalent’ to GDPR travel with the data.
However, they do not operate in a vacuum. They are not intended to function as a workaround to dilute the high standards of protection guaranteed under the GDPR. The Court of Justice of the European Union, in its landmark Schrems II judgment, held that SCCs must be assessed in light of the data protection laws in the importer’s jurisdiction. If those laws undermine the effectiveness of the protection envisioned by the SCCs, then their mere use is insufficient. In India’s case, the broad government exemptions and concerns about the independence of the Data Protection Board raise serious questions. The judgment further held that in such cases exporters are required to implement “supplementary measures” to fill the gaps in the protection and bring it up to the level required by the GDPR. However, given that exporters are unsure about how the DPDP Act will practically pan out, the gaps make it difficult to ensure that SCCs can be relied upon to provide consistent and enforceable rights to data subjects. Data exporters must engage in a case-by-case examination until significant reforms materialise in India’s data protection landscape.
Conclusion & Way Forward
Data diplomacy is a two-way street. The EDPS’s disclosure about its refusal to permit the transfer of personal data raises serious concerns about the data protection landscape of India. If the country seeks to leverage its growing digital economy, it must critically reassess the safeguards and redressal mechanisms embedded in the DPDP Act. Until it does so, the country cannot rely on derogations for periodic and large-scale transfers. The feasibility of SCCs is also uncertain, as exporters can only assume, and take limited measures to ensure, that protection equivalent to the GDPR travels with the data.
Looking ahead, India could also explore avenues for deeper bilateral cooperation or a formal treaty to enable compliant data flows between the jurisdictions. Curiously, Brazil appears to be doing so. However, for such efforts to succeed, India must improve institutional trust through demonstrable commitments to data rights. The constitutional courts must take a proactive approach in achieving this. Only through comprehensive steps, while ensuring the Puttaswamy and Aadhaar judgments are followed, can India position itself as a trustworthy partner in the global data ecosystem.
**Priyansh Jain is a second-year law student at Rajiv Gandhi National University of Law
**Disclaimer: The views expressed in this blog do not necessarily align with the views of the Vidhi Centre for Legal Policy.