Author : Tanusha Tyagi

Published on Jun 18, 2025

As India pushes to be a global data hub, the EDPS’s cautious stance underscores how implementation gaps in the DPDPA risk undermining international confidence.

The Adequacy Dilemma: India's DPDPA and the GDPR

In April 2025, the European Data Protection Supervisor (EDPS) disclosed that it had declined a request by the European Investment Bank (EIB) in February 2024 to transfer contact data to India, citing concerns over the adequacy of India’s data protection framework. While the EDPS has clarified that its stance was not a judgment on India’s Digital Personal Data Protection Act, 2023 (DPDPA/the Act), the decision raises concerns about India’s data protection framework.

This article critically examines the EDPS decision to restrict data transfers to India and uses it to assess the broader concerns about India’s data protection regime. Instead of mimicking the European Union (EU) model, the piece highlights why India must strengthen its own framework.

Understanding the EDPS Ruling

The EDPS, the EU’s independent privacy authority for its institutions, took a cautious stance in its 2024 Annual Report. It refused a request by the European Investment Bank (EIB) to transfer contact details of external stakeholders to India, alongside Brazil, Türkiye, and Fiji. It cited a lack of ‘sufficient evidence and proof’ which would show that personal data would be protected at a level equivalent to the EU’s General Data Protection Regulation (GDPR).

The message was clear: under the current Indian framework, routine personal data transfers from the EU may not yet meet GDPR’s strict compliance thresholds. However, this reflects a difference in legal frameworks, not a lack of strength in India’s law itself.

As a backup measure, the EDPS has recommended permitting transfers under limited derogations, such as public interest or legal claims. However, these are intended for exceptional situations, not regular or systemic transfers.

A Comparative Lens on India and the EU’s Data Governance Approach

India’s data protection framework, as laid out in the DPDPA 2023, marks a significant milestone in establishing a dedicated framework for personal data governance.

While DPDPA is not India’s first attempt at data protection, it is the most comprehensive so far. The law reflects India’s distinct priorities, owing to the country’s more socially diverse and economically stratified society, in comparison to the EU. However, as India increasingly positions itself as a trusted data hub, certain structural and procedural elements of the DPDPA merit strengthening.

One of the most significant differences between India’s DPDPA and the EU’s GDPR lies in how they treat government access to personal data. Under Section 17(2) of the DPDPA, the Central Government may exempt any instrumentality of the State from the application of the law on broad grounds such as sovereignty, security, integrity, public order, and preventing incitement. The Act does not provide for any independent oversight, necessity or proportionality tests, or judicial review of such exemptions. In contrast, under Article 23 of the GDPR, exemptions from data subjects’ rights for reasons such as national security must be ‘necessary and proportionate’ and subject to appropriate safeguards. Such unchecked exemptions within DPDPA risk enabling opaque data practices by state agencies, weakening accountability and public trust in the data governance regime.

Another key concern is the absence of a structurally independent regulatory authority. While the DPDPA’s Data Protection Board is established under Section 19, the Central Government retains full control over the appointment of its members, as well as their service conditions and procedural rules. This differs markedly from the GDPR’s requirement under Article 52 that supervisory authorities be ‘completely independent’ in performing their tasks. The EU data protection bodies are accountable to parliaments or courts, not to executive governments, a safeguard seen as essential to impartial enforcement.

Policy experts have raised concerns about such centralisation of appointment powers and lack of operational clarity, which may compromise the Board's autonomy and effectiveness. Experts have highlighted that such centralisation of power may undermine the credibility of the regulatory framework, especially when compared to international standards that emphasise independent oversight. These structural issues suggest that without genuine independence, the Data Protection Board may struggle to enforce the DPDPA impartially. Drawing on international frameworks could help in this respect.

Even in areas where individual rights are formally recognised, the lack of implementation and clarity under India’s DPDPA weakens their practical utility. While the DPDPA grants users the right to access, correct, and erase personal data under Articles 11 and 12, these rights are qualified by the phrase “as may be prescribed,” meaning they depend entirely on yet-to-be-notified DPDPA rules. In contrast, GDPR rights under Articles 12 to 23 are immediately operable and backed by clear procedures, including defined timelines for response.

Moreover, the Draft DPDP Rules make it cumbersome for users to exercise their rights embedded in the DPDPA. To access or delete their data, users must provide specific identifiers, including customer IDs, application references, or license numbers. In contrast, the GDPR allows individuals to exercise their data rights without needing to provide such specific identifiers, placing the onus on data controllers to identify and respond to requests appropriately.

This requirement under Draft DPDP Rules could pose practical challenges for individuals, especially if they are unaware of these identifiers or have difficulty retrieving them. It would also impose an unnecessary burden on them to be responsible for their data.

Additionally, almost two years after its enactment, the DPDPA remains non-functional. The Data Protection Board has not yet been constituted, grievance redressal procedures have not been notified, and frameworks for consent managers and child data processing are pending. Without these operational components, the statutory rights and duties envisioned under the Act cannot be enforced in practice.

Finally, the DPDPA provides certain limitations vis-à-vis a data principal’s right to delete personal data. Section 17(4) states that individuals may not request deletion of their personal data where it has been processed by a government entity for the provision of a subsidy, benefit, certificate, license, or permit. In other words, if a government entity uses personal data to provide a service or entitlement, individuals cannot request its deletion.

This is a significant restriction, as it removes user control over a substantial volume of government-held data. While the GDPR permits exceptions to the right of erasure, these are allowed only under strict conditions. Under Article 23 of the GDPR, such limitations are permitted only if they are necessary and proportionate, requiring the government to demonstrate that such restriction is justified to protect the public interest, national security, or other legal obligations. These exceptions are not allowed on broad or vague grounds.

The Road Ahead for India’s Data Law

India’s data protection framework was designed with the socio-economic realities of its economy in mind. It does not aim to replicate the EU’s General Data Protection Regulation (GDPR), nor should it. The DPDPA marks a crucial step in India’s journey towards a structured and accountable data governance regime. It reflects the ambition to balance innovation, user rights, and India’s intention towards building a rapidly digitising economy.

However, despite its passage, the Act remains unimplemented, with many of its core provisions dependent on Rules that are yet to be notified. This regulatory vacuum, rather than any inherent flaw in the law’s intent or architecture, may explain why institutions such as the EDPS have expressed reservations about India’s adequacy in handling cross-border data transfers.

The EDPS decision signals a growing global expectation for clearly defined safeguards, institutional independence, and operational transparency, particularly when personal data crosses borders. In this context, India’s broad statutory language, limited clarity on procedural safeguards, and the absence of an independent data protection authority raise valid concerns. The lack of implementation only amplifies these gaps, making it difficult for international partners to assess the law’s effectiveness in practice.

To shift these perceptions and build global trust, India must urgently move to operationalise the DPDPA through timely and consultative rulemaking.


Tanusha Tyagi is a Research Assistant with the Centre for Digital Societies, Observer Research Foundation.

The views expressed above belong to the author(s).
