Navigating India-EU Data Transfers: DPDPA, GDPR, and the Quest for Adequacy
India's DPDPA marks a significant step towards GDPR alignment, but an EU adequacy decision is not yet granted. Businesses transferring personal data between the EU and India must continue to rely on mechanisms like Standard Contractual Clauses (SCCs). Key hurdles remain, particularly the independence of India's Data Protection Board and the scope of government access to data. This insight outlines the current legal landscape, practical compliance steps, and unresolved questions for businesses.
What Changed
The enactment of India's Digital Personal Data Protection Act (DPDPA), 2023 has initiated a formal assessment of its equivalence to the EU's GDPR. While no adequacy decision has been granted, high-level discussions between India and the EU are underway. This has created a critical need for businesses to understand the points of convergence and divergence between the two laws to manage current compliance obligations for cross-border data transfers while preparing for a potential future adequacy framework.
What the Law Actually Says
Under Article 45 of the GDPR, the European Commission can determine that a third country provides an 'adequate' level of data protection, allowing personal data to flow from the EU to that country without further safeguards. The assessment considers the rule of law, existence of an independent supervisory authority, and enforceable data subject rights. The DPDPA establishes rights for Data Principals (e.g., access, correction, erasure) and obligations for Data Fiduciaries. However, it also includes broad exemptions for government processing and establishes a Data Protection Board that operates under the Ministry of Electronics and Information Technology, raising questions about its independence compared to EU Data Protection Authorities.
What Businesses Should Do Now
Until an adequacy decision is granted, organizations must manage EU-to-India data transfers using existing GDPR mechanisms.
For European companies transferring data to India:
- Use Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for all transfers of personal data to Indian entities, including subsidiaries and vendors.
- Conduct a Transfer Impact Assessment (TIA) that specifically evaluates the supplementary measures needed to address risks, particularly concerning government access to data in India.
- Ensure Data Processing Agreements (DPAs) with Indian counterparts explicitly incorporate GDPR requirements and SCCs.
For Indian companies processing personal data of EU residents:
- Implement a dual compliance strategy. Adhere to the DPDPA for all personal data, but apply the higher GDPR standards to any EU data being processed.
- Be prepared to sign and comply with SCCs provided by your European partners.
- Include a precedence clause in contracts specifying that GDPR/SCC obligations prevail in case of any conflict with local law.
- Conduct a gap analysis to identify and address areas where GDPR is more stringent than the DPDPA, such as rules on automated decision-making and children's data.
What Is Still Uncertain
Several significant issues remain unresolved, creating uncertainty around the timeline and likelihood of an EU adequacy decision for India. Key open questions include:
- Independence of the Data Protection Board (DPB): Will the DPB's structure, which reports to a government ministry, meet the GDPR's stringent requirement for an independent supervisory authority?
- Scope of Government Access: The DPDPA provides broad exemptions for government processing for national security and other functions. It is unclear if these exemptions and the lack of explicit judicial oversight requirements will be acceptable to the EU.
- Enforcement and Remedies: The DPDPA's penalty structure and mechanisms for data principal compensation are less severe than GDPR's. Whether these are considered 'essentially equivalent' is an open question.
- Official Timeline: There is no official timeline for an adequacy decision. Informed estimates suggest a formal assessment might not conclude before 2027-2029, and the outcome could range from full adequacy to a deferred decision pending legislative changes in India.
Top Mistakes to Avoid
Organizations navigating DPDPA and GDPR compliance for India-EU data flows should avoid these common mistakes:
- Assuming DPDPA Compliance Equals GDPR Compliance for Transfers: Simply complying with the DPDPA is insufficient for legally receiving personal data from the EU. Until an adequacy decision is in place, GDPR-mandated transfer mechanisms like Standard Contractual Clauses (SCCs) are non-negotiable.
- Neglecting Supplementary Measures in Transfer Assessments: A common error is to execute SCCs without properly assessing and documenting the need for supplementary technical and organizational measures (e.g., end-to-end encryption) to protect data from potential government access in India.
- Treating the Data Protection Board as an Independent DPA: Mistaking the Indian Data Protection Board for an independent authority equivalent to an EU Data Protection Authority can lead to flawed risk assessments. Its quasi-judicial nature and reporting line to a government ministry are key points of divergence.
- Awaiting an Adequacy Decision Before Acting: Delaying the implementation of robust transfer mechanisms in the hope of an imminent adequacy decision is a significant compliance risk. Businesses must operate based on the current legal reality, which requires SCCs or BCRs.