Lawful Legal

Cross-Border Data Transfer under the DPDP Act vs. GDPR: A Comparative Legal Study

Author: Unnati Parati, Manikchand Pahade Law College, Chh. Sambhajinagar

ABSTRACT
Cross-border data transfer has become a crucial issue in the digital economy. As companies expand globally, data frequently moves across national boundaries, raising concerns about privacy, security, compliance, and state surveillance. India recently enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), while the European Union’s General Data Protection Regulation (GDPR) is considered the world’s strongest data protection law.
This article compares how both laws regulate international data flow, the safeguards they impose, the rights of data principals/subjects, and the obligations of data fiduciaries/controllers. The study highlights similarities, key differences, and points that a corporate or legal practitioner must understand while handling global data transfers.

PROOF & AUTHORITIES (Statutory basis)
DPDP Act, 2023 – Sections related to data transfer, government notifications, data fiduciary obligations, security safeguards.

GDPR (EU Regulation 2016/679) – Articles 44–50 governing cross-border transfers, adequacy decisions, Standard Contractual Clauses (SCCs).

International instruments – OECD Privacy Guidelines, EU–US Data Privacy Framework (reference context only).

TO THE POINT (MAIN ARTICLE)

1. Introduction
In today’s digital world, personal data travels across borders through cloud services, social media platforms, fintech apps, e-commerce, multinational companies, and digital payment systems. Therefore, regulating the movement of such data becomes necessary to protect privacy and prevent misuse.
India’s DPDP Act aims to create a “trust-based, accountability-driven” digital framework, whereas the GDPR focuses on a “rights-based, highly-regulated” privacy model. Both regulate cross-border transfers but follow different philosophies.

2. Basic Concepts Before Comparing
What is Cross-Border Data Transfer?
When personal data leaves the country where it was originally collected and gets stored/processed in another country, it is known as a cross-border transfer.
Example:
An Indian user uploads photos on Instagram → Data is sent to servers in the US → This is a cross-border transfer.
Why regulate it?
To prevent surveillance by foreign governments

To ensure adequate protection outside the home country

To maintain legal accountability

To protect individuals’ privacy rights

3. Cross-Border Data Transfer Under the DPDP Act (India)
The DPDP Act adopts a “Government-Controlled Allowlist Approach.”
This means: India will allow data transfer only to those countries that the Central Government notifies as trusted.
Key Features
3.1 No blanket ban
The Act does not ban cross-border transfers. Instead, the government will create a list of “permitted countries.”
3.2 Government to notify ‘Trusted Countries’
India will decide which countries provide adequate data protection.
If a country is not on the list → transfer not allowed.
3.3 Based on diplomatic and security considerations
India’s decision may consider:
National security
Data protection standards

Bilateral agreements

Cybersecurity concerns

This gives the central government strong discretionary power.
3.4 Obligations on Data Fiduciaries
A company transferring data abroad must:
Get valid consent

Ensure reasonable security safeguards

Conduct due diligence while selecting processors

Inform users about data transfer
3.5 Sensitive data treated the same as personal data
Unlike the old PDP Bill or GDPR, DPDP does not create special categories for sensitive data.
All digital personal data is treated uniformly.

4. Cross-Border Data Transfer Under the GDPR (European Union)
The GDPR uses a “Rights-Based, Multi-Layered Safeguard System.”
Transfers outside the EU/EEA are permitted only when adequate protection exists.
4.1 Adequacy Decisions (Article 45)
The European Commission evaluates if a foreign country’s laws provide “essentially equivalent protection.”
If yes → data can flow freely.
Countries with adequacy decisions include Japan, UK, Switzerland, Canada, South Korea (as of current EU decisions).
4.2 Appropriate Safeguards (Article 46)
If there is no adequacy decision, companies must use:
Standard Contractual Clauses (SCCs)

Binding Corporate Rules (BCRs)

Codes of Conduct + Certification

4.3 Derogations (Article 49)
In exceptional cases, transfers are allowed:
Explicit consent

Performance of a contract

Important public interest

Legal claims
4.4 Schrems Case Impact
The Schrems I and Schrems II rulings by the CJEU invalidated earlier EU–US data-sharing frameworks because of concerns over US surveillance practices. These decisions highlight how firmly the GDPR prioritises privacy and strict compliance in cross-border data transfers.

5. Key Differences

5.1 Philosophical Difference
DPDP Act (India)                        | GDPR (EU)
State-controlled model                  | Rights-centric model
Executive decides permitted countries   | Independent supervisory authority involvement
Focus on digital economy and innovation | Focus on individual rights and privacy

5.2 Mechanism of Transfer
Factor                  | DPDP Act                              | GDPR
Transfer Basis          | Government-approved countries only    | Multiple mechanisms: adequacy, SCCs, BCRs
Flexibility             | Limited                               | High
User Rights             | Moderate                              | Extensive (right to restriction, erasure, portability)
Data Protection Officer | Only for significant data fiduciaries | Mandatory for many entities

5.3 Sensitive Data Approach
GDPR: Special protection for sensitive data (health, biometrics, sexual orientation).
DPDP Act: No separate category; uniform treatment.

5.4 Compliance Burden
DPDP: Moderate, simpler obligations, industry-friendly.
GDPR: Heavy compliance burden, high penalties.


6. Important Case References
Even though India’s DPDP Act is new, global jurisprudence offers guidance.
Schrems I (2015)
Struck down EU–US Safe Harbor Framework because US surveillance laws compromised user privacy.
Schrems II (2020)
Invalidated Privacy Shield due to inadequate protections from US intelligence agencies.
Google v CNIL (2019)
Clarified territorial limits of EU privacy laws and “right to be forgotten.”


7. Practical Implications for Companies
7.1 For Indian companies
Must wait for government list of approved countries
May face issues if the US or EU is not on the list
Multinational companies will need revised contracts

7.2 For EU companies
Transfers to India require SCCs or an adequacy decision
India does not yet have an EU adequacy decision
Cloud companies must ensure strong encryption & privacy controls

8. Corporate Compliance Checklist
Under DPDP Act:
Obtain consent
Inform user of transfer
Use reasonable security measures
Store records of transfer
Use trusted processors


Under GDPR:
Confirm legal basis (Articles 45–49)
Conduct Transfer Impact Assessment
Use encryption & pseudonymization
Execute SCC

Maintain documentation for audit


USE OF LEGAL JARGON (Explained)
Data Fiduciary / Data Controller: Entity deciding purpose of processing
Data Principal / Data Subject: Individual whose data is processed

Adequacy Decision: EU approval for foreign country

Standard Contractual Clauses: Legal contract ensuring GDPR-level protection abroad

Cross-Border Transfer: Movement of data outside jurisdiction

Legitimate Purpose: Lawful reason for processing


CONCLUSION
Both laws aim to protect personal data but follow fundamentally different approaches. GDPR is deeply rights-driven, focused on granting maximum control to individuals, while the DPDP Act adopts a flexible, government-driven model suitable for India’s digital ecosystem.
For cross-border transfers, GDPR offers multiple mechanisms (adequacy, SCCs, BCRs), whereas DPDP relies mainly on a government-approved list. As global digital trade expands, both India and the EU may collaborate on harmonizing standards, which will help multinational companies operate smoothly and ensure that individuals’ data remains safe, irrespective of borders.


FREQUENTLY ASKED QUESTIONS (FAQ)
1. What is cross-border data transfer?
It means sending personal data from one country to another for storage or processing.
2. Does the DPDP Act allow international data transfers?
Yes, but only to countries approved by the Indian Government.
3. How does GDPR regulate transfers?
Through adequacy decisions, SCCs, BCRs, or specific exceptions.
4. Can Indian data be sent to the US under DPDP Act?
Only if India notifies the US as a “trusted country.”
5. Why are GDPR rules stricter?
GDPR treats privacy as a fundamental right and prioritizes individual protection.
6. Does DPDP have special rules for sensitive data?
No. All digital personal data is treated equally.
7. Will companies need extra contracts for transfers?
Yes. Especially for GDPR compliance (SCCs).
8. Is India expected to get an EU adequacy decision?
Not immediately. It requires alignment with EU privacy standards.
