Cross-Border E-Commerce and Data Protection: Navigating GDPR vs. India’s Digital Personal Data Protection Act 2023 – A Comparative Analysis for Multinational Businesses

Author: Apeksha Saraf, LLB Hons, University of Leeds; Incoming LLM, University of Law

To The Point
The digital economy has transformed global trade, and online commerce between the EU and India is at an all-time high. As businesses increasingly operate across multiple jurisdictions, they must navigate a complicated web of data protection requirements that can make or break their global operations. Now in its sixth year of application, the European Union's General Data Protection Regulation (GDPR) has become the reference standard for data protection. Meanwhile, India's Digital Personal Data Protection Act 2023 (DPDP Act) is the country's first comprehensive attempt at a data privacy framework.

Multinational firms face an enormous obstacle: how to adhere concurrently to two complex and fundamentally distinct regulatory frameworks. The smooth transfer of personal data across borders is crucial to the EU-India commercial partnership, which is worth over €88 billion a year, yet the legal frameworks governing that data transfer are far from uniform.

The DPDP Act gives the Indian government the power to restrict transfers of personal data to specific countries by notification, a "negative list" approach (Section 16). This stands in stark contrast to the GDPR's adequacy-decision framework, under which data may flow freely only to countries judged to offer an essentially equivalent level of protection.

The practical ramifications are huge. Implementing multiple compliance systems is a difficult undertaking for digital service providers, financial companies handling payments, and e-commerce giants such as Amazon. A customer's journey from browsing products on a European website to completing a transaction processed on Indian servers involves multiple data transfers, each subject to different legal constraints.

Examining consent mechanisms makes the conflict very noticeable. Although both laws emphasise the right to privacy, they take different approaches to obtaining and handling consent. The DPDP Act permits processing without consent for "certain legitimate uses" (Section 7; the 2022 draft bill called this "deemed consent"), which can cause compliance issues for companies operating under both regimes, whereas the GDPR, where consent is the lawful basis relied on, requires specific consent for each processing purpose.

Arguably the most significant issue is the absence of an adequacy decision covering India. Without it, businesses must rely on alternative transfer mechanisms such as Standard Contractual Clauses (SCCs), which complicates routine commercial operations and increases potential liability. Beyond the cost of compliance, this regulatory uncertainty influences strategic decisions about data storage, processing locations and service architecture.

Abstract
This article examines the complicated legal environment that global corporations must contend with when operating under both India's DPDP Act 2023 and the European Union's GDPR. Using comparative legal evaluation, the analysis identifies important areas of regulatory convergence and divergence, with particular emphasis on consent requirements, compliance obligations and cross-border data transfer mechanisms. It finds that although both frameworks aim to safeguard individual privacy rights, their divergent approaches to territorial scope, data localisation and transfer restrictions leave businesses with substantial compliance challenges.

Use of Legal Jargon
Although both laws distinguish the party that determines processing from the party that processes on its behalf, there are small but important differences in their definitions. Under GDPR Article 4(7), a data controller determines the purposes and means of processing. The DPDP Act's equivalent, the Data Fiduciary, carries the same determinative role but also bears additional obligations specific to the Indian framework, such as those imposed on entities notified as Significant Data Fiduciaries.

Cross-border transfer mechanisms are arguably the most intricate part of dual compliance. Chapter V of the GDPR establishes a hierarchy: adequacy decisions (Article 45) are the gold standard, followed by appropriate safeguards under Article 46 such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) for intra-group transfers, and finally the specific derogations of Article 49. Under the DPDP Act, personal data may be transferred for processing to any country or territory outside India except those the Central Government restricts by notification under Section 16(1).

Data localisation is often cited as an obligation under the DPDP Act that has no counterpart in the GDPR. The Act itself does not impose a general localisation mandate; it permits transfers subject to the negative list, but Section 16(2) expressly preserves any Indian law that imposes a higher degree of protection or a stricter transfer restriction, such as the sector-specific storage requirements that apply to payment data. The GDPR, by contrast, concentrates on transfer restrictions based on adequacy and safeguards rather than on where data is physically stored. The combination can cause problems for global businesses that centralise processing outside India.

Territorial scope adds another level of complication. Under GDPR Article 3(2), any company that offers goods or services to data subjects in the Union, or monitors their behaviour there, is subject to the Regulation regardless of where the company is established; the test is the location of the individuals, not their citizenship. The DPDP Act casts a similarly broad net: Section 3 extends it to processing outside India that is connected with offering goods or services to Data Principals within India. The same processing operation can therefore fall under both regimes at once.

GDPR Article 35 requires Data Protection Impact Assessments (DPIAs) for processing likely to result in a high risk to individuals. The DPDP Act contains a comparable requirement but with a different trigger: under Section 10 it applies to entities the Central Government notifies as Significant Data Fiduciaries, rather than to any high-risk processing operation. Organisations caught by both must therefore run parallel assessments with different thresholds and content.

The GDPR's right to erasure (Article 17) and the DPDP Act's right to correction and erasure (Section 12) illustrate how similar concepts can carry distinct implementation requirements. Although both laws recognise an individual's right to have their data erased, the two regimes differ materially in their exceptions, procedures and timelines.

The Proof
The legal underpinnings of the two frameworks expose fundamentally different philosophical perspectives on data protection, which creates practical difficulties for businesses seeking to comply across jurisdictions. The GDPR is rooted in the EU Charter of Fundamental Rights and treats data protection as a fundamental right demanding the highest level of protection. This rights-based philosophy infuses every element of the legislation, from its extensive territorial reach to its strict consent requirements.

India's DPDP Act, while drawing on international best practice, reflects the country's own developmental aspirations and digital governance ethos. It is the principal legislation governing the processing and transfer of personal data in India, and its stated aim is to protect individuals' personal data while allowing businesses to operate in a regulated digital environment.

Cross-border data flows between the two jurisdictions are substantial, which underlines the urgency of resolving the regulatory issues. European firms rely increasingly on Indian IT services, and Indian businesses use digital platforms to serve European clients. Given this interdependence, regulatory harmonisation is not merely desirable but necessary for continued economic cooperation.

Consent mechanisms are one complicated area of divergence. Under the GDPR, consent must be freely given, specific, informed and unambiguous (Article 4(11)); Article 7 sets further conditions, including that withdrawing consent must be as easy as giving it. The DPDP Act adds complexity with its "certain legitimate uses" (Section 7), under which specified processing may proceed without consent. This can produce situations in which an activity is lawful under Indian law but, where consent is the lawful basis relied on in the EU, falls short of the GDPR.

Breach notification rules further demonstrate the compliance difficulties. The GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and to affected individuals only where the breach is likely to result in a high risk to them (Article 34). The DPDP Act, under Section 8(6), requires the Data Fiduciary to intimate both the Data Protection Board and each affected Data Principal of a personal data breach, with the form and timing left to rules made under the Act. Multinational incident response teams therefore face two different triggers and two potentially different clocks for the same incident.

The penalty regimes also differ. The GDPR's tiered system provides for fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, and Article 83 lists the factors that influence the calculation. The DPDP Act instead sets fixed monetary ceilings in its Schedule, the highest being ₹250 crore per instance for failing to take reasonable security safeguards, with no turnover-based percentage; its enforcement practice still awaits detailed rules and guidance from the Data Protection Board.

Most importantly, the lack of any mutual recognition between the EU and India creates persistent ambiguity. Without an adequacy decision or a mutual adequacy agreement, businesses must work through intricate transfer procedures that add cost and compliance burden to routine international operations.

Case Laws
EU Precedents:
Schrems II (C-311/18) – This case radically changed global data transfers from the EU. The Court of Justice invalidated the EU-US Privacy Shield. It upheld the validity of SCCs as a transfer mechanism, but held that SCCs by themselves are insufficient where the law of the destination country does not, in practice, offer essentially equivalent protection; the exporter must assess that law and adopt supplementary measures where needed. The decision directly affects EU-India transfers, since it requires companies to evaluate Indian surveillance law and data security practices before relying on SCCs.

Google Spain (C-131/12) – This judgment laid the foundations of the right to be forgotten, requiring search engines to delist results that are inadequate, irrelevant or excessive in relation to the purposes of processing. It informs how companies handle removal requests under the GDPR and, by analogy, under the DPDP Act's erasure right, although the compliance standards differ across the two jurisdictions.

Planet49 (C-673/17) – This case clarified consent standards, holding that pre-ticked boxes do not constitute valid consent and that consent must be specific and actively given. The decision affects how companies design cookie consent flows and data collection interfaces when serving both EU and Indian customers.

Fashion ID (C-40/17) – This case addressed joint controllership and established that embedding a third-party plugin (there, a social media "Like" button) can make the website operator a joint controller for the collection and transmission of visitors' data. Because of its effect on liability allocation and compliance obligations, the case is especially relevant to e-commerce platforms operating in EU-India markets.

Indian Precedents:

Justice K.S. Puttaswamy v. Union of India (2017) – This case established the constitutional foundation for the DPDP Act by affirming privacy as a fundamental right under Article 21 of the Indian Constitution. The Supreme Court's recognition that privacy includes informational self-determination strongly shapes how Indian data protection law conceives individuals' rights and businesses' obligations.

WhatsApp v. Competition Commission of India (2021) – The case concerned the CCI's investigation into data sharing between WhatsApp and its parent company Meta, highlighting the overlap between data protection and competition regulation. It illustrates how Indian courts approach cross-border data sharing within corporate groups, which matters for multinationals with complex organisational structures.

Aadhaar judgment (Justice K.S. Puttaswamy v. Union of India, 2018) – This judgment articulated principles of data minimisation and purpose limitation that shape the implementation of the DPDP Act. It requires organisations to justify their data collection and processing practices, which influences how international businesses structure their operations in India.

Conclusion
The overlap of the GDPR and India's DPDP Act produces a complicated regulatory environment for international firms, one that demands sophisticated compliance approaches. Although both frameworks seek to safeguard privacy rights, their differences create notable challenges and require companies to invest in dual compliance systems and governance structures tailored to each region.

This situation may hinder innovation and market competition. Businesses should establish robust compliance structures that address both regulations and should encourage regulatory cooperation between Indian and EU authorities. Harmonisation initiatives need to build multilateral frameworks that accommodate global digital commerce while respecting national data governance, which would leave compliant entities well placed to expand across interlinked markets.

FAQs
What is the present situation regarding data transfers between the EU and India?
At present there is no adequacy decision recognising India as ensuring an adequate level of data protection, so EU-India transfers must rely on other mechanisms such as SCCs. Chapter V of the GDPR governs transfers from the EU to third countries and international organisations, and rests on the principle that the protection granted to data subjects must not be undermined by a transfer. Companies must carry out transfer impact assessments (TIAs) and implement supplementary measures where needed.

In what ways do the consent requirements vary between the GDPR and the DPDP Act?
Where consent is the lawful basis, the GDPR requires specific consent for each processing purpose and an equally easy way to withdraw it. The DPDP Act allows certain processing without consent under "certain legitimate uses" (Section 7, the successor to the 2022 draft's "deemed consent"), which can lead to conflicts where an action is permitted under Indian law but breaches GDPR standards. Companies need to adopt the more rigorous standard to ensure dual compliance.

What are Standard Contractual Clauses and what is their relevance to India?
SCCs are standardised contractual clauses approved by the European Commission that provide safeguards for international data transfers. For transfers between the EU and India, companies must use the Commission's 2021 SCCs (Implementing Decision (EU) 2021/914) and carry out transfer impact assessments to confirm that Indian law does not undermine the protection the clauses promise.

What consequences might businesses encounter for failing to comply in both areas?
The two laws use different penalty structures. The GDPR provides for fines of up to €20 million or 4% of global annual turnover, whichever is higher. The DPDP Act sets fixed rupee ceilings per breach in its Schedule, the highest being ₹250 crore for failing to take reasonable security safeguards. Calculation methods and enforcement approaches also differ, so companies must understand both penalty structures.

How ought multinational corporations to handle dual compliance?
Businesses should adopt privacy-by-design frameworks that meet the more stringent requirements of the two regulations, build consent mechanisms tailored to each jurisdiction, and set up transparent data governance protocols. Routine compliance reviews and legal updates are crucial given the changing regulatory environment.

What does data localisation mean and what impact does it have on international business?
Section 16(1) of the DPDP Act provides: "The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified." The Act thus regulates transfers through a negative list rather than a general localisation mandate, although Section 16(2) preserves stricter sectoral Indian laws. The GDPR, by contrast, relies on adequacy-based restrictions and appropriate safeguards.

When will the EU grant India an adequacy decision?
No timetable has been announced for an EU adequacy assessment of India. The process requires a thorough evaluation of Indian data protection law, its enforcement and its oversight mechanisms. Companies should not rely on future adequacy recognition and should put robust transfer mechanisms in place now.

In what ways do the breach notification obligations vary among the laws?
The GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach (Article 33), and to affected individuals where the breach is likely to result in a high risk to them (Article 34). The DPDP Act requires intimation of every personal data breach to both the Data Protection Board and each affected Data Principal (Section 8(6)); the form and timeline are left to rules made under the Act. Companies should prepare for the broader Indian notification duty and build a synchronised incident response process that can satisfy both regimes.

Sources
Regulation (EU) 2016/679 (General Data Protection Regulation)
Digital Personal Data Protection Act, 2023 (India)
Securiti.ai – Cross-Border Data Transfer Requirements Under India DPDPA (2024)
Saikrishna & Associates – EU Authority blocks data transfer to India (2025)
Court of Justice of the European Union Case C-311/18 (Schrems II)
TrustArc – How the Schrems II Decision Changed Privacy Law (2024)
Privacy World Blog – Impact of India’s New Digital Personal Data Protection Rules (2025)
Taxmann – Cross-Border Data Transfers under the DPDP Act 2023 (2025)
DPO India – Impact of the Digital Personal Data Protection Act on Cross-Border Data Transfers
DLA Piper – Transfer in India – Data Protection Laws of the World
