Current Affairs Topics Archive
International Relations Economics Polity & Governance Environment & Ecology Science & Technology Internal Security Geography Social Issues Art & Culture Modern History

Data flows: India, EU kick can down the road, to review later

March 01, 2026 5 min read Economics International Relations GS2 (International Relations Governance) GS3 (Economy Digital Trade)
On This Page

What Happened

  • India and the European Union concluded a landmark Free Trade Agreement on January 27, 2026 — one of the most comprehensive trade deals in India's history — but the critical chapter on cross-border data flows has been deferred for a future review.
  • Both sides agreed to commit to "curbing unjustified barriers" to digital trade and promoting an open, secure online environment, but stopped short of establishing mutual data adequacy recognition.
  • The deferral reflects a structural mismatch: the EU's GDPR (General Data Protection Regulation) requires an "adequacy decision" before personal data can freely flow from EU to non-EU countries, while India's DPDPA (Digital Personal Data Protection Act, 2023) follows a different architecture — a government-maintained blacklist rather than a positive adequacy whitelist.
  • Without EU adequacy status for India, Indian IT services firms face compliance costs (Standard Contractual Clauses, Binding Corporate Rules) on data transfers from EU clients — effectively a "compliance tax" on India's $250+ billion IT exports sector.
  • The Data Protection Board of India, which will enforce the DPDPA, lacks the statutory independence of EU Data Protection Authorities — a key EU concern in the adequacy assessment pathway.

Static Topic Bridges

Digital Personal Data Protection Act, 2023 (DPDPA) — India's Data Framework

The DPDPA, enacted on August 11, 2023, is India's first comprehensive data protection law, replacing the fragmented protections under the IT Act, 2000. It establishes a rights-based framework for "Data Principals" (individuals whose data is processed) and obligations for "Data Fiduciaries" (entities processing data). India's approach to cross-border data transfers is fundamentally different from GDPR: instead of requiring an adequacy decision to send data abroad, DPDPA allows all transfers except to countries on a government-notified blacklist — a more permissive, government-directed regime.

  • DPDPA passed by Parliament August 2023; draft rules finalized November 2025 (two-year implementation gap).
  • The Act creates a Data Protection Board of India (DPB) as the adjudicatory body — but DPB reports to MeitY (Ministry of Electronics and IT), raising independence concerns.
  • Significant exemptions: Government agencies may process data without most DPDPA restrictions "in the interest of sovereignty and integrity of India" — mirroring but broader than Article 9 GDPR exemptions.
  • India has rejected blanket data localisation (as proposed in the earlier PDP Bill 2019) but the Act allows sector-specific localisation rules for "significant data fiduciaries."
  • Rights of data principals: Right to access, correction, erasure, grievance redressal, and nomination — broadly parallel to GDPR Article 15-22 rights.

Connection to this news: The India-EU FTA deferral on data flows reflects this structural incompatibility — the EU cannot grant adequacy to India until DPDPA's government exemptions and DPB independence concerns are addressed, pushing a formal adequacy decision to 2027-2029 at the earliest.

GDPR and EU's Adequacy Decision Framework

The General Data Protection Regulation (GDPR), effective May 25, 2018 (Regulation EU 2016/679), is the world's most comprehensive data protection law and has become the de facto global standard. GDPR's Chapter V restricts personal data transfers to non-EU countries unless: (a) the European Commission has issued an "adequacy decision" recognising the third country's protection as "essentially equivalent" to EU standards; (b) appropriate safeguards exist (SCCs, BCRs); or (c) specific derogations apply. As of 2026, only 15 countries hold full adequacy status — including Japan, South Korea, UK, Argentina, Canada (partial), and Israel. India is not on the list.

  • EU adequacy decisions are granted under GDPR Article 45 — a formal Commission act after assessment of the country's data protection law, supervisory authority independence, and rule of law.
  • Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) are the fallback compliance mechanisms for data transfers without adequacy — adding legal costs and administrative burden.
  • The Schrems II judgment (CJEU, 2020) invalidated the EU-US Privacy Shield, illustrating how government surveillance laws can block adequacy — a direct precedent for India's broad government exemptions concern.
  • The UK-India FTA (under negotiation in 2026) faces similar data flow issues, though UK's GDPR-like framework is more compatible with India's DPDPA.

Connection to this news: India "kicking the can down the road" on EU data adequacy in the FTA reflects a deliberate choice to avoid binding commitments that would require amending the DPDPA's government exemptions — a politically sensitive area impinging on national security prerogatives.

India's Digital Trade and IT Services Exports

India's IT and IT-enabled services (ITeS) sector exports were $227 billion in FY2023-24, with Europe accounting for approximately 25-30% of revenues for major Indian IT firms (TCS, Infosys, Wipro, HCL, Tech Mahindra). Cross-border data flows are the lifeblood of this sector — every outsourced business process, cloud service, and software development engagement involves transferring European personal data to Indian data centres. EU adequacy would eliminate compliance costs currently running to hundreds of millions of dollars annually across the sector.

  • India ranks as the world's largest IT services exporter, serving clients in BFSI, healthcare, manufacturing, and retail sectors in the EU.
  • India's proposed India-EU Digital Partnership (2022) and the India-EU Trade and Technology Council (TTC, 2023) are the diplomatic frameworks for digital cooperation.
  • The India-EU FTA concluded January 27, 2026, covers 96.6% of traded goods by value — the digital trade chapter is a standalone negotiation.
  • NASSCOM estimates EU adequacy could unlock $20-30 billion in additional digital trade per year by reducing compliance friction.
  • India's DPDPA implementation timeline: Rules notified November 2025; Data Protection Board operational from mid-2026.

Connection to this news: The data flow deferral in the FTA is directly consequential for India's IT sector — without adequacy, Indian firms must continue the compliance overhead of SCCs for each EU-to-India data transfer, maintaining a structural competitive disadvantage relative to EU-adequate jurisdictions.

Key Facts & Data

  • India-EU FTA signed: January 27, 2026; covers 96.6% of traded goods by value
  • DPDPA enacted: August 11, 2023; rules finalized: November 2025
  • EU GDPR effective: May 25, 2018; adequacy decisions: ~15 countries (India excluded)
  • Schrems II judgment (CJEU, 2020): invalidated EU-US Privacy Shield over US surveillance laws
  • India IT/ITeS exports FY2023-24: $227 billion; EU share: ~25-30%
  • EU adequacy assessment pathway for India: formal decision expected 2027-2029 earliest
  • Data Protection Board of India: reports to MeitY — independence gap vs. EU DPA standards
  • NASSCOM estimate of potential uplift from EU adequacy: $20-30 billion additional digital trade annually
  • India's cross-border transfer model: permissive (blacklist-based) vs. EU's restrictive (whitelist/adequacy-based)