News |
2026-02-10
Data transfers to India
1 Introduction
Briefly before the summer holidays, the Irish Data Protection Commission imposed a substantial €530 million fine on TikTok for its violations of the General Data Protection Regulation (GDPR) relating to the transfer of personal data to China, and warned that it may suspend all such transfers. This decision once again underscores the critical importance of ensuring compliance with the GDPR when transferring personal data internationally.
As we all know, India is a major player in technology-intensive industries, and many Swedish companies have already outsourced, or are planning to outsource, all or parts of their IT operations there. To provide practical guidance for Swedish companies – and considering the TikTok fine – TM & Partners and Panag, Babu & Sarangi have produced this whitepaper. It outlines recent developments, highlights what you need to know, and sets out key considerations to ensure that transfers of personal data to India are lawful.
2 Transfers to India and other countries outside the EU/EEA
2.1 Adequacy decision, appropriate safeguards, and specific derogations
2.1.1 Overview
The GDPR lays down the conditions for when transfers of personal data to countries outside the EU/EEA are permissible. As a general rule, transfers of personal data outside the EU/EEA may only be transmitted when:
- Adequacy decision: There is a decision from the European Commission admitting that the relevant receiving country ensures an adequate level of protection;
- Appropriate safeguards: The sending entity has implemented appropriate safeguards such as Standard Contractual Clauses (SCC); or
- Specific derogation: a specific situation making the transfer admissible is applicable.
2.1.2 Adequacy decision
For India, there is currently no adequacy decision from the European Commission (EC) determining that India offers an adequate level of data protection under the GDPR. To this date, the EC has recognised Andorra, Argentina, Brazil, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom[1], the United States (commercial organisations participating in the EU-US Data Privacy Framework), and Uruguay as providing adequate protection. The adequacy decisions for these countries have the effect that personal data can flow from the EU/EEA to that third country without any further safeguard being necessary, subject to the restrictions and provisions under the EC’s decision and the GDPR.
2.1.3 Appropriate safeguards
In addition to an adequacy decision, transfer of personal data outside of the EU/EEA can be permitted to territories if appropriate protection measures have been taken.[2] There are different types of appropriate safeguards, such as Binding Corporate Rules (“BCR”) or Standard Contractual Clauses (“SCC”).
SCCs are the most commonly implemented safeguards. SCCs are model contract clauses that have been “pre-approved” by the European Commission, setting the general framework for data transfers by regulating the rights and obligations for both exporters and importers of personal data to territories outside the EU/EEA. The SCCs may not be amended by the parties. However, the parties are free to incorporate the SCCs into a broader commercial agreement, provided that the agreement between the parties does not include any contradictions to the SCCs or in any way prejudice the rights of data subjects.
In some cases, additional safeguards may need to be put in place, beyond e.g. SCCs. This is the case if the level of protection in the recipient country is not effective and the protection cannot be guaranteed by the appropriate safeguards, due to e.g. national legislation that makes it impossible to maintain adequate safeguards in practice.
In June 2021, in the wake of a CJEU judgementC-311/18 (Schrems II), the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.[3] The EDPB recommends exporters to do an assessment in the following six steps.
- Know the transfers, by mapping all transfers of personal data to third countries;
- Verify the transfer tool the transfer relies on, e.g. Articles 45, 46 and 49;
- Assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools the processing is relying on, in the context of the specific transfer;
- Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence;
- take any formal procedural steps the adoption of the supplementary measure may require, depending on the Article 46 GDPR transfer tool relied on; and
- re-evaluate at appropriate intervals the level of protection afforded to the personal data that is transferred to third countries and to monitor if there have been or there will be any developments that may affect it.
The assessment in step 3 above includes examining if there is anything in the law and/or practices in force in the country outside the EU/EEA (in this case India), that may impinge on the effectiveness of the appropriate safeguards of the transfer tools the exporter relies on, in the context of the specific transfer. The EDPB clarifies that exporters, in the assessment, need to focus first and foremost on third country legislation that is relevant to the transfer. The assessment needs to include examining the practices of the third country’s public authorities and ensuring the effective protection, in practice, of the personal data transferred. Examining these practices will be especially relevant for the assessment where: (i) legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice; (ii) there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking; (iii) the transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool’s contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality).[4]
The EDPB has drafted a non-exhaustive list of examples of supplementary measures with some conditions that they would require to be effective. Such supplementary steps are only necessary if the assessment reveals that the third country legislation and/or practices impinge on the effectiveness of the Article 46 GDPR transfer tool that the exporter is relying on or the exporter intends to rely on in the context of the transfer. Supplementary measures may include technical or additional contractual measures, or, depending on the context, a combination of the two. Technical measures may include e.g. encryption, pseudonymization, or similar technical access restrictions, while additional contractual measures may include transparency obligations or obligations on the importer to commit to reviewing and to challenge an order from a requesting public authority.
2.1.4 Specific derogations
In specific situations and under certain conditions, personal data can be transferred to a third country or an international organisation even if there is neither an adequate decision issued by the EC nor any applicable safeguards. It is important to recognise that this is a last resort to enable a transfer and should never be seen as a default solution to enable third country transfers. Such derogations must be interpreted restrictively and cannot be used for routine, large-scale, or repeated transfers. Such specific situations include:
- If the data subject has given their consent. However, this exception is subject to strict conditions. While the general requirements for valid consent under the GDPR still apply, additional and more specific elements are necessary for consent to serve as a legal basis for international data transfers.
- If the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject’s request. In this context, the data subject must be a party to the contract, and there must be a close and substantial connection between the data transfer and the purpose of the contract.
- If it is necessary for important reasons of public interest recognised in EU or member state law.
- If necessary for the establishment, exercise, or defence of legal claims.
- If the transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
- The transfer, under certain conditions, is made from a register which, under national or EU law, is for public information.
Lastly, in cases not covered by the above exceptions, a transfer may be allowed if it is not repetitive, concerns only a limited number of data subjects, and is necessary for the compelling legitimate interests pursued by the controller. Such an exception requires that the controller has assessed all the circumstances of the transfer, provided suitable safeguards, informed the supervisory authority and the data subject, and ensured that the transfer does not override the rights and freedoms of the data subject.
2.2 Transfer impact assessment
While the GDPR does not explicitly mention transfer impact assessments (“TIAs”), it is an essential compliance tool considering the EU data transfer rules. TIAs are closely related to data protection impact assessments (“DPIAs”), which are explicitly governed by Article 35 GDPR. Though both assessments aim to evaluate and mitigate risks, they apply in different contexts and serve distinct purposes.
A TIA is required when personal data is transferred to a third country outside the EU/EEA, and stems from the obligations set out in Articles 44-50 GDPR.[5] Its purpose is to identify and evaluate the potential risks of such transfers, focusing on how the personal data will continue to enjoy protection equivalent to that afforded by the GDPR.
It is crucial that the TIA is conducted before any data transfer takes place, ensuring that the controller, through a documented evaluation, can demonstrate compliance with the GDPR. The TIA should also be regularly reviewed, especially if relevant laws or circumstances change.
Failure to perform an adequate TIA and demonstrate compliance of the GDPR may expose the controller to penalties and administrative fines.[6] Recent enforcement actions, such as the record-breaking fine of 1.2 billion EUR against Meta[7] and the 530 million EUR fine against TikTok[8], highlight the importance of conducting an adequate assessment. These cases underscore that supervisory authorities expect organisations to conduct thorough, case-by-case assessments and not rely on generic or incomplete risk evaluations.
2.3 Transfer of personal data to India
For India, since there is currently no adequacy decision from the European Commission determining that India offers an adequate level of data protection, controllers need to assess other options for a transfer of personal data to be permitted. This places high demands on the controller to assess, among other things, India’s legislation to determine whether it offers sufficient guarantees that the personal data will be subject to at least the same level of protection as if the personal data processing were carried out within the EU/EEA.
3 Indian law
3.1 Overview
The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the “DPDPA”). The DPDPA will replace India’s existing patchwork of data protection rules and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. The DPDPA is a concept-based legislation that has remained in suspended animation, awaiting implementation.
The DPDPA, whilst being the proposed central data protection regime, is also a response to the Indian Supreme Court’s decision in Justice K.S. Puttaswamy v Union of India[9] (Puttaswamy Case), which read Article 21 (Protection of life and personal liberty) to include the right to privacy. The Puttaswamy Case of 2017 was a landmark decision in Indian jurisprudence as an intrinsic part of the fundamental right to life and personal liberty of every individual guaranteed by the Constitution. Therefore, the violation of any individual’s right to privacy, particularly foreign data subjects who may not fall under the scope of other local laws and regulations, may enable them to seek remedies for breaches of their fundamental rights before constitutional courts. The Indian courts have recognised the rights of foreign citizens to be forgotten and to require the destruction of evidence collected in a breach of procedural and substantive safeguards. However, these cases are isolated and may have limited precedential value.
3.2 Background of the DPDPA
The DPDPA, which was promulgated in 2023 and notified as a law in the Official Gazette after approval by both houses of Parliament and receiving the President’s assent, has not yet become operational. The DPDPA is expected to be operationalised after the establishment of the regulatory authority (“Data Protection Board”) and the notification of the subordinate rules, i.e., the (draft) Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), as these will provide interpretative guidance on procedural steps and enforcement methodology.
The DPDPA introduces key concepts similar to the GDPR[10], such as:
- Data Principal: The individual to whom the personal data relates (equivalent to a data subject under the GDPR).
- Data Fiduciary: The entity that determines the purpose and means of processing personal data, alone or in conjunction with others (equivalent to a controller under the GDPR).
- Data Processor: An entity that processes personal data on behalf of a controller.
3.3 DPDPA and the GDPR
With the soon-to-be-implemented DPDPA, the protections provided to data subjects under Indian law would be commensurate with those provided for in the GDPR. The GDPR and the DPDPA follow broadly similar principles and are conceptually embodied in a consent-based model. The DPDPA is, however, tacitly different from the GDPR, with such specific granular differences explained below:
3.3.1 Scope
The DPDPA regulates the processing of digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and subsequently digitised. The GDPR is applicable to digital as well as, under certain circumstances, non-digital personal data. The scope of the DPDPA is therefore limited in its application to only digitised personal data.
Additionally, the definition of personal data under the DPDPA is quite similar to that prescribed under the GDPR; however, the definition under the DPDPA excludes any publicly available personal data, made available by the data principal or by any other person under a legal obligation to make that data publicly available, from its scope.
3.3.2 Legal basis for processing of personal data
The DPDPA provides that controllers may lawfully process personal data only with the consent of the data principals or for certain specified “legitimate uses”. Such legitimate uses include:
- processing of personal data voluntarily shared by the data principal for a specified purpose (provided that the data principal does not object);
- processing to comply with the law or court orders;
- for employment purposes;
- or to respond to medical emergencies, epidemics, or disasters.
However, the DPDPA does not permit processing for the lawful bases of contractual necessity or legitimate interests, unlike the GDPR, which recognizes these categories as a lawful basis for processing.
3.3.3 Consent Standards
The DPDPA’s consent standard is similar to that of the GDPR, with consent required to be obtained as “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” However, the DPDPA does not categorise consent as ‘explicit’ or otherwise, as has been recognised in the GDPR for the processing of sensitive personal data. As has been set out below, the DPDPA does not classify any categories of personal data either.
3.3.4 Data subject rights
Whilst data subjects will have certain rights similar to those under the GDPR (i.e., rights of access, correction, or erasure), there are certain additional rights in the DPDPA which are unique to Indian data protection regulation. The DPDPA prescribes the right to a readily available and effective means of grievance redressal (e.g., via a grievance redressal officer) by the controller, which needs to be exhausted prior to approaching the Data Protection Board. Additionally, the DPDPA will enable the data subject to have the right to nominate an individual who will be able to exercise their rights in the event of the death or incapacity of the data subject. However, the DPDPA is currently silent on the right to restrict processing, the right to data portability, and rights concerning automated decision-making and profiling.
3.3.5 Cross-border data transfers
In terms of transfer mechanisms, the DPDPA is a significant departure from the GDPR’s ‘adequacy’ or ‘whitelist’ approach, as it adopts a ‘blacklist’ model. It permits a controller to transfer personal data for processing to any country or territory outside India, except to those countries that have been specifically blacklisted by the Government of India.
However, the DPDPA Rules apply significant backstops to the general transfer provision in the DPDPA by prescribing that:
- all transfers of personal data will have to comply with the conditions the Central Government will prescribe by way of a special or general order, and
- significant data fiduciaries (defined hereinafter in 3.4.1) will be restricted from transferring specific categories of personal data (as will be specified by the Central Government) and traffic related to such personal data outside the territory of India.
Despite the broader transfer mechanisms under the DPDPA, unlike other specific legislations, the DPDPA does not override other sectoral laws that may impose stricter data localisation requirements or transfer restrictions. For instance, regulations in the financial services or healthcare sectors may still require certain data to be stored within India.
3.3.6 Data breach notification
In accordance with the DPDPA, controllers will be required to notify personal data breaches not only to the regulatory authority (i.e., Data Protection Board) but also to the impacted data subjects. The DPDPA departs from the breach reporting requirements under the GDPR, as it provides a broader reporting requirement, which is required regardless of the magnitude of the breach or risk of harm.
3.3.7 Consent of Children
While the GDPR and DPDPA specifically provide for heightened consent requirements when processing the personal data of children, the DPDPA specifically provides that ‘verifiable’ consent of the parent or lawful guardian of the child must be obtained. As per the DPDP Rules, verifiable consent is obtained when the individual identifying themself as the parent or lawful guardian of a child is an adult who can be identified, if required in connection with complying with any law in India.
Additionally, the DPDPA prescribes certain obligations in addition to the GDPR with respect to the processing of children’s data as well. In accordance with the DPDPA, any data processing that is detrimental to children, or processing of data that in any manner would aid targeted advertising directed at children, should not be undertaken.
Lastly, any individual under the age of 18 (eighteen) years is identified as a child under the DPDPA, unlike the GDPR, which provides a threshold of 16 (sixteen) years, with the option for each of the member states in the EU/EAA to prescribe an age not lower than 13 (thirteen) years.
3.4 Departure from the GDPR
The compliance requirements and provisions set out above are elaborated on in the context of the GDPR, as incremental compliance applicable under the DPDPA. Additionally, there are certain key concepts that are unique to the DPDPA framework and warrant attention while assessing the data protection framework and safeguards in India for the transfer of personal data.
3.4.1 Significant data fiduciaries
As per the DPDPA, the Government of India will have the power to classify specific classes of controllers as ‘significant data fiduciaries’ on the basis of categories or volume of personal data processed. The DPDPA prescribes the following factors, based on which notification as a significant data fiduciary will be made:
- the sensitivity and volume of personal data processed,
- the impact of processing on the rights of data subjects,
- risk to electrical democracy, or
- the impact on the sovereignty, security, public order, and integrity of India.
Entities classified as a significant data fiduciary will have additional obligations, which include the appointment of an independent auditor, a data protection officer, undertaking data protection impact assessments periodically, and restricting cross-border transfer of certain classes of personal data, as will be notified by the Central Government.
3.4.2 Consent Manager framework
Consent manager is a concept unique to the DPDPA and is defined as a person who shall be responsible as the sole point of contact to enable a data subject to give, manage, review, and withdraw their consent for processing their personal data through an accessible and transparent platform. Consent managers are required to be registered with the Data Protection Board.
3.5 Summary of Analysis
As has been set out above, the DPDPA sets standards of data protection that are broadly comparable in scope and intent to those under the GDPR, ensuring proportional safeguards for personal data routed through India. Therefore, a TIA conducted prior to the transfer of personal data to India can reasonably conclude that India’s data protection regime offers adequate measures to justify the transfer from the EU/EEA to India, although a more in-depth analysis may be required depending on the scope and the nature of the data. Both frameworks provide broadly similar data subject rights, require robust security measures, and impose significant compliance obligations on data controllers to prevent the misuse of personal data.
Recommendations
In instances wherein any controller in the EU/EAA collects or processes the personal data of vendors based in India, such controllers would be required to consider the compliance obligations imposed by the DPDPA. The DPDPA has an extraterritorial effect in that it applies to digital personal data processing outside of India if such processing relates to the offering of goods or services to data subjects in India.
Although, as the compliance requirements between the DPDPA and the GDPR are conceptually mirrored, controllers collecting or processing personal data of Indian vendors would only be required to undertake specific incremental compliance measures in addition to what is already in place, owing to their GDPR specific compliance measures adopted as a part of their data compliance framework.
In case of any non-compliance with the DPDPA, penalties range from INR 500 million (~€5 million) to INR 2.5 billion (~€25 million). Urgent remedial or mitigation measures can be imposed by the Data Protection Board in the event of a personal data breach. The DPDPA signals a major change in the way personal data is processed in India. While the DPDPA is currently in suspended animation, organisations targeting individuals in India or already having an operational presence in India should consider preemptive steps to bring their privacy compliance in line with the DPDPA, including as regards data collection and consent mapping practices.
Authors
For Sweden (TM & Partners)
Fredrik Gustafsson
Partner
fredrik.gustafsson@tmpartners.se
+46 76-00 283 57
Francisco Stråhle
Associate
francisco.strahle@tmpartners.se
+46 76-00 283 21
For India (Panag, Babu & Sarangi)
Akash Karmakar
Partner
akash@pblawoffices.com
Anshika Gaur
Associate
anshika.gaur@pblawoffices.com
Kopal Arora
Associate
kopal.arora@pblawoffices.com
This whitepaper is intended to be illustrative and provide a general summary of the applicable legal frameworks. It does not constitute legal advice. Controllers considering the transfer of personal data to India should conduct an independent and thorough analysis of their specific circumstances and ensure that such an assessment is appropriately documented in accordance with applicable data protection requirements.
[1] Under the GDPR and the LED (Commission Implementing Decision (EU) 2021/1773 of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom)
[2] Article 46 GDPR.
[3] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
[4] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
[5] Cf. CJEUs judgement of 16 June 2020, C-311/18 (Schrems II).
[6] Article 83.5 GDPR.
[7] Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR).
[8] Notice from the Irish Data Protection Commission, 2nd May 2025, Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China.
[9] (2017) 10 SCC 1
[10] For ease of reference, we have used the terms ‘data subject’ and ‘controller’ instead of ‘data principal’ and ‘data fiduciary’ while referring to Indian data protection laws.
