The European Data Protection Supervisor (EDPS) blocked the request by European Investment Bank (EIB) 4 to transfer personal data—specically contact details—to India and few other non-EU countries. The EDPS cited weak privacy protections under India’s current legal framework.
The EU data regulator released this decision in its latest annual report. It acted just months after India passed the Digital Personal Data Protection (DPDP) Act in August 2023. Despite the legislation, India has not yet enforced the law. The government only released the draft rules in 2025 for consultation.
The EDPS found that India does not offer an “essentially equivalent level of data protection” compared to the EU’s General Data Protection Regulation (GDPR). The regulator said it found no sufficient evidence to prove India can guarantee GDPR-level safeguards.
Instead of approving the data transfer, the EDPS advised the EIB to use a limited fallback option called a “derogation.” This clause allows data transfers for specific public interest reasons when the recipient country lacks adequate data protections. However, legal experts warn that derogations should only apply to exceptional cases—not routine cross-border data transfers.
India’s Ministry of Electronics and Information Technology (MeitY), which led the DPDP legislation, has not issued a public response to the EDPS ruling.
Aaron Kamath, a technology law expert at Nishith Desai Associates, explained the possible reasons behind the block. “India has passed the DPDP Act, but it is not in force yet,” he said. “There’s still no standalone data protection law in effect, and several government exemptions under the DPDP Act raise concerns about surveillance and enforcement.”
Kamath added that most companies currently rely on standard contractual clauses (SCCs) or bilateral agreements to transfer data from the EU to India. He noted that the EDPS’s recommended derogation should not replace SCCs or formal adequacy decisions.
Without a clear enforcement framework or operational law, India may continue to face restrictions on receiving personal data from the EU under GDPR rules.
