INTRODUCTION
Cross-border data flow involves the transfer of digital information across national jurisdictions and forms a core element of the contemporary digital economy. These include activities such as cloud computing and global e-commerce. As a fast-growing technology exporter, India’s ICT (Information, Communications, and Technology) sector contributes approximately 13% to its gross domestic product (GDP) and aims to reach 20% by 2025. India’s Digital trade policies run contrary to global norms and seem to undermine the interests of the fast-growing ICT sector.[1] Citing concerns related to national sovereignty, security, and revenue, India has frequently resisted international standards promoting unrestricted data flow. Unlike other emerging economies, India has refrained from incorporating strong digital trade commitments in trade agreements and has often opposed global initiatives to liberalise digital trade. This blog examines India’s framework for international data transfers and compares it with the European Union’s approach.
INDIA’S DOMESTIC FRAMEWORK ON DATA PROTECTION
In India, the Information Technology Act 2000(IT Act)[2] established the foundational structure for data protection in India. This framework was significantly strengthened following the Supreme Court’s decision in Justice K. S. Puttaswamy v. Union of India.[3], which constitutionally recognises privacy as a fundamental right under Article 21. This led to the formulation of a comprehensive data protection framework for India known as the DPDP Act.
The DPDP (Digital Personal Data Protection) Act 2023[4] is limited in scope to digital personal data and expressly excludes non-personal data from its regulatory coverage. Under this statute, data fiduciaries or controllers must process data lawfully and securely, focusing on user consent to retrieve data for processing. Section 16 of the act allows the government to blacklist specific foreign countries and restrict transfers of personal data to them. This means that India retains broad discretion to approve or block international data flows. Rule 15 of the DPDP Rules 2025[5] allows personal data to move outside India unless specifically restricted by the government for national security, and requires firms to follow government-imposed conditions before sending any data beyond the borders.
The DPDP Act does not cover data localisation, but sectoral laws may require certain laws to be stored within the country for privacy and security. The Reserve Bank of India mandates that all payment system data, including customer credentials and transaction details, be stored within the borders.
India’s framework on non-personal data, including industrial data, anonymised analytics, etc., is largely unregulated. In 2020, the Expert Committee constituted by the Ministry of Electronics and Information Technology, chaired by Kris Gopalakrishnan, proposed a separate “Non-Personal Data Governance Framework”. acknowledged the risk of re-identification of anonymised data and proposed the establishment of a dedicated regulatory authority. Thus, recommended a Non-Personal Data Authority to oversee industrial data sharing and the risks associated with non-personal data.[6] However, the absence of enacted legislation leaves India’s non-personal data subject to private sector discretion and fragmented regulatory oversight.
THE EUROPEAN UNION’S DATA FLOW REGIME
The EU’s General Data Protection Regulation (GDPR, 2016)[7] Is a strict personal-data law with global influence. Under GDPR, personal data can flow outside the EU only if the recipient country ensures an adequate level of protection or employs standard contractual clauses. The European Commission maintains a list of ‘adequate jurisdictions’ including countries like Argentina, Canada, Israel, Japan, New Zealand, the Republic of Korea, Switzerland, the UK, the USA, and others. As of 2025, India is not recognised as an adequate jurisdiction. Thus, any transfer of EU-origin personal data to India must rely on contractual mechanisms to reach GDPR standards.
Beyond GDPR, the EU actively seeks to promote data flows in trade, provided data protection is respected. The EU’s stance is that data must flow freely to support commerce, innovation, and research, but with people’s rights protected. It has adopted new regulations relating to non-personal or industrial data. The EU’s Data Act 2024[8] guarantees that users and businesses can access data generated by their IoT (Internet of Things) devices, like vehicles, smart appliances, or industrial gear, while setting rules for cloud switching and providing new data-driven services to boost the digital economy.
Internationally, the EU has pursued bilateral flow mechanisms. In 2024, t the EU and China initiated a bilateral communication mechanism to facilitate the exchange of non-personal industrial data, recognising the importance of cross-border data to trade in sectors such as insurance, pharma, automotive, and ICT.[9]
INDIA VS EU FRAMEWORK
The EU framework focuses on the free flow of data with a strong protection mechanism, like the ‘Adequacy list’. Its GDPR does not mandate data localisation, forbidding unjustified flow restrictions. India, however, treats data transfer as a policy instrument, where the government authority restricts data flows on a case-by-case basis, and many classes of data are required to be stored within the country. India’s regime currently covers only personal data, forming a gap in industrial and anonymised data flows. The EU is actively establishing spaces for non-personal data flows. While the EU focuses on the free flow of data, India demands keeping maximum regulatory freedom.
India’s courts have not yet ruled on cross-border data issues, while EU courts have strictly enforced these rules in the landmark case of Schrems II. The Court of Justice of the EU invalidated the EU-US Privacy Shield, a mechanism for transferring data across the Atlantic, finding that the US surveillance law did not meet EU standards of privacy requirements. The court upheld the validity of Standard Contractual Clauses (SCC) as a transfer tool and data exporters and importers must assess to ensure data protection equivalent to EU standards for any cross-border data flow.
CONCLUSION
In conclusion, India’s approach to cross-border data flow focuses mainly on security, sovereignty, and development control rather than a liberal data flow policy like other developing economies. The challenge will be to balance these controls in such a way that they do not hamper Indian businesses or violate international commitments. Establishing a framework inspired by GDPR’s mechanism, training regulators, and seeking technical support can help India to benefit from digital trade while protecting privacy.
Author(s) Name: M Jananiya (Kristu Jayanti College of Law)
References:
[1] Kholofelo Kugler, ‘The Great Disconnect in India’s Digital Trade Policy’, February 10 2025, Council on Foreign Relations
https://www.cfr.org/article/great-disconnect-indias-digital-trade-policy> accessed 26 December 2025
[2] Information Technology Act, 2000
[3] Justice K.S. Puttaswamy (Retd) v. Union of India (2017) 10 SCC 1
[4] Digital Personal Data Protection Act 2023, s16
[5] Digital Personal Data Protection Rules 2025, s 15
[6] Expert Committee Report on Non-Personal Data Governance Framework, PRS Legislative Research, July 2020
<https://prsindia.org/policy/report-summaries/non-personal-data-governance-framework> accessed 26 December 2025
[7] General Data Protection Regulation, 2016 OJ L119/1
[8] Regulation (EU) 2023/2854 (Data Act) [2023] OJ L 2854
[9] Directorate General for Trade and Economic Security, ’EU and China Launch Cross-Border Data Flow Communication Mechanism’, Trade and Economic Security, 28 August 2024
<https://policy.trade.ec.europa.eu/news/eu-and-china-launch-cross-border-data-flow-communication-mechanism> accessed 27 December 2025
