EDPS Rejects European Investment Bank Data Transfers to India Over GDPR Issues
The European Data Protection Supervisor (EDPS) has blocked the European Investment Bank’s (EIB) request to transfer personal data, including contact details, to India and several other non-EU countries. The decision was made in February 2024 and disclosed in the EDPS’s annual report. The EDPS cited insufficient guarantees that these countries provide a level of data protection equivalent to the European Union’s General Data Protection Regulation (GDPR).
India’s Digital Personal Data Protection (DPDP) Act, passed in August 2023, has not yet been implemented despite the release of draft rules for consultation in 2025. The EDPS emphasized that the DPDP Act does not currently offer the robust data protection required under the GDPR framework. The absence of a fully operational data protection law in India means there is no comprehensive assurance that personal data transferred there would be adequately safeguarded.
Instead of approving routine data transfers, the EDPS recommended that the EIB rely on a limited-use exception known as a “derogation.” This exception allows data sharing for specific public interest purposes even when the recipient country does not meet EU-level data protection standards. However, experts caution that derogations are intended for occasional, exceptional cases rather than regular data exchanges.
Legal experts highlight that standard contractual clauses (SCCs) remain the preferred mechanism for transferring data from the EU to India. The lack of clarity regarding the enforcement and practical application of the DPDP Act, especially its exemptions for government agencies, contributes to the EDPS’s cautious stance. The Ministry of Electronics and Information Technology (MeitY) has not yet responded to the EDPS’s decision or comments on the matter.