Data Protection Disaster? 5 Powerful Reasons India Risks Losing Global Trust Without Urgent DPDPA Action
Concerns about India’s operational data protection framework, not its legislation, triggered the recent European Data Protection Supervisor (EDPS) decision blocking a routine data transfer. While India’s Digital Personal Data Protection Act (DPDPA) is a significant step, the EDPS ruling highlights a critical lack of trust stemming from its unimplemented state and structural gaps. Key concerns include broad, unchecked government exemptions from the law, the absence of a genuinely independent Data Protection Board, and cumbersome, undefined processes for citizens to exercise their rights. Crucially, nearly two years after passage, core elements like the Board itself and supporting rules remain inactive, creating a regulatory void.
This paralysis fundamentally undermines India’s ambition to be a global data hub, as international partners require demonstrable safeguards and enforcement. India doesn’t need to mimic the EU’s GDPR, but it must urgently operationalize the DPDPA with transparent rules, establish an impartial enforcement body, and clarify safeguards around state data access. Building global trust hinges on proving the DPDPA works in practice, not just on paper.

The recent decision by the European Data Protection Supervisor (EDPS) to block a routine data transfer from the European Investment Bank (EIB) to India wasn’t a formal “adequacy” rejection. Yet, it landed like a tremor through India’s aspirations to become a global data hub. The reason? A fundamental lack of trust in the operational reality of India’s Digital Personal Data Protection Act (DPDPA), 2023.
While the EDPS clarified it wasn’t judging the DPDPA’s inherent strength, its refusal – citing insufficient proof of GDPR-equivalent protection – exposes a critical vulnerability: India has a law, but not yet a functioning data protection ecosystem. This incident is less about mimicking Europe and more about India urgently translating its legislative vision into credible, enforceable practice.
The EDPS Signal: A Canary in the Data Mine
The EDPS, safeguarding data for EU institutions, denied the EIB’s request to transfer contact details to India (alongside Brazil, Türkiye, and Fiji). Its core concern: no “sufficient evidence and proof” existed to guarantee personal data would be protected to GDPR standards. The recommended fallback – relying on limited, exceptional derogations – is impractical for routine business. The message is stark: under the current implementation vacuum, India is not seen as a naturally safe harbor for EU personal data.
Structural Gaps: Where the DPDPA Raises Eyebrows
The EDPS’s caution stems from identifiable differences between the DPDPA and the GDPR framework, particularly concerning oversight and government access:
- Unchecked State Exemptions (Section 17(2)): The DPDPA allows the Central Government broad exemptions for state agencies on grounds like sovereignty and security. Crucially, it lacks mandated independent oversight, necessity/proportionality tests, or judicial review. Contrast this with the GDPR (Article 23), where similar exemptions require strict justification and safeguards. This creates potential for opaque government data handling, eroding accountability and trust – a major red flag for international partners.
- The Independence Question (Section 19): The Data Protection Board of India (DPBI), the DPDPA’s enforcer, is appointed entirely by the Central Government, which also sets its rules and service conditions. This contrasts sharply with the GDPR’s requirement (Article 52) for supervisory authorities to be “completely independent,” typically accountable to parliaments or courts. Experts widely warn this centralization risks undermining the Board’s perceived and actual impartiality – a cornerstone of credible data governance.
The Paralysis of Non-Implementation
Beyond structural concerns, the DPDPA’s profound implementation gap is the most immediate barrier to trust:
- Rights Without Remedies: While the DPDPA grants rights (access, correction, erasure), their exercise hinges entirely on unpublished Rules. Draft Rules suggest cumbersome processes, like requiring specific IDs (customer IDs, license numbers) – a significant hurdle compared to the GDPR’s user-friendly approach placing the onus on data controllers. Rights on paper are meaningless without clear, accessible procedures.
- The Ghost Board: Nearly two years post-enactment, the Data Protection Board still doesn’t exist. Grievance mechanisms, consent manager frameworks, rules for child data – all remain in limbo. The law is effectively inert.
- Limited Deletion Rights (Section 17(4)): Individuals cannot request deletion of personal data processed by the government for subsidies, licenses, etc. While GDPR allows erasure exceptions, they require strict “necessary and proportionate” justification. The DPDPA’s broad, unconditional carve-out significantly diminishes user control over government-held data.
India’s Path Forward: Building Trust Through Tangible Action
The DPDPA is a landmark, born from India’s unique socio-economic context. It doesn’t need to be a GDPR clone. However, global data flows demand global trust, built on demonstrable safeguards and independent oversight.
The EDPS decision is a wake-up call, not about the law’s intent, but about its execution. The current “regulatory vacuum” makes it impossible for partners like the EU to assess the DPDPA’s real-world effectiveness.
To transform ambition into adequacy, India must:
- Operationalize Urgently: Notify comprehensive Rules immediately and establish the Data Protection Board as a truly functional, independent entity. Transparency in appointments and processes is non-negotiable.
- Clarify Safeguards: Address concerns around government exemptions by introducing, even through Rules or guidelines, clear necessity/proportionality tests and independent review mechanisms for state data access.
- Empower Users: Ensure the Rules for exercising data rights are practical, accessible, and place reasonable burdens on data fiduciaries, not individuals.
- Demonstrate Enforcement: The DPBI must quickly establish a track record of impartial, robust enforcement to build domestic and international credibility.
The Bottom Line: India’s digital future is bright, but its role as a trusted global data hub hinges on bridging the chasm between the DPDPA’s promise and its current reality. The world isn’t waiting. Building trust requires moving decisively from legislative intent to demonstrable, accountable action. The adequacy India seeks won’t be granted; it must be earned through concrete implementation and proven safeguards. The clock is ticking.