Excerpt from Moneycontrol Article – Published on Aug 22, 2023

The European Commission, the executive arm of the European Union (EU) responsible for enforcing its laws, is currently examining India’s Digital Personal Data Protection (DPDP) Act in light of concerns regarding data privacy. This assessment comes in response to queries from Moneycontrol about the potential impact of the DPDP Act on data transfers from the EU to India.

Under the EU’s General Data Protection Regulation (GDPR), the transfer of personal data belonging to EU citizens is permitted only to countries that offer an adequate level of data protection. This requirement mandates that the recipient country, in this case India, must possess data protection laws equivalent to the standards set by the GDPR. However, experts highlight certain provisions of the DPDP Act, such as government exemptions and its authority to request information, that could hinder the assessment of equivalence.

A spokesperson from the European Commission stated, “We take note of the adoption of the law, and we are analyzing it.” The commission’s involvement encompassed participation in various events and consultations during the legislative formulation of the DPDP Act.

The DPDP Act was recently enacted into law in August, receiving approval from President Droupadi Murmu following its passage through both houses of the Indian Parliament, despite protests over specific provisions. Critics, including opposition MPs, civil society groups, and rights advocates, contend that certain aspects of the law violate the Right to Privacy, potentially facilitate surveillance, and curtail press freedom. Some are even contemplating legal challenges against the law.

Interestingly, Ireland’s Data Protection Commission, which recently imposed a $1.3 billion fine on Meta for an issue related to the transfer of EU user data to the United States, has welcomed India’s DPDP Act. Ireland, like other EU nations, adheres to the GDPR’s jurisdiction. A spokesperson from Ireland’s DPC remarked that the new legislation augments data protection standards.

Conversely, the Organization for Economic Co-operation and Development (OECD), which adopted a declaration on government access to data held by private sector entities, declined to comment on the matter. Similarly, Brazil’s data privacy commission refrained from offering a statement.

To delve deeper into this topic, please read the full article on Moneycontrol.