India EU Data Localization under the DPDP Act and Its Effect on Cross Border Data Agreements

Legal Framework of the DPDP Act

Implemented in 2023, the Digital Personal Data Protection Act creates a Data Protection Board to oversee compliance, places the Ministry of Electronics and Information Technology in charge of policy guidance, and grants individuals a set of rights while setting duties for organisations that process personal data.

Data Localization Provisions

Section 29 defines critical personal data as information whose loss or unauthorised exposure could threaten national security, public order or economic stability. The law requires that such data be kept on servers physically located inside India and that any processing abroad must first obtain approval from the government. Sensitive personal data does not have a strict storage rule, but it may be transferred only when the processor applies strong security measures and obtains clear consent from the individual.

EU Adequacy and Cross Border Mechanisms

The European Union judges third‑country regimes against its General Data Protection Regulation through adequacy decisions issued by the European Commission. When adequacy is lacking, transfers must rely on Standard Contractual Clauses or Binding Corporate Rules, both of which demand that the receiving jurisdiction provide protection that is essentially comparable to EU standards.

Negotiation Dynamics Between India and the EU

By 2025, officials from the European Commission and the Indian government have been discussing whether India can satisfy adequacy requirements. The EU has raised concerns that compulsory local storage of critical data could hinder the free flow of information and clash with GDPR principles of accountability and transparency. India argues that localisation protects national interests and that the permission process for overseas processing is meant to align with global expectations.

Potential Implications for Cross Border Data Flow Agreements

If India secures an adequacy decision, the Data Protection Board is likely to issue guidance on how the localisation rule fits within the EU’s "essential equivalence" test. This could result in sector specific solutions for finance, health, digital advertising and may involve carve outs or SCCs enriched with extra contractual protections. If adequacy is not granted, Indian companies will continue to use EU approved SCCs, but they will still need government permission for critical data, adding compliance steps, raising transaction costs and causing delays.

Compliance Landscape for Indian and EU Entities

Organizations in India that handle EU data may adopt dual storage models, keeping critical data on domestic servers while routing other personal data through EU based sub processors. EU firms planning to operate in India are expected to embed the permission request process into their data transfer impact assessments and may consult the Data Protection Board for clarification on obligations.

Conclusion

The localisation requirement embedded in the DPDP Act is shaping the dialogue on India‑EU data exchanges. While it reflects India’s desire to maintain control over strategic information, it also creates practical hurdles for meeting EU adequacy standards. The final outcome will hinge on how both regulators balance security concerns with the EU’s call for comparable data protection guarantees.