Abstract | Keywords | Export | Availability | Bookmark

Choose an application

• Reference Manager
• EndNote
• RefWorks (Direct export to RefWorks)

This study explores why the EU scrutinizes India’s approach towards cross-border data flows. India as of 2023, has no data protection law. Its government seeks to develop a data protection regime distinct from that of the EU, US or China. Generally, the EU limits cross-border data flows to countries that do not have data protection legislation deemed adequate in comparison to its own. Overall, the GDPR has inspired the content of data protection laws in countries around the world but few countries have GDPR adequate laws. Existing theories stop short of answering what motivates the EU’s efforts at exporting its rules. A theory on the EU’s regulatory export power, called regime vetting may be able to help answer such questions. This theory conveys that the EU vets the regulations of a country with the prospective to either restrict or widen access to the EU market. I proceed to empirically test regime vetting on the case of India. I build three hypotheses to answer why the EU uses regime vetting on India’s cross-border data flows regime: 1) protect - to prevent further regulatory divergence 2) promote – to promote its standards through relational tools due to a lack of regulatory leverage and 3) regulate – to find an agreement to facilitate cross-border data flows through relational tools. Three expert interviews were conducted and a podcast on data protection standards between the EU and India was transcribed for the analysis. Furthermore, the analysis was supplemented by official documents, mainly from the EU institutions and the Indian Government. The analysis yields that the EU practices regime vetting on India’s cross-border data flows regime in order to protect the safety offered by the GDPR within the EU in light of the unpredictability of India’s evolving data protection regime. The EU also promotes the GDPR through its foreign policy as it lacks regulatory leverage over India. It could not be confirmed that the EU wants to regulate in India through its relational engagement with the country. India seems intent on developing a data protection law that strikes a balance between that of the EU and the United States. Priorities for India seem to be national security and the facilitation of commerce. In the discussion, it is revealed that the EU’s use of assertive regime vetting on cross-border data flows differs in each country case. Countries who already have adequate laws can have their adequacy status reviewed and revoked. A country without an adequate law may have more leeway in deciding how it will deal with cross-border data flows. Moreover, it appears that, if the EU is not able to further restrict market access, that it has little leverage in promoting its standards. Since Indian companies can transfer data between companies located in the EU, through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), the EU is probably not in a position to restrict data transfers more. For that to happen, Indian companies and their European partners would have to start ignoring SCCs and BCRs. Regime vetting could be more useful in explaining what happens with countries that already have adequacy. Importantly, data protection standards around the world are influencing each other. Just as the EU is influencing India’s developing standards, India is influenced by American interests. The EU is not the sole regulator but one of many mutually influenceable actors.