On 30 April 2026, Ireland's Data Protection Commission (DPC) notified Infinite Styles Services Co. Ltd. — the Dublin-headquartered EU entity of fast-fashion giant SHEIN — that it was the subject of a statutory inquiry under section 110 of the Data Protection Act 2018. The probe, announced publicly on 5 May, examines SHEIN's transfers of EU/EEA users' personal data to China against GDPR Chapter V (third-country transfers), Article 5 (processing principles) and Article 13 (transparency). It is the DPC's first privacy inquiry into SHEIN since the company set up in Dublin in 2023, and it lands exactly one year after the regulator's landmark TikTok decision.
The pattern is unmistakable. The EU is hardening into a posture where transfers to China are treated as presumptively suspect. For India — which finalised the opposite architecture in its Digital Personal Data Protection (DPDP) Rules in November 2025 — the SHEIN inquiry is a useful natural experiment in two philosophies of cross-border data governance. India should resist the pull toward Europe's model.
The case Europe is making
It would be a mistake to dismiss the DPC's concern as protectionism. The strongest version of the regulator's argument is concrete, not hypothetical. In its TikTok decision of 2 May 2025, the DPC fined the company €530 million — €485 million for breaching Article 46(1) and €45 million for an Article 13 transparency failure — after finding that TikTok could not demonstrate that Standard Contractual Clauses and supplementary measures gave EEA data a level of protection "essentially equivalent" to the EU's, given Chinese surveillance and counter-espionage laws that compel disclosure to state authorities.
"When an individual's personal data is transferred to a country outside the EU, the GDPR requires that this personal data is afforded essentially the same protections as it would within the EU." — Deputy Commissioner Graham Doyle, on the SHEIN inquiry
Crucially, the TikTok case was not abstract. In April 2025, TikTok admitted to the DPC that limited EEA user data had in fact been stored on servers in China — contradicting its own evidence to the inquiry. When a legal regime in the destination country can override a contract, the contract is not a real safeguard. That is a serious, legitimate point, and any honest analysis has to start there.
Why India's design is still better
Where India diverges is in how it manages that risk. Section 16 of the DPDP Act 2023, operationalised by Rule 15 of the 2025 Rules, adopts a "negative list" approach: personal data "may be transferred outside the territory of India" by default, subject only to such requirements as the Central Government may specify by "general or special order" for particular states or entities. As of mid-2026, no restricted-country list has been notified. The baseline is open; restriction is the exception that must be actively invoked.
This is the right default. The EU's model inverts the burden: every transfer to a non-adequate country is presumptively unlawful unless the exporter can affirmatively prove equivalence — a standard that, post-Schrems II, has proven nearly impossible to meet for any jurisdiction with broad state-access laws. The result is the regulatory equivalent of strict liability, dressed up as a case-by-case assessment. It generates enormous compliance cost, freezes commercially ordinary transfers, and — as the Information Technology and Innovation Foundation noted in June 2025 — offers exporters no workable adequacy, binding-corporate-rules, or SCC pathway in India's framework either, but at least India does not start from a presumption of illegality.
A permissive baseline is not the same as no protection. It means the government targets specific, evidenced risks — a named state, a named entity — rather than imposing a blanket equivalence test on every flow to every destination. That is more honest about where the real risk lies (state compulsion in specific jurisdictions) and less destructive of the routine cross-border processing that underpins India's $250-billion IT-services economy.
The localisation trap India must avoid
The threat to India's model is internal. Rule 12 obliges Significant Data Fiduciaries — large platforms — to implement measures preventing transfer of government-specified personal data and traffic data outside India. This reintroduces, through the back door, the hard data-localisation mandate that earlier DPDP drafts had wisely abandoned. The danger is that the open negative-list default quietly becomes a localisation regime for exactly the largest, most economically significant operators.
The SHEIN inquiry should clarify the choice. The EU is demonstrating that a presumption-against-transfer regime, even backed by half-billion-euro fines, does not actually stop data reaching China — TikTok's own servers proved that — it just imposes friction on everyone. India can achieve the legitimate sovereignty goal more surgically: a transparent, criteria-based negative list invoked against demonstrated risks, with due-process protections against arbitrary designation, rather than mandatory localisation or a blanket equivalence test.
The ₹250-crore-per-breach penalties already give the regulator teeth. What India needs is restraint in how those teeth are bared. Proportionate regulation means matching the intervention to the evidenced harm — not, as Europe increasingly does, treating an entire destination country as radioactive. India got the architecture right in 2023. The job now is to keep it that way.