Analysing The Annex 3E Data Protection And Processing Of Personal Information Under The India-UK CETA

On July 24, 2025, India and the UK entered into an international agreement, the “Comprehensive Economic and Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and India”, commonly referred to as the India-UK CETA. One of the significant aspects of this Agreement is the recognition of the importance of Privacy and Data Protection. For this, a comprehensive Annex has been put in place, namely Annex 3E (Data Protection and Processing of Personal Information).

As per Chapter 3 (Rules of Origin) of the Agreement and specifically Article 3.16 Basis of a Claim for Preferential Tariff Treatment and Annex 3D (Framework for the Authentication Process of Origin Declarations), this Annex 3E is to be signed by the Parties with modifications to enable India to establish the authenticity of an origin declaration prior to an Indian importer making a claim for preferential tariff treatment. This will be applicable to personal data processed by the Parties or shared between them pursuant to this authentication process.

This Annex also recognises the terms used in the Digital Personal Data Protection Act, 2023, with respect to Data Fiduciary and Data Principal, amongst others.

Scope of the Annex

This Annex applies to the transfer of personal data between the customs authorities of the Parties for general processing. In accordance with Annex 3D (Framework for the Authentication Process of Origin Declarations), the scope of personal data covered is limited to data necessary as part of any transfer of information, such as the following:

  • unique reference numbers,
  • registered email addresses of exporters and producers,
  • and other information as agreed by the Parties.

It does not apply to the origin declaration as Proof of Origin.

Provisions of the Annex

The Annex follows the mandates of the UK General Data Protection Regulation (GDPR), dealing with the principles of legal processing, Data Subject rights and Disclosure and Transfer requirements. Some specific provisions of the Annex are as follows:

  1. Purpose and Use Limitation

The transfer of personal data shall be strictly limited to the specified purpose of verifying the authenticity of an origin declaration. It must be ensured that no processing of the personal data occurs for any purposes that are incompatible with this original intent. Furthermore, the handling of relevant personal data must not be used for any purpose beyond those clearly outlined in the Agreement.

  2. Data Accuracy & Minimisation

Under the provisions of the UK GDPR, it is imperative that any Personal Data collected is not only adequate and relevant but also strictly limited to what is necessary for the specific purpose for which it is being processed. Furthermore, the accuracy of Personal Data is crucial; organisations must implement procedures to guarantee that the data remains up-to-date and correct at all times. To achieve this, reasonable steps must be taken promptly to address any inaccuracies. This includes erasing or correcting data and ensuring that such corrections are carried out in a timely manner, considering the significance of the data’s accuracy in relation to its intended processing purpose.

  3. Storage Limitation

As per the Annex, personal data must not be retained for a period exceeding what is necessary and deemed appropriate for the specific purpose for which it was processed. This includes considerations for the duration of any administrative, quasi-judicial, or judicial proceedings that may arise from non-compliance with applicable laws and regulations. To safeguard adherence to this requirement, appropriate technical and organisational measures must be put in place.

  4. Security of Processing

Appropriate technical and organisational measures must be implemented to ensure the security of personal data, including protection against accidental or unlawful destruction, loss, or alteration, as well as protection against unauthorised disclosure or access. In the event of a personal data breach, notification must be made as soon as possible, but no later than 24 hours from the time of discovery and may include restrictions on the further transmission of the personal data.

A delay may be allowed when there is a danger to the security of the Party or any form of public security operation. Reasonable and appropriate measures will be required to remedy the personal data breach, including those to minimise and mitigate possible adverse effects and prevent such a breach from occurring again. Details of the breach, such as its documentation, reporting, investigation and records, must also be kept.

  5. Transparency & Notice Requirements

A notice must be made available to Data Subjects, describing in a clear and accessible manner how personal data under this Annex may be processed. Such notice must include the following details:

  1. information on the purposes of processing,
  2. rights available to data subjects and procedures to exercise them,
  3. relevant safeguards, and
  4. any limitations or conditions applicable to such processing.

Further, the notice must be published on an official government website and remain accessible to data subjects, along with a copy of this Annex.

  6. Data Subject Rights

In line with the UK GDPR, the Data Subject has the following rights:

  1. Access
  2. Rectification
  3. Automated Decision
  4. Restrictions

The Annex provides a time limit of 30 days to deal with a Data Subject’s rights for Access and Rectification, extendable up to 60 days for the Right of Access.

Onward Disclosure and Transfer

The Data may only be disclosed and transferred to other national customs enforcement, regulatory or administrative authorities if it is disclosed and transferred for the purpose specified and the recipient authority undertakes to comply with the safeguards set out in this Annex.

Redressal

  1. Administrative: The Data Subject is entitled to administrative redressal of a complaint for Access and Rectification requests. Each Party shall have a designated authority or person, referred to as a Reviewer, who must respond to the complaint within 30 days, with an extension of up to 45 days in exceptional cases.

  2. Judicial: Data Subjects have the right to judicial redress against that Party following that Party’s domestic appeal and dispute resolution process as part of the data protection laws and regulations, as appropriate.

Suspension

The Annex sets out a series of provisions dealing with its suspension. Where there is a serious or systematic failure to comply with the obligations, and the transferring Party has sufficient evidence to prove such material breach, the transferring Party can suspend the transfer of personal data. This must be done by way of a written notification. The suspension will be in effect for 20 days from the date of notification, unless the breach is of a nature that requires immediate suspension. Immediate suspension is for incidents that compromise the integrity of the system or personal data.

Conclusion

While the Annex must be read in conjunction with the principles enshrined in the India-UK CETA, it represents a significant step toward establishing a more compliant regulatory regime for the transfer of personal data between India and the United Kingdom. By harmonising data transfer practices, this initiative could bring India closer to achieving recognition as an “adequate country” by the UK, acknowledging that India provides sufficient safeguards for personal data protection comparable to those in the UK, thereby enhancing mutual trust. Although this recognition may not extend to the European Union at this stage, the progress made through the Annex could serve as a foundation for future negotiations with EU regulators, further strengthening India’s place in the global digital economy.

Authors: Srinjoy Banerjee and Shivi Gupta

First Published by: Mondaq