含羞草社区

As the global regulatory environment becomes increasingly concerned with sustainability and digital governance, the European Union’s battery law, , is a landmark framework directing how batteries are produced, tracked and disposed of. Its environmental and supply chain obligations are far-reaching, but what is often overlooked is the role of data privacy laws in effecting compliance. These are specifically the EU’s General Data Protection Regulation (GDPR) and 含羞草社区 Digital Personal Data Protection Act, 2023 (DPDPA).

Privacy laws matter because, even though the EU battery regulation does not explicitly compel the storage of personal data, it does require all industrial and electric vehicle (EV) batteries to incorporate a digital battery passport which stores extensive data relating to the battery’s composition, sourcing, usage, performance, carbon footprint and end-of-life history. Although this information is mainly technical in nature, personal data may be captured when identifiable entities, such as small-scale manufacturers, suppliers or technicians are included in the passport or backend systems. Geolocation data collected for tracking battery usage or recycling may also become personal data if linked to individuals. Batteries communicating with consumer-facing devices, such as EVs and smartphones, enable indirect identification through app or vehicle integration as well.

Thus, even if battery data appears to be non-personal, it may still fall under the GDPR. This is relevant for Indian exporters or service providers managing battery data that integrates with EU platforms or apps as they may unwittingly become data processors or controllers under the GDPR.

The GDPR provides that personal data cannot be transferred from the EU to a country outside the European Economic Area unless it provides an “adequate level of protection”. India is not currently included in this category. As a result, Indian businesses working with batteries that incorporate digital passports in the EU are considered recipients of personal data from the EU. They must therefore rely on alternative safeguards. These are usually standard contractual clauses, binding corporate rules or specific derogations. Following the by the European Court of Justice in the Schrems II case, businesses must also conduct transfer impact assessments to evaluate the legal environment in the destination country, in this case, India.

Although the DPDPA does not impose adequacy requirements or list approved nations as does the GDPR, it does require businesses to implement safeguards. This is a compliance challenge for Indian exporters. A battery embedded with a digital passport sold into the EU must align the underlying data with both, the GDPR and the DPDPA. Although both these laws are based on similar principles of consent, transparency and data minimisation, their application in industrial use cases such as battery rules is novel, imposing increased compliance obligations. As a result, an Indian battery exporter may have to carry out a number of practical steps to achieve compliance. This includes conducting a data protection impact assessment before integrating digital passport systems; drafting contracts with EU partners incorporating data responsibilities; maintaining separate compliance logs for DPDPA and GDPR audits, and engaging consent managers or data protection officers to oversee data handling.

As sustainability and privacy converge, battery manufacturers, EV suppliers and electronics exporters must establish integrated compliance programmes that incorporate environmental and data governance. Investing in privacy-by-design architecture, interoperable cloud storage and ESG-compliant supply chain documentation is crucial.

Indian companies can seize this strategic opportunity by embracing dual compliance with the GDPR and the DPDPA. They can position themselves as trusted suppliers to the EU, gain first-mover advantage in ESG-conscious markets and build digital capabilities to serve future wider initiatives.

Thus, while the EU battery regulation may have been adopted to regulate environmental concerns, but it is built on data, including personal data. It therefore engages with privacy law. As the GDPR and the DPDPA increasingly intersect in their application, Indian companies must recognise that their exposure is no longer limited to tariffs or recycling requirements. They must also comply with evolving data governance and international privacy regulations.

Ashima Obhan is a senior partner and Arzu Chimni is a managing associate at Obhan and Associates