Balancing Rights and Regulations: A Critical Analysis of the DPDP Act, 2023

Author: Swastika Dauthal, a student of ILS Law College, Pune

To the Point
In an increasingly digital world, personal data has become one of the most valuable assets, shaping how businesses operate, governments function, and individuals interact. With the rapid growth of internet usage, smartphones, and artificial intelligence in India, concerns around data privacy and protection have come to the forefront. To address these concerns, the Indian government enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), marking a major step in the country’s journey toward establishing a comprehensive data protection regime.
The Digital Personal Data Protection Act, 2023 is India’s first full-fledged law designed to protect people’s digital personal data. It was enacted to ensure that individuals have control over their personal information, especially in today’s digital world where data is constantly collected and used. This legislation was introduced almost six years after the Supreme Court’s landmark 2017 judgment in the K.S. Puttaswamy case, which recognized the right to privacy as a fundamental right guaranteed under Article 21 of the Indian Constitution. The DPDP Act is influenced by international laws like the European Union’s GDPR and provides a legal structure for how digital personal data should be collected, stored, and processed in India.
The Act applies to digital personal data collected in India or outside the country if it relates to offering goods or services to people in India. It covers data that is collected online or converted into digital form later. However, it does not apply to data used only for personal or domestic purposes or to data that the individual has made public or is required to be made public under a law.
Under the Act, organizations can only use someone’s personal data after getting their clear and informed consent. This consent may be revoked by the individual at any point in time. If the person is a child (defined as anyone under 18) or someone with a disability, the consent must come from a parent or legal guardian. However, consent is not required in certain situations like government services, emergencies, or legal matters.
The Act gives individuals (called Data Principals) several rights. They can access details about their data, ask for corrections or deletion, and file complaints. They can also nominate someone to manage their data if they become disabled or pass away. However, individuals must not misuse these rights or provide false information; doing so may lead to a fine of up to ₹10,000.
Organizations (called Data Fiduciaries) that handle personal data have certain responsibilities. They must keep data accurate, protect it with security measures, and inform the authorities and affected individuals if there is a data breach. Once the purpose of data collection is over, and the data is no longer legally needed, it must be deleted.
The government can also label some organizations as Significant Data Fiduciaries (SDFs) based on the amount or sensitivity of the data they handle. These organizations must take extra steps, like appointing a Data Protection Officer, hiring an independent data auditor, and doing regular risk assessments to ensure they are not harming people’s rights or national interests.
There are certain exemptions under this Act. These include situations involving government agencies working for national security, law enforcement, court or tribunal duties, research, statistics, archiving, and cases involving the processing of foreign data inside India under contracts. Some start-ups and specially notified groups may also get limited exemptions.
The Act sets up the Data Protection Board of India (DPBI) to monitor its enforcement and ensure adherence to its provisions. This Board will handle complaints, monitor compliance, respond to data breaches, and impose penalties when needed. People can appeal DPBI’s decisions to the Telecom Disputes Settlement and Appellate Tribunal.
This Act gives people greater control over their information, puts strict duties on those who use this data, and establishes a legal system to resolve privacy issues. While the Act is a significant achievement, its actual success will depend on how well it is implemented and whether it addresses concerns about government exemptions, transparency, and accountability.

Use of Legal Jargon
Data Principals: A Data Principal is the person whose personal information is being collected, stored, or used by someone else. Adults (18 years and above) are their own Data Principals. For children (under 18 years) and persons with disabilities who need help managing their affairs, the parent or legal guardian acts as the Data Principal on their behalf.
Data Fiduciaries: A Data Fiduciary is any person, company, government body, or organization that collects, stores, or processes the personal data of individuals (called Data Principals).

The Criticisms
1. Too Much Power to the Government:
The Act gives the central government many exemptions, allowing it to collect and use personal data without restrictions in the name of national security, public order, or other reasons. This could lead to violations of privacy and misuse of personal data, especially since there’s no clear limit on how the government can use the data.
2. Missing Key Data Rights:
The Act leaves out some important rights that are part of global laws like the EU’s GDPR. For example, there’s no right to data portability (which allows people to move their data from one platform to another easily).
3. Unrestricted Cross-Border Data Transfers:
The Act allows flow of personal data to foreign countries, with the government deciding which countries are restricted. This can raise concerns about data security and national data sovereignty, since Indian citizens’ data could be sent to countries without strong privacy protections.
4. No Clear Protection Against Harms:
The law does not directly talk about how to protect people from data-related harms like identity theft, financial fraud, or discrimination. This leaves people more vulnerable if their personal data is misused.
5. Limited Scope of the Act:
The Act only applies to digital personal data. So, if someone collects your data offline and later digitizes it, they might find ways around the law. In contrast, the GDPR covers all forms of personal data, including those on paper or in video recordings. Also, the DPDP Act does not protect data that has been made public, but it is unclear whether such public data can still be used freely.
6. No Classification of Sensitive Data:
Unlike earlier drafts of the law and global standards, this Act does not separate “sensitive personal data” (like health, religion, or sexual orientation) from regular data. Sensitive data usually requires extra protection and stronger consent, but the DPDP Act treats all data the same.
7. Wide Government Discretion to Give Exemptions:
The government can exempt certain companies, including start-ups, from following key parts of the Act, without explaining why. It also has the power to delay applying the law for five years for any group it chooses. There are no clear rules or limits on how these exemptions will be given.
8. Weak Enforcement Body:
Instead of an independent regulator (like the Data Protection Authority proposed in earlier drafts), the Act sets up a Data Protection Board (DPB). But this board is appointed and controlled by the government, and members serve for only two years, which may affect their independence and fairness. Unlike the earlier proposed authority, the board also lacks the power to make regulations.
9. No Criminal Punishment:
If someone breaks the rules of the Act, they will only face a monetary penalty (fine). There is no criminal punishment, even for serious data breaches. Earlier drafts had stricter consequences, including criminal offences for some violations.
10. No Compensation for Victims:
The Act does not provide compensation to individuals whose data has been misused or leaked. This is a big issue, especially since the law repeals Section 43A of the IT Act, which earlier allowed people to claim compensation for data breaches.
11. Weakens the Right to Information (RTI) Act:
The Act amends the RTI Act, 2005, making it harder to access personal data of public officials through RTI requests. Earlier, if data was in the larger public interest, it could be accessed—even if it was personal. The DPDP Act removes this safeguard, which could reduce transparency and weaken citizens’ rights to hold public authorities accountable.

While the DPDP Act is a positive first step towards protecting digital privacy in India, it has many weaknesses. These include broad government powers, missing protections, a lack of strong enforcement, and weakened transparency laws. Experts suggest that the law needs stronger safeguards, clearer rules, and more independence to truly protect people’s data rights.

Abstract
The Digital Personal Data Protection Act, 2023 serves as India’s first all-encompassing legislation dedicated to safeguarding personal data in the digital era. Enacted after the Supreme Court recognized privacy as a fundamental right, the Act outlines rules for data collection, consent, individual rights, and the responsibilities of data fiduciaries. While it marks a significant step forward, concerns remain about excessive government exemptions, lack of safeguards for sensitive data, and weakened transparency.

Case Laws
AK Gopalan Case (1950): The Supreme Court dismissed the contention that the right to privacy was protected under the Constitution.
Kharak Singh Case (1962): This case marked the first time the Supreme Court extended relief referencing the right to privacy, although it stopped short of officially declaring it a fundamental right.
Justice K.S. Puttaswamy (Retd.) vs Union of India (2017): In a landmark ruling, the Supreme Court unanimously declared the right to privacy as a fundamental right embedded within the right to life and personal liberty under Article 21 of the Constitution.

Conclusion
The Digital Personal Data Protection Act, 2023 marks a significant milestone in establishing a legal structure for ensuring privacy and safeguarding personal data in India. It introduces much-needed accountability for data fiduciaries and grants individuals certain rights over their personal data. However, the Act also leaves several critical issues unaddressed, such as the lack of protection for sensitive data, broad government exemptions, absence of criminal liability, and the weakening of transparency under the RTI Act. For the DPDP Act to truly uphold the constitutional right to privacy and ensure trust in India’s digital ecosystem, further refinements are essential. Strengthening regulatory independence, ensuring clarity in implementation, and prioritizing individual rights will be key to making the Act a more robust and balanced data protection law.

Frequently Asked Questions (FAQs)
What is informational privacy?
It’s your right to decide how companies and governments collect, use, and share your personal data, which can be anything from your name and address to your online habits, health details, or relationship status.
Why does it matter in India today?
As more services move online and smart devices track everything we do, we leave “digital footprints.” All those footprints become “big data,” which can reveal a lot about us, like our income, culture, health, loves, and more. But if that data isn’t kept safe, people can face hacking, identity theft, or other scams.
How does the Act deal with privacy and data use?
It lays out who requires permission to collect data, how they must protect it, and what they can do with it.
What safeguards does it build in?
It requires clear consent, secure storage, limits on sharing, and penalties for breaches.
How are individual rights balanced with state security?
The Act lets the government access data for national safety, but also says individuals have the right to see what data is held about them and to correct or delete it.
Does it bind only the government or also private firms?
It applies to any organization, whether public or private, that processes your data.