Data Privacy in the Digital Age: Analysing India’s Legal Framework under the Digital Personal Data Protection Act, 2023

Author: Iasha, a student

College: Janhit College of Law

To the point

In an era where personal data has become the new currency of India's digital economy, the privacy of the individual has become the most pressing legal challenge of our time. India, home to 900 million internet users, long operated without any dedicated data protection statute; Section 43A of the Information Technology Act, 2000 is a legal provision that made companies financially liable where they were careless with your most private digital data.

The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first complete and modern law to protect your personal data. Before this Act, India had only a weak data protection law in Section 43A of the IT Act, 2000. This article examines the DPDPA’s architecture, its interplay with existing cyber law provisions, the judicial precedents that helped shape the enactment, and the critical gaps that remain unaddressed.

Use of Legal Jargon

Personal data: any data about an individual who is identifiable by or in relation to such data; the foundational subject matter of the DPDPA, 2023.

Data principal: the individual to whom personal data relates; recognised under the DPDPA as the bearer of enforceable rights over their own data.

Data processor: an entity that processes personal data on behalf of and under the instructions of a data fiduciary.

Consent: under Section 6 of the DPDPA, valid consent must be free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative act.

Data localisation: the legal requirement that personal data of citizens be stored and processed within the territorial boundaries of the country.

Abstract

The Digital Personal Data Protection Act, 2023 represents India’s most ambitious attempt to regulate the digital data ecosystem.

Passed after nearly a decade of deliberation, multiple failed draft bills, and a landmark Supreme Court judgment affirming privacy as a fundamental right, the DPDPA established a rights-based framework centred on individual consent, accountability, and institutional enforcement through a newly constituted Data Protection Board of India. This article presents a comprehensive legal analysis of the DPDPA, 2023 against the backdrop of comparative frameworks, judicial precedent, and India’s evolving cybersecurity landscape.

Relevant laws / Statutory provisions

  1. Digital Personal Data Protection Act, 2023

Section 4- Grounds for processing personal data

Personal data may be processed only for a lawful purpose, either with the consent of the data principal or for certain legitimate uses specified under Section 7.

Section 6- Consent  

Consent must be:

  • Free, specific, informed, unconditional, and unambiguous;
  • Expressed through a clear affirmative act;
  • Limited to the specified purpose;
  • Withdrawable at any time.

Section 7 - Deemed consent

Processing without consent is permissible in enumerated circumstances including: performance of a state function, compliance with a legal obligation, medical emergency, employment purposes, and public interest. Critics have noted that this list is broad and insufficiently bounded, creating potential for misuse.

Section 8 - Obligations of data fiduciaries

Data fiduciaries must:

  • Process data only for the stated purpose;
  • Ensure completeness, accuracy, and consistency of data;
  • Implement appropriate technical and organisational measures.

Section 11-13: Rights of data principals

The DPDPA confers the following enforceable rights:

  • Section 11: Right to access information about personal data being processed;
  • Section 12: Right to correction, completion, updating and erasure of personal data;
  • Section 13: Right to grievance redressal;
  • Section 14: Right to nominate another individual to exercise rights in the event of death or incapacity.

Sections 27-30: Data Protection Board of India

The DPDPA establishes the Data Protection Board of India as the adjudicatory body for complaints and breach notifications. The Board has the power to impose penalties of up to:

  • Rs. 250 crore for breach of obligations relating to children’s data;
  • Rs. 200 crore for failure to notify a data breach;
  • Rs. 150 crore for non-fulfilment of additional obligations by Significant Data Fiduciaries (SDFs).

  2. Information Technology Act, 2000 - pre-existing framework

Section 43A - Compensation for failure to protect data

Imposed civil liability on body corporates handling “sensitive personal data” who failed to implement “reasonable security practices”. This was the primary data protection provision before the DPDPA and remains operative for matters not yet subsumed by the act.

Section 72A – Punishment for disclosure of information 

Criminalises the disclosure of personal information of another person without their consent and in breach of a lawful contract, with imprisonment up to 3 years.

IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Defined “sensitive personal data” to include passwords, financial information, biometric data, and health records, and mandated privacy policies and consent mechanisms for body corporates. 

  3. Constitutional foundation

Article 21- Right to life and personal liberty

As interpreted by the Supreme Court in K.S. Puttaswamy v. Union of India (2017), the right to privacy, including informational privacy, is an intrinsic component of Article 21. This constitutional grounding is the bedrock upon which the DPDPA’s legitimacy rests and against which its exemptions must be tested.

Case laws

  1. Justice K.S. Puttaswamy v. UOI, (2017) 10 SCC 1

The foundational judgment of Indian data privacy law. A nine-judge bench held that privacy is a fundamental right under Article 21. The court recognised informational privacy, the right of an individual to control personal information about themselves, as a distinct and protected dimension of privacy. The judgment directly compelled the legislative process that ultimately produced the DPDPA, 2023. The court held that any state interference with privacy must satisfy the triple test of legality, necessity, and proportionality, a standard against which the DPDPA’s broad government exemptions under Section 17 remain constitutionally vulnerable.

  2. Shreya Singhal v. Union of India, (2015) 5 SCC 1

The Supreme Court of India struck down Section 66A of the Information Technology Act, 2000. The provision, which criminalised sending “offensive” or “annoying” messages online, was declared unconstitutional as it violated the fundamental right to freedom of speech and expression.

  3. Karmanya Singh Sareen v. Union of India, (2017) - WhatsApp privacy case (Delhi HC)

The Delhi High Court examined WhatsApp’s 2016 privacy policy update, which proposed sharing user data with Facebook, and held that the right to privacy of citizens in the digital space is enforceable, directing the Government of India to frame a comprehensive data protection law. The case is significant as an early judicial recognition that platform-level data sharing agreements are subject to constitutional scrutiny.

  4. Vinit Kumar v. Central Bureau of Investigation, (2019) - Bombay HC

The Bombay High Court held that Call Data Records constitute personal information and that their interception without following due procedure under Section 5(2) of the Indian Telegraph Act is a violation of the right to privacy. This case established that metadata, not just content, attracts privacy protection, a principle directly relevant to the DPDPA’s scope of “personal data”.

Conclusion

The Digital Personal Data Protection Act, 2023 is a good step toward protecting people’s personal data in India, but it is not perfect. It gives people real rights over their data and sets up a system called the Data Protection Board to enforce those rights, which is a big improvement over the old, weak law (Section 43A). But there are four major problems:

1. Government exemption - Section 17 lets the government bypass the law, so it controls private companies but leaves state surveillance largely unchecked.

2. No clarity on cross-border data - the Act is silent on data localisation and what happens when Indian users’ data is processed in other countries.

3. Anonymised data not covered - data with identities removed is excluded from the law, even though it can often be re-identified using modern technology.

4. Board lacks independence - the Data Protection Board’s members are appointed and removable by the government, raising concerns about bias and lack of autonomy.

Until the rules under this law are properly notified and the Board actually starts functioning, ordinary citizens remain unsure about how well their data is protected.

FAQs

Q.1. When did the DPDPA,2023 come into force?

Ans. The act received presidential assent on 11 August 2023, but its operative provisions are yet to be fully notified. Enforcement will begin once the central government issues the rules and constitutes the data protection board.

Q.2. Does the DPDPA apply to data processed outside India?

Ans. Yes, Section 3 gives the Act extraterritorial application: it applies to the processing of digital personal data of Indian citizens even when such processing occurs outside India, if it is in connection with offering goods or services to data principals in India.
