Author: Kartik Madhu,Presidency University, Bangalore
TO THE POINT
In 2017, the Supreme Court delivered a historic ruling affirming that privacy is a fundamental right under the Constitution. At the same time, the Court pointed out the absence of a dedicated legal framework to safeguard digital privacy in India, highlighting the need for comprehensive regulation in the face of growing technological challenges. The Court also noted that India lacked a proper legal framework to regulate privacy in the digital age, leaving personal data vulnerable in an increasingly connected world. Following this, in 2023, the Digital Personal Data Protection Act, 2023 (DPDPA), India’s first comprehensive data and privacy protection legislation, was enacted. The legislation attempts to regulate data processing by both private and government entities; however, the broad powers granted to government enforcement agencies to monitor the digital landscape may run contrary to the ideals of privacy as a right. The act attempts to maintain this delicate balance between necessary observation and privacy.
INTRODUCTION
Humans are perhaps the only creatures on this planet that feel the requirement of privacy; even then, the need for privacy is relatively new in human society. The right to privacy was required as a fundamental right relatively late in 2017 through the landmark judgment given in the case of Justice K.S. Puttaswamy v. Union of India. With the rapidly developing technology and the increasing amount of information that is made available on the internet, the need for privacy has increased more than ever before. In the digital sense, privacy refers to the control over personal information. This means that a person should have control over their personal information, such as addresses, credit details, and any other digital footprints, and that they shall be the ones to determine who has access to such information. The violation of a person’s digital privacy can have more serious consequences than just embarrassing secrets becoming public. It can lead to identity theft, where the victim’s identity is used without their knowledge to conduct a slew of activities without their knowledge, such as issuing credit or doing illegal online activities, which can be framed on the victim’s identity. Thus, the importance of privacy laws in India cannot be understated.
USE OF LEGAL JARGON
Privacy, at its most basic, means letting every person have a personal space that cannot be violated. But a person’s freedom is also shaped by how they interact with society. These relationships often bring up questions about how much autonomy and choice a person really has. Both the government and private entities have a big role in regulating parts of life that affect individual freedom. Protecting constitutional liberty is an ongoing effort. We have to solve the problems we already face while also dealing with new ones by understanding how liberty fits into our social structure.
The act does not expressly define the term “privacy”; however, the act does define terms such as “data” and “digital personal data.” The act also defines what may constitute a breach of such data. The act defines entities acting as custodians of personal data as “data fiduciaries,” and such persons whose data is kept in custody of the fiduciary as “data principal”
THE PROOF
The act applies to the processing of digital personal data within the country. The act provides a broad definition of “data” and “digital personal data.” The act covers data processing both by civil and government entities. The act mandates that the data shall only be processed in a lawful manner and for lawful purposes only with the fully informed consent of the person whose data is being processed. The act mandates that any entity acting as a custodian of personal data shall implement reasonable safeguards and maintain transparency. The act empowers the data principals with the following rights:
The right to obtain information about processing.
The individual retains the right to seek rectification of inaccurate personal data and to request the erasure of data that is no longer necessary or unlawfully retained.
The right to nominate a person to exercise rights in the event of death or incapacity.
The act permits cross-border data transfers to countries notified by the central government. The act facilitates international data transfers. The Data Protection Board of India is an independent adjudicatory body tasked with monitoring compliance and adjudicating complaints, established under the act. However, despite all these provisions aimed at regulating the digital privacy of Indian citizens, there are challenges faced by the act, such as state surveillance and exemptions, dilution of data fiduciaries’ accountability, digital literacy, and informed consent. In addition to the fact that enforcement of the provisions under the act is challenging due to the large amounts of data and the presence of a large number of data fiduciaries within the system.
CASE LAWS
1 Justice K.S. Puttaswamy (Retd.) v. Union of India
Relevance: The Supreme Court held that the right to privacy was an intrinsic part of the right to life and personal liberty under Article 21 of the Indian constitution. The Supreme Court also acknowledged the lack of a comprehensive legal framework on behalf of the Indian government towards protecting the digital privacy of Indian citizens.
2. Tathagata Satapathy vs. HDFC Bank Ltd., Mumbai and Ors. (MANU/OR/0336/2025)
This case in the Orissa High Court, while reiterating the Puttuswamy judgment, acknowledges that the right to privacy, while a fundamental right, is not absolute; the interests of the state take priority over the interests of the individual, and, like all other rights, the right to privacy can be subverted through procedure established by law.
3. Karthick Theodore Versus Registrar General, Madras High Court, Chennai and Others [2024]
In this case, the Madras High Court emphasized that the right to privacy included the right to remove or destroy any personal information present on a digital platform, that a person shall be able to be “forgotten” in the sense that he/she may erase his personal information from any particular platform at will.
CONCLUSION
The Digital Personal Data Protection Act, 2023, represents a significant and long-awaited legislative step in India’s journey toward recognizing and safeguarding the right to informational privacy. By codifying rights of data principals and imposing obligations on data fiduciaries, the Act seeks to strike a delicate balance between individual autonomy and the legitimate interests of the State and private entities. However, as the jurisprudence in Puttaswamy and subsequent cases underscores, the right to privacy, though fundamental, is not absolute and is subject to reasonable restrictions through procedures established by law.
The DPDPA must, therefore, be implemented with vigilance to ensure that the broad exemptions granted to state actors do not undermine the very constitutional liberty it aspires to protect. Effective institutional mechanisms increased digital literacy, and independent oversight will be key to addressing challenges such as surveillance, accountability gaps, and consent fatigue. Ultimately, the preservation of privacy in India’s rapidly evolving digital society requires not just statutory safeguards but also a sustained constitutional commitment to protect individual dignity in the face of competing societal and technological pressures.
FAQs
What is the Digital Personal Data Protection Act, 2023?
The Digital Personal Data Protection Act, 2023, commonly referred to as the DPDPA, constitutes India’s first comprehensive legislative framework dedicated to the regulation and protection of personal data in the digital sphere. Enacted against the backdrop of the Supreme Court’s jurisprudence in Justice K.S. Puttaswamy (Retd.) v. Union of India, the statute seeks to harmonize the individual’s fundamental right to privacy with the legitimate objectives of data-driven innovation and governance. The Act delineates the permissible contours of data processing, establishes obligations for data fiduciaries, and confers enforceable rights upon data principals, thereby codifying the principles of accountability, informed consent, and proportionality into India’s data protection regime.
Who does the Act apply to?
The Act is of broad application, covering the processing of digital personal data within the territory of India by both private and public entities. Furthermore, its extraterritorial applicability extends to data processing undertaken outside India, where such processing involves profiling of individuals in India or offering goods or services to them. This expansive territorial reach reflects the legislature’s intention to subject all actors, regardless of their domicile, to the obligations imposed by the Act so long as their activities bear a nexus with the Indian digital ecosystem.
What rights does the act give to individuals?
The Act confers a bundle of rights upon individuals, referred to as data principals, which are designed to operationalize the autonomy inherent in informational self-determination. Among these rights are the right to access information concerning the processing of one’s data, the right to seek correction or erasure of inaccurate or unnecessary personal data, and the right to nominate a representative to exercise such rights in the event of death or incapacity. These statutory entitlements echo the constitutional promise of privacy and are essential for enabling data principals to retain meaningful control over their personal information in the face of pervasive digital surveillance and commodification.
Can the government access my personal data under this Act?
Although the Act purports to protect individual privacy, it does provide for circumstances under which the state may process personal data without the consent of the data principal. Such circumstances include considerations of sovereignty, public order, and national security. The legislature has vested the central government with considerable discretion in determining the scope of these exemptions. However, this has elicited considerable criticism for its potential to dilute the constitutional safeguards against arbitrary state surveillance, given the absence of robust oversight mechanisms to ensure proportionality and necessity in such intrusions.
