Author: Radhika Menon, The Kerala Law Academy Law College, Trivandrum
Abstract
In the digital economy, personal data has become one of the most valuable resources. It is often taken, sold, and turned into profit without people’s informed consent. This situation, known as surveillance capitalism, has changed the relationship between technology users and service providers. Users are no longer just consumers; they have become the product. Tech giants increasingly rely on behavior data, often collected secretly or through misleading consent forms, to make money through targeted advertising, algorithmic manipulation, and predictive analytics. As a result, concerns about personal autonomy, data misuse, and privacy violations have increased significantly.
India responded to this growing crisis with the Digital Personal Data Protection Act, 2023 (DPDP Act). The Act aims to regulate how personal data is processed, ensure transparency and accountability among data handlers, and give individuals control over their personal information. While it is an important legislative step, the law has faced criticism for its weak enforcement, broad government exemptions, limited user rights, and unclear surveillance practices.
This article will evaluate whether the DPDP Act is enough to address the exploitative nature of surveillance capitalism in India. It will explore the theoretical aspects of data privacy, review the key provisions and weaknesses of the DPDP Act, and examine relevant case law and global practices. By highlighting the gap between the Act’s intentions and how it works in practice, the article aims to encourage a rethinking of how to truly protect privacy in a digital-first society.
To the Point
The digital revolution has led to a new economic model where data is the most valuable asset. Every click, search, scroll, or purchase online generates personal data, which tech companies systematically track, analyze, and profit from in a system known as surveillance capitalism. Harvard professor Shoshana Zuboff coined this term to describe an economic system focused on turning personal data into profit by predicting and manipulating behavior.
In this environment, individuals are not just users of digital platforms; they generate data without fully realizing how much of their digital activity is collected, stored, shared, and sold. This has serious implications for personal freedom, the health of democracy, and individual dignity, especially in India, which has over 850 million internet users and increasing digitization across both public and private sectors.
Some key features of the Act include:
Consent-based processing
Purpose limitation and data minimization
Right to information, correction, and grievance redressal
While the Act is a significant step in India’s journey toward data privacy, it has several gaps and weaknesses that weaken its effectiveness. One major concern is the broad exemption given to the State under unclear terms like “public interest” or “national security.” This could allow mass surveillance programs without enough oversight or judicial review. Additionally, the Data Protection Board lacks independence since its members are appointed by the central government, which raises fears of bias and inefficiency.
The Act also does not tackle the dominance of big tech companies and their ability to gather user data through complicated consent methods and unclear algorithms. In contrast, global frameworks like the European Union’s General Data Protection Regulation (GDPR) provide stronger protections. These include the right to data portability, the right to opt-out of automated decision-making, and hefty fines for not complying. The California Consumer Privacy Act (CCPA) similarly allows individuals to refuse their data being sold or used for profiling.
Ultimately, the DPDP Act raises an important question: is regulatory compliance enough to protect privacy rights in a time when surveillance is woven into the fabric of digital capitalism? The solution might not lie in making small changes to legal texts but in fundamentally changing the governance system to make data privacy a basic, enforceable, and user-focused right.
Use of Legal Jargon
Understanding key legal terms is important for grasping the legal and policy framework of data privacy. Here are some important terms related to the Digital Personal Data Protection Act, 2023 (DPDP Act) and the larger discussion on surveillance capitalism:
The Digital Personal Data Protection Act, 2023 introduces several important terms and legal concepts that are key to understanding its framework and impact. At the heart of the Act is the idea of a “data fiduciary,” which refers to any entity, whether private or public, that decides how personal data is processed. The person whose data is being processed is called the “data principal,” and they have several rights, including access, correction, erasure, and grievance redressal. To aid users in managing consent, the Act establishes a “consent manager,” a registered platform that helps individuals manage, grant, or withdraw consent in a clear and user-friendly way. Key principles of this system include purpose limitation, which requires that data be collected only for specific and lawful reasons, and data minimization, which ensures that only the minimum necessary data is processed.
In some cases, the Act allows data to be processed without consent under the legitimate use doctrine, such as for state functions, medical emergencies, or legal compliance. Personal data is broadly defined to include any information that can identify someone, such as names, addresses, contact details, or digital identifiers like IP addresses. While the DPDP Act does not clearly define sensitive personal data, global standards like the GDPR recognize health, biometrics, sexual orientation, political or religious beliefs, and financial data as sensitive, requiring stronger protections.
The Proof
Although the Digital Personal Data Protection Act, 2023 (DPDP Act) is an important step toward establishing a formal data protection system in India, this article argues that the Act is not enough to tackle the complex challenges brought on by surveillance capitalism. A closer look at the statute shows several critical flaws that undermine its ability to offer genuine and enforceable protections for personal privacy.
Firstly, the Act gives broad exemptions to the State under Section 17. This allows government bodies to process personal data without consent for reasons like “national security,” “public order,” and “sovereignty.” These terms are undefined, which gives the executive unchecked power. This contradicts the constitutional principles held in Justice K.S. Puttaswamy v. Union of India, where the Supreme Court stated that any limits on the right to privacy must meet the tests of legality, necessity, and proportionality. By permitting mass surveillance or indiscriminate data collection without proper supervision, the Act risks validating intrusive state actions and does not protect individuals’ rights to informational privacy.
Secondly, the Data Protection Board of India, meant to be the main enforcement authority under the Act, lacks institutional independence. Its members are chosen by the central government, and the procedures, powers, and terms of service are to be set by future rules created by the executive. This undermines the Board’s independence and raises concerns about political influence, making it unlikely to act as a strong and unbiased regulator, especially when large companies or government agencies are involved.
Thirdly, the Act does not sufficiently empower users. In the realm of surveillance capitalism, where data is often processed using algorithms to predict and influence user behaviour, lacking these rights leaves individuals at significant risk of manipulation and exploitation without real recourse. However, studies, including a 2022 report by the Internet Freedom Foundation, show that most Indian users do not read or fully grasp these policies. In today’s digital world, where consent is often bundled, coerced, or ignored, simple formal consent offers inadequate protection. This structural issue is especially harmful in a country with low digital literacy and limited consumer awareness.
Case Laws
Judicial decisions in India have significantly influenced the development of the right to privacy, especially given the lack of a strong legal framework for data protection. The following landmark cases provide the legal basis for evaluating the effectiveness of the Digital Personal Data Protection Act, 2023 (DPDP Act) and set out constitutional expectations for data privacy laws in the digital age:
1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1
A unanimous nine-judge bench of the Supreme Court determined that the right to privacy is a fundamental right protected under Article 21 (Right to Life and Personal Liberty) and Part III of the Constitution. The Court stated that privacy includes informational privacy, personal choice, and bodily integrity.
Relevance: The Puttaswamy ruling established a three-part test for any violation of privacy: (i) legality (existence of law), (ii) necessity (legitimate state interest), and (iii) proportionality (least intrusive means). The DPDP Act’s Section 17, which allows the State to process personal data without consent, seems to violate this test by not providing clear safeguards, judicial oversight, or procedural checks. Therefore, the Act may not fulfill the constitutional requirements set out in this case.
2. People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301
Issue: Is telephone tapping legal and does it affect the right to privacy in communications?
Holding: The Court decided that telephone conversations are part of a person’s private life and are protected under Article 21. The state needs specific authorization, oversight, and valid reasons to intercept phone calls.
Relevance: This case marked early judicial recognition of informational privacy in India. It highlighted the necessity of procedural safeguards when the State accesses data. In today’s digital age, where data surveillance goes beyond phone interception to mass digital tracking, the principle of procedural fairness is even more critical. However, the DPDP Act lacks statutory checks on state surveillance programs, raising concerns that align with the PUCL case.
3. Anuradha Bhasin v. Union of India, (2020) 3 SCC 637
Issue: Is the internet shutdown in Jammu & Kashmir constitutional following the repeal of Article 370?
Holding: The Supreme Court found that freedom of speech and expression over the internet is constitutionally protected. Restrictions on internet access must be reasonable, necessary, and proportionate.
Relevance: This case widened the discussion on digital rights by connecting privacy, access to information, and proportionality. In a digital economy driven by data-based services, any interference with access or processing must be justified and temporary. The DPDP Act does not provide for real-time grievance resolution or require the State or private entities to be transparent about algorithmic decisions or user profiling, which could impact key freedoms when data is used to target, suppress, or manipulate individuals.
4. WhatsApp Privacy Policy Case (2021), Delhi High Court
Issue: Challenge to WhatsApp’s updated privacy policy that allowed sharing user data with parent company Facebook without an opt-out option.
Holding: The case is still pending final decision, but the Delhi High Court recognized serious privacy issues connected to unilateral changes in privacy policies and highlighted the need for a strong data protection framework.
Relevance: This case emphasizes the limitations of consent-based models when users must accept non-negotiable terms to continue using vital platforms. The DPDP Act still heavily relies on consent without addressing the power imbalances between tech companies and users. Additionally, the Act does not provide adequate protections against unilateral changes to data policies or meaningful consent revocation.
Conclusion
In a world of surveillance capitalism, where data is collected, analyzed, and sold on a large scale, this Act does not provide enough protection for individual privacy. It relies too heavily on consent, gives broad exemptions to the State, and lacks accountability for algorithms, which exposes major flaws in regulation. Additionally, the Data Protection Board lacks independence, and users have limited rights, which reduces the Act’s effectiveness. When we compare it to global standards like the GDPR, India’s law focuses more on compliance than on protecting rights. In a digital economy where companies profit from behavioral profiling and data manipulation, we need stronger safeguards. We urgently require a law that centers around citizens and is rooted in the values of dignity and autonomy to prevent exploitation and truly protect privacy. The DPDP Act is just the start, but it must change to meet the challenges of the digital age.
FAQs
Q1. What is surveillance capitalism?
Surveillance capitalism is the practice of collecting personal data through digital monitoring to predict and influence people’s behavior, mainly for profit.
Q2. What are the key features of the DPDP Act, 2023?
It includes rules on consent-based data processing, individual rights like access, correction, and erasure, responsibilities of data custodians, and the creation of a Data Protection Board.
Q3. How does the DPDP Act differ from GDPR?
Unlike GDPR, India’s DPDP Act has weaker enforcement methods, broader exemptions for government bodies, and lacks strong options for users to opt out.
Q4. Does the DPDP Act apply to foreign companies?
Yes, if they process personal data of individuals in India related to goods or services offered in India.
Q5. Is consent always required under the DPDP Act?
No. The Act allows data processing without consent in “legitimate use” situations, such as state functions, emergencies, or legal responsibilities.
Q6. How can individuals protect their data better?
By being careful with app permissions, using privacy settings, reading data policies, and opting out of unnecessary data sharing whenever possible.