Data Protection Act, 2023: A Boon or Burden for Privacy in India?
Author: Vanshika Singh, Vivekananda Global University
To the Point
The enactment of the Digital Personal Data Protection Act, 2023 represents a significant move by India to regulate personal data in the digital sphere. In an era where data is considered the new oil, the Act aims to protect individual rights while enabling the government and businesses to use data for innovation and governance. However, the effectiveness of this legislation hinges on its ability to balance privacy with national and economic interests. This article critically evaluates whether the Act genuinely strengthens individual privacy or if it creates more leeway for government surveillance and corporate data monetization under legally sanctioned terms.
Use of Legal Jargon
- Data Principal – This is the individual whose personal information is being collected or processed.
- Data Fiduciary – The organization (business, individual, or governmental authority) that defines the purpose and method of processing personal data.
- Consent Manager – A platform or entity that manages consent on behalf of data principals, ensuring that they can grant, review, and withdraw consent effectively and transparently.
- Purpose Limitation – Data collected should be used only for the specific purpose for which consent was obtained and not beyond that.
- Data Minimisation – Only the data necessary for fulfilling the intended purpose should be collected and retained.
- Deemed Consent – Under certain conditions, such as during public emergencies or for government functions, consent is considered implied.
- Significant Data Fiduciary – A category introduced for large-scale data processors who have a greater obligation due to the volume or sensitivity of data handled.
- Cross-border Data Transfer – The Act allows data to be transferred to countries notified by the central government, which can affect data sovereignty and individual control.
- Exemptions Clause (Clause 17) – Allows the government to exempt any of its departments from certain provisions of the Act on grounds such as national security or public order, leading to fears of excessive surveillance.
The Proof
India’s journey toward data protection legislation began after the Supreme Court, in the Puttaswamy Judgment (2017), held that privacy is a fundamental right under Article 21. This decision compelled the government to draft legislation that would safeguard digital privacy. The original draft, proposed by the Justice B.N. Srikrishna Committee in 2018, was heavily debated for its intrusive clauses. Multiple drafts followed over the years, eventually leading to the Digital Personal Data Protection Act, 2023.
This Act comes in the backdrop of increasing digital transactions, data breaches, misuse of personal information, and unregulated corporate data processing. It aims to fill the legal vacuum in data governance, offering a structure that includes user consent, penal provisions for misuse, and a grievance redressal mechanism through the Data Protection Board of India.
Abstract
The Digital Personal Data Protection Act, 2023, is India’s first comprehensive statute aimed at regulating the collection, storage, processing, and transfer of digital personal data. By codifying rights and responsibilities of individuals and organizations handling such data, the Act seeks to empower users and ensure accountability in the digital ecosystem. However, provisions such as “deemed consent,” broad government exemptions, and the lack of a fully independent regulatory authority raise significant concerns. This research analyzes the Act’s strengths and weaknesses in the context of privacy protection, compares it with global frameworks, and explores how it aligns with the Indian constitutional framework.
Case Laws
- Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)
- The Supreme Court recognized the right to privacy as a basic right, establishing the constitutional foundation for India’s data protection policy. It emphasized that any restriction on privacy must satisfy the tests of legality, necessity, and proportionality.
- People’s Union for Civil Liberties (PUCL) v. Union of India (1997)
- The Court ruled that recording calls without appropriate legal protections is unconstitutional, underlining the importance of informational privacy.
- Selvi v. State of Karnataka (2010)
- The judgment determined that compelled administration of narco-analysis, polygraph exams, and brain mapping breaches individual autonomy and the right to privacy under Article 21.
These cases collectively underscore the judiciary’s evolving recognition of privacy as a multidimensional right, encompassing not just bodily but also informational autonomy.
Conclusion
The Digital Personal Data Protection Act, 2023, is a positive step toward creating a structured data privacy regime in India. It introduces long-needed legal definitions and compliance mechanisms. However, the Act appears to tilt the balance in favor of the State and large corporations through broad exemptions and a loosely defined “deemed consent” clause. Additionally, the lack of an independent data protection authority weakens oversight.
To truly make privacy a reality, the government must ensure that the rule-making under this law is transparent, that the Data Protection Board is given autonomy, and that individuals have real control over their data. Until then, the Act remains a framework with potential—more a boon in concept, but possibly a burden in execution.
FAQ
Q1. What is the primary objective of the Digital Personal Data Protection Act, 2023?
The main aim is to protect digital personal data by enforcing accountability, transparency, and consent-based data processing, while allowing for lawful use by the State and corporations.
Q2. What does “deemed consent” mean under the Act?
“Deemed consent” refers to situations where the law assumes that the individual has given consent, such as during emergencies, public interest functions, or government services. Critics say that this undermines the concept of informed consent.
Q3. Can companies transfer data outside India?
Yes. The Act permits cross-border data transfers to countries specified by the Central Government, though critics warn it may reduce user control and legal accountability for data misuse.
Q4. What are the rights of a Data Principal?
The rights include access to information, correction and erasure of data, grievance redressal, and the right to nominate someone to act on their behalf in case of incapacity or death.
Q5. Does the Act apply to offline data?
No. The Act applies only to digital personal data and to digitized versions of personal data collected offline.
Q6. Who will enforce the Act?
The Data Protection Board of India, appointed by the government, will adjudicate disputes and ensure compliance, but its lack of independence raises accountability concerns.
Q7. Does this law supersede the Right to Information Act of 2005?
Yes. It amends Section 8(1)(j) of the RTI Act to restrict disclosure of personal data, sparking fears that it may hinder transparency in public governance.