Digital Privacy in India After the DPDP Act, 2023


Author: Sukkhdev Dawar, CPJ College, GGSIPU

To the Point


The DPDP Act, 2023 represents India’s first standalone legislation dedicated exclusively to the protection of personal digital data. Rooted in the constitutional recognition of privacy as a fundamental right under Article 21, the Act seeks to regulate data processing, ensure accountability of data fiduciaries, and empower individuals with enforceable rights. However, concerns remain regarding state exemptions, enforcement mechanisms, and the adequacy of safeguards in a surveillance-driven digital ecosystem.

Use of Legal Jargon


Personal Data: Any data about an individual who is identifiable by or in relation to such data.
Data Principal: The individual to whom personal data relates.
Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data.
Consent: Free, specific, informed, unconditional, and unambiguous indication of the data principal’s agreement.
Data Processing: Collection, storage, use, sharing, or deletion of personal data.
Reasonable Restrictions: Constitutionally permissible limitations on fundamental rights.

The Proof (Evolution and Constitutional Basis of Digital Privacy)

Right to Privacy in India


The concept of privacy in India evolved through judicial interpretation rather than explicit constitutional text. Initially, privacy was not recognized as a fundamental right.
In M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of Uttar Pradesh (1963), the Supreme Court adopted a restrictive approach.
A paradigm shift occurred in Justice K.S. Puttaswamy v. Union of India (2017), where a nine-judge bench unanimously held that the right to privacy is a fundamental right under Article 21, intrinsic to life and personal liberty.
This landmark judgment laid the constitutional foundation for comprehensive data protection legislation in India.

Background to the DPDP Act, 2023


Following the Puttaswamy judgment, the government constituted expert committees to draft a data protection framework. After multiple drafts and consultations, the Digital Personal Data Protection Act, 2023 was enacted.
The Act aims to:
Protect personal digital data
Regulate processing of such data
Balance individual rights with lawful data use
Promote a trusted digital economy

Key Features of the DPDP Act, 2023


1. Consent-Centric Framework
The Act mandates that personal data can be processed only with valid consent, except in certain legitimate uses such as:
State functions
Compliance with law
Medical emergencies
2. Rights of Data Principals
The Act empowers individuals with:
Right to access information
Right to correction and erasure
Right to grievance redressal
Right to nominate another person to exercise rights
3. Obligations of Data Fiduciaries
Data fiduciaries are required to:
Ensure data accuracy and security
Use data only for specified purposes
Delete data once the purpose is fulfilled
Prevent data breaches
4. Data Protection Board of India
The Act establishes a Data Protection Board to:
Adjudicate disputes
Impose penalties
Ensure compliance

Impact on Digital Privacy in India

Positive Impact

1. Strengthening Individual Autonomy
The Act enhances individual control over personal data, reinforcing the constitutional right to privacy.
2. Corporate Accountability
By imposing penalties for non-compliance, the Act promotes responsible data governance among corporations.
3. Legal Certainty
The DPDP Act provides clarity in an area previously governed by fragmented IT laws and judicial precedents.

Concerns and Criticisms
1. Broad State Exemptions
The government may exempt agencies from the Act on grounds such as national security and public order, raising fears of unchecked surveillance.
2. Limited Scope
The Act applies only to digital personal data, excluding non-digital and anonymized data.
3. Independence of the Data Protection Board
The appointment and control mechanisms raise questions about the Board’s independence.
4. Burden on Individuals
The effectiveness of rights depends heavily on awareness and accessibility, which may be limited.


Abstract


In the digital age, personal data has emerged as one of the most valuable assets, making the protection of digital privacy a critical legal and constitutional concern. India’s rapid digitization, coupled with large-scale data collection by both state and private entities, has raised serious questions about individual autonomy, surveillance, and data misuse. Recognizing these concerns, the Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act) to provide a comprehensive framework for data protection. This article examines the evolution of digital privacy in India, the constitutional foundations of the right to privacy, key provisions of the DPDP Act, and its implications for individuals, corporations, and the State. It also critically analyses the challenges and limitations of the Act in balancing privacy rights with governance and innovation.

Case Laws Related to Digital Privacy


1. Justice K.S. Puttaswamy v. Union of India (2017)
Established privacy as a fundamental right and laid the groundwork for data protection laws.
2. Aadhaar Case (2018)
The Supreme Court upheld Aadhaar’s constitutionality while emphasizing data protection safeguards.
3. Anuradha Bhasin v. Union of India (2020)
Recognized the importance of internet access in exercising fundamental rights.
4. Pegasus Surveillance Case (2021)
Highlighted concerns regarding state surveillance and privacy violations.

DPDP Act and Parliamentary Democracy


The DPDP Act has implications beyond privacy, affecting transparency, governance, and democratic accountability. While data protection strengthens citizen trust, excessive exemptions may undermine democratic oversight. Parliamentary scrutiny and judicial review remain essential to ensure constitutional compliance.

Comparative Perspective


Globally, data protection regimes such as the EU’s General Data Protection Regulation (GDPR) set higher standards of independence and enforcement. While India’s DPDP Act is a significant step forward, it remains less stringent in comparison.

Conclusion
The Digital Personal Data Protection Act, 2023 marks a historic milestone in India’s journey toward safeguarding digital privacy. Anchored in constitutional values, the Act seeks to balance privacy, innovation, and governance. However, its effectiveness will depend on robust implementation, institutional independence, and judicial oversight. As India continues to expand its digital footprint, continuous reforms and accountability mechanisms will be necessary to ensure that the right to privacy remains meaningful and enforceable in practice.

FAQs


Q1. What is the objective of the DPDP Act, 2023?
To protect personal digital data and regulate its processing.


Q2. Is the right to privacy a fundamental right in India?
Yes, under Article 21 as held in the Puttaswamy judgment.


Q3. Who enforces the DPDP Act?
The Data Protection Board of India.


Q4. Does the Act apply to government agencies?
Yes, but certain exemptions are provided on specified grounds.


Q5. Why is the DPDP Act criticized?
Due to broad state exemptions and concerns over enforcement independence.
