Legal Challenges under India’s Digital Personal Data Protection Act, 2023

Author: Ashutosh Chaudhary, WBNUJS, Kolkata

To the Point
The most recent milestone in India's effort to bring the intricacies of the data economy under control is the draft Digital Personal Data Protection Act, 2023 (DPDP Act). Motivated by the landmark Puttaswamy decision, which declared the right to privacy to be a fundamental right, the Act was expected to strengthen data privacy. But it has received sharp criticism from civil society, constitutional researchers, and digital rights campaigns. The controversy centres mainly on the very broad exemptions provided to the state, the absence of an independent regulatory body, and the absence of strong user rights. This article evaluates the controversial legal aspects of the DPDP Act against constitutional principles, case law and comparative measures such as the EU's GDPR.

Abstract
The Digital Personal Data Protection Act, 2023 is intended to establish a legal framework for personal data processing in India. Although it tries to strike a balance between the protection of personal data and the justifiable interests of the state and commerce, it fails on a number of counts. This paper analyses the constitutional and legal issues behind the Act, especially the wide range of exemptions granted to the government, the independence of the Data Protection Board, and the actions that citizens can take. Through an evaluation of landmark cases, including Justice K.S. Puttaswamy v. Union of India, this article notes how the formulation of the Act has highlighted the importance of reform so that it adheres strictly to the fundamental right to privacy.

Use of Legal Jargon
The DPDP Act introduces several legal terms, among them data fiduciaries, data principals, consent architecture and deemed consent. The source of trouble, however, is Section 17, which gives the government the discretion to exempt itself and its instrumentalities from the provisions of the Act on rather flimsy and ambiguous grounds described as national interest. This wide discretion can be used against the principle of proportionality, which has been well established in constitutional jurisprudence since Puttaswamy. Moreover, the Data Protection Board of India envisaged in the Act does not have the qualities of an independent quasi-judicial body, and so does not meet the criteria of institutional integrity set out in PUCL v. Union of India. The imbalanced language and unreasonably executive-centred structure of the Act may result in unreasonable decisions that threaten the right of informational self-determination.

The Proof
The DPDP Act, though ambitious in outlook, is littered with ambiguities that weaken privacy protection. Section 17 allows the Central Government to exclude any state instrumentality from the reach of the law without any significant parliamentary or judicial review. Data breach notifications are not mandatory, criminal liability is not imposed for misuse of data, and user rights (data portability and the right to explanation) are very narrow, all of which diminish the law's efficacy.
Furthermore, the Data Protection Board, which is tasked with enforcing the Act, lacks organizational independence. The problem lies in the appointment process, in which appointments are made only by the executive and not by parliament. This directly violates the separation of powers and calls into question the impartiality of the process. The law focuses on the consent model, which is compromised by the broad definition of deemed consent, which may be applied without the user's knowledge and eliminates their true informational autonomy.

Case Laws
Justice K.S. Puttaswamy (Retd.) v. Union of India
This historic ruling established the right to privacy as a fundamental right guaranteed by Article 21. Legality, necessity, and proportionality are the three criteria the Court set for any legislation that infringes on the right to privacy. One may argue that the broad government exemptions in Section 17 of the DPDP Act violate this standard, especially the proportionality and procedural protection tests.
Internet Freedom Foundation & Ors. v. Union of India
A pending constitutional challenge to the DPDP Act filed by digital rights NGOs. The petition argues that the Act’s exemption clauses and the lack of an independent data protection authority violate the Puttaswamy standard and fail to protect citizens from arbitrary state surveillance.
Anuradha Bhasin v. Union of India
The Court held that restrictions on internet access must meet the test of proportionality and must be temporary and reviewed regularly. The case emphasized the importance of judicial oversight and transparency in state-imposed restrictions, principles that are relevant when examining unchecked government powers in the DPDP Act.
People’s Union for Civil Liberties (PUCL) v. Union of India
The Court struck down telephone tapping rules that lacked procedural safeguards, holding that the right to privacy is violated by arbitrary state surveillance. It mandated a proper review mechanism and independent oversight, which the DPDP Act currently lacks in its implementation structure.
Selvi v. State of Karnataka
This judgment declared that forcible narco-analysis, brain mapping and polygraph tests without consent violate the right against self-incrimination and informational privacy. It reinforces the principle that personal autonomy over one’s data is constitutionally protected.
Thaler v. Hirshfeld (U.S.)
Although it is a U.S. decision, it shows that the law governing emerging technologies runs into obstacles when reconciled with older law. The court decided that the AI system (DABUS) cannot be named as an inventor because U.S. patent law demands a human inventor, which illustrates legal inflexibility in innovative technology areas, an issue also faced by the DPDP Act.
European Court of Justice – Schrems II Case
The ECJ invalidated the EU-US Privacy Shield, holding that data transfers outside the EU must meet high privacy standards. This case can be used as a comparator to argue that India’s DPDP Act does not ensure data localization or equivalent protections, especially in the context of cross-border data flows.
Kharak Singh v. State of U.P.
Though predating Puttaswamy, this early case recognized that unauthorized surveillance violates personal liberty under Article 21, even if it doesn’t involve physical intrusion. It underscores the foundational idea that privacy includes freedom from unwarranted state observation, which is relevant for analyzing exemptions under the DPDP Act.

Conclusion
The Digital Personal Data Protection Act, 2023 is an innovative regulation that can direct the handling of personal data in India. Though it is an essential step towards bringing Indian digital governance in line with the privacy principles accepted in other countries, it is full of structural and constitutional problems that undermine its efficacy and its democratic integrity. Foremost among these is Section 17, which allows the Central Government to exempt any government agency from the law, in effect creating a two-tier system in which state-level surveillance can evade the law under the pretence of serving the national interest. Such an exemption threatens to turn the legislation into a toothless tool, especially when viewed against the proportionality test of the Puttaswamy judgment.
Moreover, the mechanism for enforcing the Act lacks institutional independence, since the Data Protection Board is constituted by, and entirely subject to the control of, the executive. This runs against the separation of powers and the checks and balances that are significant in democratic systems of government where the rights of citizens are concerned. Unless there is an independent regulator that is sufficiently empowered, the legal edifice will be threatened by executive supremacy and arbitrariness.
The Act also lacks a number of important data subject rights that have become global best practice, including the right to explanation, data portability and a meaningful consent architecture. Although the Act establishes the concept of deemed consent, its general formulation can be interpreted broadly, leaving companies or the State an opportunity to avoid obtaining consent, and informed consent in particular, which is how an individual is given control of his or her personal data.
In contrast, other jurisdictions, such as the European Union with its General Data Protection Regulation (GDPR), have chosen a more balanced approach that incorporates both strong user rights and effective accountability measures for data controllers. The law in India, on the other hand, strongly favours discretionary government powers and gives citizens little right to participate, giving the DPDP Act the character of a tool for enabling surveillance rather than rights-based legislation.
The courts will play a significant role in determining the constitutionality of the Act as the legal battles over its legality unfold. To achieve its intended purpose, the Act must be amended thoroughly, and such amendments must include:
Limiting the exemptions available to the government
Empowering the Data Protection Board with full authority to oversee, and establishing its full independence
Strengthening citizen-oriented rights
Including in the Act a legislative review of executive actions
In the digital world, human dignity and democratic inclusion depend on informational independence. Any law concerning personal data should not only control the movement of data but also uphold the constitutional principles of accountability, transparency, and individual freedom. The DPDP Act, in its current form, does not live up to that vision. Unless it is amended, it will disappointingly become another lost chance in the pursuit of a rights-based regime of Indian data protection.

FAQs
What is the DPDP Act, 2023?
The Digital Personal Data Protection Act, 2023 is India’s comprehensive data protection law that governs the processing of personal data by government and private entities.
Why is the Act controversial?
It grants broad exemption powers to the government under Section 17, lacks an independent regulatory authority, and provides limited rights to individuals.
What does Section 17 of the Act state?
Section 17 empowers the government to exempt any state agency from the provisions of the Act in the interest of sovereignty, security, and public order—terms that are vague and prone to abuse.
Has the Act been challenged in court?
Yes, digital rights organisations like the Internet Freedom Foundation have filed petitions in the Supreme Court challenging the constitutionality of various provisions of the Act.
What reforms are suggested?
Reforms should include narrowing the scope of government exemptions, ensuring independence of the Data Protection Board, introducing stronger user rights, and aligning the law with the principles established in the Puttaswamy judgment.
REFERENCES
📘 Indian Cases
Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1
Internet Freedom Foundation and Others v Union of India, Writ Petition (Civil), Supreme Court of India, 2023 (pending)
Anuradha Bhasin v Union of India (2020) 3 SCC 637
People’s Union for Civil Liberties (PUCL) v Union of India (1997) 1 SCC 301
Selvi v State of Karnataka (2010) 7 SCC 263
Kharak Singh v State of Uttar Pradesh AIR 1963 SC 1295

📘 Foreign and Comparative Cases
Thaler v Hirshfeld 558 F Supp 3d 238 (ED Va 2021) (United States District Court for the Eastern District of Virginia)
Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II) Case C-311/18, EU:C:2020:559 (CJEU)

📘 Statutes and Instruments
Digital Personal Data Protection Act 2023 (India)
General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
Berne Convention for the Protection of Literary and Artistic Works, 1886, as amended
