Personal Data Protection Act, 2023: A Step Forward or a Threat to Privacy?

Author: Srishti Batra, a student at Vivekananda Institute of Professional Studies

Abstract

A landmark piece of legislation, the Digital Personal Data Protection Act, 2023 aims to balance business interests, state functions and privacy rights while regulating the processing of digital personal data. In addition to introducing consent-based data collection, fiduciary obligations and penalties for breaches, it also raises concerns about weak surveillance safeguards, broad government exemptions and the lack of independent oversight. The DPDP Act is a step forward in data governance, but judicial oversight and regulatory transparency are required to guarantee robust privacy safeguards in line with international data protection standards.

Introduction 

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s latest legislative effort to regulate personal data processing in the digital space. The Act aims to strike a balance between individual privacy rights and the operational needs of businesses and the government. However, concerns arise regarding its broad government exemptions and potential conflict with the right to privacy. 

Historical Context  

The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were the main laws governing data protection in India prior to the DPDP Act, 2023. These laws, however, fell short in tackling contemporary data privacy issues. In the landmark Puttaswamy ruling of 2017, privacy was recognized as a fundamental right under Article 21 of the Constitution. That ruling cleared the path for a dedicated data protection law, and the DPDP Act, 2023 was eventually passed as a result.

The DPDP Act, enacted in 2023, seeks to fill this gap by providing a structured framework for data collection, processing, storage and transfer.

Digital Personal Data Protection Act, 2023

The Act applies to personal data processed digitally within India.  

It also extends to entities processing Indian citizens' personal data outside India, if such processing relates to the provision of goods or services to individuals in India.

  • Personal Data includes any information that identifies a specific person.
  • Any organization that decides how and why personal data is processed is a data fiduciary.
  • The person whose data is processed is the data principal.

Data Principal’s Rights  

The DPDP Act gives people certain rights, such as: 

  • Right of Access: people may ask for information about how their data is processed.
  • Right to Erasure and Correction: people may have their data removed or amended.
  • Right to Grievance Redressal: procedures for filing complaints are provided.
  • Right to Nominate: people may designate a nominee to exercise their rights on their behalf.

Data Fiduciaries Duties  

  • They must obtain the consent of the Data Principal before processing personal data.
  • They must maintain security safeguards to prevent data breaches.
  • Once the purpose for which it was collected has been fulfilled, the Data Principal may ask for the personal data to be erased.
  • They must notify the Indian Data Protection Board of any data breach.

Disagreements and Exclusions  

For reasons of public order, national security or state interests, the Central Government may exempt its agencies from compliance.

Processing without consent is permitted in situations involving law enforcement, medical emergencies and natural disasters.

 A Legal View of Privacy vs. State Control  

Adherence to the Puttaswamy ruling 

In Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court ruled that any violation of privacy must meet three requirements:

  • Legality: it must serve a justifiable objective under law.
  • Necessity: the invasion must be necessary.
  • Proportionality: the interference must be justified and kept to a minimum.

The DPDP Act’s extensive exemptions for the government raise questions about unrestricted state monitoring. According to critics, the Act’s ambiguous national security exceptions go against the proportionality principle established in Puttaswamy.

A Comparative Analysis of the DPDP Act vs the GDPR

| Aspect               | The Indian DPDP Act                                   | GDPR (EU)                                                      |
|----------------------|-------------------------------------------------------|----------------------------------------------------------------|
| Consent Standard     | Requires express consent in order to process.         | Requires specific, informed and freely given consent.          |
| Government Exclusions| Exclusions for public order and security.             | Few exceptions, subject to legal regulation.                   |
| Location of Data     | No rigorous guidelines for data localization.         | Cross-border transfers allowed, with safeguards.               |

Unlike the GDPR, which imposes strict conditions on state surveillance, the DPDP Act grants sweeping exemptions to the government, weakening privacy rights and raising serious concerns about state accountability.

Analyzing Justice K.S. Puttaswamy vs Union of India

This historic ruling laid the foundation for the Digital Personal Data Protection Act, 2023 (DPDP Act) and other data protection regulation in India.

By establishing privacy as a basic right under Article 21 of the Indian Constitution, the Supreme Court’s ruling influenced further legislative developments in the areas of data security and the protection of personal information.  

The Supreme Court’s nine-judge bench unanimously held that:

The right to privacy is a fundamental right under Article 21, since life and personal liberty are inextricably linked to privacy.

The Court acknowledged that private sector data exploitation and state surveillance constituted risks to individual privacy. It underlined that government and business accountability must be addressed via data protection regulations.

The Court also stressed the need for judicial safeguards to prevent misuse of personal data. The Puttaswamy judgment directly led to India’s first dedicated data protection legislation, shaping the Digital Personal Data Protection Act, 2023.

Challenges

Even though the DPDP Act complies with privacy standards, there are a number of legal, procedural, and implementation issues to consider: 

  • Government Exemptions: in the interest of sovereignty, public order and national security, Section 18 grants government agencies broad exemptions. This calls the proportionality test into question.
  • Absence of an Independent Regulator: because the Central Government appoints the Data Protection Board (DPB), there is scope for state interference. The DPB’s structure raises concerns about impartiality, in contrast to the EU GDPR, which provides for an independent data protection authority.
  • Weak Cross-Border Transfer and Data Localization Rules: the Act does not require strict data localization, in contrast to earlier proposals. The government can permit cross-border data transfers, but the unclear constraints create regulatory ambiguity.
  • No Surveillance Reform: existing surveillance frameworks, such as the IT Act, 2000 and the Telegraph Act, 1885, remain unaltered, because the DPDP Act does not restrict government surveillance.
  • Vague Consent Mechanism: the Act introduces presumed consent, which permits processing under numerous exemptions and may result in data misuse.

Impacted Sectors Under the DPDP Act, 2023

  • The Digital Personal Data Protection Act, 2023 has far-reaching implications across multiple industries, particularly those that handle large volumes of personal data. The technology and IT sector must revamp its data collection, processing and storage mechanisms to comply with explicit consent requirements and ensure secure cross-border data transfers. In the banking and financial sector, stricter Know Your Customer (KYC) norms, enhanced cybersecurity measures and customer data protection obligations will become pivotal for compliance.
  • The healthcare industry faces increased responsibilities in securing electronic health records and maintaining patient confidentiality, given the sensitive nature of medical data.
  • Similarly, e-commerce and digital marketing platforms must overhaul their user tracking, targeted advertising and data retention policies to align with the new consumer privacy safeguards.
  • Additionally, telecom companies and social media platforms will face tighter regulation of user data collection, content moderation and cross-border data sharing. These sectors must adopt robust compliance frameworks to meet the Act’s requirements while balancing operational efficiency and regulatory obligations.

Connection between cybersecurity and the DPDP Act of 2023  

Cybersecurity and the DPDP Act, 2023 both seek to safeguard personal information from breaches, unauthorized access and misuse. They are therefore closely related and go hand in hand, together protecting digital personal data from emerging cyber threats and crimes.

Data fiduciaries are required under the DPDP Act to put in place appropriate security measures to prevent cyberattacks, unauthorized access and data leaks. This ensures strong data protection and is in line with cybersecurity best practices, including encryption and access controls. Because of the Act’s severe penalties for data breaches, businesses are legally required to build cyber resilience.

Because the DPDP Act permits cross-border data transfers to government-approved jurisdictions, cybersecurity measures must provide secure transmission, encryption and protection against cyber espionage when sensitive personal data is transferred.

The DPDP Act supplements existing cybersecurity laws that already require data protection safeguards for digital organizations, such as the Information Technology (IT) Act, 2000 and the CERT-In Guidelines. Taken together, they provide a comprehensive legal and technical framework for protecting personal information that works alongside current cyber laws in India’s digital environment.

Conclusion  

The Digital Personal Data Protection Act, 2023 represents India’s most structured attempt at data privacy legislation. While it provides a framework for consent-based data processing, the lack of independent oversight and excessive government exemptions make it vulnerable to potential misuse.

To ensure stronger privacy protections, amendments should:

  • Introduce independent regulatory oversight.
  • Limit vague government exemptions.
  • Ensure compliance with international privacy standards.

A balanced approach is necessary to safeguard individual privacy while ensuring legitimate national security interests. Future amendments must strengthen judicial oversight, limit discretionary powers and enhance consumer rights so as to balance national security, digital innovation and fundamental privacy protections. Until these reforms are implemented, the DPDP Act remains a progressive yet incomplete framework, requiring further refinement to fully uphold the right to privacy as enshrined under Article 21 of the Indian Constitution.

FAQs

  1. What is the primary goal of the DPDP Act?

The goal of the Digital Personal Data Protection Act, 2023 (DPDP Act) is to regulate how digital personal data is processed while guaranteeing individual privacy, accountability and transparency. It lays out guidelines for data processing, requires user consent and imposes sanctions for non-compliance.

  2. Are foreign corporations subject to the DPDP Act?

Yes. Foreign businesses that handle the personal data of Indian individuals are subject to the DPDP Act’s extraterritorial applicability, even if they are not physically located in India.

  3. What is the difference between the GDPR and the DPDP Act?

Although there are some similarities between the DPDP Act and the EU’s General Data Protection Regulation (GDPR), such as consent-based data processing and individual rights over personal data, the DPDP Act offers less robust privacy protections. Notably, in contrast to the GDPR, which requires more stringent independent oversight, it permits extensive government exemptions on the basis of public interest and national security.

  4. What are the consequences of non-compliance with the Act?

Violations of the DPDP Act carry heavy financial penalties. Data breaches can result in fines of up to ₹250 crore for organizations that fail to protect personal information.
