Author: Aastha Das, NMIMS Hyderabad
To the Point
In August 2023, the Digital Personal Data Protection (DPDP) Act, 2023, was passed by the Indian Parliament. It is a comprehensive law devoted solely to safeguarding personal digital information. After five years of deliberations and numerous drafts, the DPDP Act represents a milestone in India’s data governance framework. Based on the Ministry of Electronics and Information Technology’s (MeitY) 2022 draft, the Act only addresses digital personal data; non-personal data is not covered. Following the notification of its provisions, it will take the place of Section 43A of the Information Technology Act of 2000 and the 2011 Rules on Sensitive Personal Data. The Draft DPDP Rules, 2025, are presently undergoing public consultations, indicating the imminence of a contemporary data protection framework that strikes a balance between legitimate data processing and individual privacy. The purpose of this article is to discuss whether the law actually accomplishes its goal of protecting personal information.
Abstract
India’s first all-encompassing legal framework devoted solely to digital personal data is the Digital Personal Data Protection (DPDP) Act, 2023. Aiming to strike a balance between legitimate data processing and individual privacy rights, the Act was passed following years of discussion and public consultation. It replaces outdated provisions of the IT Act of 2000 and introduces a consent-based regime along with new concepts such as data principals and data fiduciaries. Although the Act is a significant step in the right direction, there are issues with its wide state exemptions, insufficient rights for data subjects, and lack of institutional independence. This article examines the main features of the Act, pertinent court rulings, and its possible effects on India’s changing digital legal environment.
Use of Legal Jargon
In accordance with international data protection standards, the DPDP Act establishes and codifies a number of legal definitions and principles. The structure of the Act revolves around concepts like Data Principal, which refers to the person whose data is collected, and Data Fiduciary, which refers to the organization that determines the purpose of data processing. The Act adopts a notice-and-consent model and requires lawful purpose, purpose limitation, and data minimization (that is, only necessary data may be collected and used). The Act forbids the detrimental processing or profiling of minors and requires verifiable parental consent for processing children’s data under Section 9. It introduces Significant Data Fiduciaries (SDFs), which are required to designate Data Protection Officers (DPOs) and carry out Data Protection Impact Assessments (DPIAs). Chapter VI establishes the Data Protection Board of India (DPBI), an adjudicatory body with the authority to levy fines under Section 36. The Act’s amendment of the RTI Act through Section 44(3) also raises concerns about the restriction of informational transparency. The absence of clear protections against identity theft, profiling, and cross-border abuse raises concerns about the Act’s compliance with the proportionality standard established by the Constitution in Justice K. S. Puttaswamy v. Union of India (2017).
The Proof
The Act covers digital personal data that is collected or processed in India, as well as data processed outside India in connection with offering goods or services in India. Personal data made publicly available by the user or under a legal obligation, and processing for personal or domestic purposes, are excluded. Clear, informed consent, which is revocable at any time, is required for processing under Sections 6–7. A guardian’s consent is required for minors (those under the age of 18) and persons with disabilities (Section 9). The Act raises concerns regarding user protection because it permits some processing without consent, including for state functions, legal compliance, and medical emergencies. Data Principals are able to file complaints and to access, correct, and erase their data. They can nominate a representative to act in the event of incapacity or death. Rights like the right to be forgotten and data portability, however, are absent. Filing a false complaint carries a fine of up to Rs. 10,000. Fiduciaries are required to ensure data security and accuracy and to give prompt notice of breaches. When data is no longer needed, it must be erased. Additional compliance requirements, such as designating a Data Protection Officer and carrying out audits and impact assessments, must be fulfilled by Significant Data Fiduciaries (SDFs). Penalties, complaints, and enforcement oversight will all be handled by the DPBI (the Data Protection Board of India). Its members are appointed by the Central Government for short terms without an independent appointment procedure, which has raised questions regarding its independence. Section 16 allows data transfers to countries that the government has notified. However, the absence of explicit adequacy standards weakens India’s authority over personal data sovereignty and raises concerns about data security.
The Act gives the state broad permission to process data in the interest of national security, public order, or sovereignty. Additionally, processing for statistical, legal, or research purposes is exempt. These exclusions run the risk of weakening the fundamental right to privacy upheld in Justice K. S. Puttaswamy v. Union of India (2017). By removing the “public interest” test, Section 44(3) amends the RTI Act and potentially undermines transparency, since authorities may refuse access to information merely by classifying it as personal data.
Although the Act promises a lot, it falls short in a number of ways. It gives the Central Government broad rule-making authority without any explicit restrictions. The logistics of data processing are prioritized over user privacy. It offers little protection against threats such as profiling or identity theft. It discourages legitimate complaints by penalizing users for filing false ones.
Case Laws
1. Justice K.S. Puttaswamy v. Union of India (2017)
This historic ruling recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The DPDP Act was enacted to operationalize this right in the context of digital data.
2. Internet and Mobile Association of India (IAMAI) v. Reserve Bank of India (2020)
The Supreme Court stressed that state-imposed limitations must be proportionate to the harm they are intended to prevent. Because the RBI had banned cryptocurrency services without sufficient empirical evidence of harm, the Court held that the ban was a disproportionate restriction on the right to trade. Under the DPDP Act, the Central Government has broad discretionary powers to exempt state agencies from important provisions such as consent and purpose limitation. These exemptions could be challenged as disproportionate and arbitrary if they are not supported by compelling evidence or demonstrated necessity.
3. Swami Ramdev v. Facebook, Inc. (2019)
The Delhi High Court ordered that all defamatory content about Swami Ramdev be removed, even if it was posted from outside India. The Court relied on Section 75 of the Information Technology Act, 2000 to support its ruling, affirming the extraterritorial reach of Indian law when its effects are felt domestically. This ruling illustrated India’s growing judicial willingness to exercise authority over digital content located outside its borders. The ruling has a direct bearing on the DPDP Act, 2023, which also provides for extraterritorial application by covering data processing conducted outside India in connection with the provision of goods or services inside India. Both the case and the Act demonstrate India’s efforts to uphold domestic legal norms in the global digital sphere, and both raise questions concerning governance, enforcement, and the reach of public laws in a borderless internet. Both, however, have been criticized for potentially enabling overreach.
Conclusion
The DPDP Act, 2023 represents a long-awaited advancement in the protection of personal data and a cornerstone of India’s digital governance framework. It establishes the foundation for a regulatory environment that requires accountability, transparency, and consent when handling digital personal data. The Act has significant shortcomings, however: its promise of privacy empowerment is undermined by its expansive exemptions for the state, broad administrative discretion, the absence of essential rights like data portability, and weak oversight procedures. Likewise, the RTI Act amendment weakens the spirit of public accountability, and the vague provisions for cross-border data transfers give rise to security and sovereignty issues. Legal precedents like Puttaswamy, IAMAI v. RBI, and Ramdev v. Facebook offer a jurisdictional and domestic framework for assessing the Act’s operation. The DPDP Act must be enforced with a privacy-first approach in order to achieve its objectives.
FAQs
1. What is the DPDP Act, 2023?
The Digital Personal Data Protection (DPDP) Act, 2023 establishes a consent-based framework to safeguard individuals’ privacy while permitting legitimate data processing by both public and private organizations.
2. Who are Data Principals and Data Fiduciaries under the Act?
A Data Principal is the person to whom the personal data relates, and a Data Fiduciary is the entity (such as a business or government agency) that determines how and why the data is processed. Because of the type and volume of data they handle, Significant Data Fiduciaries (SDFs) have additional obligations.
3. What rights do individuals have under the DPDP Act?
Data Principals can file complaints, request the erasure or correction of their personal data, and nominate a representative to act in the event of their incapacity or death. However, important rights like the right to be forgotten and data portability are not covered by the Act.
4. What is mandatory for data processing under the Act?
Consent is a key component of the Act. Personal data may be processed for legitimate purposes only with the Data Principal’s explicit consent. Consent must be revocable, and verifiable parental consent is required for processing children’s data.
5. Does the Act permit the transfer of data outside India?
Yes, the Act permits the cross-border transfer of personal data to countries that the Central Government has notified. However, the absence of clear criteria for identifying these countries has raised questions of data security and sovereignty.
6. What are the main criticisms of the DPDP Act, 2023?
Expansive exemptions for the state, limited individual rights, unrestricted governmental rule-making authority, lack of safeguards against identity theft and profiling, and the dilution of transparency under the RTI Act are among the criticisms directed at the Act. These problems call into question whether the Act can actually protect personal data in a meaningful and accountable manner.