Author: Shibrah Aftab Khan, a law student at the University of Kashmir.
Abstract
This article examines India’s Digital Personal Data Protection Act, 2023 (DPDP Act), which represents the country’s first comprehensive data protection legislation after years of deliberation. The analysis explores whether the Act truly empowers Indian citizens with data sovereignty or merely creates an illusion of protection while favoring business and government interests. By evaluating the Act’s key provisions, enforcement mechanisms, exemptions, and comparing it with international standards like the GDPR, this article attempts to determine if the DPDP Act is sufficiently robust to address modern data protection challenges or if it falls short of providing meaningful safeguards in an increasingly data-driven world.
Introduction: The Long Road to Data Protection
India’s journey to a comprehensive data privacy framework has taken a surprisingly long time for a nation with over 820 million internet users. The digital revolution swept through India like wildfire, with smartphones becoming extensions of our hands and data becoming the new currency, yet our legal framework remained stuck in the pre-digital era. When my grandfather got his first smartphone at 72, learning to make video calls and send WhatsApp messages, I wondered who was protecting his digital footprint.
The Digital Personal Data Protection Act, 2023 (DPDP Act) emerged after a six-year gestation period following the landmark Puttaswamy judgment of 2017, in which a nine-judge bench of the Supreme Court recognised privacy as a fundamental right under Article 21. The Srikrishna Committee’s draft of 2018, the Personal Data Protection Bill, 2019 (withdrawn in August 2022) and the Digital Personal Data Protection Bill, 2022 each went through consultations and faced significant pushback from various stakeholders before the law took its current form. As someone who grew up witnessing the digital transformation, from cybercafés charging by the hour to carrying supercomputers in our pockets, I wonder whether this long-awaited law is indeed the knight in shining armour we hoped for, or simply a paper tiger.
Key Definitions and Provisions: Decoding the Legal Maze
Core Concepts Under the DPDP Act
The DPDP Act introduces several key terms that form its foundation:
- Data Principal: the individual to whom the personal data relates (you and me); for a child, the term includes the parent or lawful guardian
- Data Fiduciary: the person or organisation that, alone or with others, determines the purpose and means of processing personal data
- Significant Data Fiduciary: a Data Fiduciary notified as such by the Central Government on factors such as the volume and sensitivity of data processed and the risk to data principals, electoral democracy, security of the State or public order
- Consent Manager: an entity registered with the Data Protection Board that lets data principals give, manage, review and withdraw consent through a single interoperable platform
- Personal Data: any data about an individual who is identifiable by or in relation to that data
- Processing: any operation performed on digital personal data, including collection, storage, retrieval, use, disclosure and erasure
The Act operates on seven key principles that sound promising at first glance:
- Usage Limitation: personal data may be processed only for a lawful purpose, and only with consent or for one of the “legitimate uses” the Act recognises
- Purpose Limitation: data may be used only for the purpose specified to the data principal
- Data Minimisation: only the data needed for that purpose should be collected
- Accuracy: personal data must be complete, accurate and current
- Storage Limitation: data should not be retained once the purpose is served or consent is withdrawn
- Security Safeguards: reasonable security measures must be implemented to prevent breaches
- Accountability: the data fiduciary is responsible for compliance, including for processing done by its processors
The Act grants data principals several rights, including:
- Right to information about what data is processed and with whom it is shared (Section 11)
- Right to correction, completion, updating and erasure (Section 12)
- Right to grievance redressal with the fiduciary before approaching the Board (Section 13)
- Right to nominate another person to exercise these rights in case of death or incapacity (Section 14)
- Right to withdraw consent at any time, with the same ease with which it was given (Section 6)
On paper, these provisions seem comprehensive. But as my Constitutional Law professor often says, “The devil is in the details, or in this case, in what’s conveniently left out.”
Critical Analysis: Looking Beyond the Legal Veneer
The Question of Independence
The Data Protection Board of India (DPB), established under Section 18 of the Act as the primary enforcement authority, raises serious questions about independence. Unlike supervisory authorities in other jurisdictions, the DPB’s Chairperson and Members are appointed by the Central Government (Section 19), and their salaries, allowances and other terms of service are prescribed by the government (Section 20). This creates an inherent conflict of interest when the Board is required to adjudicate complaints against government entities, which are themselves Data Fiduciaries under the Act.
As Justice D.Y. Chandrachud noted in the Puttaswamy judgment: “The legitimacy of a constitutional order is measured by its commitment to protecting liberty in the face of advances in technology.” Does a quasi-judicial authority appointed by and answerable to the executive truly fulfill this commitment?
Exemptions: The Widening Gaps
Section 17(2)(a) of the Act lets the Central Government notify any “instrumentality of the State” to which the Act will simply not apply, on grounds including “sovereignty and integrity of India,” “security of the State,” “friendly relations with foreign States,” “maintenance of public order” and, most concerning, “preventing incitement to any cognizable offence relating to any of these.” The exemption is granted by notification rather than case by case, so a single notification can remove an entire agency from the Act’s reach. Section 17(4) separately relieves the State and its instrumentalities of the erasure obligations that apply to everyone else. These broadly worded exemptions could nullify the Act’s protections in numerous scenarios.
During a recent moot court competition, I argued these exact points, drawing parallels to the notorious Section 69 of the IT Act, which has been used for surveillance with minimal oversight. The judges, seasoned privacy lawyers, struggled to counter this fundamental weakness.
Section 17(3) also allows the Central Government to notify classes of Data Fiduciaries, including startups, to which certain provisions do not apply: the notice requirement, the completeness and erasure obligations, the additional duties of Significant Data Fiduciaries and the Data Principal’s right to information. While this encourages innovation, it creates potential protection gaps for users of emerging technologies and services.
Cross-Border Data Flows: A Geopolitical Gambit
Under Section 16, personal data may be transferred outside India by default, and the Central Government may by notification restrict transfers to specified countries or territories. This is a blacklisting approach; the 2022 draft Bill had proposed the reverse, a whitelist of approved destinations. Unlike the GDPR’s adequacy assessment framework, which is relatively transparent, the DPDP Act provides no criteria for such restrictions, potentially turning data flows into geopolitical bargaining chips. Section 16(2) also preserves any stricter sectoral localisation requirement, so the Act is a floor rather than a ceiling.
As recently as March 2024, India engaged in digital trade negotiations with the UK where data localisation became a contentious issue. The Act’s silence on the criteria for cross-border restrictions leaves much to executive discretion, creating uncertainty for both businesses and users.
Penalties: Bark Without Bite?
The Schedule to the Act sets tiered monetary penalties, the highest being up to Rs 250 crore for failing to take reasonable security safeguards to prevent a personal data breach; penalties are imposed by the Data Protection Board after an inquiry (Section 33). While this appears substantial, there are concerns about enforcement. The Board’s procedures for inquiry and adjudication remain to be specified through Rules, the Act provides no compensation to affected data principals, and the absence of class action provisions limits collective redressal.
For perspective, under the GDPR, penalties can reach up to 4% of global annual turnover, which for tech giants could translate to billions of dollars. The DPDP Act’s fixed cap, untethered from turnover, might prove inadequate for deterring deep-pocketed multinational corporations.
Comparative Perspective: DPDP Act vs. Global Standards
DPDP Act and GDPR: Distant Cousins
The European Union’s General Data Protection Regulation (GDPR) remains the world’s gold standard for data protection. Several significant distinctions emphasise the DPDP Act’s limitations:
- Automated Decision-Making: Article 22 of the GDPR gives individuals the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects, and Articles 13 to 15 require meaningful information about the logic involved (often called a “right to explanation”). Despite India’s burgeoning AI sector, the DPDP Act contains no equivalent provision.
- Data Breach Notification: Both frameworks require breach notification. The GDPR requires notice to the supervisory authority within 72 hours (Article 33) and to affected individuals only where the breach is likely to result in a high risk to them (Article 34). Section 8(6) of the DPDP Act requires a fiduciary to notify the Board and every affected data principal regardless of severity, but leaves the form, manner and timeline to be prescribed by Rules.
- Data Protection Authority: Article 52 of the GDPR requires each national supervisory authority to act with complete independence, and the European Data Protection Board coordinates them. India’s Data Protection Board, appointed and paid on terms set by the executive, enjoys no comparable guarantee.
- Special Categories of Data: Article 9 of the GDPR explicitly provides heightened protection for sensitive personal data such as biometric, genetic and health information. The DPDP Act has no separate category of sensitive personal data at all; the tiered approach of the 2019 Bill was dropped.
The Delhi High Court’s observations in Karmanya Singh Sareen v. Union of India (2016) regarding WhatsApp’s privacy policy highlighted the need for India to develop robust data protection standards comparable to international frameworks. The DPDP Act, while a step forward, still falls short of this benchmark.
Recent Developments: Testing the Waters
Implementation Challenges
Since the Act received Presidential assent and was published in the Gazette on 11 August 2023, the government has yet to operationalise many of its key provisions; the Act comes into force only on dates the government notifies under Section 1(2). The Data Protection Board remains to be constituted, and the Rules on which most obligations depend are still being formulated. This slow rollout raises questions about implementation priorities.
In February 2024, the Ministry of Electronics and Information Technology (MeitY) released a consultation paper on the Rules framework, soliciting stakeholder input. Industry bodies have expressed concerns about compliance costs and timelines, while civil society organizations have highlighted gaps in protection mechanisms.
Recent examples of data breaches underscore the urgency of robust protections:
- In December 2023, a major Indian fintech company experienced a breach affecting over 3.5 million users.
- Government databases, including CoWIN vaccination records, have faced allegations of unauthorised access.
- The Election Commission of India’s voter data has allegedly appeared on dark web marketplaces.
These incidents demonstrate both the scale of vulnerability and the necessity for effective enforcement machinery.
Arguments: Toothless Tiger or Dawn of Sovereignty?
The Case for “Toothless Tiger”
- Government Exemptions: The broad exemptions granted to government agencies essentially create a parallel regime where citizen data remains vulnerable to state surveillance.
- Lack of Independent Oversight: The Data Protection Board’s structural dependence on the executive compromises its ability to function as an impartial adjudicator.
- Limited Individual Recourse: The absence of class action suits, of any compensation to affected data principals, and of a civil remedy (Section 39 bars civil courts) weakens individual redressal mechanisms.
- Diluted Obligations: The reduced compliance burden for certain entities creates protection gaps and inconsistent standards.
The Case for “Dawn of Data Sovereignty”
- First Step Forward: Despite its drawbacks, the Act is India’s first comprehensive attempt at data protection law.
- Cultural Context: The Act attempts to balance Western notions of individual privacy with Indian realities of collective living and governmental functions.
- Economic Considerations: By avoiding excessively stringent regulations, the Act prevents stifling innovation in India’s growing digital economy.
- Evolving Framework: The Act establishes foundational principles that can be strengthened through subsequent amendments and Rules.
Case Laws: The Judicial Compass
Justice K.S. Puttaswamy v. Union of India (2017) and the Aadhaar Case (2018)
The Supreme Court’s nine-judge bench recognition of privacy as a fundamental right in 2017 forms the constitutional bedrock of data protection in India. Justice Chandrachud’s observation that “privacy is the constitutional core of human dignity” established the necessity of data protection legislation. The DPDP Act must be evaluated against this constitutional standard.
In the 2018 Aadhaar judgment, a five-judge bench upheld the Aadhaar scheme by a 4:1 majority while imposing limitations on data usage and retention. The Court emphasised proportionality and necessity in data collection, principles that the DPDP Act incorporates but then hollows out through its exemptions. Justice Chandrachud’s dissenting opinion warned against creating a surveillance state and emphasised the need for robust data protection. The observation that “constitutional guarantees cannot be subject to the vicissitudes of technology” resonates with the concern that the Act’s safeguards must hold as technology changes.
Shreya Singhal v. Union of India (2015)
While primarily a free speech case, this judgment struck down Section 66A of the IT Act for vagueness and overbreadth. Its insistence on precision in law and proportionate restrictions is directly relevant to evaluating the open-ended grounds on which Section 17 of the DPDP Act permits exemptions.
Karmanya Singh Sareen v. Union of India (2016)
This case challenged the change in WhatsApp’s privacy policy following its acquisition by Facebook, which permitted sharing of user data with the parent company. The Delhi High Court recognised the need for data protection legislation, particularly for third-party sharing of user information, and noted the regulatory gaps that the DPDP Act now aims to fill.
The Proof: Facts and Figures
India’s digital ecosystem highlights the critical need for adequate data protection:
- As of 2023, India has over 820 million internet users, ranking as the world’s second-largest online market.
- The average Indian smartphone user has 50+ apps installed, each collecting various data points.
- In India, reported cybercrime increased by 350% between 2018 and 2022.
- 78% of Indian organisations reported at least one data breach in the past two years.
- Government databases hold biometric information of over 1.3 billion residents through Aadhaar.
- Only 32% of Indian internet users report being aware of their data protection rights.
A recent industry survey found that only 23% of Indian businesses feel fully prepared to comply with the DPDP Act’s requirements, highlighting the implementation challenges ahead.
Conclusion: A Personal Perspective
As a law student studying India’s digital evolution, I believe the DPDP Act is more of an adolescent than either a completely toothless tiger or the dawn of data sovereignty.
One of the Act’s merits is that it finally establishes a statutory foundation for data protection in India. It acknowledges individual rights and holds data fiduciaries accountable, a clear change from the regulatory vacuum that existed before it. However, its efficacy is threatened by its flaws, especially the wide range of government exemptions and the questionable independence of the enforcement agency.
The true test of the DPDP Act will be how it is put into practice. Will the Rules framework close the existing gaps? Will the Data Protection Board assert true independence despite its structural limitations? Will courts read the exemptions narrowly in order to preserve the privacy rights guaranteed by the Constitution?
Perhaps most importantly, will it evolve to meet emerging challenges posed by artificial intelligence, biometric surveillance, and increasingly sophisticated data analytics?
I believe the DPDP Act is neither the end nor the beginning of India’s data protection journey—it is simply a milestone on a continuing path. As future lawyers, our responsibility extends beyond critiquing its limitations to actively shaping its evolution through advocacy, litigation, and scholarship. The Act may not be perfect, but it provides a canvas on which a more robust data protection regime can be painted.
The tiger may not yet have its full set of teeth, but it is certainly not a paper tiger. And with the right nurturing, it may yet grow into the guardian of data sovereignty that India’s digital billion deserves.
Frequently Asked Questions
Q1: Does the DPDP Act apply to all personal data processing in India?
A: No. The Act applies only to digital personal data, that is, data collected in digital form or later digitised (Section 3). It does not apply to data processed by an individual for personal or domestic purposes, or to personal data that the data principal, or someone under a legal obligation, has made publicly available. On top of that, Section 17 exempts government agencies notified on grounds such as national security and public order, and lets the government relieve notified classes of fiduciaries, including startups, of several obligations.
Q2: How does the DPDP Act affect businesses operating in India?
A: Businesses processing personal data must implement measures for consent management, data minimization, and security safeguards. Significant data fiduciaries face additional compliance requirements. Non-compliance can result in penalties up to ₹250 crore. However, startups and smaller entities benefit from reduced compliance burdens.
Q3: Can individuals sue companies directly for data breaches under the DPDP Act?
A: No. Section 39 bars civil courts from entertaining suits on matters the Board can decide. Complaints go to the Data Protection Board, whose orders can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (Section 29). Penalties are paid to the government, not to affected individuals, and Section 44 of the Act omits Section 43A of the IT Act, 2000, which had provided compensation for negligent handling of sensitive personal data. This is a significant limitation compared to the GDPR, where Article 82 gives individuals a direct right to compensation from the controller or processor.
Q4: How does the DPDP Act affect cross-border data transfers?
A: Transfers are permitted by default; the government may by notification restrict transfers to specified countries or territories (Section 16). This creates uncertainty for multinational operations, as the criteria for such restrictions remain undefined. Stricter sectoral localisation rules, such as those the RBI imposes on payment system data, continue to apply under Section 16(2), so organisations processing Indian users’ data may need localisation measures irrespective of the DPDP Rules.
Q5: What happens if the government misuses personal data under exemption clauses?
A: This remains a significant gray area. While constitutional remedies through writ jurisdiction theoretically exist, the broad exemptions granted to government agencies create substantial barriers to challenging misuse. The absence of independent oversight mechanisms for exempted processing activities compounds this concern.
Bibliography
Supreme Court of India. (2017). Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. Retrieved from https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
Supreme Court of India. (2018). Justice K.S. Puttaswamy v. Union of India (Aadhaar Case), (2019) 1 SCC 1. Retrieved from https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf
Supreme Court of India. (2015). Shreya Singhal v. Union of India, (2015) 5 SCC 1. Retrieved from https://main.sci.gov.in/jonew/bosir/orderpdf/2090538.pdf
Delhi High Court. (2016). Karmanya Singh Sareen v. Union of India, 2016 SCC OnLine Del 5334. Retrieved from https://indiankanoon.org/doc/175890375/
Government of India. (2023). The Digital Personal Data Protection Act, 2023, Gazette of India, August 11, 2023. Retrieved from https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
Internet and Mobile Association of India. (2023). Digital India Report 2023. Retrieved from https://www.iamai.in/research/reports
Ministry of Electronics and Information Technology. (2024). Consultation Paper on Rules under the Digital Personal Data Protection Act, 2023. Retrieved from https://www.meity.gov.in/content/digital-personal-data-protection-act-2023
NASSCOM. (2024). India’s Data Protection Readiness Report. Retrieved from https://nasscom.in/knowledge-center/publications
National Crime Records Bureau. (2023). Cybercrime Statistics in India (2018-2022). Retrieved from https://ncrb.gov.in/en/crime-in-india
Reserve Bank of India. (2023). Report on Trends and Progress of Banking in India 2022-2023. Retrieved from https://www.rbi.org.in/Scripts/AnnualPublications.aspx
Telecom Regulatory Authority of India. (2024). Indian Telecom Services Performance Indicators: October-December 2023. Retrieved from https://www.trai.gov.in/release-publication/reports/performance-indicators-reports
World Economic Forum. (2024). Global Risks Report 2024. Retrieved from https://www.weforum.org/publications/global-risks-report-2024/