The DPDP Act, 2023: A New Beginning for Data Privacy or a Lost Opportunity?


Author: Anirudh Gupta, Prestige Institute of Management and Research

To the Point
The passage of the Digital Personal Data Protection Act, 2023 (DPDP Act) is a watershed moment in India’s legal history regarding privacy and data protection. It is India’s first major attempt to incorporate the right to data privacy into a statute. With the Supreme Court’s 2017 decision in Justice K.S. Puttaswamy v. Union of India recognizing privacy as a fundamental right, the absence of comprehensive data protection legislation became untenable.
While the DPDP Act preserves individual freedom in the digital realm, it raises the question of whether it sufficiently empowers citizens. Are the enforcement provisions adequate? Is it excessively promoting state surveillance or corporate power? This paper investigates whether the DPDP Act establishes a new privacy framework or is lacking in crucial ways.


Abstract
The Digital Personal Data Protection Act of 2023 aims to protect personal data rights in an increasingly digitalized economy. It claims to empower the user (the “Data Principal”) through its consent-based processing architecture, data fiduciary duties, and individual rights to personal data protection. However, criticism of government exclusions, a lack of data localization, and a non-autonomous Data Protection Board has already alarmed legal experts and civil society. This paper critically examines the DPDP Act’s composition, strengths, and weaknesses, compares it to worldwide models such as the GDPR, and considers whether it fulfills the promise of the constitution.
Background and Development of the DPDP Act
India’s pursuit of comprehensive data protection began with the landmark Puttaswamy decision (2017), in which the Supreme Court stated that privacy is a constitutional right under Article 21. The Court emphasized the importance of an effective data protection system in light of rising surveillance and data collection practices.
In 2018, a committee led by Justice B.N. Srikrishna released a draft Personal Data Protection Bill that proposed a strong regulatory structure. Subsequent drafts were created but not enacted. After extensive deliberations, the DPDP Act, 2023, was passed in August 2023.
Scope and Application
The DPDP Act applies both to personal data processed digitally in India and to data processed outside India for the purpose of supplying goods or services in India. It covers individuals (Data Principals) and organisations (Data Fiduciaries). The Act specifically excludes non-digitized offline data, anonymised data, and personal data processed locally or for personal reasons.

Key Definitions
Data Principal: The individual whose information is being processed.
Data Fiduciary: Any company, government entity, or individual who processes data.
Consent: A voluntary, informed, precise, and unequivocal declaration of the Data Principal’s agreement.
Significant Data Fiduciary: Designated based on the volume and sensitivity of data processed, with more stringent compliance requirements.

Salient Provisions
1. Notice and Consent (Sections 5–7)
Personal data may only be processed with the Data Principal’s consent, which should be provided following a notice stating the purpose of collection. Consent must be clear, unequivocal, and revocable. In the case of children, documented parental consent is required.
2. Legitimate Uses (Section 7)
Data can be handled without consent in restricted cases, such as for state objectives (e.g., subsidies, licensing), legal compliance, or employment.
3. Rights of Data Principals (Section 11)
• Right to access information regarding data processing.
• Right to correction and erasure of personal data.
• Right to grievance redressal.
4. Obligations of Data Fiduciaries (Section 8)
• Collect only necessary data.
• Implement security safeguards.
• Retain data only as long as necessary.
• Notify the Board and user in case of a breach.
5. Establishment of Data Protection Board (Section 18)
A quasi-judicial institution with the authority to investigate violations, issue directions, and impose penalties.
6. Cross-Border Data Transfers (Section 16)
Cross-border data transfer is allowed by default but can be restricted specifically by the Central Government by way of notifications.
7. Government Exemptions (Section 17)
Central Government may exempt any agency from the provisions of the Act in the interest of sovereignty, security, or public order, which raises civil liberty issues.

Strengths of the DPDP Act
A. Recognition of Individual Rights
The Act establishes essential privacy rights and grants citizens data access, rectification, and erasure. This complies with worldwide standards and respects informational autonomy.
B. Emphasis on Consent
By requiring transparent and revocable consent, the Act encourages transparency in data processing, moving power from corporations to individuals.
C. The Redressal Mechanism
Complaints may be lodged with the Data Fiduciary or escalated to the Board. This procedural mechanism is necessary for the enforcement of rights.
D. Flexible Framework
The Act is principle-driven, allowing rules to keep up with evolving technology. This adaptability is critical in the continuously changing digital environment.
E. Economic Enabler
The Act benefits India’s IT sector and global trade commitments by making data transfers easier and eliminating localization requirements.

Major Criticisms and Gaps
A. Overbroad Government Exemptions
Section 17 allows the government to exclude its agencies from prior judicial approval or necessity-proportionality requirements. This directly contradicts the Puttaswamy decision and makes mass surveillance a simple matter.
B. Poor Regulatory Architecture
The Data Protection Board is appointed and managed by the administration, with no guarantee of independence or openness. This differs from foreign models, such as the GDPR’s Data Protection Authorities (DPAs).
C. No Data Localization
The Act does not provide for the local storage of sensitive personal information, which undermines data sovereignty and security in crucial fields like banking and health.
D. Limited Scope
• The scope excludes offline data and data used for domestic purposes.
• Anonymized data, which can easily be re-identified, is also beyond its scope.
E. Fuzzy Reasons for “Legitimate Use”
Processing without consent for poorly described “legitimate use” grounds taints the consent mechanism and threatens accountability.

Comparative Global Perspective
Feature | DPDP Act (India) | GDPR (Europe) | CCPA (California)
Consent | Required; revocable | Required; opt-in | Opt-out system
Rights | Access, correction, erasure | Transfer, objection | Deletion, opting out
Regulator | Data Protection Board (executively controlled) | Independent DPAs | California Privacy Protection Agency
Government exemption | Broad, unilateral | Narrow, subject to law | Judicially reviewable
Cross-border data | Permitted, unless limited | Only for “adequate” jurisdictions | With protections


The DPDP Act is less stringent in protecting individual rights and accountability measures than the GDPR.

Judicial Commentary and Constitutional Lens
• Puttaswamy v. Union of India (2017): Privacy was established as a fundamental right based on legality, necessity, and proportionality. Section 17 of the DPDP Act may not pass this test.
• Internet Freedom Foundation and Others (courts are still hearing challenges): Civil society and digital rights organizations argue that the Act creates a “surveillance state” in the name of privacy protection.
• Anuradha Bhasin v. Union of India (2020): Reaffirmed the requirement that limits be reasonable and subject to judicial review, principles eroded by the DPDP Act.

Impact on Major Stakeholders
1. Citizens
Benefits:
• Greater control over their data.
• Right to seek remedy.
Disadvantages:
• Government agencies may bypass protection.
• A weak regulator may impair enforceability.
2. Businesses
Advantages:
• A consistent and predictable legal regime.
• No onerous localization requirements.
Disadvantages:
• High penalties (up to ₹250 crore).
• Higher compliance expenses, especially for Significant Data Fiduciaries.
3. Government
Advantages:
• Manages data access for governance and security.
• Flexible limitations on cross-border flows.
Cons:
• Risks criticism for fostering a surveillance-friendly climate.
• Data adequacy may be subject to international scrutiny.

Missed Opportunities
• No judicial oversight for monitoring or exemptions.
• Lack of algorithmic transparency and data profiling limits.
• Lack of rights, such as data portability and automated decision-making redress.
• Inadequate safeguards for children’s data and vulnerable populations.

Conclusion
The Digital Personal Data Protection Act of 2023 is a milestone, but not an ideal one. It grants people long-awaited rights and imposes responsibility on data processors. However, its blanket exclusions for the state, lack of an independent regulator, and watered-down consent procedure suggest that it will fail to meet the constitutional objective expressed in Puttaswamy.
Whether it is a watershed moment or a missed opportunity will be determined by how future rules are framed, how the judiciary interprets judicial constraints, and how firmly civil society demands reforms.

FAQs
Q1. Why was the DPDP Act, 2023 enacted?
To secure the digital personal data of individuals and regulate its processing by data fiduciaries, while keeping the public interest in balance.
Q2. May the government access my personal data?
Yes, the Act permits government exceptions for designated functions, which has been deemed too broad.
Q3. Does the Act cover offline or anonymized data?
No, the Act covers only digital personal data and does not cover anonymized or non-digital data.
Q4. How similar is the DPDP Act to GDPR?
Partially. It adopts ideas such as consent and fiduciary duties but omits GDPR’s regulatory autonomy and greater data rights.
Q5. Am I able to file a complaint in case my data is being misused?
Yes, you can complain to the data fiduciary or appeal to the Data Protection Board.
