Author: Vedashree B. Rajput (5-3)
Government Law College, Mumbai
Abstract
Think about this: you downloaded an app, and it probably asked you to accept some terms and conditions. Most of us just “agree” without actually reading anything. But have you ever thought about what happens to your name, phone number, location, and all the other information you gave away in that moment? For a long time in India, there was no proper law to address that question. Companies could collect your data and use it however they wanted, leaving you with very little power. The Digital Personal Data Protection Act, 2023 is India’s attempt to change that. This article looks at what this law really says, why it matters, and where it still has weaknesses.
To the Point
The Digital Personal Data Protection Act (DPDPA), 2023 is India’s first law focused on protecting people’s personal data online. Before this, we had some scattered rules under the Information Technology Act, 2000, but nothing solid. This new law states that companies or organizations must get your permission before collecting your data. You also have the right to know how your data is used, correct any mistakes, and even request its deletion. On paper, this sounds good. But the law also gives the government a lot of power to make exceptions, and many important details are left to future rules that have not been announced yet. So while this is a good start, there is still much work to do.
Use of Legal Jargon
The law includes specific terms that are important to grasp. The person whose data is being collected is called the Data Principal, which means you and me. The company or person collecting and using that data is the Data Fiduciary. For example, when you sign up for a food delivery app, you are the Data Principal and the app company is the Data Fiduciary.
The Act requires that consent must be free, specific, informed, and clear. This means you cannot be forced to give your data, and the company has to clearly explain why they need it. The idea of purpose limitation means they can only use your data for the reasons they stated; they cannot use it for something else without asking again.
There is also the term Significant Data Fiduciary, referring to companies that handle large amounts of data or data that might be sensitive. These companies have to follow stricter rules. The law also establishes a Data Protection Board of India, which will deal with complaints and impose penalties when companies break the rules.
The Proof
The legal support for this kind of law comes from an important Supreme Court ruling. In 2017, a nine-judge bench of the Supreme Court, in the case of “Justice K.S. Puttaswamy (Retd.) v. Union of India”, declared that the right to privacy is a fundamental right under Article 21 of the Constitution, which protects every person’s right to life and personal liberty. The Court noted that this right includes the ability to control information about oneself, which is exactly what data protection laws aim to ensure.
The DPDPA, 2023 was passed by Parliament after years of debate and multiple draft bills. It covers all digital personal data collected in India and also applies to data collected outside India if it is used to offer goods or services to people in India. Under the Act, Data Fiduciaries can face penalties of up to Rs. 250 crores for a single violation. This shows that the law is serious about enforcement, at least in theory.
Case Laws
1. “Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017)”
This case is crucial for privacy and data protection in India. A retired judge challenged the Aadhaar scheme, which eventually reached a nine-judge bench of the Supreme Court. The Court unanimously declared that privacy is a fundamental right under Article 21 of the Constitution. It also recognized that people have the right to control their personal information. This ruling clarified that India needed a strong data protection law, and the DPDPA, 2023 is a direct result of this decision.
2. “Shreya Singhal v. Union of India, (2015)”
This case is known for overturning Section 66A of the IT Act, which was misused to arrest people for online posts. The Supreme Court stated that any restriction on fundamental rights must be clear and specific; vague laws that grant too much power to the government are unacceptable. This principle applies to the DPDPA, where critics have pointed out that the Act gives the Central Government broad powers to grant exemptions, which could be misused in the future.
3. “People’s Union for Civil Liberties v. Union of India, (1997)”
Long before the internet became part of daily life, the Supreme Court ruled in this case that tapping someone’s phone calls without legal authority violated their right to privacy under Article 21. This was one of the early cases recognizing privacy as a constitutional right. It is relevant today because it shows that Indian courts have consistently protected citizens from unauthorized intrusions into their private communications, a principle that data protection law now extends to the digital world.
Conclusion
The Digital Personal Data Protection Act, 2023 is a law that was long overdue. In a country where millions of people use smartphones and the internet daily, not having a dedicated data protection law was a serious gap. The DPDPA takes the first real step in giving citizens some control over their data.
That said, the law is not perfect. The broad powers given to the Central Government to exempt certain entities from the law’s requirements, the lack of specific protections for sensitive data like health and financial information in the main Act, and the fact that many crucial details are still pending are all valid concerns.
As a law student, I am struck by the gap between what the law promises on paper and what it might deliver in practice. A law’s true worth actually lies in how it’s enforced. The Data Protection Board must be truly independent, the rules should be clear and user-friendly, and, most importantly, citizens need to understand their rights. Until then, the promise of this law remains just that—a promise.
FAQs
Q1. What counts as personal data under this law?
Any information that can identify you—like your name, phone number, email address, or even your location—is considered personal data. Essentially, if someone can figure out who you are from the information, it is personal data.
Q2. Do I have to give my consent every time a company wants to use my data?
Yes, under the DPDPA, companies must get your consent before collecting and using your data. The consent must be clear and specific; they cannot hide it in a long list of terms and conditions that nobody reads.
Q3. What can I do if a company misuses my data?
If this happens, you can file a complaint with the Data Protection Board of India. The Board will then investigate the complaint and impose heavy penalties on the company if it has violated the law.
Q4. Does this law apply to government agencies too?
This is one of the concerns about the Act. The Central Government can exempt certain government agencies from the law’s rules. So while private companies are covered, the government can choose to exclude its own entities, raising questions about accountability.




