DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A PRACTICAL GUIDE TO DATA RIGHTS AND COMPLIANCE IN INDIA

Author: Abhirami Ajithan

Background & Objective of the Act

In the contemporary digital age, personal data has emerged as one of the most valuable resources. With the rapid growth of e-commerce, social media platforms, digital payments, online education, and e-governance initiatives, individuals routinely share vast amounts of personal information with both private entities and the State. Prior to 2023, India lacked a comprehensive and exclusive data protection framework. Personal data was regulated in a fragmented manner under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which were inadequate to address modern data-processing practices.

The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant shift in India’s approach to privacy and data governance. The Act is a legislative response to increasing incidents of data breaches, misuse of personal information, and growing public concern over digital surveillance and profiling. It seeks to operationalise the constitutional recognition of the right to privacy and establish a rights-based framework governing the collection, storage, processing, and sharing of personal data.

The primary objective of the DPDP Act is to protect the personal data of individuals while ensuring that lawful data processing for legitimate purposes is not hindered. The Act aims to balance individual autonomy with innovation, economic growth, and public interest.

Who Does the Act Apply To?

The DPDP Act applies to the processing of digital personal data within the territory of India. It also has extraterritorial applicability where personal data is processed outside India but in connection with offering goods or services to individuals located in India. This ensures that foreign entities dealing with Indian users are not beyond the reach of Indian data protection law.

The Act applies to:

Individuals whose personal data is processed (referred to as Data Principals)

Companies, firms, startups, digital platforms, and government bodies that process personal data (referred to as Data Fiduciaries)

Entities that process personal data on behalf of Data Fiduciaries (Data Processors)

Certain exemptions are provided, particularly for personal data processed for personal or domestic purposes, and for specific state functions such as national security, public order, and law enforcement, subject to conditions prescribed by law.

Key Sections Explained

Section 2 – Definitions

This section provides essential definitions that form the backbone of the Act. It defines terms such as personal data, data processing, consent, Data Principal, Data Fiduciary, and Data Processor. Personal data refers to any data about an individual who is identifiable by or in relation to such data.

Section 4 – Grounds for Processing Personal Data

Under the Act, personal data can be processed only for a lawful purpose with the consent of the Data Principal or for certain legitimate uses specified under the Act. Consent must be free, specific, informed, unconditional, and unambiguous, signifying a clear affirmative action by the individual.

Section 6 – Consent Management

This section allows individuals to withdraw consent at any time. The process of withdrawal must be as easy as the process of giving consent. Upon withdrawal, the Data Fiduciary must cease processing the personal data unless required by law.

Section 7 – Legitimate Uses

The Act recognises certain situations where personal data may be processed without explicit consent. These include purposes such as compliance with law, provision of benefits or services by the State, medical emergencies, and employment-related purposes, provided such processing is reasonable and proportionate.

Section 8 – Obligations of Data Fiduciaries

Data Fiduciaries are required to take reasonable security safeguards to prevent personal data breaches, ensure accuracy of data, and delete personal data once the purpose for processing is fulfilled. They are also required to notify the Data Protection Board and affected individuals in case of data breaches.

Section 9 – Rights of Data Principals

This section enumerates the rights available to individuals, including the right to access information, right to correction and erasure, right to grievance redressal, and the right to nominate another person to exercise rights in case of death or incapacity.

Rights, Duties & Penalties

Rights of Individuals

Individuals are empowered with enforceable rights over their personal data. These include the right to know how their data is being processed, the right to correct inaccurate data, the right to erase personal data when it is no longer necessary, and the right to seek redressal against unlawful data processing.

Duties of Data Fiduciaries

Data Fiduciaries must process data lawfully, transparently, and for specified purposes only. They must implement appropriate technical and organisational safeguards and ensure accountability in data handling practices.

Penalties

The DPDP Act prescribes significant monetary penalties for non-compliance, which may extend up to several hundred crores of rupees depending on the nature and severity of the violation. Penalties are imposed by the Data Protection Board of India after due inquiry.

Practical Examples / Real-Life Scenarios

A common real-life scenario involves mobile applications requesting excessive permissions, such as access to contacts, location, and microphone, without any necessity for the service provided. Under the DPDP Act, such practices would violate the principle of purpose limitation.

Another example is data breaches by companies storing customer information without adequate safeguards. In the event of a breach, companies are legally obligated to inform both the Data Protection Board and the affected individuals, enabling timely remedial action.

Educational institutions collecting students’ biometric data without clear consent or retention policies may also fall foul of the Act.

Common Myths or Mistakes

A prevalent myth is that once consent is given, it cannot be withdrawn. The Act explicitly allows withdrawal of consent at any stage.

Another misconception is that only large corporations are covered under the Act. In reality, even small startups and individual entities processing personal data are subject to compliance.

Many believe that government agencies are completely exempt, whereas exemptions are limited and conditional.

Recent Developments and Judicial Context

Although the DPDP Act is recent legislation, its foundation lies in the judicial recognition of the right to privacy as a fundamental right. The Supreme Court, in its landmark privacy judgment, held that informational privacy is an integral part of personal liberty. This judgment paved the way for comprehensive data protection legislation in India.

The Act also reflects India’s alignment with global data protection standards, such as the GDPR, while adopting a context-specific regulatory approach.

Conclusion: Why This Act Matters Today

The Digital Personal Data Protection Act, 2023 represents a crucial step towards safeguarding individual autonomy in the digital ecosystem. It empowers citizens, imposes accountability on data handlers, and fosters trust in digital services. As India continues its journey towards a digital economy, the DPDP Act plays a pivotal role in ensuring that technological progress does not come at the cost of personal liberty and privacy.

By creating a balanced and rights-oriented data protection framework, the Act reinforces the constitutional vision of dignity, freedom, and accountability in the digital age.
