Published On: 7th August 2025
Authored By: Kanika Amol Pradhan
Symbiosis Law School, Hyderabad
1. Abstract
The need for strong and robust data protection rules is of utmost importance in today’s technological and internet era. The first law in India on personal and digital data protection, the Digital Personal Data Protection (DPDP) Act, 2023[1], was introduced in 2023. It marks a crucial point in India’s legislative history, especially after the 2017 landmark K.S. Puttaswamy judgment, when the right to privacy was included as a fundamental right.
The article has focused on the evolution of data protection laws and their relevance through various Supreme Court judgments. The deficiencies in the Information Technology Act, 2000[2], led to the conclusion that there was a need for a different, separate, robust legislation dealing with personal and digital data protection. The Digital Personal Data Protection (DPDP) Act, 2023, aims to strike a balance between individual rights, the public interest, and national security through provisions on informed consent, the rights of data principals, the duties of data fiduciaries, cross-border transfers, and government exemptions.
The Act addresses various aspects, some of which align with the General Data Protection Regulation (GDPR), while others align with the government’s requirements and recommendations. It aligns with international standards. The article also highlights the Act’s shortcomings and recommends changes required to strengthen democratic oversight and guarantee that privacy is not compromised for convenience.
Therefore, the Digital Personal Data Protection (DPDP) Act, 2023, is undoubtedly the first powerful phrase in India’s long-overdue data privacy chapter, but it is by no means the last word on data protection.
2. Introduction
In the current environment, which is increasingly shaped by online ecosystems and technology, the collection, storage, and handling of sensitive and private data has become important to how people come together, how companies operate, and how governments oversee privacy and sovereignty. Owing to the expansion of social media, e-commerce, cloud storage, mobile apps, and smart technologies, a tremendous amount of private data is being transmitted through worldwide networks and global channels. This digital revolution has brought its own pros and cons. While it provides simplicity, convenience, innovation, and efficiency, it also creates fear and exposes people to data hacking, phishing, piracy, etc. It is essential to have a person’s personal data protected. Hence, it is crucial to develop solid, reliable, and strong data protection methods.
In India, the government and private sectors handle personal and private information in immense volumes. This can be in the form of e-commerce choices, biometrics, or Aadhaar card details. However, the legislative framework for monitoring this vast amount of data has until now been insufficient and unclear. The primary law governing this was the Information Technology Act, 2000, though it included only foundational provisions covering the protection of private data, and even these had certain loopholes. A pressing need was observed for a new, separate, and independent legislation on the protection of private data[3].
This need could be observed more clearly in the case of Justice K.S. Puttaswamy v. Union of India (2017)[4]. Under Art. 21[5] of the Constitution of India, the right to privacy was recognized as a fundamental right. A committee headed by Justice B.N. Srikrishna was established to frame a law on data protection and privacy. The primary framework in 2018 and 2019 laid the basis for the draft of the Personal Data Protection Bill. The law was scrapped in 2022, even after some parliamentary discussions and a report in 2021. The Digital Personal Data Protection (DPDP) Act, 2023[6], was updated and finally introduced in August 2023. It was approved by both Houses of Parliament. It received Presidential assent and was published in the Gazette on 11 August 2023. This Act is of utmost importance and marks a crucial event in the history of India’s digital governance. The Act draws in part on the General Data Protection Regulation (GDPR) of the European Union. It incorporates several crucial tenets, including the right to access and delete private data and information, purpose limitation, informed consent, lawful processing of data, and data minimization. A Data Protection Board of India is established for monitoring compliance and settling conflicts. The Act describes the roles, responsibilities, and functions of data fiduciaries and data principals. It covers the handling and processing of digital personal and private data, regardless of whether it is collected online or offline. The Act even allows for extra-territorial applicability. This paper analyses the Digital Personal Data Protection (DPDP) Act, 2023, in depth.
3. Analyzing Digital Personal Data Protection (DPDP) Act, 2023
3.1 Historical Background of DPDP Act, 2023
For a long time, the Constitution of India didn’t recognize the right to privacy as a fundamental right. The constitutional framework in India relating to the ‘right to privacy’ forms the primary basis for the Digital Personal Data Protection (DPDP) Act, 2023. There have been certain Law Commission reports in this regard, which suggested amendments to the Indian Evidence Act, 1872[7], to secure online and digital evidence and the integrity of computerized proof. A few early decisions of the Supreme Court in this regard are M.P. Sharma v. Satish Chandra (1954)[8] and Kharak Singh v. State of U.P. (1963)[9].
In the case of M.P. Sharma v. Satish Chandra (1954)[10], a company became insolvent in 1952 under the Companies Act, 1913. The company came under investigation for swindling, fraud, and fabrication of accounts. Hence, an FIR was registered under S. 96 CrPC[11]. This resulted in 34 places being searched concurrently. The petitioners protested that their fundamental rights under Art. 19(1)(f)[12] (right to property) and Art. 20(3)[13] (protection against self-incrimination) were being violated. They even proposed the right to privacy as a fundamental right similar to the US Constitution’s 4th Amendment. All such arguments were dismissed by the Supreme Court. The Court said that these searches did not lead to any permanent damage to the property or a coerced confession.
Significantly, the Court held that the ‘right to privacy’ was not recognized as a fundamental right under the Constitution of India. Hence, such a right could not hinder the State’s power to conduct an investigation.
In the case of Kharak Singh v. State of U.P. (1963)[14], the majority of judges of the Supreme Court opined that the right to privacy is neither a fundamental nor a constitutional right. It was described as merely ‘psychological hindrances’. But the minority, led by Justice Subba Rao, opined that privacy is an integral part of personal liberty under Art. 21[15]. Hence, the right to privacy should be recognized as a fundamental right under Art. 21.
With the arrival and rapid growth of technological and digital advancements, there were rising concerns related to commercial and governmental spying, and laws related to data protection and privacy were in high demand.
The landmark judgment of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)[16] finally recognized the right to privacy as a fundamental right under Art. 21[17] (Right to Life and Personal Liberty). The right to privacy was said to be an integral part of personal liberty, thereby broadening the scope of Art. 21 to include it[18].
The Justice B.N. Srikrishna Committee was constituted in the year 2017 and allotted the task of drafting a digital data protection law for India. The report and draft of the Act were received in 2018, which laid the foundation for the formation of the 2023 Act. Hence, the Act’s journey is linked with the constitutional journey of recognizing the right to privacy as a fundamental right and filling the statutory gap that existed prior to the 2023 Act.
3.2 Need for Data Protection Law
There was an immediate requirement for exhaustive data protection laws in India. This was owing to people’s increasing electronic records and internet usage, security lapses, and unorganized and uncontrolled data networks. As an outcome of the increasing use and popularity of smartphones, the internet, e-government websites, and social media sites, large amounts of personal data have been created. It is crucial to safeguard and encrypt this private information and to have laws regarding the same. Recently, government policies and projects such as Aadhaar, Digital India, and Smart Cities have necessitated a massive accumulation of biometric and demographic data. This was one of the primary reasons for personal data protection statutes. Around that time, private businesses and companies, mostly gigantic internet companies and statistics- and data-driven startups and businesses, were making profits from private information and personal data through customized advertising. Due to the absence of a comprehensive legislative framework, there were concerns regarding security lapses, private freedom, etc. Regulations resembling the European Union’s General Data Protection Regulation (GDPR) were absent in India, even though Indian companies participated in foreign operations and transactions, outsourcing, and global data transfers. These EU frameworks have become internationally recognized, acting as a standard benchmark for all other countries. The Information Technology Act, 2000[19], and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, also known as the SPDI Rules of 2011, were in force[20]. However, they were narrower in scope, covering only particular sections, and many sectors were left unattended and unregulated. Hence, a need was observed for proper mechanisms covering all aspects of digital data protection and data privacy law.
Security breaches and hacking incidents were often observed with respect to online bank transactions, e-commerce platforms, government websites, etc. Hence, there was an immediate requirement for the Digital Personal Data Protection (DPDP) Act, which was enacted in 2023.
3.3 Development and Legislative Journey DPDP Act, 2023
Following the K.S. Puttaswamy judgment, a committee headed by Justice B.N. Srikrishna was set up to work on an exhaustive data protection law in India. The foundation was loosely based on the European Union’s General Data Protection Regulation (GDPR), as could be seen in the 2018 draft bill. A modified Personal Data Protection Bill was introduced in 2019 by the Ministry of Electronics and Information Technology (MeitY). It was further submitted to the Joint Parliamentary Committee (JPC) for a comprehensive and complete analysis. In December 2021, the Joint Parliamentary Committee (JPC) presented its report recommending several modifications and renaming it the “Data Protection Bill, 2021.” However, there were certain concerns related to the complicated structure of the bill, owing to which the government decided to withdraw it in 2022. In 2022, a new, simplified draft was made publicly available so that the general public could understand the personal data protection bill.
During Parliament’s monsoon session, the Digital Personal Data Protection Bill, 2023, was put forth. The Lok Sabha passed it on 7 August 2023. The Rajya Sabha passed it on 9 August 2023. The Bill received the President’s assent on 11 August 2023, thereby becoming the Digital Personal Data Protection (DPDP) Act, 2023[21]. The Act is a truncated version comprising 44 sections. The focus of the Act is on limited liberties for data principals, consent-based processing, data fiduciary duties, and the establishment of a Data Protection Board.
3.4 Salient Features of Digital Personal Data Protection (DPDP) Act, 2023
Some of the notable features of the Digital Personal Data Protection (DPDP) Act, 2023 are as follows:-
S. 2[22]-> Key Definitions
Certain key definitions mentioned in this act are as follows:-
- 2(j)[23]->Data Principal: The entity to whom the sensitive and personal information relates.
- 2(i)[24]->Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data.
- 2(g)[25]->Consent Manager: A person registered with the Board who acts as a consent facilitator for the Data Principal.
- 2(t)[26]->Personal Data Breach: Any unauthorized processing or accidental disclosure, alteration, or destruction of personal data.
S. 3[27]-> Extent and Applicability
The Act applies to the processing of digital personal data:
- Within India: Regardless of whether the data is collected online, or offline and then digitized.
- Outside India: If the processing of data is connected to supplying goods and services to Indian citizens.
Under S.3(b)[28], the Act does not apply to:
- Private data in non-digitized form
- Anonymous data and information
S. 6[29] & S.7->Consent and Legitimate Use
The Act has put forth a framework based on consent and authorization.
According to S.6(1)[30]-> such authorization should be:
- Free, precise, informed, clear, and transparent, obtained through a positive action
- According to S.6(3)[31]-> consent can be rescinded at any time
- 6(2)[32]-> Prerequisites for notice. Data fiduciaries should provide notice to the data principal in explicit, clear, and straightforward language.
S.7[33]-> It lists the acceptable uses for which data may be processed without consent
S. 8 [34] & S. 9-> Duties of Data Fiduciaries
Primary duties have been specified in S.8
- Acquire lawful consent
- To prevent any intrusions, verify that the security measures taken are adequate
- In case of any violation, contact the affected parties and inform the Data Protection Board.
S.9[35]-> Describes further responsibilities for Significant Data Fiduciaries (SDFs) based on factors such as:
- Quantity and Sensitivity of Data
- Threat to the privileges of data principals
- Possible effects on public order
These entities are also required to:-
- Appoint a Data Protection Officer (DPO)
- Execute Data Protection Impact Assessments and audits in a timely manner.
S. 9(5) [36]-> Children’s Data Processing
- According to S.2 (e)[37]: Children are those individuals who are below the age of 18 years.
- According to S.9 (5), prior to processing the children’s data, the consent of parents is mandatory
S. 11 to S.13-> Data Principal’s Rights -> The Act has given certain limited rights:-
- Right to Access [Section 11[38]]:- Where private data has been processed or is being processed, there is a right to obtain a summary and overview of such data
- Right to Correction and Erasure [Section 12[39]]:- Rectification of incorrect data may be requested, and redundant data may be removed
- Right to Grievance Redressal [Section 13[40]]:- A proper grievance mechanism has to be provided by the data fiduciaries. The Board may be approached if the grievance settlement is not satisfactory.
- Right to Nominate [Section 14[41]]:- In case of incapacity or death, data principals may propose an alternate person to exercise their rights
S. 15[42]-> Data Principal’s Responsibilities
The Act has imposed duties on persons
- 15 (a)[43]-> Prevent misrepresentation
- 15(b)[44]-> refrain from filing malicious complaints
- 15(c)[45]-> Give precise and relevant data
- Non-adherence to any of the above can lead to a fine up to 10,000/-
S. 16[46]-> Cross-Border Data Transfers
- Such transfers are authorized under S.16 by default
- Through a negative list, the government may notify ‘restricted countries’ to which data transfers are not authorized
- No prior requirements for data localization as had been previously included in the 2018 and 2019 drafts.
S. 17[47]-> Government Exemptions
- 17(2)[48]-> Allows the Central Government to exempt any state’s instrumentality from the Act’s application.
- The section has been criticized for giving the government enormous discretionary powers, raising surveillance issues, lacking legislative oversight, and violating the right to privacy as recognized in K.S. Puttaswamy v. Union of India (2017).
Apart from that, S. 18 [49] to S. 27[50] deals with the Data Protection Board, which is constituted under Section 18 and acts as a quasi-judicial body. S.33[51] deals with the penalties and punishment for infringement and their enforcement.
These are some of the vital sections of the Digital Personal Data Protection (DPDP) Act, 2023
Suggestions
Though the Digital Personal Data Protection (DPDP) Act, 2023[52] is a crucial legislative development, a few suggestions can still be made:-
- Establishing a Truly Independent Data Protection Board:
The current board is under the complete control of the Central Government, which might threaten its impartial nature. There should be a constitutionally protected body similar to constitutional tribunals.
- Restricting Government Exemptions
This is visible in S.17(2)[53], where a lot of discretion and power rests with the government. It is better to grant such discretionary powers only after a judicial review.
- Stronger classification and security of confidential private information
The DPDP Act lacks a strong, distinctive method for classifying sensitive personal information. Health, financial, and biometric data should be provided with greater protection and clarity.
- Incorporating concepts such as Data Minimization and Purpose Limitation
These principles should be incorporated, and their uses should be clearly defined and properly stated.
- Grievance redressal techniques and awareness campaigns
An average citizen is still not fully aware of their rights and duties. They should be made aware of these through awareness campaigns. There should be proper campaigns, and these redressal systems should exist even at the district level.
- Challenging Repercussions for Data Fiduciary Infringements
Although there are fines of up to ₹250 crore, more stringent and reliable enforcement measures are needed to act as deterrents, particularly for tech companies.
In the end, data protection needs to be a democratic culture as well as a legal need, guaranteeing that people are not just data subjects in a surveillance state but also have the authority to manage their data.
Conclusion
“Data is the new oil. But like oil, it can pollute unless refined with laws.” — Justice B.N. Srikrishna
One of the crucial steps taken by India was to introduce the Digital Personal Data Protection (DPDP) Act, 2023, for the protection of personal and private data. It took years of legislative, constitutional, and public recognition for this law to come into force. The transition from M.P. Sharma to K.S. Puttaswamy demonstrates this. In this transition, the right to privacy gained legal and constitutional recognition, thereby becoming a fundamental right under the Indian Constitution. The Act outlines primary definitions, rules, redressal techniques, and cross-border transfers, and provides penalties for the relevant offences. It even aligns itself with the European Union’s General Data Protection Regulation (GDPR), though it is a bit different in certain aspects.
India could no longer afford to put off enacting a comprehensive privacy law. There were rising security concerns, cyber risks, surveillance issues, and economic exploitation. However, the Act shouldn’t be viewed as a completed work. It is a living document that ought to change as a result of judicial review, amendments, and democratic discussion.
Enhancing data principles, safeguarding the most vulnerable, particularly children, and ensuring that digital convenience doesn’t come at the expense of civil freedoms are urgent priorities. “The right to privacy cannot be overridden by a mere statutory right of a fiduciary or the State,” as Justice Srikrishna rightly stated. This spirit must be upheld under the DPDP Act.
India’s current level of data protection will determine its digital future. India’s journey toward digital democracy based on autonomy, dignity, and trust is only getting started, not finished, with this Act.
References:
[1] Digital Personal Data Protection Act, 2023, No.22, Acts of Parliament, 2023 (India).
[2] Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).
[3] Dr. Aniket Sharma, Transforming Data Privacy: An analysis of India’s Digital Personal Data Protection Act, Vol. 6 Issue 5, International Journal of Law, Management & Humanities (IJLMH), 1841-1853 (2023).
[4] K.S. Puttaswamy (Privacy-9J.) v. Union of India, (2017) 10 SCC 1.
[5] India Const. art. 21.
[6] Supra note 1.
[7] Indian Evidence Act, 1872, No. 1, Acts of Parliament, 1872 (India).
[8] M.P. Sharma v. Satish Chandra, (1954) 1 SCC 385.
[9] Kharak Singh v. State of U.P., 1962 SCC OnLine SC 10.
[10] Supra note 8.
[11] Code of Criminal Procedure, 1974, §.96, No. 2, Acts of Parliament, 1974 (India).
[12] India Const. art. 19, cl.1(f).
[13] India Const. art. 20, cl.3.
[14] Supra note 9.
[15] Supra note 4.
[16] Supra note 3.
[17] Supra note 4.
[18] Id.
[19] Supra note 2.
[20] Dr. Pradeep Kumar Kashyap, Digital Personal Data Protection Act, 2023: A new light into the data protection and privacy law in India, Vol. 2 Issue 1, ICREP Journal of Interdisciplinary Studies, 1-12 (2023).
[21] Supra note 1.
[22] Digital Personal Data Protection Act, 2023, §.2, No.22, Acts of Parliament, 2023 (India).
[23] Digital Personal Data Protection Act, 2023, §.2, cl.j, No.22, Acts of Parliament, 2023 (India).
[24] Digital Personal Data Protection Act, 2023, §.2, cl.i, No. 22, Acts of Parliament, 2023 (India).
[25] Digital Personal Data Protection Act, 2023, §.2, cl.g, No.22, Acts of Parliament, 2023 (India).
[26] Digital Personal Data Protection Act, 2023, §.2, cl.t, No.22, Acts of Parliament, 2023 (India).
[27] Digital Personal Data Protection Act, 2023, §.3, No.22, Acts of Parliament, 2023 (India).
[28] Digital Personal Data Protection Act, 2023, §.3, cl.b, No.22, Acts of Parliament, 2023 (India).
[29] Digital Personal Data Protection Act, 2023, §.6, No.22, Acts of Parliament, 2023 (India).
[30] Digital Personal Data Protection Act, 2023, §.6, cl.1, No.22, Acts of Parliament, 2023 (India).
[31] Digital Personal Data Protection Act, 2023, §.6, cl.3, No.22, Acts of Parliament, 2023 (India).
[32] Digital Personal Data Protection Act, 2023, §.6, cl.2, No.22, Acts of Parliament, 2023 (India).
[33] Digital Personal Data Protection Act, 2023, §.7, No.22, Acts of Parliament, 2023 (India).
[34] Digital Personal Data Protection Act, 2023, §.8, No.22, Acts of Parliament, 2023 (India).
[35] Digital Personal Data Protection Act, 2023, §.9, No.22, Acts of Parliament, 2023 (India).
[36] Digital Personal Data Protection Act, 2023, §.9, cl.5, No.22, Acts of Parliament, 2023 (India).
[37] Digital Personal Data Protection Act, 2023, §.2, cl.e, No.22, Acts of Parliament, 2023 (India).
[38] Digital Personal Data Protection Act, 2023, §.11, No.22, Acts of Parliament, 2023 (India).
[39] Digital Personal Data Protection Act, 2023, §.12, No.22, Acts of Parliament, 2023 (India).
[40] Digital Personal Data Protection Act, 2023, §.13, No.22, Acts of Parliament, 2023 (India).
[41] Digital Personal Data Protection Act, 2023, §.14, No.22, Acts of Parliament, 2023 (India).
[42] Digital Personal Data Protection Act, 2023, §.15, No.22, Acts of Parliament, 2023 (India).
[43] Digital Personal Data Protection Act, 2023, §.15, cl.a, No.22, Acts of Parliament, 2023 (India).
[44] Digital Personal Data Protection Act, 2023, §.15, cl.b, No.22, Acts of Parliament, 2023 (India).
[45] Digital Personal Data Protection Act, 2023, §.15, cl.c, No.22, Acts of Parliament, 2023 (India).
[46] Digital Personal Data Protection Act, 2023, §.16, No.22, Acts of Parliament, 2023 (India).
[47] Digital Personal Data Protection Act, 2023, §.17, No.22, Acts of Parliament, 2023 (India).
[48] Digital Personal Data Protection Act, 2023, §.17, cl.2, No.22, Acts of Parliament, 2023 (India).
[49] Digital Personal Data Protection Act, 2023, §.18, No.22, Acts of Parliament, 2023 (India).
[50] Digital Personal Data Protection Act, 2023, §.27, No.22, Acts of Parliament, 2023 (India).
[51] Digital Personal Data Protection Act, 2023, §.33, No.22, Acts of Parliament, 2023 (India).
[52] Supra note 1.
[53] Supra note 47.