INDIA’S NEW DATA PRIVACY LAW: A CRITICAL STUDY
By Shoaib Ansari, Ph.D. Scholar, Faculty of Law, University of Delhi,
Email: shoaibhns@gmail.com.
https://doi.org/10.5281/zenodo.14077040
ABSTRACT
The Digital Personal Data Protection Act, 2023, represents a transformative shift in India’s approach to personal data protection, aiming to align with global standards such as the EU’s GDPR while addressing India’s distinct socio-economic landscape. The paper critically examines the Act’s provisions, strengths, and potential drawbacks, assessing its impact on individual privacy, business dynamics, and governmental power. It seeks to determine whether the Act strikes an effective balance between empowering citizens over their data and enabling businesses and the government to operate within a secure digital environment. Key provisions include consent-based data processing, rights for individuals to access and correct their data, and significant obligations for data fiduciaries, particularly those handling large volumes of data. The Act’s flexible approach to cross-border data transfer and moderate data localisation requirements demonstrate an attempt to balance data protection with the needs of the digital economy. However, the Act grants specific exemptions to government agencies, raising questions about potential privacy trade-offs in the interest of national security and public order. The paper explores the implications of these exemptions and the broader challenges of enforcement and public awareness. Through a comparative analysis with international standards such as the GDPR and insights from stakeholders across industries, this study evaluates whether the Digital Personal Data Protection Act, 2023, achieves its dual objective of empowering citizens over their data and fostering a robust digital economy. The findings offer recommendations to strengthen the Act’s implementation, aiming to support India’s role as a leader in data privacy and digital innovation.
Keywords: Digital Personal Data, Personal Data, Data Protection, GDPR.
I. INTRODUCTION
Which of us does not consider ourselves a citizen of the digital world today? Whether it is the digital services we see every day on our phones and tablets, or the digital infrastructure that underpins everything from banking to manufacturing, technology is moving fast, and consumer trust needs to follow it. That is why a new law was needed, and that is what we are getting with the Digital Personal Data Protection Act, 2023 (hereinafter ‘the DPDP Act’), which will include the provisions of the Digital Personal Data Protection Regulation within its broader scope.
Personal data is information that relates to an individual person. It is often used to understand the preferences of individuals, which may be useful for customisation, targeted advertising and developing recommendations. Unchecked processing may have adverse implications for the privacy of the individual. Data protection law gives people rights in their personal information, and it restricts the ways in which organisations can use people’s personal information.
Earlier, there was no standalone law for personal data protection; use of personal data was regulated under the Information Technology Act, 2000 (hereinafter ‘the IT Act’). In 2017, the Central Government constituted a committee to examine issues relating to data protection in the country. The Digital Personal Data Protection Act, 2023 confers rights on individuals to protect their personal data, places obligations on entities that process personal data and lays down the compliance mechanism.
The perceived need for data protection legislation arose out of the growing use of computers in the 1970s and the threat to personal privacy that rapid manipulation of data potentially posed. This is a pivotal time for data protection and privacy. Data protection laws are converging globally, consumer trust is ever more central to both businesses and the public sector, and a rapidly expanding digital economy is asking more questions of us all. But alongside that increased awareness of the law, a lot of people feel they have lost control of their own data, and that affects their trust in organisations. Still, the end game in the data protection field is always about increasing public trust and confidence in how personal data are used.
1.1 Literature Review
Indians live digital lives in large numbers, going online for work and leisure, creativity and commerce. That adds up to millions of digital transactions, each leaving a trail of information, the valuable “new oil” of the digital economy. This research paper looks at what transpired, why it occurred, and what the ideal data protection law of the future should look like.
1.2 Scope and Objectives
Digital transactions have transformed economic as well as social interactions. Use of personal data for the provision of services and other purposes is a common aspect of such transactions. In this context, protection of personal data has become a prerequisite for the growth of the digital economy. Therefore, there is a need for legislation that provides for the protection and security of users’ personal data and recognises the need to process such personal data for lawful purposes. The Digital Personal Data Protection Act, 2023 confers rights on individuals to protect their personal data, places obligations on entities that process personal data and lays down the compliance mechanism.
In this paper, the implications and intricacies of the DPDP Act are discussed. In the late fall of 2023, India introduced significant new legislation, the DPDP Act. This law marks the fifth iteration of India’s data privacy law and aims to provide a comprehensive framework for the processing and protection of personal data. The key takeaways of the paper are:
• Overview of the DPDP Act: understand the law’s extraterritorial applicability, the types of data it covers, and the scenarios exempted from its purview.
• Lawful grounds for data processing: learn about the primary reliance on consent and the high standards required for valid consent under the DPDP Act.
• Rights and responsibilities: explore the rights granted to data subjects and the obligations placed on data controllers and processors.
• Comparison with the GDPR: gain insights into the similarities and differences between the DPDP Act and the GDPR, especially regarding lawful bases for processing and breach notification requirements.
• Practical steps for compliance: get practical advice on data mapping, obtaining consent, and implementing security safeguards to ensure compliance with the new law.
The paper also discusses the challenges and opportunities posed by the DPDP Act and offers actionable steps for organisations to start preparing for compliance.
II. METHODOLOGY
The research utilises a mixed-method approach, including legal analysis of the Act, a comparative study with international data protection laws, and interviews with stakeholders such as legal experts and privacy advocates. The data collected is analysed to assess the Act’s effectiveness in protecting individual privacy and fostering economic development.
Thus, the methodology adopted in this study is doctrinal and analytical, based on facts and data already available. This work mainly depends on secondary sources such as books, articles and journals. It is basically a theoretical work built up from information gathered from books and journals. The internet has been a key source in collecting the views and opinions of eminent writers. Dailies and magazines are also used as valuable sources of information to understand the latest trends.
III. DISCUSSION AND RESULTS
3.1 Historical Background and Legislative Evolution
This section traces the legislative journey, highlighting key events and debates that shaped the final Act. It covers the influence of public feedback, global benchmarks, and India’s strategic priorities. The 2023 Act replaced previous drafts, aiming for a simplified yet effective framework for the digital economy.
The internet’s design has been such that, of the three stakeholders involved, the individual, the tech platform and the government, the individual has the least control over who has access to one’s personal details, whether profit-seeking firms, an intrusive government, or those behind data leaks and theft. Allegations of politically motivated use of spyware and reckless use of facial recognition software make people vulnerable to fraud and faulty prosecution. A data protection law of the kind enacted in several western jurisdictions is what citizens need. Their wait for such a legal framework, however, has been exasperating.
The idea of such a law draws from a 2017 Supreme Court judgment in K.S. Puttaswamy (Privacy-9J.) v. Union of India, (2017) 10 SCC 1, which upheld the right to privacy as a part of our fundamental right to life and liberty. The top Court directed the government to enact a law to protect personal data. Following this, a panel chaired by Justice B N Srikrishna drew up a draft bill in 2018, but the law introduced in Parliament a year later saw a considerable weakening of safeguards, as it gave sweeping powers to the Centre and its agencies to call up data at will, prompting Justice Srikrishna to flag its Orwellian risks.
Critics said this was like two laws being legislated: one that brought commercial entities under scrutiny and another that gave state agencies a free pass, while stiffening data localisation requirements and increasing the regulatory burden on digital players. This also sparked worries about a business environment that might choke innovation. The law must engage with the dissent and criticism placed on record and invite greater consultation. It could take inspiration from the EU’s data law, which offers a strong shield against commercial and state surveillance, commits companies to using only minimal data and only for specific purposes, bars them from holding data longer than necessary and makes them accountable for losses. Since our personal data evidently holds value, the basic thrust of India’s revised data law should be to accord individuals explicit ownership of it by default; consent mechanisms, the use of anonymised data and so on could all flow from that. Under this sub-heading we have traced the evolution from the Personal Data Protection Bill, 2019 to the Digital Personal Data Protection Act, 2023, highlighting the socio-political factors influencing these changes.
3.2 Overview of the DPDP Act
A brief overview of India’s Digital Personal Data Protection Act follows. The DPDP Act, enacted as law in August 2023, is the fifth iteration of India’s data privacy law, the first version having been released back in 2018. As of now, we expect the government to implement the law by the end of this year. In terms of applicability, the law applies to the processing of all personal data maintained in digital form, and it has extraterritorial applicability: in addition to processing within India, it applies to the processing of personal data outside India where such processing is for offering goods and/or services to data subjects within India. There are, however, certain blanket exemptions under which the law does not apply to particular processing scenarios. The law does not apply to processing for domestic or personal purposes, to the processing of publicly available data, or to certain notified government agencies where they process personal data for national security purposes. The law also does not apply to processing for research, archiving or statistical purposes. Outside these blanket exemptions, where the law does not apply at all, a lawful ground is required to process personal data for any purpose. Unfortunately, consent is the only lawful ground under the law; it does not include other commonly known lawful grounds such as legitimate purpose or contractual necessity, which is one drawback of the law. The consent standard under the law is fairly high: for consent to be valid, it must be free, specific, informed, unconditional, unambiguous and expressed by an affirmative action. There are, however, certain grounds prescribed under the Act which enable processing without consent. These are termed legitimate uses of personal data.
Accordingly, examples of legitimate uses of personal data include processing for employment purposes, where an employer processes personal data to prevent loss or liability to itself, processing for medical emergencies, processing for disaster management, and processing in furtherance of the exercise of State functions. All of these are considered legitimate uses of personal data, and for these purposes consent is not required.
There are certain rights under the law, of the kind typically included in most global data privacy legislation: the right to confirm what data is being processed; the right to correction, updating, deletion or erasure of personal data; and the right to grievance redressal.
There are no data localisation restrictions under the law, although previous versions of the law did have them. The DPDP Act does not include restrictions on the transfer of personal data, but it empowers the government to issue blacklists of countries to which the transfer of personal data would be restricted. Interestingly, none of the compliance requirements under the law apply to data processors; all the requirements apply to data controllers, and the data controller is obligated to ensure the processor’s compliance with the law. The penalty under the law is quite high and can go up to Indian rupees 2.5 billion, which roughly translates to US $30 million. To conclude, we believe the law is a good first step, considering that India has had very minimal data privacy laws and that as a society we have very low privacy standards. The law is principle-based and, unlike many other Indian laws, it is concise and written in simple language. There are quite a few disadvantages with the law. It does lack in certain aspects: there is no alternate lawful ground for processing, which I think is a big drawback. Given the high standards for consent, it may not be possible to obtain valid consent in every processing scenario, so we will have to see how all of this unfolds once the law is implemented.
3.3 Concerns surrounding DPDP Act
There are a number of concerns, which fall within four walls. First, the kind of exemptions and potential exemptions for various kinds of governmental use, which may also be subject to court challenges; and the data of non-Indians, given that India is a big outsourcing hub, so outsourcing companies might not fall within the scope of this law. Second, the challenges it poses to freedom of expression and freedom of the press. There are no exemptions for journalists in this law, and that will perhaps have to be adjudicated at a later date by the courts. That it weakens the Right to Information Act in order to make privacy a stronger contender is also a potential concern. Third, there are concerns around privacy, namely that there should be a different regime for people of different ages: for those below the age of 18, verification becomes a requirement. So, how do we actually go about putting in place infrastructure for age verification that is not overburdened? Lastly, the problems of enforcement. The data protection board is not independent, and at the same time the process is overcentralised, with the civil courts kept out of it.
Startups will definitely need time to adapt. They are at a stage where they need to focus on growth, and they will have to hire a data protection officer to comply. When it comes to government organisations, there needs to be a structure for deciding which organisations to bring under the law and which to exempt. The largest databases in India where personally identifiable information (PII) is collected are held by the government. Bodies like the Election Commission of India (ECI), the Aadhaar authority UIDAI and GST In all hold a lot of PII; if these are not covered under this law, then the law creates a huge risk, and there are companies supporting these large databases. So, the implication of keeping them out is that the service providers working with them are also kept out. For instance, if Airtel collects data for UIDAI, what kind of law will apply to it, given that it is holding the data centre? Thus, a third party to a large government database would be impacted by these exemptions.
Section 43A of the IT Act and the Rules under the Act actually captured the eight data protection principles, which were a kind of combination of the UK Data Protection Act of 1988 and the EU 1995 Data Protection Directive. If we look at the data principles, primarily consent, purpose limitation, dissemination, erasure and transfer, they are actually diluted in the new Act. If it does not meet Puttaswamy’s threshold, then it would not stand the test of constitutionality. For instance, there is a right to be forgotten in the Act, but if we look at the provision, it says that whatever data one has shared, one can modify it or ask for its erasure or correction; the right to be forgotten, however, is a right one should be able to exercise irrespective of who shared the data, whether online, with a third party or with a public entity. So, this kind of small nuance that has been missed will have to be addressed at some level.
Further, we have come across many cases, predominantly by way of opinions, with respect to the use not just of artificial intelligence in processing but also of other novel technologies. Generative AI is one such technology. Any law, to be dynamic, should be technology agnostic; thus, we do not need references to AI, blockchain, cloud and so on, but the concerns around the use of these technologies must already be recognised.
The government has to do more, specifically on the aspects of emerging technology, be it artificial intelligence, machine learning or robotics: the kinds of platforms being used for collecting data and the kinds of algorithms being applied. Regulation so far has focused only on big tech, through the intermediary guidelines. So, a baseline has been set, and we can build on it further.
A balance is needed in terms of rights and duties, and alongside ensuring the privacy of the individual a proper enforcement mechanism should be in place. For any law to work it has to have balance. If we look at global data protection law, two principles drive it: one is user protection and the other is enabling businesses. These are the two stated objectives of India’s data protection Act as well. Corporates are strong enough to protect their rights or to contest any violations, but to expect the same level of rigour from an individual may be stretching it too far. So, we should make sure that the Act itself protects the rights of the individual, gives them easy opportunities for availing remedies, and that this is an effective form of availing these remedies.
Further, we need to talk about what the Centre has stated regarding this Act. As per the Act, the government will have the authority to specify the countries to which companies may transfer personal data. Companies will be able to send user data to servers in other countries outside India. So, the concept of cross-border storage and transfer of data to certain notified countries and territories is considered one of the biggest changes the Act has proposed.
3.4 Similarities and Differences with GDPR
In this regard, we can see a number of similarities and differences with the GDPR.
• Firstly, with regard to the applicability of the law, the GDPR applies to both digital and non-digital personal data, whereas the DPDP Act applies only to digital personal data and therefore excludes the manual processing of personal data.
• Secondly, in terms of the lawful basis for processing, the GDPR and the DPDP Act have certain similarities: for example, both laws permit processing on the basis of consent, processing that is necessary to fulfil a legal obligation, and processing that is necessary for a medical emergency. However, some grounds for processing are present in the GDPR but absent in the DPDP Act, and vice versa. For example, the DPDP Act, unlike the GDPR, does not recognise legitimate interest as a ground to process personal data, but it does permit processing of personal data for employment purposes, which is not a ground recognised under the GDPR.
• Thirdly, regarding breach notifications: this is one area where the DPDP Act might be more stringent than the GDPR, because the GDPR requires a personal data breach to be reported only if the breach poses a risk to the rights and freedoms of individuals, and the breach has to be reported to the affected individuals only if the risk is high. The DPDP Act, on the other hand, requires data controllers to report all personal data breaches to both the Data Protection Board of India and the affected Data Principals, irrespective of the severity of the breach. The timelines for data breach notification are yet to be issued by the government, so we are not clear on that aspect yet.
• Fourthly, regarding the rights granted to data subjects: the GDPR grants a much more comprehensive set of rights, while the DPDP Act grants a more limited set. For example, under the DPDP Act one does not have the right to data portability, the right to object to the processing of personal data, or the right not to be subject to automated decision-making.
However, one does have the right of access, the right to erase personal data, the right to rectify personal data and the right to grievance redressal. Also, under the DPDP Act, the Data Principal’s rights are granted only to those Data Principals whose personal data is processed on the basis of consent or who voluntarily provided that personal data; thus the rights are not available in all circumstances. Lastly, the difference I want to cover concerns data processors. The GDPR places independent obligations on data processors: a data processor under the GDPR is expected to implement adequate technical and organisational measures, appoint a data protection officer if applicable, and report personal data breaches. The DPDP Act, however, does not impose any obligations directly on the data processor; rather, it is the data fiduciary who is responsible for the data processor’s compliance with the law. So, it is very likely that if a data processor violates the DPDP Act, it is the data fiduciary who is held responsible.
3.5 Practical Steps to be taken by the Company
The next question concerns the practical steps to be taken by companies: what measures should a company take to comply, or start complying, with the DPDP Act? Unfortunately, the law relies heavily on delegated legislation; the government is empowered to notify rules in respect of 26 matters. Thus, how the law will be implemented, and what organisations need to do to comply with it, will be covered under the rules that the government notifies. We expect the government to notify the rules in the next couple of months or so. Until then, it may not be possible for organisations to take comprehensive or conclusive measures to start complying with the law. Having said that, a lot of detail is already in the law. The first practical measure an organisation could take is a data mapping exercise, to understand what personal data it holds, how long it has been holding it, the purposes for which it is processing it, and where it is holding it. Once it understands the purposes for processing, it will need to evaluate whether it needs to take consent under the law or whether the processing is based on a legitimate use under the law. For example, employers processing employee personal data for employment purposes do not need consent, because they have the legitimate use exception under the law. If consent is needed, the organisation needs to design consent requisition forms, draft privacy notices and so on; it can start with these steps. The law requires implementation of reasonable security safeguards to prevent breaches of personal data held by a data fiduciary. Therefore, organisations can start looking at industry standards and implementing data security measures that are considered industry best practice. There are certain compliance requirements for appointing data processors: essentially, a data fiduciary can only appoint a data processor pursuant to a data processor agreement.
We never had such a requirement in India, so this is something organisations will have to start doing from scratch. Another important step would be to start holding awareness sessions on the law. India has very minimal privacy laws and privacy awareness, so awareness sessions for employees, suppliers, vendors and so on are needed so that they know the law and its requirements. There are certain unique requirements of the DPDP Act, like obtaining consent. There can be scenarios in which you process data for certain purposes under legitimate interests or another lawful ground in Europe, but since that lawful ground is not available in India you may have to obtain consent. Consequently, organisations have to evaluate the purposes for which they are processing personal data in India and then comply with the related requirements for obtaining consent.
IV. ADDITIONAL POINTS
4.1 Summary of the changes and differences between the GDPR and Indian law. Indian law is more or less similar to the GDPR; it is heavily inspired by it. However, the Act leaves a lot to be done and to be supplemented in future by rules issued by the government. The effect of the Act can only be known in full once these rules are issued and in effect. These rules may bring it more in line with the GDPR.
The differences: the first, and probably the most apparent, is the nomenclature of certain actors. Under the GDPR they are Data Controllers, whereas under the DPDP Act they are called Data Fiduciaries. Similarly, Data Subjects are called Data Principals. The term processor remains the same in both. There are three significant differences. First, while the GDPR distinguishes between personal data and special categories of personal data, the new law makes no such distinction; the predecessors to the new law, the SPDI Rules in India, were specifically tailored to sensitive personal data and its protection, whereas the legislature now treats all personal data at the same level. Second, unlike the GDPR, the new law does not include publicly available personal data within its scope; it is completely excluded from its scope of application. Third, the GDPR applies to processing by automated as well as non-automated means where the data form part of a filing system. The new law, however, applies only to digitised data and to non-digitised data that is subsequently digitised, which means purely non-digitised data is not covered under the new law.
4.2 What approach was used: is it similar to the GDPR model or different? It is a much simpler draft than the previous ones, and it differs substantially from the GDPR model. It is a simple Act with just a few prescriptions; gone are many of the provisions that were in the previous drafts, like data portability, privacy by design, data localisation and so on. A lot of this is missing in this draft.
The Act enables the data protection authority to build the law slowly through regulation. In various areas of law like banking, securities law and telecom law, most of the detail comes through delegated legislation or regulations rather than statutes, and that is actually required not just for India but for most countries. It is a kind of third way: we had the initial data privacy legislations, which were consent based, then the GDPR, which many countries follow today, and this is a kind of new path which the government has set out.
The key issue is the ground for processing personal data, and the ground is mostly consent. There is no clear legitimate interest type of provision, which is the heart of data privacy regulation today. There are two sets of grounds covered under deemed consent: one is where processing is in the public interest, like network security, creditworthiness and so on, and the other deals with where the processing of personal data is considered necessary. In the latter case, where the personal data is given voluntarily and is necessary for processing, there is a reasonable expectation that the personal data would be asked for, so in that situation one can continue to process. This is somewhat like legitimate interest. There are a few other grounds like contractual necessity, compliance with law and so on.
4.3 How much space is there for interpretation of the law? The drafting is not very close-fitting, so there is scope for a lot of improvement. With laws like data privacy, interpretation is an important aspect, and there is a real need to allow the law to grow along with the world of data privacy.
4.4 Data localisation requirement. There is a difference between data localisation and data transfers, that is, cross-border data transfer. Data localisation means the law stating that some types of data must be stored only in India, or that a copy must be stored in India. These kinds of provisions are missing, and there is no hint that they could come through delegated legislation either. However, there is a provision on data transfer out of India, where the government will notify the countries to which personal data can be transferred. Nevertheless, it is a simplistic clause in the sense that it does not address other forms of cross-border transfer such as intra-group transfers and, most importantly, standard contractual clauses, because there might be countries to which you want to send data but which have not got approval from India. For example, for data going from the EU to India, Standard Contractual Clauses (SCCs) are mostly used. Hence, India needs to do the same.
4.5 How does it work for penalties? There are penalties, though clearly not as worrying as in the previous drafts, which talked about a percentage of global revenue and so on. The Act has a schedule that mentions the penalty amounts that can be awarded for specific violations. I do feel that some justification needs to be provided within the statute itself, as penalties should be proportionate to the harm caused and so on. One very important aspect that is missing is compensation to data subjects: there are only penalties, and no compensation is prescribed in the law.
4.6 Appeal and alternate dispute resolution. The appeal mechanism has also changed from the 2019 draft to the 2023 Act: appeals now go to the TDSAT instead of the High Court. For some reason the law has decided that the TDSAT is the path for all appeals, and appeals from about three or four different tribunals now go to the TDSAT. It is an established tribunal, so it can start functioning immediately. The appeal provision included in the Act is definitely a welcome move.
V. CONCLUSION
The question is why there is a need for data protection in India. India has become a big IT hub, so the need emerged with India’s growing data outsourcing business. The paper concludes by summarising the strengths and limitations of the DPDP Act and its significance in setting a precedent for digital privacy in India.
It took six years, four drafts and many consultations, and the outcome was not exactly what we expected. To the extent that certain changes were made from the 2022 draft, issues like the composition, powers and functions and the other nitty-gritties of the Data Protection Board have now been set out in the parent Act. Other things, like the deemed consent and legitimate use alternatives and the dilution of the open-ended consent option under the Act, are good steps.
The DPDP Act will evolve with time, and there is a lot still to be done in the Act. A data protection law is much needed despite the IT Act being in place. The new law will establish guardrails for how organisations should handle personal data and offer citizens control over it, over the data being gathered from them, and over how it is used. The paper provides insights into the effectiveness of India’s digital data protection efforts and contributes to the global discourse on how emerging economies can balance privacy, security and economic growth in the digital age. Further, the study highlights successes and limitations, presenting a nuanced view of India’s data protection regime.
The foremost limitation is that India’s data protection Act applies to digital personal data only, which is why the present study is limited to that; it does not cover non-digital personal data. Suggestions include enhancing data literacy, refining exemptions for government use, and implementing strong, transparent enforcement mechanisms. Recommendations are provided for policymakers, businesses and regulators. The researcher hopes this new law helps organisations be transparent, be accountable, and give people back control of their data.
*****