Assessing India’s Digital Personal Data Protection Act, 2023: Policy Implications and Future Outlook

Background 

India is a rapidly digitalising state with over 954.40 million users. The reach of internet services is immense, with sectors such as healthcare, banking, education and finance adopting digital platforms to dispense their services. This widespread use mandates stringent standards for the acquisition and compilation of user data. Furthermore, the landmark judgement of the Supreme Court in 2017 recognises privacy as a fundamental right, which makes protection of privacy a legal obligation of the government. Therefore, the government passed the Digital Personal Data Protection Act in 2023 to protect the rights of the citizens.

Indian digital economy growth rate of 15.6 (source: MeitY)

Introduction

The act is designed to safeguard user data, with the purpose of obtaining “free, specific, informed, unambiguous and unconditional” consent. The act outlines the obligations and duties of “data fiduciaries”, who are individuals or companies that determine the purpose and means of processing the data of “data principals”, who are the recipients of the data.

The act also encompasses “Significant data fiduciaries”, which are entities identified by the government based on factors such as the volume and sensitivity of data processed or the potential impact on individuals’ rights. There are also specific provisions in the Act for the purpose of obtaining the consent of children below age 18, mandating express parental consent and explicitly prohibiting tracking and targeted advertisements. The act in general was legislated to address the ‘breach of data and privacy’ through a rigorous legal framework. 

Objectives of the Act

The core objective: The protection of data privacy and control of personal data. The Data Protection Board of India was set up through the act for grievance redressal and to adjudicate breaches.

Progressive and phased implementation: The Act also promotes a progressive and phased implementation of the law, allowing for its gradual adaptation in response to technological advancements and the expansion of the digital ecosystem. 

Provisions for Emerging Technologies: It contains special provisions to address the misuse of artificial intelligence, as well as mechanisms to accommodate the nation’s ever-growing digital infrastructure and emerging digital challenges.

Increased Penalties: By increasing the magnitude of penalties for the breach of privacy, it advocates for an increase in the onus of responsibility and care by data intermediaries and repositories. A major facet of the act is the provision for cross-border transfer of data. It limits the movement of personal data to any country outside India. Such transfers are permissible only where certain requirements are complied with to safeguard data privacy.

The timeline of the DPDP Act (Source: Hindustan Times)

Draft of the DPDP Rules 2025

The draft of the DPDP Rules 2025 is an extension of the DPDP Act, 2023, released by the Ministry of Electronics and Information Technology (MeitY), to ensure operational efficiency. By making business institutions a central focus of the Rules, they facilitate the integration and application of these laws into their operational frameworks. The purpose of this draft is to enhance the autonomy of all the stakeholders and institutionalise the governance of the data so as to protect the Right to Privacy under the Right to Life – Article 21.

Features of the Draft of DPDP Rules 2025:

  • IMPLEMENTATION FRAMEWORK: The rules specify the obligations of data fiduciaries for controlling the processing of data. Express intimation must be provided to the data principals in the case of breach of personal data. The entities with the data must provide a line of communication and must actively work towards disrupting the breach and must also provide a detailed report entailing the same.
  • CONSENT MANAGEMENT: The consent of a minor and specially abled child must be exhaustively scrutinised. It must be obtained by a parent or a guardian with a verifiable identification document. Such tasks are to be undertaken by a consent manager for every company incorporated in India.
  • SECURITY SAFEGUARDS: Appropriate measures must be taken by data fiduciaries to safeguard the data provided through encryption, masking, and obfuscation, which are to be specified in the contract between the parties to ensure legal ramifications and protection. 
  • RETENTION PERIOD: The bill mandates erasure of data of principals after continuous disengagement with the fiduciary. A notice must be sent prior to carrying out such erasures.
  • CLASSIFICATION OF DATA FIDUCIARIES: The bill defines and outlines certain predominant fiduciaries, such as e-commerce entities, online gaming platforms, and social media intermediaries, as per the number of participants in these platforms.

Challenges faced by the bill

The bill is a pioneer in the field of conservation of privacy of individuals. However, it faces a plethora of obstacles in the sense of operationalisation of the bill. Some of the challenges include:

  • BURDEN ON SMALL-SCALE ENTERPRISES: The rigid provisions of the bill fail to materialise in small- and medium-scale enterprises due to a lack of necessary infrastructure, technical expertise and monetary funds in general. Such lacunae disproportionately pressurise these already dissipating industries and deter the inception of more industries.
  • ENFORCEMENT: The enforcement of this bill remains an enormous challenge with no stipulation for a regulator or a board to facilitate cases regarding the breach of such regulations and for the imposition of fines, which reduces the practicality of the bill.
  • CROSS-BORDER DATA TRANSFERS: The regulations regarding cross-border transfers discourage the engagement of global companies due to the adherence to heightened protection measures.
  • AWARENESS DRIVES: The bill’s objectives can only be realised if information is effectively communicated to the principals, which calls for awareness campaigns and widespread engagement with industry stakeholders to integrate them into the process of recognising their rights.

Way forward

The way forward would be strengthening the accountability clauses in the regulations while also enabling the micro and small industries to follow these regulations. Mechanisation of this bill revolves around a regulatory board safeguarding the interests of all stakeholders. Successful implementation of this bill also depends on technological automation and investments targeting such improvements. Bolstered policies must be drafted to enhance global relations with compliance to the regulations.

Conclusion 

The proposed Act is an important evolution within India to protect personal data and further a right to privacy. It increases the protection of users, who will have more control over their data, with transparency concerning what is taking place with that data and clear rules about how it can be processed. Being a foundational law, the Act forms the basis for the development of principles which reflect emerging and evolving challenges and impart awareness among the natural as well as artificial persons so dependent on data sharing in the digital ecosystem.

About the contributor: The author, Pranathi Poreddy, is a second-year law student at Damodaram Sanjivayya National Law University working as a research intern at IMPRI.

Acknowledgment: The author extends sincere gratitude to Ms. Aasthaba Jadeja for her invaluable guidance and mentorship throughout the research process.

Disclaimer: All views expressed in the article belong solely to the author and not necessarily to the organisation.
