The DPDP Act, 2023 aims to transform India from a “privacy-neutral” state to a “privacy-centric” digital democracy. It provides the legal backbone for India’s $1 trillion digital economy aspirations.
Context of the Act

Committee Recommendations- The Justice B.N. Srikrishna Committee emphasized “Data Sovereignty” and the “Fiduciary” relationship.
Digital economy- With over 900 million internet users, the rapid expansion of digital payments (UPI) and digital public infrastructure (Aadhaar, CoWIN) required robust safeguards.
Inadequacy of IT Act, 2000- The previous framework (Section 43A) was narrow, outdated, and lacked the “teeth” to penalize global tech giants for data breaches.
To remain a global outsourcing hub, India needed a law compatible with global norms, e.g., the EU’s GDPR.
Data breaches highlighted the vulnerability of citizens’ personal data, e.g., the CoWIN data leak.
The rise of AI-driven behavioral profiling and “dark patterns” in e-commerce necessitated “Purpose Limitation.”
Data has become the “new oil” in modern warfare, with data localization as a vital component of national security.
Salient Features of the Act
The Act is built on the philosophy of “Rightful Processing”.
Tripartite Stakeholder Model- Identifies the Data Principal (individual), Data Fiduciary (entity deciding data use), and Data Processor (entity handling data).
Consent-First Approach- Processing is only lawful with “free, specific, informed, unconditional, and unambiguous” consent via a clear notice.
Rights of Data Principals- Grants the right to Access (summary of data), Correction, Erasure, and Nomination (bequeathing digital data after death).
Significant Data Fiduciaries (SDFs)- Entities handling high-volume or sensitive data (e.g., Social Media) must appoint a Data Protection Officer (DPO) and conduct annual audits.
Protection of Minors- Mandates verifiable parental consent for children (under 18) and strictly prohibits tracking or targeted advertising directed at them.
Data Protection Board of India (DPBI)- A digital-first regulatory body empowered to investigate breaches and impose fines.
Negative List for Cross-Border Flow- Permits data transfer to most countries unless specifically restricted by a government “Blocklist.”
Stringent Financial Penalties- Forgoes criminal jail terms in favor of massive civil penalties-up to for failure to prevent a data breach.
Challenges That Remain
Surveillance concerns- Section 17 allows the state to bypass most provisions for “security of the state” and “public order”.
Diligence vs. Innovation- The cost of implementing “Privacy by Design” and maintaining audit trails is high for MSMEs and startups.
One-size-fits-all approach- Unlike GDPR, the Indian law does not distinguish between general data and “Sensitive” data.
The Act is a step in the right direction toward Digital Sovereignty. It must move beyond mere legal text to create a “Privacy Culture” for meaningful exercise of digital autonomy.