Digital Personal Data Protection Act, 2023

This article covers “Daily Current Affairs” and the topic of the Digital Personal Data Protection Act, 2023.

SYLLABUS MAPPING:

GS-02 - Governance, Constitution, Polity: Digital Personal Data Protection Act, 2023

FOR PRELIMS

Key features of the Act and its implications on privacy, state surveillance, and institutional independence.

FOR MAINS

Role of the Digital Personal Data Protection Act, 2023 and the challenges India may face.

Why in the News? 

The Digital Personal Data Protection Act (DPDA), 2023, continues to make headlines due to its pending implementation and the critical debates it has triggered. Although the Act was passed in August 2023, the government is yet to notify the rules for its enforcement. These are expected in 2024–25, and public consultations are currently underway. A major point of contention is the broad exemptions granted to government agencies, which many privacy advocates and legal experts believe could lead to unchecked surveillance. This has reignited the long-standing debate between safeguarding national security and protecting individual privacy, especially in the wake of the Pegasus spyware revelations and ongoing allegations of state surveillance.

What is DPDA-2023?

The Digital Personal Data Protection Act, 2023 (DPDA-2023) is a landmark Indian legislation that provides a structured framework for the protection and processing of digital personal data. Enacted in August 2023, it is designed to balance individual rights to data privacy with the need to process personal data for lawful and legitimate purposes such as national security, governance, and economic activities. The Act applies to data collected within India and also to foreign entities offering services or profiling individuals within Indian territory. It operationalizes the Supreme Court’s recognition of privacy as a fundamental right under Article 21, as held in Justice K.S. Puttaswamy vs Union of India (2017).

Key Highlights of the Act 2023

1. Data Fiduciary and Data Principal: The Act defines Data Fiduciary as the entity that determines the purpose and means of processing personal data and Data Principal as the individual to whom the data pertains. Fiduciaries are required to implement safeguards such as purpose limitation, data minimization, and accountability frameworks to prevent misuse.
2. Consent-Based Processing: Personal data must be processed only after obtaining explicit, informed, and freely given consent from the individual. Consent must be presented in clear and plain language and must include details about the purpose and categories of data collected.
3. Establishment of Data Protection Board (DPB): The Act establishes the Data Protection Board of India to monitor compliance, address grievances, and levy penalties. The DPB will function like a quasi-judicial body, similar to regulatory boards like the SEBI and TRAI, but concerns remain over its independence.
4. Grievance Redressal Mechanism: Data Principals can file complaints against misuse, denial of rights, or breaches with the concerned Data Fiduciary or escalate to the Board. Time-bound response mechanisms are mandated, enhancing accountability and reducing bureaucratic delays in user redressal.
5. Cross-Border Data Transfer: The Act allows transfer of personal data outside India to nations or territories notified by the Central Government based on their data security standards. This provision promotes global data exchange for businesses but raises questions about safeguards in less secure jurisdictions.
6. Penalties for Non-Compliance: Monetary penalties can go up to ₹250 crore for major violations like data breaches, unlawful processing, or failure to respond to user complaints. The penalty framework is tiered, making it proportionate to the severity and scale of non-compliance.
7. Government Exemptions: The Act allows the Central Government to exempt any of its departments or agencies from the provisions in the interest of sovereignty, integrity, or public order. These sweeping powers may lead to opaque surveillance mechanisms unless subject to adequate judicial or parliamentary oversight.

Importance of DPDA Act 2023

1. Operationalises Right to Privacy (Article 21): The Act is India’s legislative response to the Puttaswamy judgment, providing statutory backing to privacy as a fundamental right. It is a crucial tool to counter surveillance capitalism and prevent indiscriminate data collection by both state and non-state actors.
2. Modernises India’s Digital Governance Framework: It replaces outdated provisions of the IT Act, 2000, offering a modern approach in line with digital realities. It builds the foundation for a “Digital India 2.0” ecosystem with legal safeguards and trust-based interactions.
3. Encourages Startups and Tech Innovation: Clear compliance norms enable tech companies and startups to build privacy-respecting products without fear of legal ambiguity. This enhances India’s image as a responsible digital innovation hub in the global tech ecosystem.
4. Enables Global Trade and Interoperability: By aligning with international frameworks like GDPR, the Act enables data adequacy negotiations with the EU and other jurisdictions. It improves ease of doing business for multinational companies operating in India.
5. Empowers Individuals with Data Rights: Individuals can now request correction, erasure, and access to their personal data, thus shifting the control of data from corporations to citizens. It reflects a broader movement toward data sovereignty and ethical digital ecosystems.
6. Creates a Compliance-Driven Ecosystem: By requiring fiduciaries to maintain records and publish privacy notices, it strengthens transparency and auditability in data processing. This fosters user trust and enhances digital participation.
7. Protects Children’s Data and Rights: The Act mandates verifiable parental consent for processing children’s data and prohibits tracking or targeted ads for minors. It is in line with global conventions like the UN Convention on the Rights of the Child.

Key Issues in the DPDA 2023

1. Government Overreach and Exemptions: The law grants the government wide powers to exempt its agencies from any or all provisions without strong checks. Critics argue this undermines the principle of informational self-determination, especially in sensitive cases like surveillance.
2. Weak Regulatory Autonomy: The Data Protection Board is not constitutionally independent, as its members and functions are largely determined by the executive. This may compromise its ability to act against powerful state or private actors in case of violations.
3. Lack of Sensitive Data Classification: Unlike GDPR, the DPDA does not differentiate between sensitive and general personal data, reducing the robustness of protection for critical information. This could lead to equal treatment of trivial and intimate data, compromising user safety.
4. Absence of Data Localization Mandates: The Act drops earlier provisions requiring mandatory storage of certain data within India, citing ease of business. However, absence of localization can lead to jurisdictional and enforcement challenges during data breaches.
5. Limited User Rights Compared to Global Norms: The “right to be forgotten” is vaguely defined and lacks clear criteria or procedures for invocation. Similarly, there’s no provision for data portability which could have empowered users to switch platforms seamlessly.
6. Ambiguous Clauses and Discretionary Language: Phrases like “reasonable purpose” or “public interest” are undefined, enabling subjective interpretation. This legal ambiguity might result in selective enforcement or misuse by authorities or corporations.
7. No Clear Compensation for Users: The Act does not provide a statutory mechanism for individuals to claim compensation for data breaches or rights violations. It weakens the deterrent effect and fails to deliver true accountability to victims.

Recommendations

1. Ensure Institutional Independence of the DPB: Appointments should be vetted by a multi-stakeholder committee involving judiciary and civil society to avoid politicisation. Board members should have fixed tenures, and their functioning must be insulated from executive interference.
2. Narrow Down Government Exemptions: Exemptions should be allowed only under specific, necessary, and proportionate conditions, with periodic judicial oversight. Incorporating sunset clauses for exemptions can prevent long-term misuse.
3. Reintroduce Sensitive Data Categorisation: A tiered protection system for health, biometric, and financial data should be incorporated, similar to GDPR’s Article 9. This will ensure contextual safeguards are applied based on risk profiles.
4. Mandate Sectoral Data Localization: Critical sectors like finance, health, and defence must be subject to mandatory data storage in India to ensure sovereignty. Local copies should be retained for regulatory access and forensic auditing.
5. Expand Data Principal Rights: Incorporate right to data portability, algorithmic transparency, and the right to object to profiling as part of user empowerment. These rights will enhance user control in a rapidly evolving AI-driven digital ecosystem.
6. Clarify Legal Terminology and Scope: Define ambiguous terms like “reasonable purposes” or “public order” in the Act or rules to avoid arbitrary interpretation. Codified standards will also assist in judicial review and compliance assessments.
7. Introduce Compensation Framework for Victims: A statutory body or tribunal must be empowered to grant financial compensation in cases of willful or negligent data breaches. This will ensure a remedial justice mechanism for affected individuals.

Conclusion

The Digital Personal Data Protection Act, 2023 is a pioneering attempt by India to regulate personal data in the age of surveillance capitalism and digital platforms. While it lays the foundational framework for digital privacy, a balance must be struck between individual rights and state or corporate interests. The Act must evolve into a more citizen-centric, transparent, and enforceable legal instrument, especially in light of rising cybersecurity threats, algorithmic decision-making, and cross-border data flows. As India aspires to become a global tech leader, a strong, rights-based, and trust-enhancing data protection regime is not just desirable, but indispensable.

Download Plutus IAS Current Affairs (Eng) 14th Apr 2025

Prelims Questions

Q. Consider the following statements with respect to the Digital Personal Data Protection Act, 2023:
1. The Act applies to both digital and non-digital personal data processed offline.
2. The Act provides for the establishment of a Data Protection Board of India.
3. Government bodies are completely exempt from the provisions of the Act.
4. The Act incorporates the principle of data minimization.
Which of the statements given above is/are correct?
a) 1 and 2 only
b) 2 and 4 only
c) 1, 2, and 4 only
d) 2 only

ANSWER: C

Mains Questions

Q. Discuss the role of the Digital Personal Data Protection Act, 2023 in India’s vision of becoming a global digital economy. How can the Act foster digital trust and ensure international data flow compliance?

(250 words, 15 marks)
