India’s Data Privacy Revolution: Understanding the DPDP Act, 2023
In 2025, India is implementing its first comprehensive data privacy law, the Digital Personal Data Protection Act, 2023 (DPDP Act). With over 760 million active internet users, India is the world’s second-largest internet market, making robust data protection critical. The landmark 2017 Supreme Court ruling in Justice K.S. Puttaswamy v. Union of India declared privacy a fundamental right under Article 21 of the Constitution, paving the way for the DPDP Act. The Act received presidential assent on August 11, 2023, and is awaiting full implementation through the Rules that will bring its provisions into force. It seeks to balance individual rights with the needs of businesses and government. This blog explores the DPDP Act’s origins, key provisions, challenges, and practical steps for compliance, offering insights for individuals and organizations in India’s digital era.
The Evolution of Data Privacy in India
Until 2023, India lacked a standalone data privacy law. The Information Technology Act, 2000 (IT Act) and its 2011 Sensitive Personal Data or Information (SPDI) Rules provided limited protections, focusing on basic security practices for digital data. The Puttaswamy judgment in 2017, recognizing privacy as a fundamental right, spurred action. Earlier attempts at comprehensive legislation, like the 2018 and 2019 Personal Data Protection Bills, faced criticism for being overly regulatory or granting excessive government exemptions. After multiple drafts and public consultations, the DPDP Bill, 2022 evolved into the DPDP Act, passed by Parliament in August 2023.
On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025, open for public feedback until February 18, 2025. These rules aim to operationalize the DPDP Act, with provisions like the establishment of the Data Protection Board of India (DPB) taking effect immediately upon final publication, while others, like consent and breach notification rules, will follow later. This phased approach reflects India’s commitment to balancing innovation with privacy in its rapidly digitizing economy, the fifth largest globally.
Key Provisions of the DPDP Act
The DPDP Act applies to digital personal data—any data about an individual who is identifiable by or in relation to it, such as names, addresses, or online identifiers—processed within India, or processed outside India in connection with offering goods or services to individuals in India. It does not cover data processed by an individual for personal or domestic purposes, or personal data made publicly available by the individual concerned or by someone under a legal obligation to publish it. Key provisions include:
• Consent and Transparency: Data fiduciaries (entities that determine the purpose and means of processing) must obtain consent that is free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action and accompanied by a notice in English or any of the 22 languages in the Eighth Schedule of the Constitution. Consent can be withdrawn as easily as it was given, and notices must describe the data to be processed, the purpose, how to exercise rights, and how to complain to the Board. The Act also permits processing without consent for a closed list of “legitimate uses,” such as data voluntarily provided for a specified purpose, medical emergencies, and certain state functions.
• Data Principal Rights: Individuals (data principals) have the right to access a summary of their data and the processing carried out, to have it corrected, completed, updated, or erased, to grievance redressal, and to nominate another person to exercise these rights in case of death or incapacity. The Act does not provide a separate right to restrict processing; withdrawing consent is the mechanism for stopping it. For children (under 18) and for persons with disabilities who have a lawful guardian, verifiable consent of the parent or guardian is required, and tracking, behavioural monitoring, or targeted advertising directed at children is prohibited.
• Data Minimization and Purpose Limitation: Data collection must be limited to what’s necessary for a specified purpose, with erasure required once that purpose is fulfilled.
• Security and Breach Notification: Data fiduciaries must implement reasonable security safeguards to prevent personal data breaches and must notify both the DPB and each affected individual of a breach. The Act itself leaves the form and timing to the Rules; the draft Rules of January 2025 propose notifying the Board and affected individuals without delay, with a detailed report to the Board within 72 hours of becoming aware of the breach.
• Significant Data Fiduciaries: The central government may designate fiduciaries as “significant” based on factors such as the volume and sensitivity of data processed and the risk to individual rights, state security, or public order. These entities face stricter obligations, including appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic audits and data protection impact assessments.
• Penalties: Non-compliance can lead to fines up to ₹250 crore (~$30 million USD) for breaches or failure to secure data.
• Data Protection Board (DPB): The DPB, appointed by the government, oversees compliance, investigates breaches, and imposes penalties, but lacks the regulatory powers of earlier proposed bodies like the Data Protection Authority (DPA).
Notably, the Act grants exemptions for government agencies for purposes like national security or public order, raising concerns about surveillance. It also allows the government to block access to services of non-compliant data fiduciaries after repeated violations.
Challenges and Criticisms
The DPDP Act is a significant step, but it faces challenges. Government exemptions are a major concern, as the Act allows state agencies to process data without consent for benefits, licenses, or security purposes, potentially enabling unchecked surveillance. Human Rights Watch has argued this conflicts with the Puttaswamy ruling’s call for proportionate privacy restrictions. The DPB’s government-appointed structure raises questions about its independence, unlike the more autonomous regulators in the EU’s GDPR.
Cross-border data transfers remain complex. Earlier drafts proposed allowing transfers only to a government-approved list of countries; the enacted DPDP Act instead permits transfers to any country except those the government restricts by notification, but the draft Rules give little detail on how such restrictions will be set or applied. This uncertainty affects global businesses serving India’s 760 million internet users. Additionally, the Act’s focus on digital data excludes purely offline data, potentially leaving gaps in protection.
Practical Steps for Compliance
For businesses, compliance with the DPDP Act is critical to avoid hefty fines and build trust:
1. Conduct Data Audits: Map data flows to identify what personal data is collected, processed, and stored. Tools like Secure Privacy or CookieYes can assist.
2. Update Privacy Notices: Ensure notices are clear, multilingual, and include consent withdrawal options.
3. Implement Security Measures: Use encryption, access controls, and regular audits to prevent breaches, and keep logs that allow a breach to be detected and investigated. Have an incident response plan ready so that the DPB and affected users can be notified without delay, with the detailed report to the Board within 72 hours that the draft Rules propose.
4. Obtain Verifiable Consent for Children: Verify parental consent for users under 18, avoiding targeted ads or behavioral tracking.
5. Prepare for Cross-Border Compliance: Monitor forthcoming rules on data transfers to align with global operations.
For individuals, protecting your data starts with awareness:
• Exercise Your Rights: Request access, corrections, or deletion of your data from platforms or businesses. Use grievance redressal mechanisms or contact the DPB.
• Review Permissions: Limit app access to unnecessary data, like location or contacts, via privacy settings.
• Use Privacy Tools: Employ browsers like Brave or extensions like uBlock Origin to block trackers.