Authored By: Jayasmita Sahoo
Capital Law College, Madhusudan Law University, Cuttack
INTRODUCTION
India’s laws pertaining to data protection and privacy are essential for preserving people’s basic right to privacy and guaranteeing the safe and moral management of personal data. These regulations are designed to guard against possible problems related to the abuse of personal data, such as discrimination, fraud, and identity theft. Additionally, they encourage confidence and trust between people and organizations, which makes the internet a safer place. [i]
In recent years, the concept of data privacy has changed in India. The foundation was first laid by the Information Technology Act, 2000 and its 2008 amendment, which focused on information security rather than comprehensive data protection. The idea of privacy and data protection was also debated in the courts, with some arguing that it is a fundamental right.
Others did not see it as a right guaranteed by Article 21 of the Indian Constitution. Legislative efforts gathered pace after the Supreme Court’s landmark ruling in Justice K.S. Puttaswamy (Retd.) & Ors. v. Union of India in 2017, which recognized the right to privacy as a fundamental right. Following that ruling, a data protection bill was drafted, and the Digital Personal Data Protection Act, 2023 was eventually enacted.
The case was initiated by a petition filed by Justice K.S. Puttaswamy, a retired judge of the Karnataka High Court, in relation to the Aadhaar project, which was spearheaded by the Unique Identification Authority of India (UIDAI). The Aadhaar number is a 12-digit identification number issued by the UIDAI to residents of India. The Aadhaar project was linked to several welfare schemes with a view to streamlining service delivery and removing false beneficiaries. The petition challenged the constitutional validity of the Aadhaar scheme. Over time, other petitions challenging different aspects of Aadhaar were also referred to the Supreme Court. [ii]
KEY FEATURES OF DPDP ACT
The Digital Personal Data Protection (DPDP) Act, 2023 is India’s first comprehensive law that applies across all sectors to protect personal data. It was passed after a long period of discussions that lasted over six years. The law seeks to ensure that individuals can protect their personal information while also allowing data to be processed lawfully.
This law is the fourth version in a series of drafts that began with a landmark Supreme Court decision in 2017, Justice K.S. Puttaswamy v. Union of India.
In that case, the Court recognized the right to privacy as a basic human right, but it did not clearly define what this right entails. Following this decision, the government introduced the Personal Data Protection Bill, 2019, which was based on the recommendations of the Srikrishna Committee (2018) and was influenced by the EU’s General Data Protection Regulation (GDPR). The 2019 Bill proposed a wide-ranging regulatory structure with strict rules for data handling, extensive rights for individuals, the creation of a strong Data Protection Authority (DPA), greater security for sensitive data, requirements for data localization, and penalties for violating the law. It also introduced the concept of “consent managers” and gave the government authority to regulate non-personal data. However, the Bill was criticized for being too broad and placing a heavy burden on organizations, which could lead to excessive regulation.
The government then withdrew the 2019 Bill and released a revised draft in 2022, which took a different, more flexible approach.
The 2023 DPDP Act is mainly based on this 2022 draft, but it also adds new provisions that significantly shape India’s data protection regime. The law marks a notable shift from the broad, preventive approach of the 2019 Bill to a leaner model. It raises questions about how effectively it will balance the protection of privacy rights against the needs of innovation and the interests of the government. [iii]
SCOPE AND APPLICABILITY
EXTRA TERRITORIAL REACH
Since data flows seamlessly across borders, entities collecting it from users in different countries can potentially misuse it or gain an unfair advantage in local markets. To address this, many data protection laws include provisions on extraterritorial applicability, ensuring that citizens’ data is protected regardless of where it is stored or processed. A leading example is the European Union’s General Data Protection Regulation (GDPR), 2016, which applies to any organization processing EU citizens’ data, even if the organization is based outside the EU. Article 3 of the GDPR extends its scope to entities offering goods or services to EU residents or monitoring their behaviour, with strict enforcement through heavy penalties of up to €20 million or 4% of global turnover, whichever is higher.
India’s recently enacted Digital Personal Data Protection (DPDP) Act, 2023 follows a similar approach. Under Section 3(b), the Act applies to foreign companies handling the personal data of individuals in India, prescribing penalties of up to ₹250 crore for violations. However, unlike the GDPR, the Act and the forthcoming DPDP Rules, 2025 (still under discussion) do not clearly define how such extraterritorial obligations will be enforced against overseas entities. [iv]
RIGHTS OF DATA PRINCIPALS
Right to Access
Section 11 of the DPDP Act grants Data Principals the right to access their personal information. They may request from the Data Fiduciary (i) a summary of the personal data being processed and the nature of processing activities, and (ii) the identities of other Data Fiduciaries and Processors with whom such data has been shared, along with details of the shared data.
Unlike international frameworks such as the GDPR (30 days, extendable by 2 months), Brazil’s LGPD (15 days), Singapore’s PDPA (30 days), and the California CCPA (45–90 days), the Draft DPDP Rules fail to specify a clear timeline for fulfilling such requests. Even India’s RTI Act prescribes a 30-day response time (or 48 hours in urgent cases) with penalties for non-compliance. In contrast, the DPDP framework only requires requests to be processed within a “reasonable time,” creating ambiguity and allowing fiduciaries wide discretion to delay responses, thereby weakening accountability.
Right to Correction and Erasure
Section 12 of the Act allows Data Principals to request (i) correction of inaccurate or misleading data, (ii) completion of incomplete data, (iii) updates reflecting changes, and (iv) erasure of personal data when consent is withdrawn or the specified purpose is fulfilled, unless retention is legally required. However, the Draft Rules again omit clear timelines for compliance. By comparison, the Reserve Bank of India requires credit information companies to make corrections within 30 days, with penalties for delay.
The GDPR provides a stronger framework, requiring controllers to inform third parties to erase or correct data where it has been shared, ensuring broader effectiveness. The DPDP Act lacks such obligations, leaving the possibility that erased data may persist across platforms. Rule 8 also introduces an auto-erasure provision, under which personal data is deleted after prolonged inactivity, with a 48-hour prior notice to the user. For large platforms like e-commerce, social media, and online gaming entities, the retention period is capped at three years. While this fixed retention period is unique to India, it contrasts with GDPR and LGPD, which follow a purpose-based retention principle, and Singapore’s PDPA, which limits retention until data is no longer needed for business or legal purposes.
Right to Grievance Redressal
Section 13 of the Act provides Data Principals with the right to grievance redressal through Data Fiduciaries or Consent Managers. If unresolved, complaints may be escalated to the Data Protection Board (DPB). Rule 13 requires entities to disclose grievance-handling timelines on their platforms and adopt technical measures for timely responses. However, the absence of a fixed legal timeframe reduces the system’s effectiveness.
Comparatively, the GDPR requires grievances to be addressed within one month (extendable to three months), with provisions for compensation in case of violations. Other regimes like the CCPA, PDPA, and LGPD rely more on regulatory or judicial enforcement. Indian precedents, such as the Consumer Protection Act (2019) and IT Rules (2021), mandate strict timeframes for grievance resolution, highlighting the gap in the DPDP framework. Moreover, concerns exist about the DPB’s ability to manage large caseloads, unlike the multi-tier system under the Consumer Protection Act. The absence of a private right of action and enforceable deadlines may undermine the accountability of fiduciaries and limit the effectiveness of grievance redressal.
Right to Nominate
Section 14 introduces the right of Data Principals to nominate one or more persons who can exercise their rights in the event of their death or incapacity. This is a progressive provision, absent in most global data protection frameworks. However, the Draft Rules provide no operational clarity on how nominations will be verified or enforced, leaving scope for misuse unless further safeguards are introduced. [v]
DUTIES OF DATA FIDUCIARIES
Under the DPDP Act, entities that collect, store, and process digital personal data are referred to as data fiduciaries, and they are subject to defined obligations. These include: (a) implementing adequate security safeguards; (b) ensuring personal data is accurate, complete, and consistent; (c) notifying the Data Protection Board of India (DPB) of any data breaches in the prescribed manner; (d) erasing data when consent is withdrawn or once the stated purpose has been fulfilled; (e) appointing a data protection officer and establishing grievance redress mechanisms; and (f) obtaining parental or guardian consent for processing the data of minors (individuals under 18 years). The Act also prohibits processing that could harm a child, including practices such as tracking, behavioural monitoring, and targeted advertising directed at them. However, the government may grant exemptions from these obligations, a provision that raises concerns since the power to exempt is broad and lacks clear guidelines.
Compared to the 2019 Bill, the 2023 Act retains most categories of obligations but significantly narrows their scope. Notably, it removes the regulator’s (previously the DPA’s) authority to issue detailed regulations on these obligations and simplifies the substantive requirements.
The Act also introduces a special category of Significant Data Fiduciaries (SDFs). The government can designate a data fiduciary as an SDF based on factors such as the volume and sensitivity of data handled, risks to data protection rights, national sovereignty, electoral democracy, security, or public order. SDFs must comply with additional requirements, including: (a) appointing a data protection officer located in India, accountable to the board of directors or governing body, and serving as the grievance redressal contact; and (b) conducting data protection impact assessments, audits, and other prescribed measures. Unlike the 2019 Bill, the 2023 Act has done away with the requirement for SDFs to register in India. [vi]
CONCLUSION
The DPDP Act, though the outcome of over five years of deliberation, merely marks the beginning of statutory personal data protection in India. Its true effectiveness will depend on how regulatory frameworks and institutional mechanisms evolve in the coming years. The Act provides a foundation, but by itself, it is insufficient to ensure strong privacy safeguards in practice.
Whether earlier drafts of the law might have offered stronger privacy protections is debatable. What is clear, however, is that the significant changes between versions reflect a shift in the government’s approach to privacy regulation. Unlike previous drafts, the current Act reduces compliance costs for businesses, which is seen as a positive step.
In essence, the legislation is modest and pragmatic, which can be welcomed. Yet, in some respects, this pragmatism may come at the expense of individual privacy. By vesting broad discretionary powers in the central government on substantive matters, the law places the future of privacy protection largely in the hands of the government’s commitment to enforce it effectively.
References:
[i] https://www.lloydlawcollege.edu.in/blog/evolution-of-data-privacy-laws-india.html
[ii] https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors
[iii] https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law?lang=en
[iv] https://www.cyberpeace.org/resources/blogs/extraterritorial-application-in-data-privacy-lessons-for-indias-dpdp-act
[v] https://sflc.in/data-principal-rights-under-indias-draft-dpdp-rules-an-illusion-or-reality-a-comparative-analysis/
[vi] https://blog.ipleaders.in/data-protection-laws-in-india-2/#Important_cases