Authored By: Shah Um E Habiba
Chembur Karnataka College of Law / University of Mumbai
Abstract
In an age where people share their names, phone numbers, and even health details online every single day, the question of who protects that information is more important than ever. India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) is the country’s most comprehensive answer to this question so far. This article explains what the law says, why it matters, and what it means for ordinary people and businesses in simple, easy-to-understand language.
Introduction
Think about the last time you signed up for a food delivery app or visited a hospital. You gave away your name, address, and maybe even your payment details. But did you ever wonder where that information goes, who can see it, or how it can be used? For a long time in India, the answer to these questions was far from clear.
India’s older law, the Information Technology Act, 2000, gave some basic protection to electronic data, but it was never built specifically to handle personal data privacy in the digital age.[1] As technology grew, so did the gaps. Multiple attempts were made to fix this, including a Personal Data Protection Bill in 2019,[2] but it took until August 2023 for India to finally pass a dedicated law: the Digital Personal Data Protection Act, 2023.[3]
This law is historic. It is India’s first law that deals specifically and completely with how personal data should be collected, stored, and used. It gives people real rights over their own data and puts responsibility on companies and organizations to handle that data carefully and honestly.
What Is “Personal Data” and Why Does It Need Protection?
Personal data is any information that can identify a specific person. This includes your full name, home address, phone number, email ID, bank account number, health records, and even your location on a map. In today’s world, we share such information constantly when shopping online, using social media, booking tickets, or filling out government forms.
When this data is misused, the consequences can be serious. People can become victims of fraud, identity theft, or unwanted marketing calls. In some cases, sensitive information like medical history or financial status can be leaked or sold without the person’s knowledge. This is why legal protection is not just helpful; it is necessary.
India’s Supreme Court recognized this need even before the law was passed. In the landmark case of Justice K.S. Puttaswamy v. Union of India (2017), the Court unanimously held that privacy is a fundamental right of every Indian citizen under Article 21 of the Constitution.[4] The DPDPA 2023 is India’s legislative response to that constitutional recognition.
Key Features of the DPDPA 2023
The law introduces several important principles and mechanisms that are worth understanding.
Consent Is Mandatory
Under the DPDPA, no company or organization (called a “Data Fiduciary” under the law) can collect or use your personal data without your free, informed, and specific consent.[5] This means that the long, confusing terms and conditions you normally skip must now be written in simple, clear language. You must actively agree; your silence cannot simply be assumed to be consent. You also have the right to withdraw your consent at any time.
Special Protection for Children
The law gives extra protection to children under 18 years of age. Any platform that deals with the data of a child must first get the verified consent of the child’s parent or guardian.[6] Additionally, no platform can track or monitor the behavior of a child, or target them with advertisements based on their data. This is a significant step to protect young users online.
Your Rights as a Data Principal
The law calls the person whose data is being collected a “Data Principal.”[7] You have several rights under the DPDPA: you can ask any company what data it holds about you; you can request that incorrect data be corrected; and in many situations, you can ask for your data to be deleted entirely. This right to be forgotten, or the “right to erasure,” is a powerful tool that allows individuals to reclaim control over their digital identity.[8]
Data Protection Board
To enforce these rights, the government will set up a Data Protection Board of India.[9] This body will receive complaints from citizens, investigate violations, and impose penalties on those who break the law. Penalties can go up to ₹250 crore for a single violation, which signals that the government is serious about enforcement.[10]
How Does India Compare to Global Standards?
Globally, the General Data Protection Regulation (GDPR) of the European Union is considered the gold standard of data protection law.[11] The GDPR gives citizens extensive rights, imposes strict obligations on companies, and has influenced privacy laws in dozens of countries. India’s DPDPA draws clear inspiration from the GDPR in areas like consent, individual rights, and accountability of data processors.
However, there are differences. Critics have noted that the DPDPA gives the central government the power to exempt certain government agencies from its requirements,[12] which has raised questions about whether citizens are equally protected when it is the government and not a private company that holds their data. Balancing national security interests with individual privacy is an ongoing challenge, and this tension is likely to be tested in courts in the years to come.
Conclusion
The Digital Personal Data Protection Act, 2023 marks a watershed moment in India’s legal history. For the first time, every Indian citizen has a dedicated legal framework that says: your personal data belongs to you, and you have the right to control it. Companies and organizations now have a clear legal duty to handle your information responsibly, honestly, and only with your knowledge and consent.
Of course, a law is only as strong as its enforcement. How quickly the Data Protection Board is set up, how accessible it is for ordinary people to file complaints, and how consistently penalties are applied will determine whether this law truly transforms everyday digital life in India. As the rules under the Act are finalized and as courts begin interpreting its provisions, India’s data protection landscape will continue to evolve.
What is beyond doubt, however, is that the DPDPA 2023 has laid a solid and necessary foundation. In a country of over 1.4 billion people, most of whom are online, protecting personal data is not just a legal issue. It is a matter of dignity, trust, and democratic freedom.
References:
[1] Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).
[2] Personal Data Protection Bill, 2019, PRS Legislative Research (India).
[3] Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India) [hereinafter DPDPA 2023].
[4] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India).
[5] DPDPA 2023, § 6.
[6] DPDPA 2023, § 9.
[7] DPDPA 2023, §§ 2(i), 8.
[8] DPDPA 2023, § 17.
[9] DPDPA 2023, §§ 25-28.
[10] DPDPA 2023, § 33.
[11] General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council (Apr. 27, 2016), 2016 O.J. (L 119) 1.
[12] DPDPA 2023, § 16.





