Open Access Research Article

GUARDIANS OF PRIVACY: UNRAVELING INDIA’S DATA PROTECTION FRAMEWORK BY: MS. VAISHALI & DR. SHAMMI KESH ROY

Author(s):
MS. VAISHALI DR. SHAMMI KESH ROY
Journal IJLRA
ISSN 2582-6433
Published 2024/07/05
Access Open Access
Issue 7


GUARDIANS OF PRIVACY: UNRAVELING INDIA’S DATA PROTECTION FRAMEWORK
 
AUTHORED BY: MS. VAISHALI
Research Scholar, Department of Law,
 YBN University, Ranchi, Jharkhand
 
CO-AUTHOR: DR. SHAMMI KESH ROY
Supervisor, Principal - School of Legal Studies, Dean - Department of Law,
YBN University, Ranchi, Jharkhand
 
 
Abstract:
The Digital Personal Data Protection Act, 2023 (DPDP Act) stands as India’s sentinel in the realm of data privacy. In this comprehensive article, we dissect the Act chapter by chapter, exploring its provisions, impact on privacy rights, and practical implications. From informed consent to cross-border data transfers, we navigate the Act’s nuances, comparing it with global standards like the GDPR. Challenges and benefits emerge as organizations adapt to this new regulatory landscape. Join us on this journey as we unravel India’s data protection framework—one that balances innovation, individual rights, and the guardianship of privacy.
 
In a world where data flows seamlessly across borders, the DPDP Act serves as a beacon, ensuring that privacy remains paramount even in the digital age. As businesses grapple with compliance, understanding the Act’s nuances becomes crucial. We delve into the Act’s chapters, dissecting its impact on privacy rights, individual empowerment, and corporate accountability. From consent requirements to penalties for non-compliance, we explore how India’s data protection framework aligns with global standards while addressing unique challenges.

Keywords: Data Protection, Privacy Rights, DPDP Act, Informed Consent, Cross-Border Transfers, Global Standards, Individual Empowerment, Corporate Accountability
 
 
INTRODUCTION
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant milestone in India’s legal landscape concerning data protection. It draws on earlier drafts, including the Personal Data Protection Bill, 2019, but takes a leaner approach, pairing a short set of individual rights with a short list of lawful grounds for processing. It applies to digital personal data, whether collected in digital form or collected offline and later digitised. Notably, it is the first central Indian law to use the feminine pronouns “she” and “her” to refer to individuals of every gender.
 
Before the DPDP Act, India had no comprehensive legislation specifically addressing data privacy and protection. The existing framework relied on the Information Technology Act, 2000 (IT Act) and the rules made under its Section 43A (the Sensitive Personal Data or Information Rules, 2011), which bound only bodies corporate and covered a narrow set of data categories. The IT Act did not adequately address the challenges posed by large-scale digital processing, cross-border transfers, and individual privacy rights.[1]
Internationally, data protection laws gained prominence with the General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and applicable from May 2018. The GDPR set high standards for data privacy, emphasizing transparency, consent, and accountability. Its extraterritorial reach affects Indian businesses that process the data of individuals in the EU.[2]
 
Several factors necessitated India’s shift toward a robust data protection regime:
  1. Explosion of Data: The exponential growth in digital data collection, storage, and processing demanded clear rules to safeguard individuals’ rights.
  2. Privacy Concerns: High-profile data breaches, privacy violations, and surveillance incidents raised public awareness about the need for stronger data protection.
  3. Business Imperatives: As India emerged as a global technology hub, businesses required legal certainty to navigate data-related challenges.
 
DPDP Act: A Paradigm Shift
The DPDP Act aims to strike a balance between promoting innovation and protecting individual privacy. Its key features are:
  1. Territorial Applicability: The Act applies to the processing of digital personal data within India, and to processing outside India that is connected with offering goods or services to data principals within India.
  2. Rights of Data Principals: The Act grants data principals rights of access to information, correction and erasure, grievance redressal, and nomination.
  3. Data Fiduciaries and Data Processors: The Act defines the fiduciary (who determines the purpose and means of processing) and the processor (who processes on the fiduciary’s behalf), and places the compliance burden on the fiduciary.
  4. Consent Framework: Consent must be free, specific, informed, unconditional and unambiguous, preceded by a notice, and as easy to withdraw as to give; a closed list of “legitimate uses” applies without consent.
  5. Cross-Border Data Transfers: Personal data may be transferred to any country except those the Central Government restricts by notification, without prejudice to stricter sectoral laws.
  6. Enforcement and Penalties: The Data Protection Board of India inquires into breaches and complaints and imposes monetary penalties up to the ceilings set in the Schedule to the Act.
 
OBJECTIVES AND SCOPE OF THE DPDP ACT
The Digital Personal Data Protection Act, 2023 (DPDP Act) is designed with several key objectives in mind, such as:
1.      The primary goal of the DPDP Act is to safeguard individuals’ privacy rights concerning their personal data. By establishing clear rules and principles, the Act aims to prevent unauthorized access, misuse, and exploitation of personal information.
2.      The Act seeks to empower data principals (individuals whose data is processed) by granting them specific rights. These rights include the right to access their data, rectify inaccuracies, and control how their information is used.
3.      The Act places responsibility on data fiduciaries (entities processing personal data) to handle data transparently, ethically, and securely. By enforcing accountability, the Act encourages organizations to adopt robust data protection practices.[3]
 
Applicability to Personal Data Processing: -
A.     Within India
The DPDP Act applies to the processing of digital personal data within India, whether by an Indian company, a government agency, or any other person. Two carve-outs apply: personal data processed by an individual for a personal or domestic purpose, and personal data that the data principal, or a person under a legal obligation, has made publicly available.
 
B.     Cross-Border Data Transfers
The Act also reaches beyond India’s boundaries in two ways. Key points are:-
·         Under Section 3(b) it applies to the processing of digital personal data outside India if that processing is connected with offering goods or services to data principals within India, so a foreign platform serving Indian users is covered.
·         Under Section 16 an Indian data fiduciary may transfer personal data for processing to any country or territory outside India except those the Central Government restricts by notification. The Act prescribes no adequacy test, approved contract form or prior approval for transfers, but the fiduciary’s obligations follow the data: it must have a valid contract with any foreign processor, keep reasonable security safeguards in place (encryption in transit and at rest, access restriction, audit rights over the processor), and remain answerable for the processor’s handling.
·         The Act does not mandate data localization (storing data exclusively within India), nor does it itself encourage local storage. It does preserve any other law that imposes a higher degree of protection or a stricter restriction on transfer, so sector-specific localization rules, such as the Reserve Bank of India’s 2018 direction on storage of payment system data, continue to apply.[4]
Key Terms used in the DPDP Act include the following[5]-
a.       Personal Data- Section 2(t) defines personal data as any data about an individual who is identifiable by or in relation to such data. The Act applies to it only in digital form. The definition is deliberately broad and covers, among other things:
  • Basic Identifiers such as names, addresses, phone numbers, and email IDs.
  • Biometric Information such as fingerprints, retina scans, and facial recognition data.
  • Online Identifiers such as IP addresses, device IDs, and cookies.
  • Health records, financial details, and sexual orientation. Unlike the GDPR and the 2019 Bill, the Act does not carve out a separate “sensitive personal data” category with stricter rules; every category above is governed by the same provisions.
b.      Data Principal- A data principal is the individual to whom the personal data relates; for a child it includes the parent or lawful guardian, and for a person with a disability it includes the lawful guardian acting on their behalf. Whether you are a customer, an employee, or a website user, you are a data principal, and the Act is built around protecting your rights.
c.       Data Fiduciary- A data fiduciary is any person (individual, company, or government body) that, alone or with others, determines the purpose and means of processing personal data. It carries the compliance obligations of the Act.
d.      Data Processor- A data processor processes personal data on behalf of a data fiduciary, under a valid contract. The fiduciary stays responsible for compliance even where a processor does the work.
The Act uses the feminine pronouns “she” and “her” throughout its text to refer to individuals of every gender, and makes clear that these pronouns are to be read as referring to individuals irrespective of gender. Rather than defaulting to the masculine forms found in most Indian statutes, this choice recognises that data principals can be of any gender identity and promotes equality.[6]

 

RIGHTS OF DATA PRINCIPALS
The Act places significant emphasis on empowering data principals, the individuals whose data is processed. Chapter III grants four rights[7], each exercised by a request to the data fiduciary in the manner it prescribes:
a.      Right to Access Information
Where a data fiduciary processes personal data on the basis of consent (or on the “legitimate use” of data the principal volunteered), the data principal has the right to obtain:
  • A summary of the personal data being processed and the processing activities undertaken.
  • The identities of all other data fiduciaries and data processors with whom the data has been shared, with a description of what was shared.
  • Any other information prescribed by rules.
By providing transparency, this right ensures that individuals know how their data is used and can exercise their other rights in an informed way.
b.      Right to Correction and Erasure
Data principals may ask for inaccurate or misleading data to be corrected, incomplete data to be completed, and out-of-date data to be updated; for example, an incorrect address or a misspelled name. The fiduciary must act on a valid request.[8] The same section gives the right to erasure: on request, the fiduciary must erase the personal data unless retaining it is necessary for the specified purpose or is required by a law in force. The Act also obliges the fiduciary to erase data of its own motion when consent is withdrawn or the purpose is no longer being served, so erasure follows when:
·         The data is no longer necessary for the purpose for which it was collected.
·         The data principal withdraws consent.
·         The data principal requests erasure, subject to the retention exceptions above.
By granting this right, the Act lets individuals shrink their digital footprint and regain control over their data.[9]
c.       Right of Grievance Redressal
Data principals have a right to readily available means of grievance redressal from the data fiduciary (or a consent manager). The fiduciary must respond within a period to be prescribed, and a principal must exhaust this route before approaching the Data Protection Board.
d.      Right to Nominate
A data principal may nominate another individual to exercise these rights on their behalf in the event of death or incapacity.
What the Act does not include is a right to data portability. The GDPR (Article 20) lets data subjects obtain their data in a structured, commonly used, machine-readable format and move it between services, and the Personal Data Protection Bill, 2019 had proposed a similar right, but the 2023 Act dropped it. Indian fiduciaries therefore have no statutory duty to export data in an interoperable format, although those also subject to the GDPR must still honour portability for EU data subjects.
 
OBLIGATIONS OF DATA FIDUCIARIES
Data fiduciaries bear critical responsibilities under the DPDP Act whenever they process personal data. These obligations, set out mainly in Section 8, are essential for ensuring data protection, privacy, and accountability.[10]
Responsibilities of Data Fiduciaries are:-
1.      Security Measures
Under Section 8(5) data fiduciaries must implement reasonable security safeguards to prevent personal data breaches, including where a processor handles the data on their behalf. In practice these measures include[11]:
a)       Encryption: Ensuring that data is encrypted during storage and transmission.
b)       Access Controls: Restricting access to authorized personnel only.
c)       Regular Audits: Conducting periodic security audits to identify vulnerabilities.
d)       Incident Response Plans: Developing protocols to handle data breaches and security incidents promptly.
2.      Accuracy and Data Quality
Data fiduciaries must keep personal data complete, accurate and consistent where it is used to make a decision that affects the data principal or is disclosed to another data fiduciary. Related responsibilities include:
a)       Purpose Limitation: Processing personal data only for the purpose to which the data principal consented, and collecting no more than that purpose requires.
b)       Rectification: Promptly correcting, completing or updating inaccurate or incomplete data when data principals request it.
c)       Retention Policies: Erasing personal data once consent is withdrawn or the specified purpose is no longer being served, unless another law requires retention, and ensuring that processors erase it too.[12]
3.      Breach Reporting
When a personal data breach occurs, Section 8(6) requires the data fiduciary to:
a)       Notify Data Principals: Inform each affected individual of the breach, in the form and manner to be prescribed by rules.
b)       Report to the Board: Give the Data Protection Board of India intimation of the breach in the prescribed form and manner. The Act itself fixes no deadline and leaves the timeline to the rules.
c)       Mitigate Harm: Act to contain the breach and limit harm to data principals, and carry out any urgent remedial measures the Board directs.
4.      Additional Obligations of Significant Data Fiduciaries, including a Data Protection Officer (DPO)
a)       The Central Government may notify a data fiduciary, or a class of them, as a Significant Data Fiduciary (SDF) on the basis of the volume and sensitivity of the data processed, the risk to data principals’ rights, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, or public order.
b)       An SDF must appoint a DPO based in India who represents it under the Act and is the point of contact for grievances, appoint an independent data auditor, and periodically carry out data protection impact assessments and audits.
c)       Every data fiduciary, significant or not, must publish the contact details of its DPO or of another person able to answer data principals’ questions about the processing of their data.
 
CRITICAL ASPECTS OF CONSENT AND DATA PROCESSING
Consent is the principal lawful basis for processing under the Act, ensuring that individuals control how their personal data is used.[13] Section 6 requires that consent be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the purpose stated in the notice. (Section 7 separately permits a closed list of “legitimate uses”, such as data a person volunteers for a stated purpose, State functions, employment, and medical emergencies, for which consent is not required.) The consent requirements can be understood as under:-
1.      Informed and Specific Consent
The DPDP Act emphasizes that consent must be:
a)       Informed: Every request for consent must be preceded or accompanied by a notice stating what personal data will be processed and for what purpose, how the data principal can exercise their rights, and how to complain to the Board. Clear, concise language is expected, and the principal may ask for the notice in English or any language in the Eighth Schedule to the Constitution.
b)       Specific: Consent is limited to the purpose stated and covers only the data necessary for it. Generic or blanket consent is insufficient. For example, if an app collects data for both marketing and analytics, it needs separate consent for each purpose, and a refusal of the marketing purpose cannot be treated as a refusal of the analytics purpose.
2.      Freely Given and Withdrawable
a)       Freely Given: Consent must be voluntary. A fiduciary cannot make a service conditional on consent to processing that the service does not need. For instance, denying access to a website unless users agree to extensive data collection violates this principle.
b)       Withdrawable: Data principals may withdraw consent at any time, and withdrawing must be as easy as giving it. Withdrawal does not affect the lawfulness of processing done before it, but the fiduciary must then stop processing within a reasonable time unless another law requires otherwise. The Act also provides for registered consent managers through which principals can give, manage, review and withdraw consent.[14]
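As an added illustration, not part of the original article and not the Act’s own text, the following Python sketch shows one way a data fiduciary’s systems can encode the conditions above: consent is stored per named purpose together with the version of the notice the principal saw, a blanket “all purposes” grant is refused, withdrawing one purpose is a single unconditional call that leaves the other purposes intact, and every processing step is gated on a live consent for exactly that purpose. The purpose names, notice identifiers, principal IDs and timestamps are constructed for the example.

```python
"""Purpose-bound consent ledger (illustrative example, not the DPDP Act's text).

Maps the consent conditions in the text onto code: one record per named
purpose, a blanket grant is refused, withdrawal is a single unconditional call,
and processing is gated on a live consent for exactly that purpose.
Timestamps are epoch seconds so the ledger can be replayed for an access request.
"""
import time
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed purpose catalogue for a hypothetical e-commerce app.
# "order_fulfilment" is the purpose the service genuinely needs; the rest are optional.
KNOWN_PURPOSES = {"order_fulfilment", "marketing", "analytics", "third_party_sharing"}
SERVICE_PURPOSES = {"order_fulfilment"}
BLANKET_MARKERS = {"*", "all", "any"}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str            # identifies the notice text the principal was shown
    granted_at: float
    withdrawn_at: Optional[float] = None

    def is_active(self, at: float) -> bool:
        """True if this grant was in force at time `at`."""
        if at < self.granted_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, principal_id: str, purposes: Iterable[str], notice_version: str,
              at: Optional[float] = None) -> int:
        """Record one consent per named purpose; refuses wildcard and undeclared purposes."""
        at = time.time() if at is None else at
        purposes = list(purposes)
        if not purposes or any(p in BLANKET_MARKERS for p in purposes):
            raise ValueError("consent must name each purpose; a blanket grant is not specific")
        unknown = set(purposes) - KNOWN_PURPOSES
        if unknown:
            raise ValueError(f"purposes not declared in the notice: {sorted(unknown)}")
        for p in purposes:
            self._records.append(ConsentRecord(principal_id, p, notice_version, at))
        return len(purposes)

    def withdraw(self, principal_id: str, purpose: str, at: Optional[float] = None) -> int:
        """Withdraw consent for one purpose; other purposes are untouched. Returns grants closed."""
        at = time.time() if at is None else at
        closed = 0
        for r in self._records:
            if r.principal_id == principal_id and r.purpose == purpose and r.is_active(at):
                r.withdrawn_at = at
                closed += 1
        return closed

    def may_process(self, principal_id: str, purpose: str, at: Optional[float] = None) -> bool:
        """Gate for every processing step: a live consent for exactly this purpose."""
        at = time.time() if at is None else at
        return any(r.principal_id == principal_id and r.purpose == purpose and r.is_active(at)
                   for r in self._records)

    def service_available(self, principal_id: str, at: Optional[float] = None) -> bool:
        """Freely given: the service depends only on the purposes it genuinely needs."""
        return all(self.may_process(principal_id, p, at) for p in SERVICE_PURPOSES)

    def history(self, principal_id: str) -> list[dict]:
        """What a principal would receive under a right-of-access request."""
        return [vars(r).copy() for r in self._records if r.principal_id == principal_id]


def demo() -> dict:
    """Walk the scenarios from the text on constructed data; returns the outcomes."""
    ledger = ConsentLedger()
    t0 = 1_720_000_000.0                       # constructed epoch time
    ledger.grant("p-42", ["order_fulfilment", "analytics"], "notice-v3", at=t0)
    ledger.withdraw("p-42", "analytics", at=t0 + 86_400)   # one day later
    try:
        ledger.grant("p-42", ["all"], "notice-v3", at=t0)
        blanket_rejected = False
    except ValueError:
        blanket_rejected = True
    return {
        "analytics_before_withdrawal": ledger.may_process("p-42", "analytics", at=t0 + 3_600),
        "analytics_after_withdrawal": ledger.may_process("p-42", "analytics", at=t0 + 90_000),
        "marketing_never_granted": ledger.may_process("p-42", "marketing", at=t0 + 3_600),
        "service_still_available": ledger.service_available("p-42", at=t0 + 90_000),
        "blanket_rejected": blanket_rejected,
        "records": len(ledger.history("p-42")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the file prints the outcomes of the constructed scenario. Keeping grant and withdrawal timestamps rather than a single boolean is the design point: it lets the fiduciary show that processing before a withdrawal was lawful and that processing after it stopped, and it gives the principal a complete history on an access request. A real deployment would persist the records and attach the notice text itself, not just its version.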
 
Challenges in Obtaining Informed Consent are explained below:-
a)    Complexity of information: privacy policies and consent forms often use dense legal language, so data principals struggle to understand their rights and the risks involved.
b)   Lengthy privacy policies discourage thorough reading. Users tend to click “Agree” without understanding the implications.
c)    Organizations hold more power than individual data subjects. Consent can become a mere formality, especially when users have no viable alternatives.
d)   Offering a single “Accept All” button for various purposes (e.g., marketing, analytics, third-party sharing) undermines specific consent.
e)    Consent obtained for one purpose may not cover future data processing. As technology evolves, data may be repurposed, leading to unforeseen consequences.
f)    Striking a balance between granularity (specific consent for each purpose) and usability is challenging.[15]
 
CROSS-BORDER DATA TRANSFERS AND STATUTORY ASPECTS
The DPDP Act recognizes that data flows across borders are integral to today’s interconnected world, while still requiring that personal data remain protected once it leaves India.[16] The statutory position on international transfers is as follows:
1.      Negative-List Approach- Section 16 permits a data fiduciary to transfer personal data for processing to any country or territory outside India, except those the Central Government restricts by notification. Unless a destination is on that notified list, the transfer itself needs no separate approval.
2.      Fiduciary Obligations Travel with the Data- The fiduciary remains answerable for processing done on its behalf abroad. It must still have a valid contract with any foreign processor, keep reasonable security safeguards in place, and honour data principals’ rights, so contractual and technical controls (encryption in transit and at rest, access restriction, audit rights over the processor) remain necessary even though the Act prescribes no particular form for them.
3.      Stricter Sectoral Rules Prevail- Section 16(2) preserves any other Indian law that imposes a higher degree of protection or a tighter restriction on transfer. Sector-specific localisation mandates, such as the Reserve Bank of India’s 2018 direction that payment system data be stored in India, therefore continue to apply alongside the Act.[17]
4.      Contrast with the GDPR- The GDPR’s Chapter V works the other way round: transfers outside the EU are restricted unless the destination has an adequacy decision, or the exporter puts in place appropriate safeguards. Examples of those safeguards are:
a)      Binding Corporate Rules (BCRs): Internal rules governing data transfers within multinational companies.
b)      Standard Contractual Clauses: Pre-approved contractual clauses adopted by the European Commission.
c)      Supervisory Authority-Authorised Contractual Clauses: Customised contractual clauses approved by a supervisory authority.[18]
Indian fiduciaries that also receive personal data from the EU must satisfy those GDPR mechanisms on the EU side, in addition to Section 16 on the Indian side.
 
Limitations and Challenges of the Cross-Border Framework are:-
1.      Navigating diverse legal frameworks across countries can be complex. Data fiduciaries must ensure compliance with both Indian laws and the recipient country’s regulations.
2.      Data subjects often lack bargaining power when dealing with global corporations. Negotiating individualized safeguards can be challenging.[19]
3.      Data purposes may evolve over time, making it difficult to predict future uses. Safeguards must adapt to changing contexts.
4.      While cross-border data transfers are essential for innovation and global business, privacy rights must not be compromised. Organizations must strike a balance by respecting data subjects’ rights while facilitating legitimate data flows.[20]
ENFORCEMENT AND PENALTIES
1.      The enforcement mechanism includes:
a.       The Data Protection Board of India (DPB)
The DPDP Act establishes the Data Protection Board of India as the body that adjudicates non-compliance. Its chairperson and members are appointed by the Central Government, and the Act requires it to function as an independent body and, as far as practicable, as a “digital office”, receiving complaints and conducting proceedings online.[21]
Key Functions are:-
·         On receiving intimation of a personal data breach, the DPB inquires into it and may direct urgent remedial or mitigation measures.
·         On a complaint by a data principal, or a reference from the Central Government, it inquires into whether a data fiduciary or consent manager has breached the Act and can direct corrective action.
·         Where a breach is found, it imposes the monetary penalties set out in the Schedule to the Act, after giving the person an opportunity of being heard.
·         It may accept a voluntary undertaking from a fiduciary in place of further proceedings, and it refers repeat offenders to the Central Government for blocking (see below).
Orders of the DPB can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Rule-making and guidance remain with the Central Government, not the Board.
2.      Penalties for Non-Compliance includes: -
a.       Monetary Penalties
The Act prescribes monetary penalties only; it creates no criminal offences. The Schedule sets a ceiling for each class of breach: up to ₹250 crore for failing to take reasonable security safeguards to prevent a personal data breach, up to ₹200 crore for failing to notify the Board or affected data principals of a breach, up to ₹200 crore for breaching the obligations relating to children, up to ₹150 crore for breaching the additional obligations of a significant data fiduciary, and up to ₹50 crore for any other contravention. A data principal who breaches their own statutory duties faces a penalty of up to ₹10,000.
b.       Factors in Fixing the Amount
Within those ceilings the DPB weighs the nature, gravity and duration of the breach, the type and nature of the data affected, whether the breach is repetitive, any gain or loss avoided, the mitigation taken, and proportionality. Unlike the GDPR, the Act does not calculate fines as a percentage of global turnover.
3.      Repeated Offenses
Repetition raises the penalty within the ceiling. Beyond that, Section 37 allows the Central Government, on a reference from the Board after a fiduciary has been penalised on two or more occasions, to direct that public access to the fiduciary’s computer resource be blocked in the interests of the general public.
While penalties are essential, the Board’s role also includes accepting voluntary undertakings and directing remediation rather than only punishing. Education, awareness, and cooperation are equally crucial for achieving robust compliance.[22]
 
IMPACT OF DPDP ACT ON PRIVACY RIGHTS IN INDIA
The DPDP Act, 2023 represents a significant leap forward in safeguarding privacy rights in India. Below stated are the instances of how it enhances privacy and empowers individuals:
1.       Individual Control
a)      Informed Consent- The Act emphasizes informed and specific consent. Data subjects now have a clearer understanding of how their personal data is used.
b)      Right to Erasure- Individuals can request the deletion of their data, giving them greater control over their digital footprint.
2.      Accountability and Transparency
a)      Data Fiduciaries’ Responsibilities- The Act places obligations on data fiduciaries to handle data transparently, accurately, and securely.
b)      Data Protection Board (DPB)- The DPB oversees compliance, ensuring organizations are accountable.[23]
 
Challenges faced by organisations are:-
1.      Organizations must adapt to new regulations, which can be challenging and resource-intensive.
2.      Balancing data flows with privacy rights remains a delicate task.
3.      As technology evolves, ensuring data protection for unforeseen purposes is complex.
 
Points of benefits are:-
1.      The Act fosters trust by prioritizing data privacy.
2.      India’s commitment to privacy aligns with global standards.
3.      The DPDP Act positions India as a leader in digital privacy.
While challenges exist, the DPDP Act provides a framework for responsible data handling. Organizations that prioritize privacy will not only comply with the law but also build trust with their users.[24]
 
CONCLUSION AND RECOMMENDATIONS
In our journey through the Digital Personal Data Protection Act, 2023 (DPDP Act), we’ve navigated its chapters, dissecting its impact on privacy rights and practical implications. Let’s distill our findings into actionable insights:
The Act places informed consent at the heart of data processing. Organizations must prioritize transparent communication with data subjects. Implementing user-friendly consent mechanisms ensures that individuals truly understand the purpose and risks associated with their data. Regularly reviewing and updating consent as data use evolves is essential to maintain trust.
 
As businesses operate in a globalized landscape, adherence to the Act’s provisions for international data flows becomes critical. Before transferring data outside India, organizations must check the Central Government’s notified list of restricted countries and any sector-specific localisation rules, and they should bind foreign processors by contract and technical safeguards because the fiduciary remains answerable for the processor’s handling. Those that also handle EU data must satisfy the GDPR’s transfer mechanisms, such as standard contractual clauses, on the EU side. Balancing data localization with the need for seamless data exchange ensures a harmonious global data ecosystem.
 
Data fiduciaries bear significant responsibilities. Accurate data handling, robust security measures, and timely breach reporting are non-negotiable. Regular audits of data practices ensure alignment with the Act. Educating employees and stakeholders on privacy norms fosters a culture of compliance.
 
While challenges exist—legal complexity, dynamic data use—the benefits far outweigh them. Trust-building, global recognition, and India’s position as a privacy-conscious leader underscore the Act’s positive impact. Organizations that prioritize privacy not only comply with the law but also build lasting trust with their users.
 
As guardians of privacy, let us champion data protection, ensuring that innovation and individual rights coexist seamlessly in the digital age.


[1] Burman, A. (2023, October 3). Understanding India’s new data protection law. Carnegie India. https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624
[2] Wolford, B. (2023, September 14). What is GDPR, the EU’s new data protection law? GDPR.eu. https://gdpr.eu/what-is-gdpr/
[3] Dowden, M. (2023, August 25). India Welcomes Landmark Data Protection Law. https://natlawreview.com/article/india-welcomes-landmark-data-protection-law.
[4] What is the Applicability of the DPDP Act. (n.d.). https://www.leegality.com/consent-blog/dpdp-applicability
[5] India Briefing. (2023, December 20). India’s Digital Personal Data Protection (DPDP) Act, 2023. India Briefing News. https://www.india-briefing.com/news/indias-digital-personal-data-protection-act-2023-key-provisions-29021.html/
[6] Bindal, S. (2023, September 11). Empowering Gender Neutrality: DPDP Act’s use of feminine pronouns to refer to all genders. Fox Mandal. https://www.foxmandal.in/empowering-gender-neutrality-dpdp-acts-use-of-feminine-pronouns-to-refer-to-all-genders/
[7] Sahoo, N. (2023, October 10). Rights of a data principal under the DPDP Act. VISTA InfoSec. https://www.vistainfosec.com/blog/dpdp-act-data-principal-rights/
[8] Secure Privacy. (2024, April 19). India’s DPDPA 2023 | Rights & Business Compliance Guide. https://secureprivacy.ai/blog/india-dpdp-act-data-principal-rights-and-requests
[9] Tsaaro. (2024, January 22). Digital Personal Data Protection Act, 2023 - Tsaaro Consulting. https://tsaaro.com/blogs/rights-and-duties-under-the-digital-personal-data-protection-act-2023/
[10] Top 6 operational impacts of India’s DPDPA – Obligations of data processing entities. (n.d.). https://iapp.org/resources/article/operational-impacts-of-indias-dpdpa-part3/
[11] Decrypting India’s new data protection law: key insights and lessons learned. (n.d.). Bird & Bird. https://www.twobirds.com/en/insights/2023/global/decrypting-indias-new-data-protection-law-key-insights-and-lessons-learned
[12] Barat, D. (2023, December 22). The importance of being ‘Significant’: significant data fiduciaries under India’s proposed data protection regime. S&R Associates. https://www.snrlaw.in/the-importance-of-being-significant-significant-data-fiduciaries-under-indias-proposed-data-protection-regime/
[13] Consent - General Data Protection Regulation (GDPR). (2021, October 22). General Data Protection Regulation (GDPR). https://gdpr-info.eu/issues/consent/
[14] DataGrail, Inc. (2023, February 14). Consent for data processing of personal data | DataGrail. DataGrail. https://www.datagrail.io/glossary/consent-for-data-processing/
[15] Consent Managers under Digital Personal Data Protection Act. (n.d.). https://www.lakshmisri.com/insights/articles/consent-managers-under-digital-personal-data-protection-act/
[16] Live Law. (2023, May 25). Cross-border data transfer regulations: global trade, digital services and data protection. https://www.livelaw.in/articles/cross-border-data-transfer-regulations-global-trade-digital-services-data-protection-229472
[17] The roadmap to cross-border data transfer. (2023, June 7). BusinessLine. https://www.thehindubusinessline.com/opinion/the-roadmap-to-cross-border-data-transfer/article66943043.ece
[18] PTI. (2023, August 4). Data Protection bill to enable easier cross-border data transfer, act as an enabler for startups: experts. The Economic Times. https://economictimes.indiatimes.com/tech/startups/data-protection-bill-to-enable-easier-cross-border-data-transfer-act-as-an-enabler-for-startups-experts/articleshow/102433437.cms
[19] Parsheera, S. (2022, August 31). What’s shaping India’s policy on Cross-Border data flows? - Data Governance, Asian Alternatives: How India and Korea are creating new models and policies. Carnegie Endowment for International Peace. https://carnegieendowment.org/2022/08/31/what-s-shaping-india-s-policy-on-cross-border-data-flows-pub-87769
[20] Atkinson, R. D., & Cory, N. (2021). Cross-Border Data Policy: opportunities and challenges. In China and globalization (pp. 217–232). https://doi.org/10.1007/978-981-16-5391-9_20
[21] Legal Dimensions of Data Protection: Examining Penalties under the DPDP Act 2023 | Rainmaker Blog. (2023, September 27). https://rainmaker.co.in/blog/view/legal-dimensions-of-data-protection-examining-penalties-under-the-dpdp-act-2023
[22] Usercentrics. (2024, February 21). India Digital Personal Data Protection Act (DPDP Act): An Overview. Consent Management Platform (CMP) Usercentrics. https://usercentrics.com/knowledge-hub/india-digital-personal-data-protection-act-dpdpa/
[23] Bareh, C. K. (2024). Reviewing the Privacy Implications of India’s Digital Personal Data Protection Act (2023) from Library Contexts. DESIDOC Journal of Library and Information Technology, 44(1), 50–58. https://doi.org/10.14429/djlit.44.1.18410
[24] Data Protection Act 2023’s Impact on Consumer Businesses: The Way forward. (2023, October 19). Grant Thornton Bharat. https://www.grantthornton.in/insights/blogs/data-protection-act-2023s-impact-on-consumer-businesses-the-way-forward/

About Journal

International Journal for Legal Research and Analysis

  • Abbreviation IJLRA
  • ISSN 2582-6433
  • Access Open Access
  • License CC 4.0

All research articles published in International Journal for Legal Research and Analysis are open access and available to read, download and share, subject to proper citation of the original work.
