Balancing Act or Power Play: An Analysis of the Digital Personal Data Protection Act, 2023

By Purvasha Anand – Student, Kautilya

As India takes rapid steps towards a digital economy, the protection and security of personal data becomes inevitable. Every time you scroll through social media, shop online or use a government service, you leave your digital footprint. This trail, containing your personal data (i.e. your name, address, AADHAAR number, etc.), paints a detailed picture of who you are. But do we know who controls the picture? Who can access it? Where is it stored? These important questions had long been left unanswered. The Digital Personal Data Protection Act, 2023 was an attempt to answer these.

The Central Government (CG) withdrew the earlier Personal Data Protection Bills of 2019 & 2022 due to multiple modifications that included several concerns about data localization, transparency, compliance requirements, etc. The current Bill was created following the Supreme Court’s 2017 ruling in Justice K.S. Puttaswamy v. Union of India, which upheld the “Right to Privacy” as a component of the fundamental right “Right to Life” guaranteed by Article 21 of the Indian Constitution. The Court also recommended that the Central Government establish a law or other framework to protect personal data. The principal aim of the Act is to institute a thorough structure for safeguarding and handling personal information, which is defined below:
“The Act provides for the processing of digital Personal Data in a manner that recognizes both the rights of the individuals to protect their Personal Data and the need to process such Personal Data for lawful purposes and matters connected therewith or incidental thereto”.

To understand the key areas of concern, it is important to analyze some contentious features of the Act. The first is related to the entity that determines the purpose and means of processing, known as the “data fiduciary,” which is required to ensure data accuracy and erase data when no longer needed, along with other duties. In certain situations, the data principal’s rights and the data fiduciaries’ duties (apart from data security) will not be applicable. The central government may notify specific activities that are not subject to the Act’s provisions. These consist of (i) processing carried out by governmental bodies for the aim of maintaining public order and state security and (ii) processing for statistical, archival, or research reasons.

Also, there are issues with the creation of the Data Protection Board. As per the Act, the government will establish procedures for the appointment and selection of the board members. The board is an autonomous body with a restricted mandate. The Act does not specify the number of members that must be on the board, or that one must be a legal expert. Given that one of the board’s primary responsibilities is to impose penalties and directives for noncompliance, this final clause seems problematic.

However, the implementation of these features of the DPDP Act raises concerns and doubts. To start with, in the Puttaswamy ruling, the Supreme Court ruled that any interference with one’s right to privacy must be commensurate with the need for it. The State may collect, process, and retain more data than is necessary if it is granted exemptions. This might not be appropriate and could go against the privacy rights that are fundamental.

The Act gives the Central government the authority to waive any or all of the requirements about processing carried out by government agencies in the interest of maintaining public order and state security. Moreover, it does not mandate that government organizations destroy personal information once the processing goal has been satisfied. Under the aforementioned exclusions, a government agency may gather information about a citizen in order to compile a 360-degree profile for monitoring purposes on the grounds of national security.

Retrospectively, internet outages have been employed as a tactic to quell dissent and stop the dissemination of information during farmer protests and demonstrations in Kashmir. Opponents see this as an infringement on the right to free speech and information access, but the government says maintaining public order is important. Also, the national identity program Aadhaar gathers demographic and biometric data, and many question the use of this data for mass monitoring.

Another point of concern is the risk of injury resulting from the processing of personal data, which the Act does not regulate. On this issue, the Srikrishna Committee noted that processing personal data may result in different harms, such as monetary loss, identity theft, etc.

The national government may, by notification, limit the flow of personal data to specific nations. Data held outside of India may be more susceptible to breaches or unauthorized sharing with foreign governments and business companies if that country does not have strong data protection regulations. An instance would be the 2021 Air India data breach, where the personal data of passengers was leaked, and the data was stored in a US-based company’s servers.

However, the DPDP Act does provide support for India’s progress toward the adoption of artificial intelligence (AI) and other future technologies while protecting personal data. The Act also establishes the framework for several additional legislations and other industry-specific rules regarding privacy and data protection. Notably, the Act is the first central statute in India to refer to individuals using she/her pronouns. However, it is believed that several implementation-related elements need to be clarified, which could happen if the Data Protection Board of India is established and the Act’s rules are published. The Act, in its totality, attempts to promise data protection and privacy but also has loopholes that could be manipulated and exploited, thereby infringing the fundamental right to life and personal liberty (Article 21).

*The Kautilya School of Public Policy (KSPP) takes no institutional positions. The views and opinions expressed in this article are solely those of the author(s) and do not reflect the views or positions of KSPP.