By Pratha Jain
In an unexpected turn, India’s Digital Personal Data Protection Act, 2023 (hereinafter referred to as “the Act”) was passed with remarkable speed. Introduced in Parliament, it was passed by both Houses within a week, bypassing debate and committee consideration. Having received Presidential assent on August 11, 2023, the Act awaits notification in the Official Gazette for its provisions to take effect. The Minister for Electronics and Information Technology (hereinafter referred to as “IT”) indicated that compliance timelines could range from six months to under two years after industry consultations.
Until now, India was one of the most economically and politically significant countries, alongside the United States, without a comprehensive data privacy law. Five years after the Justice B.N. Srikrishna committee recommended an impactful, international standard framework, the current Act represents a diluted culmination of successive government revisions and a parliamentary committee report.
While inheriting many weaknesses, it veers closer to a fresh draft than a redraft of previous versions. The absence of consultation during its formulation highlights the influence of an increasingly centralized political system. This article delves into the Act’s implications, assessing which societal interests (Indian businesses, foreign corporations, individuals, or the government) stand to benefit the most from its provisions.
Scope of the Act
The Act applies to all levels of government in India (Central, State and local), and to the private sector, all of which come within the meaning of ‘Data Fiduciaries’ (Section 2(i)). In Indian legislation, ‘the State’ encompasses all these levels of government, and this is crucial in this Act. However, it excludes paper-based transactions unless digitized, significantly narrowing its applicability compared to international norms like the EU’s General Data Protection Regulation (hereinafter referred to as “GDPR”).
“Personal data” is defined under Section 2(t) as data identifying an individual. However, the Act does not recognize “sensitive personal data” categories, such as those concerning race, caste, health, or biometrics, which are protected under GDPR. This omission marks a departure from earlier drafts, including the Srikrishna Committee’s recommendations (2018), which advocated for special protection for sensitive data. Furthermore, Section 3(c) excludes publicly available data from protection, a loophole that risks misuse in the age of social media.
Notably, children’s data receives special protection under Section 9, prohibiting targeted advertising and requiring parental consent. However, grouping individuals with disabilities under the same category as children reflects a lack of nuanced consideration.
Business and Government-Friendly Features
Broad Exemptions for the State:
The Central Government’s extensive powers to exempt itself or other entities from compliance dilute the Act’s protective framework. Section 17(2)(a) allows complete exemptions for state instrumentalities based on ambiguous grounds such as “sovereignty” or “public order.” Similarly, Sections 17(4) and 17(5) enable indefinite retention and accumulation of personal data by the government, bypassing obligations like data erasure and accuracy.
These provisions raise constitutional concerns, particularly under the proportionality test established in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017).
The Supreme Court, in this landmark judgment, recognized privacy as a fundamental right under Article 21 of the Indian Constitution, necessitating a rational nexus between state aims and the measures adopted. The Court observed:
“Privacy constitutes the foundation of all liberty because it is in privacy that the individual can decide how liberty is best exercised.”
“An invasion of life or personal liberty must meet the threefold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.”
Minimal Obligations for Businesses:
For businesses, the Act provides a “compliance-light” regime. Penalties for breaches, capped at ₹250 crore (approximately USD 31 million), are unlikely to deter large corporations. Moreover, the absence of stringent data localization requirements, contrary to the Reserve Bank of India’s mandate for payment data, favours corporate flexibility over consumer safeguards.
Data Localisation and International Transfers: While the Act avoids explicit data localization mandates, existing laws such as Section 94 of the Companies Act, 2013, and the Reserve Bank of India’s 2018 circular on payment data storage, already enforce localization in specific sectors. Additionally, Section 16 empowers the government to restrict data transfers to blacklisted countries, although the criteria for blacklisting remain undefined.
This contrasts with GDPR’s adequacy framework, which evaluates a country’s data protection standards before allowing transfers. The outsourcing exemption under Section 17(1)(d) further complicates international compliance. For instance, Indian service providers handling European Union citizens’ data must rely on Standard Contractual Clauses (SCCs), as India has failed to secure an adequacy decision from the EU. This situation mirrors challenges faced post-Schrems II (2020), where the Court of Justice of the European Union invalidated the EU-US Privacy Shield.
Data Fiduciary Obligations and Data Principal Rights
Obligations of Data Fiduciaries:
Section 8 outlines fiduciary responsibilities, including:
Ensuring data accuracy and security.
Implementing organizational measures akin to GDPR’s “accountability” principle.
Providing breach notifications to affected individuals and the Data Protection Board (DPB).
However, these obligations are undermined by exemptions for state entities under Section 17(4). Notably, data erasure obligations are waived if retention is required by law (Section 12(3)), creating a loophole for indefinite data storage.
Rights of Data Principals:
Sections 11-14 enumerate individual rights, including:
Access: Summaries of processed data and entities with whom data is shared.
Correction and Erasure: Subject to limitations like legal retention requirements.
Grievance Redressal: Complaints must first be addressed to fiduciaries before escalating to the DPB.
However, these rights are constrained by significant exclusions. For example, publicly available data or third-party collected data are excluded from correction or deletion rights. Additionally, the absence of judicial remedies, as seen in GDPR’s provisions for representative actions, weakens enforcement.
The Data Protection Board: Independence and Limitations
The DPB, established under Section 18, is tasked with oversight and enforcement. Despite being labelled “independent,” its two-year member tenure, budgetary dependence on the government, and lack of autonomous investigatory powers cast doubt on its impartiality. Comparatively, GDPR-compliant authorities like the European Data Protection Board (EDPB) enjoy greater operational autonomy.
Section 27 empowers the DPB to impose penalties and issue directions but excludes compensatory remedies. In effect, a business affected by a penalty or direction has a right to a re-hearing by the Board (perhaps the whole Board), after which the Board may modify its order under Section 27(3).
There is also a right of appeal to the Appellate Tribunal (Telecom Disputes Settlement and Appellate Tribunal, TDSAT) within 60 days under Section 29. The TDSAT is regarded as already overloaded. Data Principals have no such appeal rights. This omission contravenes international norms, where courts or data protection authorities can award damages for breaches.
Regional and Global Implications:
India’s DPDP Act influences neighbouring countries like Sri Lanka and Bangladesh, which are drafting their data privacy laws. However, its deviation from international standards may hinder India’s integration into global frameworks. For example, the absence of protections for sensitive data erodes its adequacy prospects with the European Union.
On the other hand, countries like Japan and South Korea, which align closely with GDPR, have secured adequacy decisions, enhancing their cross-border data flow capabilities. India’s reliance on SCCs for international transfers could deter foreign businesses from outsourcing to Indian firms, particularly in data-sensitive industries.
Comparing the DPDP Act with GDPR:
The DPDP Act’s omissions, compared to GDPR, include:
Protections for sensitive data.
Rights to data portability and automated decision-making restrictions.
Judicial remedies for individuals.
Restrictions on data exports based on adequacy assessments.
Proportionality in data processing.
These gaps weaken India’s standing in global data privacy rankings and risk constitutional challenges under Puttaswamy.
Constitutional Concerns:
The Supreme Court’s Puttaswamy judgment emphasized legality, necessity, and proportionality in privacy infringements. The DPDP Act’s broad exemptions and undefined terms, such as “legitimate uses” under Section 7, may fail this test. For example, the Act permits expansive government surveillance without sufficient safeguards, violating the informational privacy rights recognized in Puttaswamy.
NGOs or individuals could challenge the Act’s constitutionality, especially provisions enabling indefinite data retention and unregulated state exemptions.
India’s South Asian neighbours may be affected by India finally having a law, and by its content. Sri Lanka already has a law. Pakistan’s Bill (recently agreed to by Cabinet, but not yet introduced to Parliament), and Bangladesh’s Bill (only a government proposal as yet) might be amended before enactment. These are the last significant countries in Asia not to have a data privacy law. For most practical purposes, all of Asia will soon be a region of data privacy laws.
Conclusion: The DPDP Act, while a milestone in India’s data privacy journey, prioritizes business and governmental interests over consumer protections. Its broad exemptions, weak enforcement mechanisms, and departure from global standards sabotage its potential. As the Supreme Court of India prepares to adjudicate on privacy rights, the Act’s constitutionality and long-term credibility remain uncertain.
For Indian businesses, the Act offers operational flexibility, but at the cost of global credibility. For consumers, it represents a minimal safeguard, riddled with gaps that expose them to risks of misuse and surveillance. Future amendments and judicial interventions will be crucial in bridging these gaps and aligning India’s data privacy framework with international norms.
—Pratha Jain is a third-year law student at University of Mumbai Law Academy