Following the Supreme Court’s recognition of privacy as a fundamental right, the Government of India enacted the Digital Personal Data Protection Act to safeguard individual privacy. Can individuals truly exercise autonomy in a digital ecosystem where their personal information is constantly collected, analysed and monetised?
By Ibrahim H Khatri
In the relentless surge of the digital age, data has become the new oil, propelling the transformative power of artificial intelligence and the Internet of Things in the 21st century, much as oil fuelled the industrial revolution of the 20th century. Control of oil reserves by a select few nations shaped global power dynamics in the last century; similarly, vast troves of user data are now concentrated in the hands of a limited number of multinational corporations.
This concentration raises critical questions about the control and utilisation of this valuable resource. While oil reserves are geographically concentrated, data is constantly generated and dispersed across a vast digital landscape. This abundance of data, while holding immense potential for innovation and progress, also presents a significant challenge—the erosion of individual privacy. Can individuals truly exercise autonomy in a digital ecosystem where their personal information is constantly collected, analysed and monetised?
In the last decade, India has emerged as one of the most significant data consumers in the world. In 2023 (the most recent year for which data is available), India had 759 million internet users, a figure expected to reach 900 million by 2025. On average, an internet user in India consumes approximately 19.5 GB of data every month, surpassing even several developed nations. While factors like internet infrastructure, cheap smartphones and the availability of reasonably priced data packs have propelled the digital economy, a natural side effect of this growth is a threat to the privacy of the personal data individuals share across multiple apps, social media and e-commerce platforms. In this context, governments face wide-ranging concerns, including data collection without consent, the integrity of processing, cross-border transfers of personal data, grievance redressal and more. The answer to these concerns lies in establishing robust frameworks to govern the use of personal data.
Following the Supreme Court’s recognition of privacy as a fundamental right in a landmark decision, the Government of India enacted the Digital Personal Data Protection Act (DPDPA), 2023. This law aims to safeguard individual privacy while fostering innovation and growth in the nation’s digital economy. The DPDP law lays emphasis on informed consent and the innovative role of consent managers. The vision behind the law is to empower individuals and ensure responsible data practices, ultimately fostering a more balanced and secure digital environment.
The DPDPA represents a significant leap forward in India’s legal framework. It strengthens individual privacy through refined data management practices. Central to this effort is the concept of informed and explicit consent. The law empowers individuals, designated as “Data Principals”, with significant control over their personal data. The Act clarifies that for children, their parents or guardians act as Data Principals, and for persons with disabilities, legal guardians assume this role.
The DPDP law applies where the processing of digital personal data takes place within India’s territorial boundaries. It also applies where such processing takes place outside India but is connected with offering goods or services to people in India. It is important to note that the definition of a “person” under the DPDPA is expansive, encompassing individuals, Hindu joint families, companies, firms, registered or unregistered associations, the state as defined by the Indian Constitution, and other legal entities.
The DPDPA establishes clear guidelines for consent:
Freely given: Consent must be voluntary, without coercion or misleading incentives.
Specific and informed: Individuals must fully understand the scope and purpose of data collection before consenting.
Unambiguous: Consent requires a clear, deliberate action, such as checking a box. It cannot be inferred from inactivity or pre-ticked boxes.
The DPDP law clearly states that every request for consent must be presented to individuals in clear and plain language, with the option to access the request in English or in any language specified in the Eighth Schedule of the Indian Constitution. Under the Act, the request for consent must also provide the contact details of a pre-authorised person who is responsible for responding to communications from Data Principals if and when they choose to exercise their rights. Similarly, the DPDPA requires the process of withdrawing consent to be as easy as the process of giving it. If consent could be given with a single click, the law says it should be retractable just as simply.
A groundbreaking feature of the DPDPA is the establishment of “Consent Managers”. These entities act as trusted intermediaries between Data Principals (individuals whose personal data is being processed) and “Data Fiduciaries” (those who control the purpose and means of handling personal data—businesses of all sizes, from start-ups to banks). Consent Managers go beyond facilitating consent. They manage consent withdrawal, address data handling grievances and ensure that the highest data protection standards are upheld. This role is critical in empowering Data Principals and ensuring responsible data processing.
The law also recognises “Data Processors”, who handle data on behalf of Data Fiduciaries. Notably, the government can designate a Data Fiduciary as “significant” based on factors like data volume, sensitivity, or potential risk to national security or elections.
The concept of Consent Managers was first introduced in the Personal Data Protection Bill, 2019. Their role is pivotal under the DPDPA as well. The DPDPA, 2023, defines a Consent Manager as “a person registered with the Board who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform”.
Consent Managers play a prominent role in ensuring compliance. They verify that consent meets the legal standards and implement mechanisms to address grievances, giving Data Principals a streamlined process for resolving concerns. By managing consent transparently, Consent Managers build trust, fostering strong business relationships and regulatory compliance. They benefit Data Fiduciaries by making compliance with consent-related statutory requirements easier, and they benefit Data Principals by providing an efficient mechanism to grant and manage consent. More efficient consent management also improves the overall speed, security and efficiency of personal data flows. Additionally, Consent Managers help Data Principals exercise their right of grievance redressal with greater ease and efficiency.
Importantly, Consent Managers will be subject to regulatory oversight by the Data Protection Board. As per Section 27(c) of the DPDPA, the Board shall exercise and perform its powers and functions “on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act”. In effect, Consent Managers will remain accountable to individual consent givers (Data Principals). If a question about consent arises during a proceeding, the organisation concerned will be required to prove that notice was indeed given and that consent was indeed provided in accordance with the law.
Businesses must adapt to the DPDPA by implementing robust consent management mechanisms. This includes using clear opt-in mechanisms (such as checkboxes) to obtain active consent from Data Principals (consumers). Transparency about the purposes of data collection and about the involvement of Consent Managers is equally essential. Businesses must provide clear and accessible methods for withdrawing a user’s consent and maintain meticulous records of all consent-related transactions for accountability and compliance. Notably, the DPDPA expressly excludes publicly available information from the scope of data protection. Therefore, publicly available information may be freely used by businesses—including by their artificial intelligence and machine learning systems—for training, analytics, evaluation, targeted advertising and profiling.
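The consent properties listed above (an explicit affirmative action rather than a pre-ticked default, a plain-language notice with a responsible contact, withdrawal as easy as the grant, and a record that can later be produced as proof) can be made concrete in a small consent ledger. The code below is an added illustration, not from the article or any Consent Manager product; the record fields and the `affirmative_action` flag are assumptions about how a consent UI would report the user’s action.

```python
"""Illustrative consent-record ledger (added example; field names are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str              # the specific purpose the consent covers
    notice_text: str          # plain-language notice shown to the Data Principal
    notice_language: str      # language the notice was shown in (assumed code, e.g. "en")
    contact: str              # pre-authorised person responsible for responding
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, principal_id: str, purpose: str, notice_text: str,
                       notice_language: str, contact: str, affirmative_action: bool) -> ConsentRecord:
        # Consent cannot be inferred from inactivity or a pre-ticked box: the UI must
        # report an explicit action, otherwise nothing is recorded.
        if not affirmative_action:
            raise ValueError("consent requires an explicit action; defaults do not count")
        if not notice_text.strip() or not contact.strip():
            raise ValueError("notice text and responsible-contact details are mandatory")
        rec = ConsentRecord(principal_id, purpose, notice_text, notice_language,
                            contact, datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> int:
        # Single-step withdrawal, mirroring a single-click grant; returns grants closed.
        closed = 0
        for r in self._records:
            if r.principal_id == principal_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc)
                closed += 1
        return closed

    def is_consented(self, principal_id: str, purpose: str) -> bool:
        return any(r.principal_id == principal_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def evidence(self, principal_id: str, purpose: str) -> List[ConsentRecord]:
        # Audit trail: every grant (and its withdrawal time) for this principal and purpose,
        # which is what an organisation would produce to show notice and consent.
        return [r for r in self._records
                if r.principal_id == principal_id and r.purpose == purpose]
```

Records are never deleted on withdrawal; the withdrawal timestamp is added so the trail shows both the grant and its retraction.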
The introduction of the DPDPA is likely to have a ripple effect beyond India’s borders. As businesses strive to comply with this new legislation, it has the potential to become a benchmark for data protection practices worldwide. The DPDPA’s emphasis on informed consent and robust data governance sets a high standard that other countries may look to emulate. This could lead to a more uniform approach to data privacy on a global scale, benefiting both individuals and businesses. The DPDPA significantly strengthens personal data governance in India. It empowers individuals with unprecedented control over their information, meeting international data protection standards and prioritising individual rights in the digital age.
To ensure compliance with the DPDPA, organisations may need to conduct privacy training and awareness programmes for employees and contractors who handle personal information and monitor consent. As businesses adapt, the DPDPA’s framework is poised to become a global benchmark, influencing data protection practices and corporate governance strategies worldwide.
—The writer is CEO and founder of Privezi Solutions and has developed data privacy frameworks and operationalised privacy programmes for enterprises