See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/380360250

DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE
DATA PROTECTION AND PRIVACY LAW IN INDIA

Article · May 2024

CITATIONS READS

0 1,438

1 author:

Pradip Kashyap
Teerthanker Mahaveer University
44 PUBLICATIONS 6 CITATIONS

SEE PROFILE

All content following this page was uploaded by Pradip Kashyap on 06 May 2024.

The user has requested enhancement of the downloaded file.

12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…
Prof NR Madhava Menon ICREP
Cochin University of Science and Technology
ICREP JOURNAL OF INTERDISCIPLINARY STUDIES
(ISSN 2583-8237)

DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA
PROTECTION AND PRIVACY LAW IN INDIA
Volume 2 Issue I Year 2023

Dr. Pradip Kumar Kashyap

Assistant Professor (Law), Teerthanker Mahaveer University, Moradabad
[email protected]

Table of Contents

1.ABSTRACT
2.INTRODUCTION
3.DEVELOPMENT OF THE RIGHT TO PRIVACY UNDER INDIAN LEGAL SYSTEM
4.THE INTERPLAY OF RIGHT TO PRIVACY AND DATA PROTECTION
5.DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A BASIC ANALYSIS
6.DPDP ACT AND THE ASSURANCE OF PRIVACY IN DIGITAL WORLD
7.CONCLUSION

ABSTRACT
In an era defined by an unprecedented proliferation of digital data and the relentless
evolution of technology, safeguarding personal data has become a paramount
concern for individuals, organizations, and governments worldwide. The effect of social
media on individuals' right to privacy has been the subject of some debate. The
importance of data protection has skyrocketed in the past couple of decades, reaching
new heights that were previously unimaginable due to the digitalization around the
globe including in India. The term, “privacy”, is an idea that has been around since the
beginning of human society. However, understanding privacy may be challenging.
There is no universally accepted definition of "privacy" among scholars since the
concept evolves with society. The term right to privacy has evolved to include right
such as the right to be left alone or to maintain one's anonymity, have emerged
throughout the course of human history. Protecting this right is crucial in the modern
day because of the prevalence of digital media. The introduction of Digital Personal
Data Protection Act, 2023 is pivotal in the sense the legislation establishes protocols for
the lawful processing of personal data, thereby granting authority and safeguarding
the rights of individuals. At its essence, the DPDP Act strives to establish a heightened
level of accountability and responsibility for entities operating within the Indian

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 1/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

jurisdiction, including internet firms, mobile applications, and businesses involved in the
acquisition, retention, and manipulation of citizens' information. With a strong focus on
upholding the 'Right to Privacy,' this legislation aims to ensure that these entities
operate with transparency and are held accountable for their handling of personal
data, thereby giving precedence to the privacy and data protection rights of individual.
Therefore, an analysis of the Digital Data Protection Act 2023 seems relevant through
the lens of privacy.

KEY WORDS: - Data Protection, Privacy, Rights, Transparency, Accountability

INTRODUCTION
In an era dominated by the never-ending exchange of digital information and the
ever-changing environment of technology, protecting personal data has become a top
priority for individuals, corporations, and governments all over the world. The
exponential expansion of social media, e-commerce, and digital transactions has
altered how we interact, work, and live our lives, but it has also highlighted the critical
need for strong data security and privacy rules. The introduction of the Digital Personal
Data Protection Act, 2023 (DPDP Act) in India marks a pivotal moment in the data
protection and privacy. This landmark legislation seeks to establish a new paradigm,
one that strikes a delicate balance between the benefits of technological innovation
and the imperative of safeguarding individual privacy rights.
The 'right to privacy' is a fundamental human right that is recognized in the Universal
Declaration of Human Rights 1948 (UDHR), the International Covenant on Civil and
Political Rights, 1976 (ICCPR), the United Nations Convention on Migrant Workers and the
United Nations Convention on the Protection of the Child, 2003 as well as in many other
international and regional treaties. The right to privacy is explicitly recognized in several
international human rights agreements, conventions, and human rights courts[1]. It is
the bedrock upon which other rights and liberties, such as the freedoms of speech,
association, and belief, are built. However, the right to privacy has emerged as an issue
of critical importance in this era of big data. The idea of privacy in itself may be seen
from two different perspectives. The information or personal data, and the extent to
which it is shared with other parties. The researchers and analysts working with data
now aims to address privacy concerns and guarantee that any data obtained is kept
safe. The widespread use of the internet and the development of more efficient
methods for storing and retrieving massive quantities of data have had far-reaching
effects on how people see the concept of privacy in modern society. The focus of the
current privacy debate is on the practices of third parties regarding the information
they collect and store, including whether or not it is secured or preserved, who has
access to it, and under what conditions they may do so.[2] Usually the government and

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 2/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

commercial players gather, develop, and own extensive databases. The majority of
these enormous datasets are either gathered by private technology businesses,
managed by private stakeholders, or collected by the government in order for the
government to be able to deliver welfare services.[3] For instance, several government
agencies in India, such as the Unique Identification Authority of India (UIDAI), the
Census of India, the Stock Exchange, the Ministry of Rural Development for the Mahatma
Gandhi National Rural Employment Guarantee (MGNREGA), and the Income Tax
Department, all retain vast amounts of data. In addition to these, the Indian
government maintains big data for additional initiatives, such as the Central Monitoring
System, Human DNA Profiling, the Smart Cities Mission, and the Digital India
programme.[4] Big data analytics are being used to promote enterprises by a variety of
non-state players in addition to the government, such as online travel firms, online
retail outlets, and telecom providers. There are some positive aspects of big data, and
the majority of big-data oriented programs have a clearly laid out privacy policy.
However, there is a lack of properly articulated access control mechanism, and there
are doubts over important issues such as data ownership. This is because the majority
of projects involve public private partnership, which involves private organizations
collecting, processing, and retaining large amounts of data[5]. This actually poses a
data security concern as far as protection of data is concerned. Therefore, the article
tries to evaluate how the legislation redefine the contours of data protection and
privacy concerns in India.

DEVELOPMENT OF THE RIGHT TO PRIVACY UNDER INDIAN LEGAL SYSTEM

Prior to the year 1950, there were no legally recognized guarantees relating to privacy in
India. After the Constitution came into force, there was no specific protection of any
basic principle respecting the right to one's privacy. The Fundamental Rights are
guaranteed under Part III of the Constitution from Articles 14-30 of the Indian
Constitution. Judicial activism of the Constitutional courts played a decisive role for the
inclusion of the right to privacy. The Supreme Court, via an expansive reading of the
word "personal liberty," arrived at concluding that the right to privacy is inextricably
linked to the right to life and personal liberty, which are both guaranteed by Article 21.[6]
Since the adoption of the Indian Constitution, the country's judicial system view issues
relating to personal privacy either from the perspective of basic rights or from the
jurisprudence of common law. The debate in relation to it dates back to the decision of
the Supreme Court in the cases of M.P. Sharma and Kharak Singh, where the Supreme
Court initially ruled against recognizing such a right within the Constitution. In the case
of M.P. Sharma, the Court argued that if the framers of the Constitution had not
included it, there was no justification for interpreting the Constitution to include the right
to privacy. Similarly, in the Kharak Singh case, the Court relied on the privacy doctrine
established in the U.S. case of Wolf v. Colorado and rejected the notion that the right to
https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 3/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

privacy was a fundamental right. In Kharak Singh v. State of Uttar Pradesh, the Supreme
Court bench consisting of seven judges, dealt with the fundamental question as to
whether or not it was appropriate for the police to conduct surveillance on people who
had criminal records and make domiciliary visits under the Regulation 236(b) of the UP
Police Regulation. The petitioner challenged it in the court, arguing that it was a breach
of personal liberty, protected under Article 21 of the constitution. It was observed that
the domiciliary visits by police personals during night is unconstitutional[12] thereby,
infringing the fundamental right of the petitioner. Therefore, court held that the
domiciliary visit violated the right of the petitioner to live a dignified and free life.
In the case of Govind v. State of Madhya Pradesh[13], the Supreme Court discussed the
question of privacy once again. The petitioner challenged the validity regulation 855
and 856 of the Madhya Pradesh Police Regulations related to surveillance by the police
personal on the accused. It included domiciliary visit resulted in false accusation on the
petitioner. Though Supreme court dismissed the petition, it directed to make necessary
amendments to the Madhya Pradesh Police Regulation. Justice Mathew observed thus:
"Rights and freedoms of citizens are set forth in the Constitution in order to guarantee
that the individual, his personality, and those things stamped with his personality shall
be free from official interference as long as there is not a reasonable basis for
intrusion."

In para 3 of the judgment, The court happened to quote the slogan articulated by
Professor Corwin which is "Liberty against government,". When seen in this light, a
significant number of the basic rights enjoyed by people may be interpreted as having
some bearing on the right to privacy.
In People's Union for Civil Liberties v. Union of India it was held that phone tapping in the
name of executive surveillance is infringement of the fundamental right throwing light
on the right to privacy in Indian legal regime. Therefore, it was held that the very act is
an infringement of rights provided under Article 21 of the Constitution of India.
In the case of Unique Identification Authority of India &Anr. v. Central Bureau of
Investigation[15], Supreme court held that the biometric data shall not be shared with
any agency or third party without the consent of the individuals. A written consent will
be sufficient for obtaining biometric data from them. Additionally, the honorable court
also specified that individuals cannot be denied access to any services for not
possessing an Aadhar number. Various authorities were instructed to revise their
circulars and forms promptly so that the mandatory requirement of an Aadhaar
number is no longer necessary to fulfill the requirements outlined in the Court's interim
order.
However, in 2017, the Supreme Court in a landmark judgment in K.S. Puttaswamy v.
Union of India[16], overturned both the M.P. Sharma and Kharak Singh[8] decisions. The

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 4/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

central issue in the case was whether the Constitution guaranteed right to privacy. The
Attorney General of India contended that privacy was not encompassed within the
fundamental rights guaranteed to Indian citizens. It was held that the right to privacy is
a fundamental right. Justice D.Y. Chandrachud, in his opinion, emphasized the
necessity of creating a robust framework for data protection to safeguard the interests
of both the State and its citizens. Justice S.A. Bobde, affirmed that the right to privacy is
an integral aspect of personal liberty and is guaranteed under Article 21 of the
Constitution.

THE INTERPLAY OF RIGHT TO PRIVACY AND DATA PROTECTION

The normative truth that there exists a link between the right to privacy and the data
protection legislation which is indisputable under any circumstances. In spite of the
fact that these two abstract ideas are likely to be conceptually inextricable from one
another, there is a real connection that exists between the right to privacy and the right
to data protection. The fact that the right to privacy has been acknowledged as a basic
right is the precise basis for the claim that data protection regulations have gone such
a long way. However, for the purposes of the Data Protection law, there has to be a
clear and precise definition of the right to privacy[17]. The right to privacy is an abstract
notion, and there is a great deal of uncertainty among the legislators of the various
countries, when it comes to providing a precise definition of the right to privacy.
One of the most widely accepted interpretations of the right to privacy in the context of
the protection of personal information is as follows: "Privacy is the claim of individuals,
groups, or institutions to determine for themselves when, how, and to what extent
information about them is communicated to others”[18]. That is the "Right to self-
determination". It is an idea that has a great deal of weight in any democratic
framework, and as a result, it has a great deal of sway over the people. Though there is
right to self-determination, the data once shared must be protected from sharing with
others thereby respecting the privacy of individuals. Therefore, its critical to understand
what is data protection.
The term "data protection" refers to the procedures, protections, and legally
enforceable laws that have been put into place to secure the personal information you
provide and to guarantee that you retain control over it. In a nutshell, one should be
able to choose whether or not one needs to disclose certain information, who needs to
be given access to it, for how long, and for what purpose; the right of one to edit some
aspects of this information and so forth. According to the opinions of jurists, the phrase
"data protection" is a catch-all terminology that is used to describe anything that is
linked with the processing of personal data. This is because the word "data protection"
is used to denote everything associated with the processing of personal data.[19]

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 5/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

Generally, "Personal data" and "processing" are two tenets of data protection laws.[20]
Since, the meaning of the word "processing" is as broad as the whole legislation of data
protection itself, it should be defined in a way that is generous in order to increase the
scope of the protection that is bestowed by the law. A material action that has a direct
influence on the data is referred to as processing, and this would go on to cover the
gathering of data, its storage, utilization, and distribution. The vast majority of
sophisticated data protection regimes advocate for interpreting the word in the
broadest sense feasible. It is necessary to acknowledge that the whole goal of having a
data protection legislation would be undermined if the meaning of the word
"processing" were allowed to be interpreted in an overly broad manner. The second
component of the Data Protection Laws is, unsurprisingly, the idea of "Personal Data."
This phrase refers to anything that may be used to identify a person or any information
that can be related to the individual identity of a person. It also refers to anything that
can be used to identify a group of people.[21]
In accordance with this same line of thinking, one must decide whether or not a
category of data may be categorized as personal. Once these aspects of data
protection laws have been clarified, one will be in a position to have a better
understanding of the whole notion of data protection laws. When it comes to the
processing of personal data, protection here refers to a reasonable degree of fairness
that is in line with the standards that have been established. The rules governing data
protection, however advanced significantly due to digitalization all over the world. Now
the legislations in India try to provide predominant consideration to informational self-
determination and informational autonomy. Informational self-determination is the
right of an individual to select the circumstances under which their personal data may
be revealed in the first place. This right is sometimes referred to as the right to privacy.
[22] Taking this into consideration, one can frame the definition of data protection laws

as, "a set of rules that protect the dissemination, collection, using, erasure, storage, and
destruction of all this information".[23]
The notion of having the right to be left alone is credited with being the seed that grew
into other data protection principles, such as the principle of purpose restriction, the
principle of fairness of processing, and the right to deletion, among others. However, the
introduction of Digital Personal Data Protection Act, 2023 is a new light into the privacy
legal regime in India. It sets out the standards for data fiduciaries (entities handling
digital data) concerning their data principals (individuals to whom the data pertains).
This legal framework has offered significant reassurance of protection of personal data.

DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A BASIC ANALYSIS

After about a decade of work, on August 9, 2023, the Rajya Sabha "unanimously"
enacted the Digital Personal Data Protection Bill (DPDP), 2023[24]. As a result, it has
understandably sparked a range of responses. The government acknowledged that
https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 6/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

one of the primary aim of the Act is to find a middle ground between safeguarding
personal data and allowing the use of such data for authorized reasons, in order to
facilitate innovation and boost economic development. On July 5, the Union Cabinet
approved this critical legislation, which was tabled at the ongoing Monsoon Session of
Parliament, which began on July 20, 2023. It went through the legislative process
quickly, getting approval in the lower house (Lok Sabha) on August 7 and the upper
house (Rajya Sabha) on August 9. After getting the President's approval on August 11,
2023, the DPDP Bill, 2022 became the Digital Personal Data Protection Act,2023.[25] The
Act has not come into force as the official notification is yet to come.
The DPDP Act covers the processing of digital personal data within India in two
scenarios; firstly, when such data is obtained in digital format from data principals; and
secondly when such data is initially gathered in non-digital form and then digitized. As
a result, the DPDP Act does not apply to non-digitalized personal data
processing. Furthermore, the scope of the statute has been broadened. It has an
extraterritorial applicability, which includes the processing of digital personal data
outside of India's boundaries if it relates to the provision of goods or services to data
principals in India. Notably, the DPDP Act does not expressly state whether its provisions
apply to the processing of personal data belonging to data principals located outside
of India. It grants certain exceptions to the startup from the stringent provisions. The
term “Personal Data” has been introduced in the Act. It imposes an obligation on data
fiduciaries to secure personal data in their custody by implementing reasonable
security measures to avoid breaches. The data fiduciary is required to notify both the
Board and the impacted data principals in the case of a data breach. The method of
notification, however, is left to be determined. When it comes to the processing of
Personal Data, the Act clearly defines it to include collection, recording, organization,
storage, adaptation, retrieval, utilization, alignment, combination, indexing, sharing and
disclosure of personal data. With regards to the processing of personal data of a child,
the act mandate to obtain the consent of the parent.[26]
The notion of a 'data principal' has been significantly broadened.[27] It now not only
covers individuals but also encompasses parents or legal guardians of children whose
personal data is in question. Furthermore, the definition has been expanded to include
legal guardians of 'individuals with disabilities.' The Act deals with data fiduciary as well.
According to the DPDP Act, a data fiduciary is anyone, whether individually or in
collaboration with others, who determines the objectives and methods for processing
personal data. Data fiduciaries are permitted to handle personal data only for lawful
purposes, subject to obtaining consent. This consent needs to meet certain criteria: it
must be freely given, specific, informed, unconditional, and unambiguous. It requires an
explicit affirmative action from the data principal to indicate their agreement to the
processing of their personal data for the specified and necessary purpose.[28] When
requesting consent, the following conditions must be met.

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 7/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

The request must be presented in a clear and easily understandable manner, with the
option to access the request in either English or any of the 22 languages listed in the
Eighth Schedule to the Indian Constitution[29]. The request must include contact
information for the data protection officer or an authorized representative who can
handle communications from the data principal.
Additionally, a data fiduciary must provide a comprehensive notice to the data
principal either during or before seeking consent. This notice should cover several
important elements, firstly, explanation of the personal data to be collected and the
purpose for which it will be processed. Secondly, description of the data principal's
rights, including the right to correction, withdrawal of consent, and the procedure for
filing complaints with the Board. Thirdly, clarity on how a complaint can be lodged with
the Board.
In cases where consent was granted before the enactment of the DPDP Act, the data
fiduciary must provide such notice "as soon as it is reasonably practicable." This notice
should be presented in plain language, either as a separate document, electronically,
or in a manner as specified by regulations.[30]
Under the DPDP Act, certain violations, including the failure to prevent personal data
breaches, can result in penalties of up to INR 250 crore. Importantly, the previous cap of
INR 500 crore for single-instance penalties has been eliminated. Unlike earlier versions,
this law does not allow data principals affected by breaches to seek compensation
from data fiduciaries. Instead, the Board can now impose penalties of up to INR 10,000
on data principals who fail to fulfill their obligations.[31]

DPDP ACT AND THE ASSURANCE OF PRIVACY IN DIGITAL WORLD

The emergence of world wide web and technological advancement has improved the
quality of individuals’ life. It provided easy access to the information, access to varies
services and speedy communication. However, it has unlocked new threats such as
credit card fraud, phishing, hacking, and spamming which raised concerns on the
digital data protection. Since the information technology plays pivotal role in
everyone’s life, the protection of digital data is need of the hour. Therefore, the
European Union and United States had their stringent law on data protection during
late 90’s.
In India the Information Technology Act 2000 was enacted in compliance with Model
Law on Electronic Commerce 1998, by United Nations Commission on International
Trade Law (UNCITRAL). It provided legal recognition to e- commerce in India. The term
Cyber crime is not defined under the legislation. However, the Act mention few
instances of the cyber related crimes. The privacy of digital data was not
comprehensively dealt under the Act. However, the Act assign duty on the body
corporate which includes firms which engaged in commercial and professional

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 8/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

services to protect the sensitive personal data.[32] However, the term sensitive personal
data is not adequately defined causing confusions as to what constitute sensitive
personal data.
The Act also deals with intermediary liability. It prescribes that intermediary has duty to
retain the information as per the format prescribed by the Central government.[33] In
Shreya Singhal Case the court observed that the intermediary should observe due
diligence in exercising their duty and they must refrain from publishing sensitive
information of individuals affecting their privacy. The court held that the intermediary
can take down such content on the order of the court. But the Act was not sufficient to
protect the digital data of the individual. Therefore, need for a comprehensive data
protection law was most the debated area.
The DPDP Act is a pivotal legislation in India’s data governance. It provides manner of
processing personal data for lawful purpose in India. The Act defines the personal data
and personal data breach. Unlike the IT Act which failed to define sensitive personal
information, the Act clearly defines what include personal data. It provides a clarity to
the object of the Act. The personal data means to include any information in relation to
an individual.[35] The personal data breach includes unauthorized processing,
disclosure, destruction or loss of personal data.[36] Therefore, the Act mandate the data
fiduciary to obtain consent from data principals before processing the personal data
for lawful purpose.[37] When it comes to processing the personal data of children below
the age of 18 years old, the data fiduciary has to obtain consent from the parent or
guardian of the Child.[38] However, the Act is hugely criticized for its vagueness and lack
of clarity in many provisions of the Act. The excessive reliance on delegated legislation
provides discretion to various administrative agencies to obtain data and the use of
phrase ‘prescribed by the law ‘raises concerns about the lack of clarity and ambiguity.
Though, Data Protection Board was a mechanism envisaged under the provision of
the Act, the award of compensation to aggrieved Data Principals is not mentioned and
the penalties imposed by the board on Data Fiduciary in violation of any provision of
the Act will be credited into Consolidated Fund of India. The Act does not mandate data
fiduciaries to obtain consent from data principals prior to exchanging data with other
data fiduciaries or data processors. This limits the power of data principals over their
personal data. The local storage of data is not required under the Act and any business
entity can transfer data to foreign countries which are not in the negative list to be
notified by the government. However, the criteria of negative listing are unknown. The
Act creates uncertainty in some areas of legislation relating to data portability, data
storage obligations, and non-digital personal data processing. This paves way for
potential abuses of the Act.[39]

CONCLUSION

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 9/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

In today's digital age, data protection and privacy are fundamental to safeguarding
personal information. The identity details of individuals are essential for safety reasons.
[40] The Digital Personal Data Protection Act, 2023 represents a significant step in India's

journey to establish comprehensive data protection regulations. It has been

commended as a robust standalone data protection framework.[41] When an individual
shares their data with legitimate organizations they may under the pretext that the
information is secure and will not be shared with any other third parties or agency
without their consent. The DPDP Act is a step forward towards it. As data privacy
remains pivotal, India's progress in this domain is crucial to align with global standards.
However, the DPDP Act is hugely criticized for hasty passing the Digital Personal Data
Protection Bill, 2023 in both houses of Parliament without any meaningful discussion.
Some provisions are subject to Central Government determinations, raising worries
about unchecked rule-making and potential gaps in regulation. Moreover, it seems
paradoxical that the DPDP Act imposes duties on data principals where, its aim was to
protect their rights. It includes not to impersonate oneself while sharing the data with
other, to comply with law and regulations from time to time, not to suppress any
material information not to file a frivolous complaint against data fiduciary and to
furnish the information which is authentic.[42] The legislation is also criticized for diluting
the RTI Act, whereby the personal information of public officials will not be disclosed.
The overriding effect of the Act on RTI Act was an area of concern amongst citizens.
However, it is a reality that no data protection regulation can, strictly speaking, provide
total informational self-determination. On the other hand, a strong law may guarantee
protection to the data shared and thereby protect privacy.

References

1. Kuner, Christopher, An International Legal Framework for Data Protection: Issues and Prospects, 25
Computer Law & Security Review 307-317 2009, https://ssrn.com/abstract=1443802
2. NANDAN KAMATH, Law Relating To Computers, Internet, And E-Commerce: A Guide To Cyber Laws
And The Information Technology Act, 2000 121 (Kamal Law House, Calcutta,1st Ed. 2020).
3. Jason Asbury, Maria McClelland, Kris Torgerson, India Vincent & Jennifer Boling, Law and Business
Technology: Cyber Security & Data Privacy Update, 20 Transactions: TENN. J. BUS. L. 1065, 1067-71
(2019).
4. Ibid.
5. Dhiraj R. Duraiswami, Privacy and Data Protection in India, 6 J.L. & CYBER WARFARE 166, 169-172
(2017)
6. Kumar, Rahul, Jurisprudence of Right to Privacy in India, 2020, https://ssrn.com/abstract=3664257
or http://dx.doi.org/10.2139/ssrn.3664257
7. MP Sharma v Satish Chandra, (1954) 1 SCR 1077
8. Kharak Singh v. State of U.P and others, 1964 SCR (1) 332
9. Ibid.
10. 338 U.S. 25 (1949).

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 10/12
12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

11. Supra note 9.

12. SUPREME COURT OBSERVER, https://www.scobserver.in/journal/right-to-privacy-court-in-review
(last visited Sep.27, 10:01 A.M).
13. State of Madhya Pradesh,Govind v. State of Madhya Pradesh, 1975 AIR 1378.
14. Peoples Union for Civil Liberties v. Union of India AIR 1997 SC 568
15. Unique Identification Authority of India & Anr. v. Central Bureau of Investigation, Special Leave to
Appeal (Crl) No(s).2524/2014.
16. K.S. Puttaswamy v. Union of India, ((2017) 10 SCC
17. Systems Thinking, Big Data, and Data Protection Law, 18 Eur. J.L. Reform 478 (2016).
18. Orla Lynskey, Deconstructing Data Protection: The Added-Value of a Right to Data Protection in
the EU Legal Order, 63 INTL & COMP. L.Q. 569, 577-81 (2014).
19. Paul Crocetti, Peterson, Senior, Kim Hefner, What is data protection and why is it important?,
TECHTARGET NETWORK(Aug. 12,2023,11:15 AM)
https://www.techtarget.com/searchdatabackup/definition/data-protection
20. Anneliese Roos, Core principles of data protection law,39 The Comparative and International Law
Journal of Southern Africa 102, 104- 108(2006).
21. Supra note 17.
22. D Bruschi, Not just GDPR. In D. Wittkower (Ed.), Computer Ethics - Philosophical Enquiry (CEPE)
Proceedings, 9(*2019)
https://digitalcommons.odu.edu/cepe_proceedings/vol2019/iss1/9
23. Silvia Lucia Cristea & Viorel Banulescu, The Right to Personal Data Protection. The Right to Privacy.
A Comparative Law Approach, 64 Analele Stiintifice Ale Universitatii Alexandru Ioan Cuza Din Iasi
Stiinte Juridice 1, 3-5 (2018).
24. The Digital Personal Data Protection Act, 2023, No.22, Acts of Parliament, 2023(India).
25. Khyati Anand and Melissa Cyrill, Indias Digital Personal Data Protection Act, 2023: Data Privacy
Compliance,INDIA BRIEFING (Aug.15,2023, 12:30 PM), https://www.india-briefing.com/news/indias-
digital-personal-data-protection-act-2023-key-provisions 29021
26. Supra note 21
27. The Digital Personal Data Protection Act, 2023, 2(j), No. 22, Acts of Parliament, 2023(India).
28. Supratim Chakraborty and Himeli Chatterjee, Indias Digital Personal Data Protection Act, 2023
Impact on Hospitality Sector, SCCONLINE (Aug. 12, 2023, 11:40 AM)
https://www.scconline.com/blog/post/2023/08/22/indias-digital-personal-data-protection-act-
2023-impact-on-hospitality-sector/
29. AZBPARTNERS, https://www.azbpartners.com/bank/digital-personal-data-protection-bill-2023-
key-highlights last visited (Aug 15, 2023).
30. Ibid
31. Ibid.
32. The Information Technology Act, 2000, 43A, No. 21, Acts of Parliament, 2000(India).
33. The Information Technology Act, 2000, 67C, No. 21, Acts of Parliament, 2000(India).
34. Shreya Singhal v Union of India, AIR 2015 SC 1523.
35. The Digital Personal Data Protection Act, 2023, 2(t), No. 22, Acts of Parliament, 2023(India).
36. The Digital Personal Data Protection Act, 2023, 2(u), No. 22, Acts of Parliament, 2023(India).
37. The Digital Personal Data Protection Act, 2023, 4(1), No. 22, Acts of Parliament, 2023(India).

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 11/12
View publication stats

12/20/23, 3:00 PM DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN I…

38. The Digital Personal Data Protection Act, 2023, 9, No. 22, Acts of Parliament, 2023(India
39. John Brittas,Aneesh Babu, What Lies Beneath the PR Blitz on the New Data Protection Act?, THE
WIRE, (Sep 27, 2023, 02:11 PM)
https://thewire.in/government/what-lies-beneath-the-pr-blitz-on-the-new-data-protection-act
40. DUBEY,R.K.,VERMA,A.DATA PROTECTION AND PRIVACY IMPLEMENTATION: INDIA PERSPECTIVE 12
(Independently published 2019).
41. Isha Suri, Rajat Kathuria, Digital Personal Data Protection Act: The speedbumps ahead, INDIAN
EXPRESS (Sep 1, 2023, 10:05 AM)
https://indianexpress.com/article/opinion/columns/digital-personal-data-protection-act-
ashwani-vaishanw-pdpb-2023-rajya-sabha-8902839
42. The Digital Personal Data Protection Act, 2023, 15, No. 22, Acts of Parliament, 2023(India).
0

https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1 12/12