Digital Data Protection Act of India, 2023: Crucial Points and Comparisons with GDPR

Delve into essential facets of India's 2023 Data Protection Act and its comparison with the GDPR in this comprehensive investigation.

Unravel crucial points of India's 2023 Data Protection Act and learn how it stacks up against the European Union's General Data Protection Regulation (GDPR) in this comprehensive analysis.

In this modern, tech-driven world, your personal data holds immense worth, carrying both moral and commercial significance. Protecting it is therefore crucial, not just to safeguard your privacy, but also to prevent potential harms like identity theft or discrimination, and to maintain trust in the digital sphere.

One might be surprised to learn the true value of their personal information, especially in the context of social media, where data fuels immense economic value.

Events that Shaped India's Data Protection Landscape

Justice K.S. Puttaswamy v. Union of India (2018)

The landmark Supreme Court verdict in the Justice K.S. Puttaswamy case marked a significant turning point in India. The judgment recognized the right to privacy as an intrinsic part of the fundamental right to life and personal liberty. It emphasized the need for a data protection law, paving the way for a comprehensive data protection framework in India.

Proposal for Data Protection: The DPDA Act

The DPDA Act, proposed by the Justice B.N. Srikrishna Committee, offers a solution. This committee, constituted by India's Union Ministry of Electronics and Information Technology in 2017, was tasked with identifying key issues of data protection and proposing a way forward, which it did in 2018 with the Personal Data Protection Bill.

The bill includes several key recommendations:

  • The law should be technology-neutral, adaptable, and comply with evolving technologies and standards.
  • It should apply to both private organizations and the government.
  • Consent should be genuine and data processing should be minimal, only for essential purposes.
  • There should be strong penalties for improper data processing.
  • Data localization may be required in specific sensitive sectors, but it's not recommended universally.

Digital Personal Data Protection Act, 2023 (DPDA Act, 2023)

The DPDA Act, enacted on August 11, 2023, recognizes the need to balance individual rights to protect personal data with the need for lawful data processing. The Act applies to processing within India and outside India in connection with offerings of goods or services within India.

Addressing stakeholder concerns about data localization, the DPDA Act allows default cross-border data transfer without requiring adequacy decisions or specific transfer mechanisms. However, the Central Government can designate certain countries where data transfer may be prohibited. Other restrictions may apply under applicable laws.

As of June 2025, the Draft Rules for implementation have been published for public consultation, promising stricter data protection regulations for businesses in India.

Key Rules of the Draft DPDA Rules

Rule 3: Data Fiduciaries must provide clear, easy-to-understand notices outlining the personal data being processed, its purpose, and the services involved, along with simple instructions for withdrawing consent and exercising rights under the law.

Issue: Describing vast amounts of personal data in detail for AI model training could be challenging, potentially hindering economic growth in developing countries like India, where the latest technologies such as AI are still in development.

Rule 5: State and its instrumentalities can process personal data for providing services, benefits, or licenses, adhering to specified standards.

Issue: Holding individual departments or employees accountable for data processing in large organizations might prove difficult.

Rule 6: Data Fiduciaries must implement security safeguards to protect personal data from breaches, through measures like encryption, access control, monitoring, etc.

Issue: For small organizations, implementing these safeguards may present an additional financial burden.

Additional Obligations for Significant Data Fiduciaries under Rule 12

Significant Data Fiduciaries must conduct regular Data Protection Impact Assessments and audits, verify that no risk to Data Principals' rights is posed by algorithmic software, and avoid transferring specific personal data outside India.

Issue: The draft rules have not specified which organizations will be designated as significant data fiduciaries, potentially causing concerns for companies investing in India.

Exercising Rights of Data Principals under Rule 13

To access or erase their personal data, Data Principals can make requests to the Data Fiduciary. However, complications may arise when Data Principals withdraw consent during the training period of AI models.

Processing Personal Data Outside India under Rule 14

Data transfer outside India is subject to restrictions. The Data Fiduciary must comply with conditions set by the Central Government.

Issue: The present draft rules do not specify which countries will be blacklisted.

Similarities and Differences between GDPR and DPDA Act

The DPDA Act shares several principles with the General Data Protection Regulation (GDPR) of the European Union but also exhibits differences. Equivalent terms in the two laws include Data Principal (DPDP Act) and Data Subject (GDPR), and Data Fiduciary (DPDP Act) and Data Controller (GDPR).

Similarities include both laws regulating personal data handling, allowing processing for health emergencies, public interest, or legal obligations, mandating consent for personal data processing, and granting Data Subjects/Data Principals the right to access, correct, and delete their personal data, among other rights.

Differences, however, include the applicability of DPDA only to digital personal data, designated organizations having additional obligations under DPDA Act, lack of provisions relating to contractual necessity or legitimate interests in DPDA, and no provisions on special categories of personal data, data portability, or automated decision-making in DPDA.

In summary, the Digital Personal Data Protection Act (DPDP Act) marks a significant step towards comprehensive data protection in India, addressing concerns arising in the digital age and balancing individual privacy rights with the need for lawful data processing. As India's technology landscape continues to evolve, so too will its data protection framework and regulations.

  1. The value of personal data extends beyond privacy and individual rights, impacting finance, business, and education, as seen in the digital economy where data fuels significant economic value.
  2. The implementation of data protection services is crucial to prevent potential harms like identity theft or discrimination, and to ensure business continuity and public trust in the digital sphere.
  3. The enactment of the Digital Personal Data Protection Act (DPDA Act, 2023) in India sets a foundation for balancing individual rights to protect personal data with the need for lawful data processing.
  4. With the DPDA Act, data localization may be required in specific sensitive sectors, but cross-border data transfer is allowed by default, subject to specific conditions and restrictions set by the Central Government.
  5. The ongoing evolution of technology and cloud computing in India necessitates adaptable and evolving data protection laws and regulations, such as the DPDA Act, to support education and self-development in data-driven fields.
