ABSTRACT
The Digital Personal Data Protection Act, 2023, marks a watershed moment in India’s data-governance landscape by introducing a comprehensive statutory regime governing digital personal data. Enacted in the aftermath of the Supreme Court’s recognition of privacy as a fundamental right in Justice K. S. Puttaswamy (Retd) v. Union of India [(2017) 10 SCC 1], the Act imposes stringent duties on Data Fiduciaries, including consent management, purpose limitation, breach reporting, governance safeguards, and heightened obligations for compliance obligations and significant financial exposure arising from non-compliance.
Keywords: DPDP Act, Data, Fundamental Rights, Duties, Compliance
INTRODUCTION
India’s rapid digitalisation has led to the unprecedented collection and processing of personal data by private companies, financial intermediaries, digital platforms and emerging technology businesses. Until the enactment of the Digital Personal Data Protection Act, 2023, the country lacked a unified statutory framework governing digital personal data. The constitutional foundations for such legislation stem from the Supreme Court’s nine-judge bench decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, [(2017) 10 SCC 1], which held the right to privacy to be inherent to the right to life and personal liberty under Article 21 of the Constitution of India. The Court stressed informational autonomy and decisional privacy, creating an obligation upon the State to establish a data-protection law that ensures transparency, purpose limitation, and proportional use of personal information. The rulings in K.S. Puttaswamy (Aadhaar-5J.) v. Union of India, [(2019) 1 SCC 1] and Anuradha Bhasin v. Union of India, [(2020) 3 SCC 637] have repeatedly affirmed that data processing by either State or non-State actors must satisfy the proportionality and necessity standard. These constitutional standards form the bedrock of the DPDP Act, which introduces statutory mechanisms that directly regulate corporate behaviour.
COMPLIANCE RISKS AND OBLIGATIONS FOR COMPANIES UNDER THE DPDP ACT, 2023
The DPDP Act creates a consent-centric model of data processing. Under Sections 4, 6 and 7 of the Act, 2023, companies can handle personal data only for a lawful and clearly defined purpose, and they must first obtain consent that is genuinely informed, freely given and unambiguous. The Supreme Court’s emphasis on consent in both K.S. Puttaswamy (Retd.) v. Union of India, [(2017) 10 SCC 1] and K.S. Puttaswamy (Aadhaar-5J.) v. Union of India, [(2019) 1 SCC 1] clearly established that informational autonomy lies at the core of privacy. The Courts have repeatedly cautioned digital platforms against collecting data which is unnecessary. In Google LLC v. CCI, [2023 SCC OnLine Del 2681], the Delhi High Court made it clear that digital platforms cannot burden users with disproportionate or intrusive data-processing requirements. Although the case arose in a competition law context, its reasoning closely aligns with the DPDP Act.
The Act also tightens the rules around transparency. Section 5 requires companies to clearly inform users about what data they are collecting, why they are collecting it and what rights individuals have over their information. In WhatsApp LLC v. CCI, [2021 SCC OnLine Del 1347], the Delhi High Court expressed concern over misleading privacy disclosures, signalling a wider judicial shift against opaque data practices. The DPDP Act transforms those expectations into mandatory obligations, and ignoring them can independently trigger penalties.
Security-related duties pose another significant compliance burden. Section 8 requires companies to maintain appropriate technical and organisational safeguards, prevent data breaches, and delete personal data once the purpose of processing has been served. The Madras High Court in Malay K. Mahadevan v. State of Tamil Nadu, [2022 SCC OnLine Mad 403], held state bodies liable for improperly exposing student information, highlighting that any entity, whether public or private, handling personal data must act with care. Under the DPDP Act, companies failing in this duty could invite serious consequences, particularly regarding breach reporting and accountability.
Significant Data Fiduciaries (SDFs) face even more extensive obligations. Section 10 of the Act, 2023 requires SDFs to appoint a Data Protection Officer, conduct periodic Data Protection Impact Assessments, and undergo independent audits. These duties reflect constitutional benchmarks laid down in K.S. Puttaswamy v. Union of India, [(2019) 1 SCC 1], where the Supreme Court insisted on intensified safeguards for entities handling large volumes of sensitive personal data.
The Act, 2023 also introduces rigorous obligations relating to children’s data under Section 9. Companies processing children’s data must obtain verifiable parental consent and are prohibited from behavioural monitoring, tracking or targeted advertising. These requirements echo the Supreme Court’s concern for child safety online in In Re: Prajwala Letter, [(2018) 3 SCC 30], where the Court demanded strong safeguards against digital exploitation of minors. Violations involving children’s data attract some of the highest penalties under the Act, heightening the compliance risk for companies operating in the education technology, gaming, entertainment, and social media sectors.
Cross-border data transfer presents another critical compliance risk. Section 16 of the Act, 2023 permits transfer except to jurisdictions restricted by the Central Government. Companies must therefore conduct transfer-risk assessments and ensure contractual and technical protections. Although the Act does not yet mandate data localisation, the Supreme Court in K.S. Puttaswamy (Retd.) v. Union of India, [(2017) 10 SCC 1], emphasised the duty of the State to protect privacy even where processing occurs outside the country.
CRITICISMS OF THE DPDP ACT
Although it is India’s first comprehensive data protection law, the DPDP Act has drawn criticism for granting the government broad exemptions that may dilute individual privacy rights. The Central Government can exempt its agencies from key obligations such as consent requirements or data-processing limits on wide grounds like national security, raising concerns about unchecked scrutiny. The Act also lacks strong provisions for an independent regulator, as the Data Protection Board’s structure leaves room for executive influence. Additionally, the absence of clear data-localisation rules, limited safeguards for algorithmic decision-making, and vague definitions, particularly around “legitimate uses”, have been criticised. While the Act sets out obligations for companies, it remains relatively silent on state accountability, resulting in an imbalanced framework which may not realise the privacy protections envisioned by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017).
CONCLUSION
The Digital Personal Data Protection Act, 2023, marks a significant shift in India’s privacy framework and places substantial compliance obligations on companies in the digital economy. Duties relating to consent, transparency, purpose limitation, security safeguards, children’s data, and cross-border data transfers require organisations to overhaul their data-management practices. Although the Act, 2023 strengthens privacy protections, concerns about broad government exemptions, limited user rights and the independence of the regulatory Board indicate that India’s data protection regime will continue to evolve.
WRITTEN BY- SUSMITA ROYCHOWDHURY


