Introduction
In today’s digital world, almost every activity involves sharing personal information—whether we are using mobile apps, shopping online, opening bank accounts, booking tickets, filing taxes, or accessing social media platforms. Information such as mobile numbers, Aadhaar details, PAN, bank account data, browsing habits, and location details is continuously being collected and processed.
To safeguard the privacy of individuals in the digital ecosystem, the Government of India introduced the Digital Personal Data Protection Act, 2023 (DPDP Act). This landmark legislation establishes a comprehensive legal framework governing how digital personal data is collected, stored, used, and shared.
The law aims to strike a balance between:
- Protecting the individual’s right to privacy; and
- Enabling lawful and efficient use of data for innovation, governance, and economic growth.
Key Terms Under the DPDP Act
A few basic terms make the law easier to follow:
1. Data Principal
The individual to whom the personal data relates. In simple words, you are the Data Principal when your personal information is collected by any company, app, institution, or government authority.
2. Data Fiduciary
Any person, company, organization, government body, or entity that determines why personal data is collected and how such data will be processed. Examples include:
- Banks
- E-commerce platforms
- Hospitals
- Social media apps
- Educational institutions
3. Data Processor
A person or entity that processes personal data on behalf of a Data Fiduciary. For example, a cloud-storage company or a third-party payroll processor handling data for another business.
Scope and Applicability of the Act
The DPDP Act applies to:
A. Processing of Digital Personal Data within India: The law applies to digital personal data collected online, or collected offline and later digitized.
B. Processing Outside India: The Act also applies to companies or entities located outside India if they process personal data for offering goods or services to individuals in India. This means many international platforms and global technology companies fall under the scope of the Act.
C. Data Not Covered: The Act generally does not apply to purely offline personal data that is never digitized, personal or domestic use of data, or certain exempted categories notified by the Government.
Rights of Individuals Under the DPDP Act
1. Right to Notice and Consent
Before collecting personal data, companies must provide a clear notice explaining what data is being collected and for what purpose, and obtain consent in clear and plain language. Consent should be free, informed, specific, unconditional, and capable of being withdrawn. Individuals may also manage or withdraw consent through registered Consent Managers or through the platform itself.
2. Right to Access Information
Individuals have the right to ask a company for a summary of personal data being processed, details regarding processing activities, and information about third parties with whom the data has been shared.
3. Right to Correction and Erasure
If personal data is inaccurate, incomplete, or outdated, individuals can request correction or updation. Further, upon withdrawal of consent or closure of an account, the company must erase personal data unless retention is required under any law.
4. Right to Grievance Redressal
Every Data Fiduciary is required to establish a grievance redressal mechanism. If a company fails to address complaints properly, individuals may approach the Data Protection Board of India (DPBI) established under the Act.
5. Right to Nominate
An individual may nominate another person who can exercise rights on their behalf in the event of death or incapacity.
Legitimate Uses Where Consent May Not Be Required
The Act recognizes certain situations where personal data may be processed without explicit consent. These are referred to as “Legitimate Uses”. Examples include:
- Compliance with legal obligations
- Medical emergencies
- Disaster management
- Employment-related purposes
- Provision of government benefits or services
- Prevention and detection of fraud
Exemptions Under the Act
Certain exemptions have been provided under the DPDP Act.
1. Personal or Domestic Use: Personal data used purely for household or personal activities—such as maintaining contact lists or family photographs—is generally outside the scope of the Act.
2. Legal and Judicial Purposes: Processing of personal data necessary for enforcing legal rights, defending legal claims, judicial proceedings, or court-related functions is exempt from core data fiduciary obligations and notice requirements to ensure unhindered judicial processing.
3. Government and Security Exemptions: Certain government agencies may be exempted by the Central Government in the interests of sovereignty and integrity of India, security of the State, public order, or prevention and investigation of offences.
Special Protection for Children’s Data
The Act imposes stricter obligations regarding children’s personal data. Under the DPDP Act, a child means a person below 18 years of age. Data Fiduciaries are prohibited from undertaking targeted advertising directed at children, or tracking and monitoring children for behavioural advertising. Parental consent is generally required before processing children’s personal data.
Data Protection Board of India (DPBI) & Penalty Framework
The Act establishes the Data Protection Board of India (DPBI) as the adjudicating authority responsible for monitoring compliance, handling grievances, conducting inquiries, and imposing penalties for violations.
To ensure accountability, the Act prescribes substantial monetary penalties for violations. The actual penalty depends on factors such as the nature and gravity of the breach, duration of default, and mitigating measures taken.
| Nature of Default | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards resulting in a data breach | ₹250 Crore |
| Failure to report data breaches to authorities and affected users | ₹200 Crore |
| Violations involving children’s personal data | ₹200 Crore |
| Non-compliance with additional obligations of Significant Data Fiduciaries | ₹150 Crore |
Duties of Individuals
While the law grants rights, it also imposes responsibilities. A person may face penalties up to ₹10,000 for misconduct, such as filing false or frivolous complaints, or furnishing false particulars and impersonating another person.