The Platform
India’s Struggle for Digital Rights
India’s Digital Personal Data Protection Act (DPDPA), inspired by Europe’s GDPR, marks progress in data privacy but faces criticism for its narrow scope, vague provisions, and potential for state overreach.
India’s Digital Personal Data Protection Act (DPDPA) of 2023 marks a pivotal moment in the country’s evolving approach to data privacy. Drawing heavily from Europe’s General Data Protection Regulation (GDPR), the DPDPA incorporates key principles such as lawfulness, fairness, transparency, data minimization, and accountability. Much like the GDPR, it grants individuals significant rights over their data—such as access, rectification, erasure, portability, and the ability to object to its processing—and sets the stage for ensuring proper safeguards in cross-border data transfers.
Despite these similarities, the differences between the two frameworks are striking and consequential. The DPDPA, for instance, focuses exclusively on “digital personal data” processed within India, applying to Indian businesses and foreign entities offering goods or services to Indian citizens. In contrast, the GDPR adopts a more global scope, regulating any organization handling the personal data of EU residents, regardless of where the organization is based. The DPDPA also enforces stricter requirements for obtaining valid consent for data processing, setting it apart as a more focused yet potentially more restrictive regime.
However, one of the most glaring disparities lies in data breach notification protocols. The GDPR mandates that breaches be reported to the Supervisory Authority within 72 hours and, in certain cases, to affected individuals. On the other hand, the DPDPA requires that Data Fiduciaries notify the Data Protection Board within 72 hours but does not specify clear timelines or obligations for informing the individuals affected—referred to as Data Principals. This ambiguity raises questions about transparency and accountability, leaving consumers in the dark during critical moments of data vulnerability.
Similarly, the rules surrounding cross-border data transfers reveal another area of uncertainty. The GDPR provides explicit mechanisms, including standard contractual clauses and binding corporate rules, to ensure secure international data exchanges. The DPDPA, by contrast, lacks comparable provisions, leaving businesses without clear guidance on compliance in a globalized digital economy.
Equally contentious is Section 5 of the DPDPA, which allows the state and its instrumentalities to process citizens’ personal data for purposes such as providing subsidies, benefits, or services. Critics have argued that this clause creates a loophole for potential misuse, enabling state overreach in ways that could undermine citizens’ rights. Organizations such as the Internet Freedom Foundation have highlighted this concern, suggesting that the provision violates the foundational principles of the Indian Supreme Court’s landmark Puttaswamy judgment.
In the Puttaswamy case, Justice D.Y. Chandrachud emphasized the intrinsic connection between privacy, human dignity, and autonomy, rejecting the notion that privacy is a privilege reserved for the elite. Citing legal theorist Gary Bostwick, Chandrachud underscored privacy as both a personal right and a collective societal value—a cornerstone of democratic governance. According to Bostwick, privacy encompasses a dual mandate: restricting state interference in personal lives and compelling the state to safeguard individuals against privacy intrusions by private entities. His perspective resonates strongly in today’s debates on digital privacy, where the tension between state authority and individual rights becomes more pronounced.
Yet, the DPDPA’s exclusive focus on digital data may leave broader privacy concerns unaddressed. For example, the Act does not adequately protect individuals from intrusive surveillance or violations of their physical privacy, which are key components of a holistic approach to data protection. As Bostwick argues, privacy must extend beyond digital boundaries to fully safeguard individuals’ autonomy and dignity.
While the DPDPA represents a significant step forward, it is far from comprehensive. Its narrow scope, coupled with ambiguities surrounding key provisions such as data breach notifications and cross-border data transfers, underscores the need for further refinement. Additionally, its potential to enable state overreach demands rigorous checks and balances to ensure the Act fulfills its promise of protecting individual rights without compromising democratic values.
To evolve into a robust framework, the DPDPA must address these shortcomings and embrace a more expansive vision of privacy—one that balances individual freedoms with the need to foster trust in India’s rapidly growing digital economy. Only then can it achieve its goal of establishing a secure and equitable digital landscape for all citizens.
Khushi Mishra is a law student at Guru Gobind Singh Indraprastha University, New Delhi.