Unpacking India’s Digital Personal Data Protection Act: A New Dawn or a False Start?

by | Aug 22, 2023

author profile picture

About Aditi Kanoongo and Harshitha Adari

Aditi Kanoongo is a third-year student at the National Academy of Legal Studies and Research, Hyderabad. She is passionate about Constitutional Law and Socio-Legal Issues, and how they coalesce.  Harshitha Adari is a third-year student at the National Academy of Legal Studies and Research, Hyderabad. Her areas of interest include Human Rights Law and the intersection of public law and technology.   

The Government of India recently passed the Digital Personal Data Protection Act 2023, with the primary purpose of regulating the processing and protection of individuals’ personal data, whilst laying down obligations of the data fiduciaries. While this legislation marks a milestone as India’s first-ever privacy Act, there has also been pushback against its plausible adverse implications for human rights. 

Firstly, Section 18(2) of the Act provides a blanket exemption to the “instrumentality of the State” from any or all provisions, with no procedural safeguards to process data in the “interest of state security or maintenance of public order.” Further, the powers conferred under Section 8 give the government carte blanche, allowing the State to process personal data without the data principal’s express consent, coupled with no obligation to erase the data after the purpose of processing. This protection for data processing, collection, and retention by various government agencies could have significant consequences for citizen profiling and surveillance.

In 2017, a nine-judge bench of the Supreme Court in KS Puttaswamy v Union of India reaffirmed the right to privacy as a fundamental right under Article 21. It is questionable whether the exemptions under this Act meet the threshold of the proportionality test as laid down in Puttaswamy. The test was later strengthened in Anuradha Bhasin v Union of India,noting that every invasion of privacy must fulfill certain requirements. Moreover, the Act does not draw a distinction between sensitive and non-sensitive personal data. Unlike the 2019 and 2022 Bills, wherein the State had the authority to process sensitive information of the data principal only upon consent, the current Act leaves the sensitive personal data with no special protection. Thus, it opens up more avenues for privacy breaches.

Secondly, the Act has institutionalised the denial of information by omitting Section 8(1)(j) of the Right to Information Act 2005, which allows access to personal information, if sought for the larger public interest. It is pertinent to note that the Right to Information Act was introduced as a vanguard for robust government accountability. The Apex Court in Raj Narain v The State of Uttar Pradesh also recognised that the Right to Information as indispensable to the Right of Freedom of Speech and Expression under Article 19(1)(a). Thus, the changes introduced by the Act not only infringe upon this right but also have the potential to cause grave ramifications such as increased electoral fraud, as well as corruption and compromised government transparency.

Through Section 37(1)(b), the government is empowered to censor content “if it is in the interest of the general public.”This ambiguous ground further expands the government’s power to curtail information at its discretion. In doing so, it goes beyond the scope provided in Section 69A of the Information Technology Act 2000 and the reasonable restrictions laid down under Article 19(2) of the Constitution.

Thirdly, the Editors Guild and DIGIPUB have raised concerns about implications of the Act for journalistic freedom. The Justice Srikrishna Committee’s recommendation on the earlier version of the Bill suggested exempting journalists from the consent requirement. The lack of such an exemption would make it difficult for journalists to access significant information in the wider public interest. In this regard, the government has failed to satisfactorily balance the Right to Privacy and the Right to Information.

While the Act serves as a step forward in the Indian data protection regime, such ‘unchecked powers’ conferred upon the government through its exemptions pose a threat to a variety of rights, ranging from compromised privacy to restricted press freedom. Although India is in need of a comprehensive statutory response to protect data – having suffered the second-highest data breaches in 2022, followed by grave instances such as CoWIN and SBI employees’ data leaks – the shortcomings of this legislation are concerning. It is uncertain whether it will prove adequate in tackling such recurrent challenges to the ever-evolving data ecosystem.

Want to learn more?

Share this:

Related Content


Submit a Comment