“DATA PROTECTION LAW IN INDIA AND THE WORLD”

A DISSERTATION SUBMITTED IN PARTIAL FULFILLMENT OF THE

REQUIREMENT FOR THE DEGREE OF MASTER OF LAWS (LL.M.)- (2023-24)

UNDER THE GUIDANCE & SUPERVISION OF

DR. AMANDEEP SINGH

ASSISTANT PROFESSOR (LAW)

DR. RMLNLU, LUCKNOW

SUBMITTED BY:

ROHAN PRAKASH

230102014

DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY,

LUCKNOW
 CERTIFICATE

This is to certify that this dissertation titled “DATA PROTECTION LAW IN

INDIA AND THE WORLD” is being submitted to Dr. Ram Manohar Lohiya
National Law University, Lucknow by Mr. ROHAN PRAKASH, student of
L.L.M., Enrolment No. 230102014 for the award of degree of Master of Law
(LLM) with specialization in Intellectual Property Rights Law is an independent
and original work carried out by him under my supervision and guidance and
that it is fit for evaluation.

Date:___________ DR. AMANDEEP SINGH

Place: Lucknow Assistant Professor (Law)

Dr. RMLNLU, Lucknow

i
 DECLARATION

I hereby declare that the work embodied in this dissertation entitled “DATA
PROTECTION LAW IN INDIA AND THE WORLD” is a bonafide work
undertaken by me under the guidance and supervision of Dr. Amandeep Singh,
Assistant Professor of Law, Dr. Ram Manohar Lohiya National Law University,
Lucknow for the partial fulfilment of the requirement of the degree for LL.M.
To the best part of my knowledge and beliefs, this dissertation or any part
thereof has not been submitted, part or in full, to this or any other university for
any degree, diploma or any other similar title except where due reference is
made in the dissertation itself.

Rohan Prakash

Enrolment No.- 230102014

LL.M.

ii
 ACKNOWLEDGEMENT
It was a matter of great pleasure and satisfaction for me to work on this topic for dissertation
as part of my LL.M. course at Dr. Ram Manohar Lohiya National Law University, Lucknow.

The completion of this dissertation has become possible because of the kind support of many
individuals, and I would like to express my sincere thanks to every one of them. I would like
to express my profound gratitude to my supervisor Dr. Amandeep Singh sir for giving me
his exemplary guidance, monitoring and constant encouragement throughout the dissertation
work. He helped me in understanding the details of the topic which was extremely helpful for
me in doing research for this dissertation.

I would like to thank Hon’ble Vice Chancellor and Dean (Academics) for providing me with
all the necessary resources for working on the dissertation.

I would also like to thank librarian of Dr. Madhu Limaye Library for providing me with the
relevant books and journals on the topics which was extremely crucial for me for completing
my dissertation.

I also express my deep gratitude towards my parents and my batchmates of RMLNLU for
providing me their kind help and motivation which greatly helped me while working on this
dissertation. Their constant support immensely helped me in completion of this dissertation.

Rohan Prakash

iii
 LIST OF ABBREVIATIONS

Abbreviation Description

AIR All India Reporter

CERT-In Indian Computer Emergency Response Team

DPDP Act Digital Personal Data Protection Act, 2023

DPIA Data Protection Impact Assessment

DPO Data Protection Officer

EEA European Economic Area

EU European Union

GDPR General Data Protection Regulation

IT Act Information Technology Act, 2000

JPC Joint Parliamentary Committee

PUCL People's Union for Civil Liberties

RTI Act Right to Information Act, 2005

SAR Subject Access Request

SCC Supreme Court Cases

SDF Significant Data Fiduciaries

TDSAT Telecom Disputes Settlement and Appellate Tribunal

UIDAI Unique Identification Authority of India

UNCITRAL United Nations Commission on International Trade Law

UNCTAD United Nations Conference on Trade and Development

iv
 LIST OF CASES

Gobind v. State of Madhya Pradesh (1975) 2 SCC 148. .................................... 26

K.S. Puttaswamy v. Union of India (2017) 10 SCC 1. .......................................... 9

Kharak Singh v. State of UP AIR 1963 SC 1295 ................................................ 25

M.P. Sharma v. Satish Chandra AIR 1954 SC 300............................................. 25

Maneka Gandhi v. Union of India AIR 1978 SC 597. ........................................ 27

Mr. ‘X’ v. Hospital ‘Z’ (1998) 8 SCC 296. .......................................................... 29

PUCL v Union of India (2003) 4 SCC 399 ......................................................... 29

PUCL v. Union of India (1997) 1 SCC 301 ....................................................... 28

R. Rajgopal alias R.R. Gopal v. State of Tamil Nadu (1994) 6 SCC 632. .......... 27

RM Malkani v. State of Maharashtra (1973) 1 SCC 471. .................................. 26

Selvi v. State of Karnataka (2010) 7 SCC 263 .................................................... 29

State of Orissa v. Radhey Shyam Meher (1995) 1 SCC 652. .............................. 80

Vivek Narayan Sharma v. Union of India (2023) 3 SCC 1. ................................ 83

v
 TABLE OF CONTENTS

CERTIFICATE ......................................................................................................................... i

DECLARATION......................................................................................................................ii

ACKNOWLEDGEMENT ..................................................................................................... iii

LIST OF ABBREVIATIONS ................................................................................................ iv

LIST OF CASES ...................................................................................................................... v

TABLE OF CONTENTS ....................................................................................................... vi

Chapter- 1: Introduction ............................................................................................................. 1

1.1 Background of the Study ................................................................................................. 1

1.2 Statement of Problem ....................................................................................................... 3

1.3 Research Hypothesis ........................................................................................................ 4

1.4 Research Questions .......................................................................................................... 4

1.5 Literature Review............................................................................................................. 5

1.6 Objectives of the Study .................................................................................................... 8

1.7 Research Methodology .................................................................................................... 8

1.8 Scope of the Study ........................................................................................................... 8

1.9 Chapterisation .................................................................................................................. 9

Chapter- 2 : Evolution of Right to Privacy .............................................................................. 12

2.1 Understanding privacy ................................................................................................... 12

2.2 Historical Development of Privacy in India .................................................................. 13

2.3 Judicial Approach to Right to Privacy ........................................................................... 17

Chapter- 3: Contemporary Issues Raising Data Privacy Concerns ......................................... 26

3.1 Mass Surveillance - Edward Snowden case, Facial Recognition tools and Pegasus ..... 27

3.2 Using Personal data for political purpose – the Cambridge Analytica scandal ............. 31

3.3 Targeted advertising and invasion of privacy ................................................................ 34

3.4 Social media and growing echo chambers ..................................................................... 37

vi
 3.5 Cyber Crimes and data privacy ...................................................................................... 38

Chapter- 4: Data Protection Regime in India before DPDP Act 2023 .................................... 40

4.1 Information Technology Act, 2000 ................................................................................ 40

4.2 Other laws dealing with data privacy- ........................................................................... 45

Chapter- 5: Digital Personal Data Protection Act, 2023 .......................................................... 47

5.1 Legislative History ......................................................................................................... 47

5.2 Features of the 2019 Bill ................................................................................................ 50

5.3 Salient Features of the DPDP Act, 2023 ........................................................................ 52

Chapter- 6: Areas of Concern Under the DPDP Act, 2023 ..................................................... 75

Chapter- 7: Data Protection Laws in Other Jurisdictions and Comparison with DPDP Act ... 84

7.1 Data Protection Law in Europe - GDPR ........................................................................ 84

7.2 Data Protection Law in UK............................................................................................ 92

7.3 Germany’s data protection law ...................................................................................... 93

7.4 Australia’s Approach to data protection ......................................................................... 94

7.5 Data Protection Framework in USA .............................................................................. 96

7.6 Comparison of DPDP Act with the GDPR .................................................................... 98

8. Conclusion and Suggestions .............................................................................................. 104

Bibliography .......................................................................................................................... 105

vii
 Chapter 1 – Introduction

1.1 Background of the Study

In the current age of digitization and globalisation, technology has entered into every aspect
of our lives. Technology has made it very easy for us to communicate with each other, and it
has also helped in making a lot of tasks very simple, which earlier took a lot of time and
efforts. Whether it is online shopping, digital banking, posting photos and blogs on social
media, filling forms for jobs or availing government services, using emails and video
conferencing applications for office works, or just watching movies or playing games, all
these wide range of activities can now be done through computers and mobile phones through
internet. This has not only made our easier, but it has also helped in rapid growth of our
information technology sector as well. This sector has witnessed multi fold growth in the past
decade.

However, as technology and internet has made its presence even in the most personal matters
of human lives, it has also raised the concerns regarding protection of personal data of the
users. In present times, there are a lot of concerns with regard to the privacy of individuals
and potential risks of breach of privacy of individuals, especially by the big Multinational
Companies, who could misuse the large amount of personal data stored by them for profit
motives. Data is the new currency in the current age of technology, and hence it is very
important to have a legal regime for protection of personal data of individual and to protect
their privacy.

Right to Privacy has now been recognised as a fundamental right in the K.S. Puttaswamy1
judgment, and thus it is necessary to protect the privacy of individuals. The concerns
regarding protecting individual’s privacy in the present age of social media and internet had
been raised in the above judgment. Justice D.Y. Chandrachud have aptly raised his concerns
in following words: “Every transaction of an individual user and every site that she visits,
leaves electronic tracks generally without her knowledge. These electronic tracks contain
powerful means of information, which provide knowledge of the sort of person that the user is
and her interests. Individually, these information silos may seem inconsequential. In
aggregation, they disclose the nature of the personality: food habits, language, health,
hobbies, sexual preferences, friendships, ways of dress and political affiliation. In

1
K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.

1
aggregation, information provides a picture of the being: of things which matter and those
that do not, of things to be disclosed and those best hidden.”

Similarly, Justice S.K. Kaul observed that “….As we move towards becoming a digital
economy and increase our reliance on Internet-based services, we are creating deeper and
deeper digital footprints – passively and actively….These digital footprints and extensive
data can be analysed computationally to reveal patterns, trends, and association, especially
related to human behaviour and interactions and, hence, is valuable information, This is the
age of ‘big data’….Thus, there is unprecedented need for regulation regarding the extent to
which such information can be stored, processed and used by non-State actors. There is also
a need for protection of such information from the State.” Thus, considering the threat to right
to privacy of individuals because of deep and pervasive presence of internet and technology
in our lives, Supreme Court had directed the government to bring a legal regime for
protection of personal data of individuals. The existing Information Technology Act, 2000,
was not sufficient to address this issue adequately.

The Digital Personal Data Protection Act, 2023 “

As a result of the Puttaswamy judgment, in 2017, Ministry of Electronics and Information

Technology had appointed Justice B.N. Srikrishna Committee for examining data protection
issues and drafting a data protection law for the country. In 2018, Committee released draft
Personal Data Protection Bill 2018 for public consultation. Based on public feedback, it was
refined and finally, Personal Data Protection Bill, 2019 was approved by the cabinet and
tabled in the Lok Sabha on December 11, 2019. The bill was then referred to the Joint
Parliamentary Committee (JPC) for review. In December 2021, JPC released its report after
analysing the provisions of the bill. In August 2022, the government withdrew the draft Data
Protection Bill. In November 2022, Ministry of Electronics and Information Technology
released a new draft of Digital Personal Data Protection Bill, 2022, which had significant
changes from the earlier draft, for public consultation. Finally, the Union Cabinet approved
the draft Digital Personal Data Protection Bill, 2023 on 5th July 2023. The updated version of
the bill was introduced on 3rd August 2023 in Lok Sabha. Subsequently, it was passed in both
the Lok Sabha and Rajya Sabha, and it received the President’s assent on 11th August 2023.”

The Digital Personal Data Protection Act, 2023 (hereinafter as, DPDP Act) brings a complete
overhaul in the data protection structure in the country. It has recommended setting up of a
Data Protection Board for implementation of the DPDP Act. However, many provisions of

2
the Act have come under severe criticism from several sections of the society. Civil society
and RTI activists have raised concerns regarding the Act, alleging that the act dilutes the
effectiveness of the RTI Act.2 Concerns have also been raised regarding wide ranging powers
of the Central Government under the Act, and its power in appointing members of the Board.
Central Government and its agencies are given immunity and exemptions under various
provisions.3 Also, there is over reliance on delegated legislation, and there is lack of clarity
and specificity in various provision, which can give room to government to take arbitrary
actions.4 Similarly, there are other criticisms as well. “

Hence, it becomes necessary to analyse the new data protection law of the country, the DPDP
Act, and understand the ramifications of this law. We also need to look at how other countries
around the globe, especially United States and European Countries address the issue of
personal data protection, and what are the data protection laws in those countries. We would
also look at the General Data Protection Regulation (GDPR), the model data privacy law of
the European Union (which is considered as the strictest of all data protection laws around
the globe) and compare it with the DPDP Act. Finally, we would look at what needs to be
done to resolve the issues that have been the areas of concern with regard to DPDP Act,
2023.”

1.2 Statement of Problem

India’s new personal data protection law, the Digital Personal Data Protection Act, 2023 has
received the President’s assent on 11th August 2023. However, ever since the passing of the
law, it has come under criticism from various legal luminaries and civil society groups for
various provisions of the Act. They allege that this law dilutes the powers that are provided to
citizens under RTI Act, and Central Government have been given a lot of power under the
act, and there is a risk that these powers could be used by the government in an arbitrary
manner. Exemptions have been given to Central Government for actions done in good faith,
and it could also exempt certain data fiduciary from compliance of certain provisions. Also,
various ambiguities are there in law and there is excessive delegated legislation.

2
Himanshu Nitnaware, “New data protection law dilutes RTI, will impact marginalised and poor: Experts”
(Down to Earth, 16th August 2023), Available at <https://www.downtoearth.org.in/news/governance/new-data-
protection-law-dilutes-rti-will-impact-marginalised-and-poor-experts-91183> Accessed 05th February 2023.
3
“John Brittas and Aneesh Babu, “What Lies Beneath the PR Blitz on the New Data Protection Act?”, (The
Wire, 27th August 2023). Available at <https://thewire.in/government/what-lies-beneath-the-pr-blitz-on-the-
new-data-protection-act> Accessed 06th February 2024.”
4
Ibid.

3
So, these are some of the key areas concern in the new Act, and to address these issues, we
would look at the data protection laws in other countries and the model GDPR of European
Union and to see how these concerns are addressed in those legislations.

1.3 Research Hypothesis

The current research is based on the assumption that the new Digital Personal Data Protection
Act (DPDP Act) was necessary to prevent the misuse of personal data by the big data
fiduciaries (like social media companies, online shopping companies etc.), especially when
internet and technology has invaded every aspect of our personal lives. The right to privacy
of users could not have been protected under the existing legal regime, and the new DPDP
Act impose various safeguards to prevent misuse of personal data by these entities. Also, this
could not be ignored that to provide various facilities and services, there is a need for
processing of personal data for lawful purposes (which have also been stated as one of the
objects of the Act), and hence, there could not be blanket ban on processing personal data. So,
the current Act is aimed at balancing both the aspects. Central government have been given
powers under various sections to ensure proper functioning of the Act and protection of
personal data.

Also, it is assumed that the DPDP Act have been made after extensive research and
deliberations, and thus the significant aspects GDPR and data protection laws of other
countries have been incorporated, while various deviations have also been made to suit the
Act to specific conditions of our country.

1.4 Research Questions

1. How the right to privacy has evolved over time in India?

2. What are the concerns regarding right to privacy in the present age of social media?
3. Why there is a need for a new data protection legislation in the country and why the
issues could not be addressed by the existing laws?
4. What are the significant highlights of the Digital Personal Data Protection Act, 2023?
5. What are the areas of concern and criticism in the newly passed DPDP Act 2023?
6. What are the other significant data protection laws in other countries around the
world?
7. In what ways the DPDP Act similar with those laws and what are the aspects in which
it is different?

4
1.5 Literature Review

Although the statute relating to data protection has been passed recently only in August 2023,
areas relating to data privacy and data protection had been explored by multiple scholars in
their research from many years. Following literature has been studied by the researcher while
conducting the study:

Dhiraj R. Duraiswami, (2017) “Privacy and Data Protection in India”, Journal of Law
and Cyber Warfare. 5

In this article, the author focussed on the legal regime that was present in India to address the
issues of data breach and data privacy. Since, the article is of 2017, it provided a good insight
on how India’s data protection regime was there before the advent of the DPDP Act, and what
were the remedies that could have been used by any user in case of data breach. He also
highlighted the need for having a comprehensive legislation on this topic.

Vrinda Bhandari, (2018) “Privacy Concerns in The Age of Social Media”, India
International Centre Quarterly. 6

The author starts this article with the important observations of Justice Chandrachud and
Justice Kaul in the Puttaswamy case, highlighting the grave risk on personal data of users in
the age of social media. She has discussed the existing legal regime regarding the protection
of digital personal data and has also given her opinions regarding the draft bill that was
drafted by the Justice Srikrishna committee for data protection. However, the major point of
focus of her article was how the private entities are using personal data for profiling users and
the darker side of social media on this aspect.

Anirudh Barman, (2023) “Understanding India’s New Data Protection Law”, Carnegie
India.7

In this article, Anirudh Barman had very deeply analysed the different provisions of the
current Act and has also compared it with the earlier Bills on data protection. He concluded
that it is not sufficient for de facto data privacy to materialize. He also appreciated the fact the
2023 version of the law, as compared to the earlier ones, imposes much lower costs on Indian

5
“D.R. Duraiswami,. “Privacy and Data Protection in India.” Journal of Law & Cyber Warfare, 6 (1), 2017.
Available at <http://www.jstor.org/stable/26441284> Accessed 6 February 2024.”
6
“Vrinda Bhandari, “Privacy Concerns in The Age Of Social Media” India International Centre Quarterly,
45(3), 2018. Available at <http://www.jstor.org/stable/45129854> Accessed 7 February 2024.”
7
“Anirudh Barman, “Understanding India’s New Data Protection Law”, (Carnegie India, 03 October 2023),
Available at <https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624#>
Accessed 06th February 2024.”

5
businesses and hence is a positive step. Concluded that overall, the law is modest and
pragmatic, and since lot of discretionary powers are vested in Central Government, the
success of the legislation would depend a lot upon how well the government is committed to
protecting privacy.

Glenn Greenwald's, (2014) No Place to Hide: Edward Snowden, the N.S.A., and the U.S.
Surveillance State.8

This book talks about the shocking fact of our time regarding breach of privacy by the US
government. Chapter four of the book looks into aspect of privacy in the current times, and
how mass surveillance by the State is inherently repressive. It shows how mass surveillance
is abused by the authorities for political benefit. He explains that most people act differently
when they know they are under surveillance and tend to follow commonly accepted social
behaviour to avoid the shame of being seen as deviant.

Jim Bronskill and David Mckie (2016), “Your Right to Privacy - Minimize Your Digital
Footprint.”9

The book discusses issues around hacking, surveillance, and data extraction in today's digital
landscape. It underscores the necessary measures to safeguard crucial personal data from the
grasp of emerging technologies. Furthermore, it explores strategies to reduce digital
footprints, thus shielding one's vital information from potential misuse. “

Martin Brinnen and Daniel Westman, (2019) “What’s wrong with the GDPR?
Description of the challenges for business and some proposals for
improvement”, Svenskt Naringsliv - Swedish Enterprise.10”

In this paper, authors have analysed the provisions of the GDPR and the challenges in the
proper implementation of the GDPR. The authors concluded that the GDPR has led to
significant increase in the administrative burden of the companies. However, it has also
increased awareness for the requirement of a data privacy law today’s digitized society It is
debatable that whether improvements to privacy protection of individuals are proportionate to
the costs, nevertheless, there is a broad consensus that the fundamental parts of the reform

8
“Glenn Greenwald's, No Place to Hide: Edward Snowden, the N.S.A., and the U.S. Surveillance State
(Metropolitan Books, New York, 2014).”
9
“Jim Bronskill & David Mackie, “Your Right to Privacy - Minimize Your Digital Footprint”, Self-counsel Press
Legal Series (2016).”
10
“M. Brinnen and D. Westman, “What’s wrong with the GDPR? Description of the challenges for business and
some proposals for improvement”, (Svenskt Naringsliv – Swedish Enterprise, December 2019), Available at
<https://www.svensktnaringsliv.se/material/skrivelser/xf8sub_whats-wrong-with-the-gdpr-
webbpdf_1005076.html/What%27s+wrong+with+the+GDPR+Webb.pdf> Accessed 06th February 2024.”

6
were necessary. They concluded that GDPR is good enough and there needs to be increase in
harmonization within the EU member countries.

Gautam Bhatia, (2017) “The Supreme Court's Right to Privacy Judgment”, Economic
and Political Weekly.11

The article examines the core themes and ramifications of a recent privacy case (Writ Petition
(Civil) No. 494 of 2012). It delves into how the judgment has delineated privacy into three
main facets: the rights pertaining to bodily and mental integrity, informational privacy, and
decisional autonomy. Notably, the court has emphasized the significance of individual
privacy, prioritizing the safeguarding of private spaces over notions of home and family.

Graham Greenleaf, (2011) “Promises and Illusions of Data Protection in Indian Law”.12

The author argues that India's data protection legislation is insufficient to protect an
individual's privacy. This paper discusses the lack of legislation in dealing with data
protection and how some of the legal provisions are structured ostensibly to protect
individual rights but are doing the surveillance of an individual. The 2008 amendment to the
I.T. Act 2000 is not effective in protecting against privacy breaches, and the legislature needs
to further develop data protection laws.

T.L. Yang, (1996) “Privacy: A Comparative Study of English and American Law”.13

The author in this paper highlights the development of privacy right by the American courts.
The author compares privacy right under the English and American jurisdiction. It is pointed
out that privacy is not entirely ignored under English common law, but the protection of
rights is not complete because it is indirectly protected. The right in England is only protected
incidentally, and the right to peace of mind and emotional pain are ignored. The paper
discusses the history and development of privacy law through leading cases in the country.

Joshua A.T. Fairfield, (2017) “Owned: Property, Privacy, and the New Digital
Serfdom”.14

11
Gautam Bhatia, “The Supreme Court’s Right to Privacy Judgment”, Economic & Political Weekly, Vol.52
Issue No. 44 (2017). Available at “<https://www.epw.in/journal/2017/44/commentary/supreme-courts-right-
privacy-judgment.html>” Accessed 05th February 2024.
12
G. Greenleaf, “Promises and Illusions of Data Protection in Indian Law” “1 International Data Privacy Law
(2011).”
13
Yang, T.L “Privacy: A Comparative Study of English and American Law,” The International and Comparative
law Quarterly Vol.15, Cambridge University Press (1996).
14
Joshua A.T. Fairfield, “Owned: Property, Privacy, and the New Digital Serfdom”, Cambridge University
Press, Cambridge, 2017.

7
The author in this book discussed that property law should be given a proper place in the
digital field. Because of not relying on property law, we are not able to protect the privacy of
individual aptly. He advocates that having property law in this field will genuinely allow
consumers to own their data and also protect the creator's interests. “

1.6 Objectives of the Study

The study is undertaken with following objectives:

1. To understand the historical evolution of right to privacy in Indian context.

2. To evaluate the growing concerns regarding right to privacy of internet users in this
age of technology and social media.
3. To understand and highlight the important features of the Digital Personal Data
Protection Act, 2023.
4. To identify the problematic aspects of the DPDP Act, 2023, which have been
criticised by various stakeholders.
5. To have an overview of the European Union’s GDPR and other data protection laws
of the other countries.
6. To suggest steps that could be taken to address the various criticisms of the DPDP
Act, 2023.” “

1.7 Research Methodology

The methodology of this research work would be doctrinal. In order to complete this
research, both primary and secondary sources were used. The primary sources used for this
research are the Constitution of India, Acts of the Indian Parliament, as well as statutes of
other countries and of European Union, and the judgments of the Indian Supreme Court. The
researcher has also conducted a study of various secondary sources such as textbooks,
newspaper and journal articles, and books and articles on websites on the relevant subject
matter.”

1.8 Scope of the Study “

The study would start from looking at the how the judiciary have interpreted right to privacy
and its journey which culminated in right to privacy becoming a fundamental right under
Article 21 of the Constitution in Puttaswamy judgment. The study would focus primarily on
the aspect of safeguarding of digital private data of the citizens, as it is the main area of
concern in data privacy in present times.”

8
Then the study would analyse provisions of the DPDP Act, 2023 and the major areas of
concern and criticism in them. While looking at the laws of data protection in other
jurisdictions, the major focus would be on the GDPR, and the laws in US, UK and Australia.
The intention would be to compare them with the Indian law and find out if any good aspect
could be borrowed from them. At the end, after doing all the analysis, the study would
attempt to give suggestions that could be incorporated in our Act to address the concerns in
the DPDP Act, 2023.

1.9 Chapterisation

The dissertation paper would be divided into following chapters:

Chapter- 1: Introduction

This chapter would give an introduction about data privacy. It would give a brief outline of
the data privacy in the present scenario, especially in the light of observation of the court in
Puttaswamy judgment. This chapter would also briefly look at the developments post in this
judgment for enacting a new law for data protection in India, and what are some of the issues
pertaining to it.

In this chapter, researcher will also emphasis upon the need for undertaking the study in this
area, and the statement of problem that would be addressed in the paper. A review of the
literature in this field will also be provided to show what are the existing studies that have
been undertaken in the topic of privacy and data security and what are the research gaps that
are still present. This chapter would also provide the scope of the study and the research
questions that would be addressed in the dissertation.

Chapter - 2: Evolution of Right to Privacy “

The chapter would first give an outlook about the meaning and functions of privacy and then
it would look at the historical development of right to privacy in India and how it has now
been recognised as a fundamental right. It would look at various judgments of the Indian
Supreme Court in the field of right to privacy of citizens, how courts approached the question
of individual’s privacy in the earlier times, and how it looks at privacy now in the modern
context. A watershed moment in this field came in 2017 when the apex court recognised right
to privacy as a fundamental right under Article 21 of the Constitution of India. This chapter
would also look at the various aspects of that judgment and how it would affect various other
laws in the country.”

9
Chapter- 3: Contemporary Issues Raising Data Privacy Concerns “

This chapter would focus on the different contemporary issues and challenges which relate to
data privacy, that has come up because of the rapid advancement in the realm of information
technology and social media. This chapter would also look at the Edward Snowden case in
2013 and the Cambridge Analytica scandal and other cases which showed that how personal
data on the internet is very unsafe and is at the risk of being misused. Increase in the number
of promotional calls and mails, and cyber frauds are also the result of sensitive data over
internet getting leaked.”

Chapter-4: Data Protection Regime in India before DPDP Act 2023 “

This chapter would look at what are the legal provisions that were prevailing before coming
of the DPDP Act, 2023. The major law on the subject was the Information Technology (IT)
Act, 2000 and the Information Technology Rules 2011, which were later replaced by the IT
Rules, 2021. Apart from the IT Act, various aspects of data breach were covered under Indian
Contract Act, 1872 as well if the relationship was arising out of contractual obligations. Also,
if the data breach had resulted in violation of intellectual property rights like copyright upon
any particular work of any person, then it could have been covered under Copyright Act,
1957. However, there was absence of any single streamlined act that specifically dealt with
data privacy as a result of which, it was required to have a new dedicated law for the
protection of digital personal data of individuals.” “

Chapter-5: Salient Features of Digital Personal Data Protection Act 2023”

This chapter would explore the salient features and the scheme of the DPDP Act, 2023. Key
definitions like that of ‘data principal’, ‘data fiduciary’, ‘consent manager’, ‘data protection
officer’, ‘personal data breach’, ‘significant data fiduciary’ etc. would be discussed. Also,
powers and role of the Data Protection Board and Appellate Tribunal would be analysed.
General Rights and duties of the different entities under the Act would also be covered.

Chapter-6: Areas of Concern in the DPDP Act 2023

In this chapter, the area of focus would be those provisions of the Act which are a cause of
concern and are subjected to various criticisms. It would include criticism surrounding
increased powers of the Central government under the Act, dilution of the Right to
Information Act, 2005 because of the provisions of the DPDP Act, ambiguities regarding
certain provisions of the Act etc.

10
Chapter- 7: Comparison of DPDP Act with Data Protection Laws in Other
Jurisdictions “

This chapter would aim at comparing the Indian legislation and its provisions with some
other data protection statutes of the world, especially with the European Union’s GDPR,
since it is considered as one of the most stringent, comprehensive and consumer friendly data
protection laws in the world. It would look at the data protection regime in United States,
UK, and Australia.”

Chapter- 8: Conclusion and Suggestions “

In this, we would finally conclude our research to see whether Indian law meets the global
standards and what improvements could be brought in the law, especially to address the
concerns regarding some of the provisions of the Act.”

11
 Chapter -2 : Evolution of Right to Privacy
The need for having a law for protection of personal data is founded on the basic principle
that every individual has a personal right to privacy, and there should be a legislative
framework to protect the data privacy of users which could be compromised in the modern
technological age. So, it is essential to recognise the individual’s right to privacy for
advocating a law for protection of data privacy. However, right to privacy was not always
recognised by the courts in India. There is a long history of evolution of right to privacy
before it became a fundamental right in the Puttaswamy judgment in 2017. This chapter
would trace this journey of right to privacy in the Indian context.

2.1 Understanding privacy

Privacy is a universally recognized value ingrained in people's behaviour worldwide. Yet, the
significance of privacy can vary depending on individuals and circumstances. It stands as a
fundamental requirement for individuals to live with dignity, extending beyond individuals to
encompass groups and institutions. Privacy empowers them to dictate the terms of sharing
information they possess, determining what, when, where, and how it is shared with others. It
provides individuals with the ability to control access to the information they hold.

Privacy affords individuals the opportunity to temporarily withdraw from broader society,
thereby preserving their individuality. During these moments of solitude, people are more
inclined to nurture their emotions and values. Such periods often stimulate creativity, leading
to the generation of ideas and solutions that address not only personal challenges but also
societal issues. It's crucial for individuals to have the freedom to think openly without the fear
of judgment or ridicule from others. Moreover, privacy within relationships is essential for
personality development. Individuals should feel comfortable expressing their thoughts and
emotions freely with their loved ones. These intimate exchanges provide emotional release,
allowing individuals to shed the societal masks they wear in public and express their true
feelings. In trustworthy relationships, individuals fulfil their responsibilities without the need
for constant surveillance of their activities.

In contemporary society, the study of privacy law has gained unprecedented significance,
primarily due to the rapid advancements in technology and communication. The ever-
advancing growth of technology has facilitated the creation of vast surveillance networks,
posing a significant threat to our privacy. Our digital activities, including transactions, social
media interactions, phone calls, and travel histories, are now subject to constant monitoring. “

12
The dominant forces driving technological progress on the internet are businesses and
governments, both of which work on having elaborate databases of individual information.
These advancements underscore the urgent need to strike a delicate balance between a
person's right to privacy and society's requirements for access to data.”

2.2 Historical Development of Privacy in India “

Concept of privacy was present in India in ancient times as well. Various scriptures and epics
talk about the importance of privacy in an individual’s life and certain actions infringing
one’s privacy were deemed inappropriate or punishable. These included observing sleeping
women who were not one's wife, encountering unveiled women in public, engaging in
physical contact with women who were not one's wife, causing harm to a sleeping individual,
disrupting someone's meditation, and other similar instances.15 These actions were considered
morally wrong or socially unacceptable within the frameworks of those epics, and
transgressions could result in punishment or social consequences. Words like ‘ekant’, ‘gupta’,
‘upasana’ etc. depict the importance of privacy in ancient culture and that is why I.P. Massey
opined that it would be wrong to presume that concept of privacy was not there in Indian
culture.16 Even during Medieval period, existence of concept of ‘purdah’ or veil system,
concept of hijab and abaya shows about the importance of privacy of body against the outer
world.” “

During British period, privacy right was not developed much since they feared that more
privacy right would help in increased conspiracy against them. Hence initially, privacy was
protected only through custom and easement law only. Later on, with the growth of
urbanisation and industrialisation, British government felt the need to protect certain aspects
of privacy. Education has played a crucial role in the development of privacy rights,
particularly as educated individuals began to recognize the importance of safeguarding their
personal information from public scrutiny and government authorities. Against this backdrop,
the evolution of privacy rights in India commenced through the codification of various
existing aspects of privacy within common law.” “

It is noteworthy that privacy was not initially acknowledged as a fundamental human right
during this period; rather, it was confined to specific domains already recognized in ancient
and medieval India. The evolution of the right to privacy within Indian culture was largely

“Kiran Deshta, Right to Privacy under Indian Law (Deep & Deep Publications., New Delhi, 2011) 87-94.”
15

“I.P. Massey, Constitutionalization of Right to Privacy in India, in B.P. Sehgal (edn.), Human Rights in India
16

(Deep & Deep Publications, New Delhi, 1999) 310-311.”

13
influenced by its social structure. Rather than enacting separate legislation to protect this
right, privacy was safeguarded through various existing laws. Consequently, provisions were
incorporated, and committees were established to address the privacy concerns of
individuals.” “

Various bills also incorporated ideas of privacy. The Constitution of India Bill of 1895 is one
of the earliest documents to articulate the idea that every citizen has an inviolable sanctuary
within their home. Similarly, the Commonwealth of India Bill of 1925 aimed to safeguard
individuals from unwanted interference in their dwellings without due process. This
sentiment was echoed in the Nehru Report of 1928, which also advocated for similar rights
concerning the protection of individuals' homes and privacy.”

2.2.1 Legislations Enacted to Protect Certain Aspects of Privacy Before

Independence

Even before independence, the Indian legal framework incorporated various provisions aimed
at safeguarding privacy rights:

- The Indian Penal Code includes restrictions against intruding upon the privacy of women.17

- The Divorce Act empowers courts to conduct proceedings, or parts thereof, in closed doors,
thereby protecting privacy in matrimonial cases.18

- The Indian Easement Act addresses customary easements and protects home privacy by
restricting the erection of new windows that could invade a neighbour’s privacy.19

- The Banker's Book Evidence Act of 1891 safeguards customer information from
unauthorized dissemination, preventing banks from divulging information in cases where
they are not a party.20

- The Code of Criminal Procedure of 1898 protects privacy interests through specific
mandates for women's arrest and property search and seizure.21

- The Indian Evidence Act of 1872 ensures privacy of documentary evidence, specifying that
documents prepared for personal interest are not for general inspection22, while also
protecting privileged communication between spouses and professional communication23.

17
Indian Penal Code 1860, section 509.
18
Divorce Act 1869, section 53.
19
Indian Easement Act 1882, section 18.
20
Bankers’ Books Evidence Act, section 5.
21
Code of Criminal Procedure 1898.

14
- The Indian Contract Act of 1872 allows parties to include a "privacy clause" in contracts to
regulate the collection and use of personal information.24

- The Telegraph Act of 188525 and the Indian Post Office Act of 189826 were enacted to
safeguard privacy of communication. “

- The Official Secrets Act, 1923 were incorporated with the aim of protecting secrecy of
official records.27” “

2.2.2 Right to Privacy in Constituent Assembly debates” “

Constituent Assembly was formed in the year 1946 as a result of the British Cabinet Mission
Plan, and an Advisory Committee was formed by the Constituent Assembly in the year 1947
to draft the provisions on fundamental rights.28 Under the chairmanship of Acharya J. B.
Kripalani, a fundamental right subcommittee was established within the main committee.
This subcommittee was tasked with addressing the concerns surrounding the basic
fundamental rights of citizens. Members of the assembly were deeply concerned about the
suppression of fundamental rights by British authorities, particularly in the context of the
aftermath of World War II.” “

K.T. Shah advocated for the right to privacy and security of individuals' person, papers,
property, and homes, demanding protection against unreasonable search or seizure for all
citizens. Similarly, K.M. Munshi proposed provisions for safeguarding privacy rights,
including the privacy of one's home, secrecy of correspondence, protection against arbitrary
state actions, and freedom from interference in family relations.29” “

Harnam Singh, inspired by the Art. 12 of Czechoslovakian Constitution of 1919, emphasized

that “every dwelling shall be inviolable”, focusing on physical space privacy rather than
bodily privacy.” “

Dr. B.R. Ambedkar also supported the right to privacy, extending it to all individuals, not just
citizens, and recognizing the importance of security against unreasonable search and seizure

22
Indian Evidence Act 1872, section 75.
23
Ibid, sections 122, 126.
24
Indian Contract Act 1872.
25
Indian Telegraph Act 1885, sections 5 and 24.
26
“Indian Post Office Act 1898, section 26.”
27
“Official Secrets Act 1923.”
28
“B. Shiva Rao, The Framing of India’s Constitution (Universal Law Publishing Co., Delhi, 2006) 56.”
29
“Venkatesh Nayak, “Evolution of Right to Privacy in India”, (RTI foundation, 10th August 2015). Available at:
<http://www.rtifoundationofindia.com/evolution-right-privacy-india#.XvojTi9h2u5> Accessed 16th March
2024.”

15
for persons, homes, documents, and effects. However, he did not advocate for an absolute
right to privacy, suggesting that under probable cause supported by oath or affirmation,
certain limitations on privacy rights could be justified.” “

In March 1947, the sub-committee on fundamental rights approved a draft that included
provisions for the privacy of home and correspondence. Subsequently, in April 1947, the final
draft formulated by the sub-committee, and approved by the Advisory Committee,
incorporated the right to privacy. This provision was a combination of drafts presented by
K.T. Shah, K.M. Munshi, and Dr. B.R. Ambedkar. Dr. B.R. Ambedkar’s draft advocated for
what was called “the right of the people to be secure in their persons, house, papers and
effects against unreasonable searches and seizures shall not be violated and no warrants
shall issue but upon probable cause, supported by oath of affirmation and particularly
describing the place to be searched and the persons or things to be seized” in the State and
Minority Report.30” “

However, when it was put to debate, objections were raised against introducing provisions
guaranteeing the right to secrecy of correspondence and protection against unreasonable
search and seizure. Sir Alladi Krishnaswamy Ayyar emerged as a vocal critic, arguing that
such protections would transform every private correspondence into a state document and
impede prosecution efforts. Consequently, the protection against unreasonable searches and
seizures was omitted, citing that such safeguards were already provided under the Criminal
Procedure Code.31” “

It was pointed out that even the U.S. Constitution does not guarantee the secrecy of
correspondence. In his dissenting note, Sir Alladi Krishnaswamy Ayyar received support from
K.M. Panikar and Sir B.N. Rau. Dr. B.N. Rau emphasized that such protections would
significantly hamper police investigations, as warrants from the court would be required for
every search. Ultimately, the provision recognizing the right to privacy as fundamental was
excluded by the advisory committee. Further attempts were made by K.S. Karimuddin and
Pandit Thakur Das Bhargava for incorporating safeguard against search and seizure bu they
could not be incorporated.”

30
“Bhaskar Chakravarty, “Historical Background and Constitutional Intent of Right to Life and Personal
Liberty”, Department of Law, Gauhati University. Available at:
<http://shodhganga.inflibnet.ac.in/bitstream/10603/68264/8/08_chapter%202.pdf> Accessed 17 th March 2024.”
31
Ibid.

16
It's noteworthy that the Constituent Assembly didn't outright reject the concept of privacy as a
right. Instead, it specifically excluded the right to privacy and secrecy in only two areas:
correspondence and search and seizures. H.V. Kamath highlighted during the debate that
these rights could be safeguarded through established legal procedures. The argument put
forth was that explicitly enshrining such provisions in the Constitution wasn't necessary as
similar rules already existed in the Criminal Procedure Code (Cr.PC). Therefore, if any future
infringements on the right to privacy concerning correspondence or search and seizure were
to occur, the Parliament could address them through legislation.

2.3 Judicial Approach to Right to Privacy “

The Supreme Court of India serves as the guardian and interpreter of constitutional values,
understanding the central purpose and themes of the Constitution. It interprets the
Constitution as a living document, aiming for the welfare of society, and has given broader
interpretations to constitutional values such as dignity, liberty, equality, and freedom.” “

In recent times, the jurisprudence surrounding the right to privacy as a fundamental right has
actively developed. Through a series of judgments, the Supreme Court has recognized the
right to privacy as fundamental, guiding the nation's development towards an egalitarian
democracy. Initially, the Supreme Court provided a static interpretation of constitutional
rights, hindering the growth of the right to privacy. However, over time, it realized the
Constitution's goals and expanded its interpretation of fundamental rights.” “

One of the earliest cases after independence where the issue of privacy came into dispute was
M.P. Sharma v. Satish Chandra.32 In this case, search warrants were issued by the District
Magistrate against Dalmia group of companies at 34 different places, and various documents
were confiscated. Petitioners alleged that such act was violative of fundamental rights under
Ar. 19(1)(f) and 20(3) of the Constitution. The Supreme Court said that search was not
unlawful. Supreme Court also refused to recognise right to privacy as a fundamental right as
it was not expressly mentioned in the Indian Constitution.”

The next important case in this respect was Kharak Singh v. State of U.P.33 In the case, the
issue of surveillance came under scrutiny. The case questioned whether surveillance, as
defined under Regulation 236 of the U.P. Police Regulation, constituted a violation of
fundamental rights, particularly whether the right to privacy was a fundamental right

32
“M.P. Sharma v. Satish Chandra AIR 1954 SC 300.”
33
“Kharak Singh v. State of UP AIR 1963 SC 1295.”

17
protected under the Indian Constitution. Kharak Singh was charged in a dacoity matter in
1941, but later on released on lack of evidence. However, under U.P. police regulations, he
was put under strict surveillance, and police even visited his house during night. He
contended it violated his fundamental right under Ar. 19(1)(d) and 21 of the Constitution.
While acknowledging right to sleep, court struck down regulation allowing domiciliary visits
at night. However, majority upheld other regulations as valid. “

The Supreme Court's verdict in this case concluded that the right to privacy was not explicitly
recognized as a fundamental right guaranteed by the Constitution. Therefore, the mere act of
surveillance, as described in Regulation 236, did not constitute a violation of a fundamental
right under Part III of the Indian Constitution. However, the court acknowledged that Article
21 (right to life) served as the repository of residual personal rights and acknowledged the
existence of the common law right to privacy.” “

Justice Subba Rao gave his dissenting opinion, and noted that privacy is an essential element
of personal liberty under Ar. 21. Minority was of view that all the surveillance regulations
were violative of Ar. 21.”

Similarly, in RM Malkani v. State of Maharashtra34, court refused to recognise right to

privacy where the question of admissibility of phone tapping recording as evidence was
involved. Court held such evidence was admissible and there is no fundamental right to
privacy. “

Next significant case was Gobind v. State of Madhya Pradesh35. Although this case was
similar to the Kharak Singh case in some respects, the judicial approach taken was notably
different. The Supreme Court upheld the validity of the Madhya Pradesh Police Regulation
Act of 1961, considering it to impose reasonable restrictions.” “

The court acknowledged the existence of the right to privacy within the framework of the
guarantees provided by Part III of the Indian Constitution. However, it also recognized that in
the absence of specific legislative provisions, the right to privacy would need to evolve
through a case-by-case development process. This approach was deemed necessary because a
single case might not be sufficient to fully explore the exceptions and consequences
associated with the right to privacy. So, although regulations were upheld by Supreme Court,
but the court realised the need for recognising right to privacy as a fundamental right.”

34
“RM Malkani v. State of Maharashtra (1973) 1 SCC 471.”
35
“Gobind v. State of Madhya Pradesh (1975) 2 SCC 148.”

18
Despite this, the Govind case significantly broadened the scope of Article 21 of the
Constitution, paving the way for the inclusion of the right to privacy within its ambit. “

In the landmark case of Maneka Gandhi v. Union of India36, the Supreme Court adopted a
broad interpretation of Article 21 of the Indian Constitution. The court held that the term
"natural law," which encompassed the rights to personal liberty and personal security, was
implicit within Article 21. Court also opined that fundamental rights do not operate in silos,
but are connected to each other, and there is a golden triangle between Ar. 14, 19 and 21.
Court also said that Ar. 21 encompasses due process of law instead of procedure established
by law. Thus, this case marked a significant turning point as it led to a wide-ranging
interpretation of the Fundamental Right to Life. It is after this case that the broad
interpretation of Ar. 21 allowed various other rights to be incorporated under right to life and
personal liberty under Ar. 21. Importantly, it also played a crucial role in recognizing the right
to privacy as falling within the scope of the Right to Life. Thus, the Maneka Gandhi case
contributed to expanding the understanding and protection of individual rights under the
Indian Constitution.” “

The next landmark case regarding the point of balance between freedom of speech and right
to privacy was R. Rajgopal alias R.R. Gopal v. State of Tamil Nadu37. Here, the petitioners
were editor and publisher of a Tamil magazine ‘Nakkheera’ and wanted to publish in series
form an autobiography of a convict name Auto Shankar, who was on death row. After first
few issues were published, its further publications was stopped because of the objections
raised by prison authorities citing prison rules.” “

The main contention before the court revolved around whether a citizen could prevent
another person from writing and publishing their life story without authorization, and whether
such unauthorized writing constituted a violation of the citizen's right to privacy.
Additionally, the court deliberated on the remedies available in cases of infringement of the
right to privacy.” “

The court addressed two key aspects of the right to privacy: firstly, it discussed the general
law of privacy as applicable in tort law, and secondly, it considered the constitutional
recognition of privacy rights. Regarding privacy rights in tort law, the court emphasized that
using a person's name or likeness without their consent constituted a violation of privacy.
This principle has now acquired constitutional status, as it has been recognized as a

36
“Maneka Gandhi v. Union of India AIR 1978 SC 597.”
37
“R. Rajgopal alias R.R. Gopal v. State of Tamil Nadu (1994) 6 SCC 632.”

19
fundamental right in various cases by the Supreme Court. Furthermore, Article 8 of the
European Convention on Human Rights (ECHR) also addresses the protection of privacy
rights.” “

B.P Jeevan Reddy J. ruled in favour of the petitioner and asserted that neither the State nor its
officials possess the authority to obstruct publication. The bench emphasized that the right to
life and liberty, guaranteed to citizens, inherently encompasses the right to be left alone.
Privacy was deemed implicit within the right to life and personal liberty, with the judgment
acknowledging various dimensions of privacy such as family, marriage, motherhood,
education, and more. Additionally, the court highlighted that an individual who willingly
relinquishes their right to privacy cannot later claim it.” “

However, the court also delineated certain exceptions to the right to privacy. It clarified that if
a publication is based on public records, including court records, the right to privacy does not
apply. Nonetheless, an exception exists for cases involving female victims of sexual assault,
kidnapping, rape, or similar offenses. Furthermore, in instances where public officials are
fulfilling their public duties, the right to privacy is not applicable, rendering such matters
legitimate subjects for publication.”

The court established broad principles regarding the right to privacy in India and echoed
Justice Mathew's opinion that this right cannot be confined to a specific ambit, but rather
must evolve on a case-by-case basis. In ruling in favour of the petitioner, the court affirmed
their right to publish Auto Shankar's life story as long as it is based on information available
in public records. However, if the publication extends beyond that and infringes upon Auto
Shankar's right to privacy, the petitioner would be liable to him. “

Next important ruling regarding privacy was in the case of People’s Union of Civil Liberties
(PUCL) v. Union of India38. This case was related to the reports regarding phone tapping of
politicians’ phones by the CBI. Constitutional validity of s. 5(2) of Indian Telegraph Act,
1885 was also challenged in this case. Justice Kuldip Singh, while addressing the issue of
privacy as a fundamental right, observed that the right to privacy is inherent within the right
to life and liberty guaranteed by Article 21 of the Constitution. However, he emphasized that
the right to privacy is not absolute and can only be restricted in accordance with established
legal procedures. The court acknowledged that although privacy rights were not explicitly
identified in the Constitution, progressive judicial interpretation has expanded the scope of

38
“PUCL v. Union of India (1997) 1 SCC 301.”

20
Article 21 to encompass privacy concerns. Regarding contemporary life, the court
highlighted that telephone conversations are integral to modern life, and any unauthorized
intrusion into them violates the right to privacy. While the court recognized the right to
privacy as fundamental, it noted that this aspect of rights protection was not widely endorsed
in the public sphere, with many privacy cases centred around issues of surveillance.”

In the case of Mr. ‘X’ v. Hospital ‘Z’39, the question of maintaining balance between two
fundamental rights, namely right to health and right to privacy came up. Here, Mr. X was
HIV +ve and this confidential information was disclosed by the hospital to his fiancé, due to
which his marriage got cancelled. Mr. X alleged that hospital had violated his right to privacy,
but the court opined that it was done to protect the right to lead a healthy life of her fiancé.
Thus, his right to confidentiality and privacy is subject to public health and interest.

Similarly, in PUCL v Union of India40, there was conflict between voter’s right to know his
candidate’s antecedents with the candidate’s right to privacy. Section 33B of RPA, 1951
provided that candidates were not required to disclose cases against them, their assets and
liabilities, and their educational qualifications. Here, Supreme Court held s. 33B of RPA,
1951, as unconstitutional as it infringed voter’s right to know, that was provided under Ar.
19(1)(a). (Ar. 19(1)(a) provide for freedom of speech and expression, and voting in elections
is a manifestation of this right, which could not be exercised effectively if voters’ do not
know the antecedents of their candidates). “

One of the most important judgments regarding bodily privacy was the Selvi v. State of
Karnataka.41 The decision rendered by a three-judge bench of the Supreme Court, led by
Justice K.G. Balakrishnan in 2010, significantly influenced laws concerning the utilization of
scientific techniques in criminal cases. The crucial question before the court revolved around
the involuntary administration of scientific methods such as narco-analysis, polygraph
examinations, and the BEAP test to enhance investigations. This issue is pivotal as it involves
balancing the necessity for effective investigation with the individual's liberty. The major
question was whether involuntary use of such techniques was violation of Ar. 20(3) of the
Constitution and whether it violates right to privacy under Ar. 21 of the Constitution.”

The court emphasized that Article 20(3) should be interpreted in conjunction with Article 21
and other fundamental rights, as established in the Maneka Gandhi case. The interrelationship

39
“Mr. ‘X’ v. Hospital ‘Z’ (1998) 8 SCC 296.”
40
“PUCL v Union of India (2003) 4 SCC 399.”
41
“Selvi v. State of Karnataka (2010) 7 SCC 263.”

21
between these articles, particularly regarding the right to privacy and Article 20(3), needed
careful consideration to assess the constitutionality of involuntary administration of these
techniques.

Considering the provisions of the Evidence Act, the court ruled that involuntary confessions
obtained through such techniques are inadmissible. It underscored the importance of
respecting individuals' autonomy in choosing whether to remain silent or speak. Therefore,
the court deemed the use of these technologies without the consent of the person as
unconstitutional. Subjecting individuals to these techniques without their consent was
deemed a violation of privacy rights. Article 21, in addition to physical privacy, also
safeguards mental privacy.

Puttaswamy Judgment

The most landmark judgment regarding privacy came in the year 2017 when in the case of
Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India42, a nine-judge bench of the
Supreme Court unanimously held that right to privacy is a fundamental right under Ar. 21 of
the Indian Constitution. The background of the case was that in 2009, the Government of
India brought Aadhar scheme to store biometric data of the citizens and provide them with a
unique 12-digit identification number by UIDAI. UIDAI was set up in 2009 with Nandan
Nilekani as its chairman and its aim was to implement Aadhar scheme. “

In 2012, former Karnataka High Court Judge K.S. Puttaswamy J. challenged the mandatory
requirement of Aadhaar for every individual and the government's plan to link Aadhaar with
various government schemes. In his petition, he argued that this government scheme was not
constitutionally valid as it violated the right to privacy and equality. In response, the Supreme
Court issued an interim order stating that no individual should face adverse consequences for
not possessing an Aadhaar card.” “

In 2015, a three-judge bench referred the matter to a five judge bench, which was
subsequently referred to a nine judge bench, since it required that correctness of M.P. Sharma
and Kharak Singh be examined which were decided by larger benches. (Kharak Singh was
decided by a 6 judge bench while M.P. Sharma was decided by a 8 judge bench). The verdict
was delivered on 24th August 2017 where court unanimously affirmed the right to privacy.”

42
Supra note 1.

22
In the verdict spanning 547 pages, the Supreme Court overturned previous decisions (notably
M.P Sharma and Kharak Singh) that had denied the inclusion of the right to privacy within
Fundamental Rights. Notably, the judgment was unanimous, with all nine judges concurring
on the final verdict. The court firmly established that the right to privacy is indeed a
fundamental right and emphasized that it need not be viewed in isolation but can be
comprehended within the framework of Articles 14, 19, and 21 of the Indian Constitution.

The court underscored that the right to privacy is an inherent and inalienable right that
safeguards individuals, and any state action that risks infringing upon this right would be
subject to judicial review. This ruling marked a significant milestone in affirming and
protecting privacy rights in India. “

Indeed, while affirming the right to privacy as a fundamental right, the Supreme Court also
emphasized that it is subject to reasonable restrictions, signifying that it is not an absolute
right. The court recognized that states have the authority to impose reasonable restrictions on
the right to privacy to protect state interests. However, any such restrictions must adhere to a
three-pronged test to ensure they are justified:” “

i. Existence of a justifiable law: There must be a valid law in place that addresses
the encroachment on privacy.
ii. Legitimate state aim: The content of this law should align with legitimate state
objectives, ensuring that it falls within the scope of reasonable restriction and
guards against arbitrary state action.
iii. Proportionality: The means adopted by the state must be proportionate to the
objectives and needs that the law seeks to fulfill.”

These three tests serve as safeguards to ensure that any restrictions imposed on the right to
privacy are reasonable, proportionate, and serve a legitimate state interest.

Views of different judges – “

In his plurality opinion, Justice Chandrachud asserts that the right to privacy is inherently
intertwined with the other freedoms guaranteed by Part III of the Constitution. He views it as
a fundamental aspect of human dignity and an inalienable natural right. Chandrachud
emphasizes the informational dimension of privacy, its vital connection to human dignity and
autonomy, and dismisses the notion that privacy is an elitist concept.”

Throughout his opinion, Chandrachud delves into the implications of privacy within the
digital economy, highlighting the risks associated with data mining. He emphasizes the
23
necessity for the State to fulfill positive obligations in safeguarding privacy and advocates for
the enactment of a robust data protection law.

Furthermore, Chandrachud elucidates the dual nature of privacy, delineating between its
negative and positive elements. The negative aspect serves to prevent unjust state interference
in individuals' privacy, while the positive aspect imposes an obligation on the State to
establish legislative frameworks that curtail unauthorized intrusions by others. “

Justice Chelameswar delineates the right to privacy into three essential components: repose,
sanctuary, and intimate decision. Repose entails freedom from unwarranted stimuli, sanctuary
involves protection from intrusive observation, and intimate decision refers to autonomy in
making personal life choices. Similarly, Justice Nariman subscribes to Gary Bostwick's
conceptualization of privacy, emphasizing its dimensions of repose, sanctuary, and intimate
decision-making.”

Justice Nariman further elaborates on the right to privacy by categorizing it into three distinct
domains. Firstly, it encompasses situations where the State encroaches upon an individual's
physical body. Secondly, it includes information privacy, which addresses unauthorized uses
of personal data. Lastly, it involves privacy of choice, which pertains to individual autonomy
over fundamental personal decisions.

According to Justice Bobde, fundamental rights serve a dual purpose: firstly, they curtail
legislative powers, and secondly, they establish conditions conducive to individual
development and dignity. Like Justice Chandrachud, he acknowledges both the positive and
negative dimensions of enforcing fundamental rights. However, Justice Bobde emphasizes
that the enforcement of fundamental rights primarily falls under the purview of the State,
distinguishing them from other legal claims. “

Justice Kaul acknowledges the importance of privacy claims against both the State and non-
State actors. He highlights concerns regarding government surveillance and profiling, as well
as the impact of technology, particularly in terms of the widespread generation, collection,
and utilization of data in a digital economy. Justice Kaul emphasizes the influence of big data
and its potential to affect individual actions, noting the chilling effect it may have on free
speech and expression. He underscores the necessity of safeguarding certain information
from both government and private entities.” “

24
In contrast, Justice Sapre focuses his opinion on the significance of the Preamble to the
Constitution, emphasizing the principles of liberty, dignity, and fraternity enshrined within
it.”

Summing up, This case unequivocally established the fundamental nature of privacy rights,
laying the groundwork for a new jurisprudence surrounding these rights. The judgment
shifted the focus towards individual privacy rights rather than collective ones, recognizing the
individual as the primary unit and granting greater autonomy in personal decision-making. “

A significant aspect of the judgment was its emphasis on safeguarding the sanctity of various
aspects of an individual's life, including their body, mind, personal information, space,
relationships, and private decisions. This comprehensive approach provided a robust
framework for addressing privacy-related matters.”

Furthermore, the case introduced the proportionality standard for limiting the right to privacy.
It stipulated that any restriction imposed by the State must be supported by an exceedingly
persuasive justification. This standard ensures that any infringement on privacy rights is
carefully weighed against the legitimate interests of the State, thereby striking a balance
between individual liberties and societal concerns. “

In addition to the implications of the Supreme Court's judgment on the right to privacy, there
are further considerations that have emerged. Recognizing the complexities involved, the
Supreme Court has underscored the necessity for comprehensive legislation on the right to
privacy. To address this need, the government established a committee chaired by Retired
Justice B.N. Srikrishna, tasked with examining various issues related to privacy.”

The Committee submitted its report in 2018 and on the basis of its recommendations, the
draft Personal Data Protection Bill was introduced in 2019. This legislative history would be
dealt in Chapter 5.

25
 Chapter- 3: Contemporary Issues Raising Data Privacy Concerns
With the Right to privacy gaining the status of a fundamental right with the Puttaswamy
judgment, it has become increasingly important to preserve the privacy of the people from
getting infringed by state or any non- state entity. If there is any breach in this privacy, it can
have very disastrous consequences for the people. Data protection and privacy have become
increasingly complex and crucial in the modern digital age. With the proliferation of new
technologies and business models, as well as the widespread collection and utilization of
data, safeguarding individuals' personal information has become a paramount concern.

The biggest threat to privacy in today’s times could be through leaking of sensitive and
confidential data of people. This data could be used for cyber-crimes and frauds. That is why,
it is important to create a dedicated law specifically dealing with the issue of protection of
personal data of the users.

Data protection encompasses various measures aimed at ensuring that individuals retain
control over their personal data. This includes establishing rules and regulations governing
how companies and governments can collect, store, process, and share data. Additionally, it
involves empowering regulators to enforce these laws and hold entities accountable for any
violations. In today's interconnected world, where digital interfaces and platforms collect vast
amounts of data on human behaviour, protecting privacy is essential for upholding
democratic principles and ensuring effective governance. From wearable devices to smart
home systems, the data generated and tracked by these technologies underscores the need for
robust data privacy measures.

Overall, as there is advancement in technology and data becomes increasingly ubiquitous,

prioritizing data protection and privacy will remain essential for maintaining trust, upholding
individual rights, and fostering a healthy digital ecosystem.

This chapter would focus on different harmful effects of breach of data privacy to highlight
the growing importance of having a legal regime for protection of users’ personal data. There
are various case studies which would be thoroughly looked at to understand the contemporary
data privacy related issues.

26
3.1 Mass Surveillance - Edward Snowden case, Facial Recognition tools and
Pegasus

One of the purposes of breaching data privacy could be mass surveillance. Mass surveillance
means monitoring and collecting data from people, observing their behaviour actions. 43 It is
often done without the knowledge or consent of people involved. Mass surveillance presents
significant concerns regarding privacy, security, and individual freedoms. With advancements
in technology, particularly in the realm of digital communication and data processing, mass
surveillance has become more pervasive and sophisticated. It is done mostly by government
agencies, but it could be done by private entities as well. “

The major justification given for such mass surveillance is that it is required for enhancing
security of the citizens, especially from terror attacks. Governments officially refuse to accept
that they do mass surveillance. However, in May 2013, Edward Snowden, a former
employee of NSA contractor Booz Allen Hamilton, revealed certain sensitive material to The
Guardian and the Washington Post, which revealed that US Government was involved in a
large-scale mass surveillance program.44 It was termed as “the most significant leak in US
history”. The leaked reports provided significant insight into the extent of internet
surveillance programs conducted by the NSA (National Security Agency) in the United
States. These revelations sparked widespread debate and raised serious concerns about
privacy and civil liberties.”

Among the programs disclosed in the leaked reports were:

1. PRISM: This program reportedly allowed the NSA to collect vast amounts of data directly
from major technology companies, including emails, chats, photos, videos, and other user
information. It was reported that several major tech companies, including Google, Facebook,
Microsoft, and Apple, were participating in this program, although many of these companies
denied providing direct access to their servers.

2. XKeyscore: XKeyscore was described as a powerful surveillance tool used by the NSA to
collect and analyze internet data on a global scale. It purportedly allowed analysts to search

43
“Lisa Wilson, “Mass Surveillance in the Digital Age: The Rise of Co-Appearance Tracking”, (The Pioneer,
15th March 2023). Available at <https://thepioneeronline.com/47465/uncategorized/mass-surveillance-in-the-
digital-age-the-rise-of-co-appearance-
tracking/#:~:text=Mass%20surveillance%20is%20the%20use,collection%2C%20and%20much%20bigger%20i
nvasions.> Accessed 24th March 2024.”
44
H.T. Tavani and Frances Grodzinsky, “Trust, Betrayal, and Whistle-Blowing: Reflections on the Edward
Snowden Case”, ACM SIGCAS Computers and Society 44 (3) (September 2014).

27
through vast amounts of internet traffic, including emails, online chats, and browsing
histories, without requiring a warrant.

3. Tempora: Tempora was a British intelligence program operated by the Government

Communications Headquarters (GCHQ). It involved the interception of vast quantities of
internet traffic through undersea fiber-optic cables. The program reportedly allowed the
GCHQ to store and analyze both content and metadata of communications, including emails,
web browsing history, and online chats.

The leaked reports also revealed the NSA's collection of metadata from telephone
interceptions in both the United States and Europe. Metadata includes information about the
communication itself, such as the time, duration, and participants involved, but not the actual
content of the communication.

These revelations sparked widespread outrage and led to calls for greater transparency,
accountability, and oversight of government surveillance programs. Critics argued that the
programs revealed in the leaks represented a significant intrusion into individual privacy and
civil liberties, without adequate safeguards or oversight. While the US government was of
view that such program was necessary for crime prevention, investigation and national
security purpose.45 It was required to be done so that any further attack like 9/11 attack does
not take place. However, it still raises a question that how much the government can invade
in citizens’ privacy in the garb of national security.

Individuals may have their personal communications, online activities, and even physical
movements monitored without their knowledge or consent. Mass surveillance allows law
enforcement organisations to view all our online activity including social media usage,
browsing history, emails etc. Also, nowadays, there is an increase in use of facial recognition
technology by law enforcement agencies.

Facial Recognition Tools and Privacy- “

The debates surrounding racism, profiling, and bias in face scanning and surveillance
technologies have become increasingly prominent as these technologies are deployed in
various contexts, including law enforcement, border control, and public surveillance. Use of
facial recognition technology has sparked debates in US.” “

45
Supra note 44.

28
Facial recognition technology is used to identify or verify individuals based on their facial
features. It works by capturing images or video frames of faces and then comparing them
against a database of known faces to find matches. There are also new features that keep
coming up. Vintra is one US company who have a n expertise in surveillance and video
analytics technology. Its technology is also equipped with co-appearance feature which
identifies the patterns with whom persons are in proximity in regular basis. 46
Thus, such
technology can identify with whom persons spend time with and thus it takes the surveillance
technology to a next level.” “

While facial recognition technology offers potential benefits in terms of security and
efficiency, concerns have been raised about its accuracy, reliability, and potential for misuse.
One of the key issues raised in debates about facial recognition technology is the potential for
racial bias and discrimination. Studies have shown that facial recognition algorithms can
exhibit higher error rates when attempting to identify individuals with darker skin tones, as
well as individuals who are female or elderly. This bias can result in disproportionate
surveillance and scrutiny of certain demographic groups, leading to concerns about racial
profiling and unfair treatment.”

In addition to concerns about accuracy and bias, there are also broader questions about the
ethics and privacy implications of facial recognition technology. Critics argue that
widespread use of facial recognition technology could erode privacy rights and civil liberties,
as it enables constant surveillance and monitoring of individuals in public spaces without
their consent. There are also concerns about the potential for misuse of facial recognition
data, such as tracking individuals without their knowledge or consent, or using facial
recognition technology for discriminatory purposes.

In response to these concerns, some cities and states in the United States have implemented
restrictions or bans on the use of facial recognition technology by government agencies,
particularly in law enforcement. These measures aim to mitigate the risks of bias,
discrimination, and privacy violations associated with facial recognition technology, while
also promoting transparency and accountability in its use. “

Overall, the debates surrounding racism, profiling, and bias in face scanning and surveillance
technologies highlight the complex ethical, legal, and social issues raised by the use of these
technologies in society. As facial recognition technology continues to advance and become

46
Ibid.

29
more widespread, it will be important for policymakers, technologists, and civil society to
engage in informed discussions and decision-making to ensure that these technologies are
used responsibly and ethically.”

Hence, this intrusion into private lives by mass surveillance programs raises ethical questions
about the balance between security measures and personal freedoms. Moreover, mass
surveillance can also lead to abuses of power by governments or other entities conducting the
surveillance. There have been instances where surveillance programs have been used to target
political dissidents, suppress free speech, or discriminate against certain groups based on
characteristics such as race or religion.

Pegasus spyware

Another recent case study of surveillance is about Pegasus spyware. Pegasus is created by
NSO group, an Israeli spyware vendor. Pegasus is a spyware that can be installed in a
smartphone in a stealth manner and allows the other person to gain access to everything on
the phone including camera and microphone.47 It can be installed on mobile phones and
devices having Android, iOS, Blackberry or Symbian operating system and could convert it
into surveillance devices. NSO said that they sell this product only to governments for
tracking criminal and terrorists, but it is alleged that it was used by the governments for
keeping surveillance and political opponents and journalists and curbing down dissent.48

It has serious impact on right to privacy as it can monitor every detail on the target’s phone. It
does not require cooperation with telecommunication companies and could easily overcome
encryption and protocols, and thus it could be indiscriminately used for mass surveillance
without obtaining any proper legal authorization or oversight. This can lead to the violation
of individuals' right to privacy and may be used for political repression, human rights abuses,
or other unlawful activities. It would also have a chilling effect on freedom of speech and
expression. Also, if such spyware gets into the hands of scamsters, such sensitive personal
information could be used for financial frauds, blackmailing and identity theft.

Whether its PRISM, facial recognition technologies, or Pegasus, such mass surveillance
programs compromise citizens’ privacy and make government a ‘big brother’ (like in George

47
“David Pegg and Sam Cutler, “What is Pegasus spyware and how does it hack phones?”, (The Guardian, 18
July 2021). Available at <https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-
does-it-hack-phones> Accessed 22nd March 2024.”
48
“Tamar Kaldani and Zeev Prokopets, “Pegasus Spyware and its impact on human rights”, Council of Europe,
Information Society Department DGI (2022) 04. Available at <https://rm.coe.int/pegasus-spyware-report-
en/1680a6f5d8> Accessed 23rd March 2024.”

30
Orwell’s dystopian novel “1984”. Such surveillance technology turns the novel’s quote “big
brother is watching you” into a reality!). This would be antithetical to the right to privacy,
freedom of speech and expression, and ultimately democracy.

Furthermore, the sheer volume of data collected through mass surveillance poses challenges
in terms of data security and protection. Storing and analyzing large amounts of data
increases the risk of breach of data security, hackers gaining unauthorized access, and
inappropriate use of personal information. “

In response to these concerns, there have been calls for greater transparency, accountability,
and oversight of surveillance programs. Legal frameworks and regulations are needed to
ensure that surveillance activities are conducted lawfully, with proper safeguards in place to
protect individuals' rights and privacy.” “

Overall, while surveillance technologies can have legitimate uses for maintaining security
and public safety, it's essential to strike a balance between these objectives and safeguarding
individual privacy and civil liberties.”

3.2 Using Personal data for political purpose – the Cambridge Analytica
scandal

3.2.1 Role of social media in politics -

Social media has become an important part of everyone’s lives. That has helped up in
connecting with the people across the globe. Social media had brought a revolution as the
ideas are not limited to any territorial boundaries. Different types of political and social
thoughts, ideas and cultures could now be propagated across anywhere in the world with such
an ease and comfort which was never seen before. Earlier, it was very difficult to spread
ideas, especially when they are critical the ruling establishment. Government censorship on
books and movies tried to limit their propagation. Also, even if one is saved from government
intervention, it was still quite costly and cumbersome to spread any idea to a large number of
population, especially in foreign territories. Although, still many revolutionaries were able to
do this in that era because of the zeal and passion to spread their thought. The ideas of liberty,
equality and fraternity of French Revolution, or of the socialism of Russian Revolution, had
occurred despite these obstacles.

However, in today’s times, it would be easier and faster to spread these ideas or mobilise
people. One of the modern-day examples of social media in bringing about revolution is the

31
Arab Spring, for which the major credit is given to the social media for spread of ideas
against dictatorship.

It all started when on 17th December 2010, a young Tunisian name Mohamed Bouazizi who
was a vegetable seller immolated himself to protest against the government corruption and
police harassment.49 Although Mohamed Bouazizi died on 4th January 2011, but his
profound act sparked a viral movement that resonated deeply within Tunisia and beyond. His
self-immolation, driven by frustration over economic hardships and governmental
oppression, galvanized widespread protests against President Zine El Abidine Ben Ali and the
soaring cost of living.

In a remarkable turn of events, Ben Ali's iron-fisted 23-year reign crumbled just 10 days later
as he fled to Saudi Arabia, marking a historic moment as the first Arab leader to be ousted by
popular uprisings.50

The Tunisian protests served as a catalyst, igniting a wave of revolts across the Arab world.
From Egypt to Libya, Yemen to Syria, people took to the streets to demand an end to
authoritarianism, corruption, and poverty, ushering in an era of unprecedented social and
political upheaval known as the Arab Spring. Bouazizi's sacrifice became emblematic of the
collective struggle for freedom and dignity that swept across the region during this
tumultuous period.

Thus, social media played a very crucial role in bringing in revolution in these Arab
countries. Even in Indian context also, the role of social media in political awareness and
change cannot be denied. In 2011 itself, Anna Hazare started a movement “Indian against
Corruption” to bring in the Jan Lokpal Bill to tackle rising governmental corruption. This
movement became massively popular in India, and many famous personalities joined this
movement. Many political scientists argue that this movement acted played one of the crucial
role in turning public mood against UPA government and which resulted in their loss in the
next elections. Many commentators say that one of the major reasons for the success of this
movement was the wide use of social media.51

49
““What is the Arab Spring, and how did it start?”, (Al Jazeera, 17th December 2020). Available at
<https://www.aljazeera.com/news/2020/12/17/what-is-the-arab-spring-and-how-did-it-start> Accessed 22nd
March 2024.”
50
A. Dhillon, "Social Media & Revolution: The Importance of the Internet in Tunisia’s Uprising" Independent
Study Project (ISP) Collection. (2014).
Available at <https://digitalcollections.sit.edu/isp_collection/1938> Accessed 22nd March 2024.
51
Usha M. Rodrigues, “Social media’s impact on journalism: A study of media’s coverage of anti-corruption
protests in India”, Global Media Journal, (2022) Vol 16 Issue 1. Available at

32
Thus, these events show that social media can prove to be a very useful tool for revolution,
movements or spreading political ideas among the masses. However, as the social media
became more powerful, politicians became aware of this and sensed an opportunity in using
social media for their gain.

3.2.2 The Cambridge Analytica Scandal -

In March 2018, the world was jolted by revelations about a data scandal involving Cambridge
Analytica, a British political consulting firm. The scandal exposed the unethical use of
personal data harvested from Facebook users for political purposes, sparking global outrage
and raising profound questions about privacy, manipulation, and the intersection of
technology and democracy.

Cambridge Analytica, founded in 2013, purported to specialize in data analysis and strategic
communication for electoral processes. It gained notoriety for its involvement in several
high-profile political campaigns, including the Brexit referendum and Donald Trump's 2016
presidential campaign.52 At the heart of its operations lay the exploitation of vast amounts of
personal data, obtained through Facebook's platform. “

Data Harvesting: The scandal erupted when it was revealed that Cambridge Analytica had
improperly obtained data from tens of millions of Facebook users without their consent. This
data was collected through a personality quiz app developed by Aleksandr Kogan, a
researcher affiliated with Cambridge University.53 While the app was initially presented as a
tool for academic research, it surreptitiously harvested not only the data of the app's users but
also that of their Facebook friends, resulting in the unauthorized collection of vast troves of
personal information.”

Manipulation and Influence: The harvested data was then used to create psychographic
profiles of individuals, allowing Cambridge Analytica to tailor political advertisements and
messages with unprecedented precision. By exploiting users' psychological vulnerabilities
and targeting them with highly personalized content, the firm sought to influence their

<https://www.hca.westernsydney.edu.au/gmjau/?p=802> Accessed 22nd March 2024.

52
“Dan Patterson, “Facebook data privacy scandal: A cheat sheet”, (Tech Republic, 30th July 2020). Available at
<https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/> Accessed 20th March
2024.”
53
“Carole Carwalladr and Emma Graham, “Revealed: 50 million Facebook profiles harvested for Cambridge
Analytica in major data breach”, (The Guardian, 17th March 2018). Available at
<https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election>
Accessed 22nd March 2024.”

33
political beliefs and behaviour. This manipulation of public opinion raised profound concerns
about the integrity of democratic processes and the potential for undue influence in elections.

Ethical Implications: The Cambridge Analytica scandal exposed glaring ethical lapses in the
tech industry and the political sphere. It highlighted the perils of unchecked data collection
and the need for robust privacy protections in the digital age. Moreover, it underscored the
ethical responsibilities of companies like Facebook to safeguard user data and prevent its
misuse for commercial or political ends. The scandal prompted widespread calls for greater
transparency, accountability, and regulatory oversight to prevent similar abuses in the future.

Impact and Fallout: In the wake of the scandal, Cambridge Analytica filed for bankruptcy
and faced investigations and legal proceedings in multiple countries. Facebook came under
intense scrutiny for its lax data practices and faced mounting pressure to overhaul its privacy
policies and business model. Mark Zuckerberg has to publicly apologize for the issue.54 He
acknowledged the misuse of data and called it a mistake and breach of trust. He promised to
improve data protection thereafter. The incident also sparked broader debates about the role
of social media in democracy, the power of big data analytics, and the need to balance
innovation with ethical considerations in the tech industry.

Thus, The Cambridge Analytica scandal was a wake-up call for society, exposing the dark
underbelly of data-driven politics and the erosion of privacy in the digital age. It underscored
the urgent need for comprehensive reforms to protect individuals' rights and democratic
processes from exploitation and manipulation.

3.3 Targeted advertising and invasion of privacy

In 2006, a British mathematician and data science entrepreneur, Clive Humby famously said,
“Data is the new oil. It’s valuable, but if unrefined it cannot really be used. It has to be
changed into gas, plastic, chemicals, etc. to create a valuable entity that drives profitable
activity; so data must be broken down, analyzed for it to have value.”55

With time with rapid growth in information technology and this phrase became quite popular.
The comparison of information to oil, with analytics as the combustion engine, has become a
widely cited analogy to highlight the importance of data in the 21st century. Just as oil fuelled

54
“Julia Carrie Wong, “Mark Zuckerberg apologies for Facebook’s ‘mistake’ over Cambridge Analytica”, (The
Guardian, March 22, 2018). Available at <https://www.theguardian.com/technology/2018/mar/21/mark-
zuckerberg-response-facebook-cambridge-analytica > Accessed 16th March 2024.”
55
“Ritu Janegar, “Data is the new oil”, (The Commerce Society, SRCC, 7th January 2028). Available at
<https://comsocsrcc.com/data-is-the-new-oil/> Accessed 22nd March 2024.”

34
the industrial economy of the past, data now drives the digital economy, shaping industries,
innovation, and society at large.

The transition from oil to data as the most valuable resource underscores the transformative
power of digital technology. With advancements in artificial intelligence and robotics, data
has become the cornerstone of innovation, enabling the development of sophisticated
technologies such as humanoid robots like Sophia and AI-powered systems like AlphaGo.56
Leading companies like Apple, Amazon, Facebook, Microsoft, and Alphabet (Google's parent
company) have embraced data-driven approaches, leveraging vast amounts of data to drive
business strategies, improve customer experiences, and fuel growth. 57 The reliance on data
has led to the emergence of a "data economy," where companies recognize the value of data
as a strategic asset. “

So, companies are increasingly using data for targeted advertising for consumers after the
preferences of each and every person. Nowadays, whenever we visit any website, it asks us to
give permission to website to read cookies. Targeted advertising relies on gathering various
types of data about users to tailor ads to their interests and preferences. This data can include
demographic information such as age, gender, location, and income level, as well as
behavioural information like browsing history, search queries, and interactions with ads.”

Browser cookies play a crucial role in this process by storing information about users' online
activities. When a user visits a website, the site may place a cookie in their browser, allowing
it to track their behaviour across the web. This information is then used by advertising
networks to serve ads that are relevant to the user's interests.58

For example, if a user visits a website selling hiking gear and explores various products, a
cookie may be placed in their browser to remember this activity. Later, when the user visits a
different website that uses the same advertising network, the network can recognize the
cookie and display ads for hiking gear, thereby targeting the user based on their previous
behaviour.

56
Ibid.
57
Rohit Sharma, “Is Data Really the New Oil in 2024?”, (upGrad, 28th March 2023). Available at
<https://www.upgrad.com/blog/why-data-is-the-new-oil/> Accessed 22nd March 2024.
58
“Targeted Advertisements – An Invasion of Privacy?”, (AmLegals Legal Strategists, 6th October 2022).
Available at <https://amlegals.com/targeted-advertisements-an-invasion-of-privacy/#> Accessed 23rd March
2024.

35
While targeted advertising can enhance the relevance of ads and improve the user experience,
it also raises privacy concerns about the collection and use of personal data without users'
explicit consent.

Harms in Targeted Advertising-

Targeted advertising, while often viewed as a strategic tool for businesses to reach specific
audiences, also raises concerns about privacy invasion due to its reliance on collecting and
analysing user data. Here's how targeted advertising can invade privacy:

1. Data Collection: Targeted advertising relies on extensive data collection about individuals'
online activities, including their browsing history, search queries, social media interactions,
and even offline behaviour through tracking technologies like cookies, device identifiers, and
location data. This collection of personal information can occur across various platforms and
devices, often without users' explicit consent or knowledge.59

2. Profiling and Segmentation: Once collected, user data is analysed to create detailed
profiles of individuals based on their demographics, interests, preferences, and behaviour.
These profiles are then segmented into specific audience segments or categories, allowing
advertisers to target users with personalized ads tailored to their characteristics and
preferences. However, this profiling can lead to the categorization and labelling of
individuals based on sensitive attributes, potentially resulting in discriminatory practices or
stereotyping.60

3. Behavioural Tracking: Targeted advertising often involves tracking users' online

behaviour across websites and platforms to deliver relevant ads. This tracking can create a
detailed record of individuals' digital footprints, including their interests, habits, and
interactions. While tracking is intended to improve ad relevance and effectiveness, it also
raises concerns about surveillance, tracking consent, and the potential for user profiling
without transparency or control.61

4. Privacy Risks: The extensive collection and analysis of user data for targeted advertising
purposes raise significant privacy risks. Users may feel their privacy is invaded when they
realize the extent of data collection and profiling conducted by advertisers and technology

59
Ibid.
60
“Suzanne Labarre, “Targeted ads aren’t just annoying, they can be harmful. How to fight back”, (Fast
Company, 31st July 2021). Available at <https://www.fastcompany.com/90656170/targeted-ads-arent-just-
annoying-they-can-be-harmful-heres-how-to-fight-back> Accessed 22nd March 2024.”
61
Ibid.

36
companies without their explicit consent. Moreover, the misuse or unauthorized access to
personal data can lead to identity theft, money related scams, or other breaches of privacy .62

5. Lack of Transparency and Control: Many users are unaware of the data collection
practices underlying targeted advertising and have limited visibility or control over how their
information is used. The complexity of online tracking and data-sharing ecosystems can
make it challenging for users to understand who has access to their data and how it is being
used for ad targeting purposes. Additionally, the opt-out mechanisms provided by advertisers
and platforms may be insufficient or ineffective in protecting users' privacy rights.

6. Algorithmic Bias and Discrimination: Targeted advertising algorithms may inadvertently

perpetuate bias and discrimination by relying on flawed or biased data inputs. For example, if
certain demographic groups are underrepresented or misrepresented in the data used to train
advertising algorithms, the resulting ad targeting may reinforce existing stereotypes or
inequalities. This can have adverse effects on marginalized or vulnerable communities,
leading to discriminatory outcomes in areas such as housing, employment, and financial
services. “

Overall, while targeted advertising offers benefits in terms of ad relevance and effectiveness,
it also poses significant challenges and risks to user privacy. Addressing these concerns
requires a careful balance between advertising innovation and privacy protection, with a
focus on transparency, user control, and ethical data practices.”

3.4 Social media and growing echo chambers

Social media algorithms constantly study our use and behaviour patterns, and they create
filter bubbles where internet users are only exposed to that type of digital content that aligns
with their existing beliefs and preferences. The users get only those content on social media
that confirm their existing understanding. This is also called confirmation bias when people
tend to believe only those facts which confirm their views. It leads to a virtual echo chamber
where people are surrounded by only their type of content.63 The lack of access to other’s
perspective leads to people becoming increasingly stubborn about their viewpoint. It leads to
a society where there is increased extremism and intolerance, and increased polarization,

62
“Nik Froehlich “The Truth in User Privacy And Targeted Ads”, (Forbes Technology Council, 24th February
2022). Available at <https://www.forbes.com/sites/forbestechcouncil/2022/02/24/the-truth-in-user-privacy-and-
targeted-ads/?sh=11dfb3be355e> Accessed 23rd March 2024.”
63
Matteo Cinelli et al., “The echo chamber effect on social media”, (PNAS, 23rd February 2021). Available at
<https://www.pnas.org/doi/10.1073/pnas.2023301118> Accessed 23rd March 2024.

37
especially on political views or on views about religion, race, or gender. Thus, it could
increase divisiveness and hostility in the society.

In this way constant personal data monitoring by social media apps could lead to people be
trapped in their respective echo chambers, and ultimately increasing factionalism and
divisiveness in the society.

3.5 Cyber Crimes and data privacy

In October 2023, a US Company named Resecurity revealed that personal data of the Indian
citizens is available on the dark web.64 Also, the seller of the data was providing very
sensitive and verifiable information like name, phone number, aadhar number and address
about 81 crore citizens for a sum of $80,000. 65 This seriously highlights the vulnerability of
our personal data in the modern times. Such personal data could be used for variety of crimes
and frauds. This necessitates that a stringent law has to be made for personal data protection
and those responsible should be severely punished.

With the advent of new technology day by day, scamsters are rapidly improving their ways of
committing frauds Cybercrime poses a significant threat to the data privacy of consumers,
and it manifests in various forms like - “

i. Distributed Denial-of-Service (DDoS) Attacks: Hackers launch DDoS attacks to

overwhelm a network or system with an influx of traffic, causing it to become
inaccessible to legitimate users. During the chaos, hackers may exploit vulnerabilities
and gain unauthorized access to sensitive information.66” “
ii. Identity Theft: Cybercriminals steal personal information from consumers, such as
social security numbers, financial data, and login credentials, to impersonate them
online. This stolen identity can be used to conduct fraudulent activities, make
unauthorized purchases, or even commit crimes in the victim's name.”
Many cases have come up where scamsters make fake Facebook or other social media
id by getting users’ personal information and then ask money from the friends’ and
relatives of that user. Also, with the growing Artificial Intelligence, scamsters copy the

64
“Srinivas Kodali, “Indians’ Personal Data Breached Yet Again, but No Sign That Gaps Will Be Plugged”, (The
Wire, 30th October 2024). Available at <https://thewire.in/tech/indians-personal-data-breached-yet-again-but-no-
sign-that-gaps-will-be-plugged> Accessed 24th March 2024.”
65
“Mishi Choudhary, “We want a Digital India. Just not the one we are living in”, (Indian Express, 26th
December 2023). Available at <https://indianexpress.com/article/opinion/columns/cyber-security-cyber-frauds-
in-india-digital-india-data-protection-bill-9082569/> Accessed 24th March 2024.”
66
“Arjun Kapur, “Cybercrime: A Threat to Data Privacy”, (LiveLaw.in, 1st March 2023). Available at
<https://www.livelaw.in/columns/cybercrime-a-threat-to-data-privacy-222766> Accessed 22nd March 2024.”

38
 voice module of a user by using any audio/ video posted by him on social media, and
then use the AI to create exactly similar voice modulation, which is then used to call his
friends and relatives and ask for money.67
iii. Online Scams: Cybercriminals employ various tactics, such as fraudulent emails, fake
websites, and deceptive advertisements, to trick consumers into divulging sensitive
information or transferring money. These scams often promise lucrative rewards or
offer false assurances to lure victims into sharing their personal or financial details. “
iv. Phishing: Phishing attacks involve the use of deceptive emails, messages, or websites
to trick individuals into revealing their confidential information, such as passwords,
usernames, or credit card numbers. These phishing attempts often mimic legitimate
organizations or individuals to gain the victim's trust before exploiting their data.”
v. Malware and Malicious Software: Cybercriminals develop and distribute malicious
software, such as viruses, ransomware, and spyware, to compromise the security of
consumers' devices and steal their sensitive data. These malicious programs can infect
computers, smartphones, and other devices, allowing attackers to monitor user activity,
steal personal information, or extort money from victims.

Cybercrime in India has been on a persistent rise. In August 2019, the Ministry of Home
Affairs (MHA) launched a National Cyber Crime Reporting Portal to facilitate the reporting
of such incidents by the public. The number of reported cases surged beyond expectations,
surpassing three hundred thousand within just under two years.68

Overall, cybercrime poses a serious threat to consumers' data privacy and security, requiring
proactive measures, such as robust cybersecurity protocols, user awareness training, and
effective law enforcement efforts, to combat these malicious activities and safeguard
individuals' digital identities. On above of all that, we need a strict law for protecting private
data of users which will help in reduction of cyber-crimes.

67
“Vishal Upadhyay, “What is AI voice scam and how not to become a victim? – Explained”, (India TV news,
18th November 2023) Available at <https://www.indiatvnews.com/technology/news/how-ai-voice-scams-work-
and-tips-to-stay-safe-2023-11-18-903302> Accessed 22nd March 2024.”
68
“3.17 lakh cybercrimes in India in just 18 months, says govt”, (The Hindu, 9th March 2021) “Available at
<https://www.thehindu.com/sci-tech/technology/317-lakhs-cybercrimes-in-india-in-just-18-months-says-
govt/article34027225.ece#:~:text=%22As%20per%20the%20data%20maintained,a%20written%20reply%20to
%20a.> Accessed 23rd March 2024.”

39
 Chapter-4: Data Protection Regime in India before DPDP Act 2023
In August 2023, the Parliament passed the Digital Personal Data Protection Act to overhaul
the data protection structure in our country. However, before delving into the new Act, we
would first need to look at what were the laws that were prevailing before this Act, and how
the cases relating to data privacy were managed till now. This chapter would look at this issue
in detail.

Data privacy was an issue that was covered by different laws until now depending upon
different aspects of it. The major law to govern digital data privacy was the Information
Technology Act, 2000. While various other types of issues were governed by criminal laws,
laws relating to intellectual property rights and contract.

4.1 Information Technology Act, 2000

The utilization and transmission of personal data were primarily governed by the IT Act,2000
and IT Rules, 2011. These legislative instruments establish regulations pertaining to the
collection, transmission, and utilization of personal information. While the primary objective
of the act is to safeguard electronic data and aspects of information technology, such as
cybercrimes and electronic commerce, it should be noted that its main focus lies in e-
commerce rather than privacy. Its inception was largely influenced by the adoption of the
UNCITRAL model law on e-commerce in 1996. The IT Act underwent an amendment in
2008, receiving presidential assent in 2009. Following this amendment, the act was equipped
with specific provisions addressing data protection concerns. It now mandates privacy
policies and outlines penalties for breaches thereof. Following sections are relevant for data
protection – “

Section 2(1)(o) of the act outlines the definition of "data," considering it as the representation
of information, knowledge, facts, and concepts, either in the process of preparation or already
formalized.69 This data is intended for processing or has already undergone processing within
a computer system or network, or it's internally stored within computer memory. Notably, this
definition does not encompass a specific definition for personal data.” “

On the other hand, Section 2(1)(v) provides the term "information" to include various forms
such as data, messages, texts, images, sounds, voices, codes, computer programs, software,
databases, microfilms, or computer-generated microfiche.” “

69
Information Technology Act 2000, section 2(1)(o).

40
Section 43 of the act addresses several matters that establish civil liability against offenders
and allows for damages to individuals affected by defined instances. Notably, compensation
for cyber contravention under this section is only applicable when an individual is directly
affected by unauthorized access, disruption, denial, etc.”

Section 43A was introduced as a pertinent provision for data privacy protection. It mandates
any corporate entity handling sensitive personal data through computer resources to establish
and uphold adequate security measures and procedures. According to this provision, the
corporate entity can be held liable for compensation only if an action results in wrongful loss
or wrongful gain to any individual. “

Under this provision, liability cannot be avoided by the company based on the absence of
negligence in implementing or maintaining reasonable security practices. Reasonable security
practices and procedures are defined as measures aimed at safeguarding information from
unauthorized access, damage, use, modification, disclosure, or impairment, as outlined in
agreements between parties or specified by applicable laws. In the absence of such
agreements or laws, the central government has the authority to prescribe security practices
and procedures after consulting with professional bodies and associations.70”

Section 43A does not specifically address "Personally-Identifying Information," and its
definition of "Sensitive Personal Data" (SPD) is quite limited. It offers a civil remedy under
Section 43A only in cases of negligence by the corporate body resulting in wrongful loss or
gain to others. Additionally, the provision does not explicitly mention its applicability beyond
national borders. Sections 43 and 43A also fail to establish a cap on compensation amounts,
leading to potential misuse by companies. Consequently, there have been instances where
companies have filed frivolous claims against former employees who have transitioned to
other firms within the same industry. The Act includes provisions for residual penalties or
compensation in cases of non-compliance with its provisions.71

Furthermore, it holds any individual accountable if they dishonestly or fraudulently fail to

adhere to the provisions mentioned in Section 43.72

Additionally, certain new provisions were introduced to address the complexities of

cybersecurity and cybercrimes, albeit indirectly. Sections 66A to 66F, incorporated through
the 2008 amendment, encompass a broad spectrum of cyber offenses, such as those involving

70
Id., section 43A Explanation (ii).
71
Id., section 45.
72
Id., section 66.

41
the transmission of offensive messages via computer resources or communication devices,73
or dishonestly receiving/ retaining any stolen resource/ communication device74. Also,
provisions were inserted to punish dishonestly or fraudulently using e-signature, password or
other identification features75, cheating by personation by using computer resource76,
violation of privacy77, and cyber terrorism.78

Section 66E is a specific provision that pertains to the protection of an individual's privacy.
The primary objective of this section is to prohibit voyeuristic behaviour facilitated by video
technology, particularly clandestine photography or recording. “

The act also addresses the transfer of obscene material in electronic form79, as well as the
punishment for publishing or transmitting material containing sexually explicit acts in
electronic form80, and the transmission of material depicting children engaged in sexually
explicit acts in electronic form 81.”

Role of Intermediaries: “

Intermediaries have been defined under s. 2 (1)(w) of the Act, and it has a very wide
definition includes any person who on behalf of another person receives, stores or transmits
that record or provides any service with respect to that record and includes telecom service
providers, network service providers, internet service providers, web-hosting service
providers, search engines, online payment sites, online-auction sites, online-market places
and cyber cafes.82 Intermediaries have been imposed with the obligation for preservation and
retention of data received by them.83 Under s. 69, Centre and State Governments have been
vested with power to issue directions for interception or monitoring or decryption of any
information through any computer resource. Central government has also been vested with
powers to issue directions for blocking public access of any information through computer
resource.84”

73
Id., section 66A.
74
Id., section 66B.
75
Id., section 66C.
76
Id., section 66D.
77
Id., section 66E.
78
Id., section 66F.
79
Id., section 67.
80
Id., section 67A.
81
Id., section 67B.
82
Id., section 2(1)(w).
83
Id., section 67C.
84
Id., section 69A.

42
Another significant provision in the act is Section 72, which provides punishment for
breaching of confidentiality and privacy85. Section 72A further elaborates on privacy law,
particularly concerning the disclosure of information in violation of lawful contracts. Unlike
the previous Section 72, which only penalized individuals legally authorized to access
electronic records and documents, Section 72A extends liability to intermediaries and other
parties for breaching privacy and confidentiality under lawful contracts.86 “

Section 72A does not specifically address the extra-territorial applicability for data protection
and privacy. While it criminalizes breaches of confidentiality and privacy, it lacks provisions
for compensation in cases where criminal penalties cannot be imposed for such violations.
Additionally, it appears narrowly drafted as it only applies to information obtained within
contractual relationships between parties. Consequently, there is a deficiency in legal
protection for information collected without authorization and subsequently compromised,
leading to breaches of data privacy in electronic transactions.” “

Undoubtedly, certain provisions of the act address privacy concerns, but they are insufficient
to provide the necessary level of protection, especially concerning personal data protection.
While the amendments to the IT act were innovative when introduced, the rapid growth of the
digital economy has rendered them inadequate. Some provisions can be easily circumvented
through contractual agreements, and the act primarily applies to companies rather than
governments. Moreover, sections of the act are limited to individuals granted powers under it,
and it fails to adequately address instances of inadvertent privacy violations.”

The IT Act of 2000, along with its 2008 amendment, falls short in effectively addressing
concerns regarding data protection, privacy, and security in electronic transactions. While the
introduction of the IT Rules in 2011 aimed to address these issues, they also prove to be
inadequate. These rules establish provisions for security practices and procedures that must
be adhered to when handling Sensitive Personal Data (SPD) by corporate entities or
individuals acting on their behalf. These regulations govern the collection, disclosure,
transfer, and storage of sensitive personal data. “

The Sensitive Personal Data (SPD) Rules were enacted under Section 43A of the IT Act,
which holds corporate entities accountable for compensation due to negligence in
implementing and maintaining reasonable security practices and procedures when handling
sensitive personal data or information. These rules broaden the scope of reasonable practices

85
Id., section 72.
86
Id., section 72A.

43
and procedures outlined in the act. They provide a definition for sensitive personal data 87 and
require the implementation of policies for handling such data88. Additionally, various
conditions, including consent requirements89, lawful purposes90, purpose limitations91, and
procedures for withdrawing consent92, are imposed on corporate entities collecting such
information.”

The SPD Rules mandate obtaining prior consent from the provider of information before
disclosing sensitive personal data to a third party.93 However, transfer of such data outside
India is allowed only if the receiving country ensures a similar level of data protection as
stipulated by the SPD Rules applicable to the corporate entity.94 Moreover, a corporate entity
is considered to have adhered to reasonable security practices if it meets security standards
and maintains comprehensive data security policies.95 “

While the SPD Rules represented a pioneering effort in data protection when introduced, the
rapid evolution of the digital economy has revealed certain shortcomings over time. For
instance, the definition of sensitive personal data is overly narrow, excluding several
categories of personal information from its protective scope. Additionally, the obligations
outlined in the SPD Rules do not extend to governmental entities and may, under a strict
interpretation of Section 43A of the IT Act, be superseded by contractual agreements.
Furthermore, both the IT Act and SPD Rules have encountered implementation challenges,
partly due to delays in appointing adjudicatory bodies as mandated by the IT Act. Some of
these issues are not unique to India but are prevalent across various jurisdictions.”

While the SPD Rules made efforts to safeguard various facets of personal information, their
provisions are not exhaustive enough to fully protect the rights of data owners. The rules
primarily focus on Sensitive Personal Data (SPD) in relation to the collection, retention,
disclosure, and transfer of information. However, the definition of SPD provided in the rules
is limited compared to international standards. Non-sensitive information has been
overlooked entirely, with protection restricted solely to sensitive information. Additionally,

87
“Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011, rule 3.”
88
“Id., rule 4.”
89
“Id., rule 5(1).”
90
“Id., rule 5(2).”
91
“Id., rule 5(4) and (5).”
92
Id., rule 5(7).
93
Id., rule 6.
94
Id., rule 7.
95
Id., rule 8.

44
Rule 4(1) lacks clarity regarding the procedures to be followed if a corporate entity changes
its privacy policy, particularly concerning whether notice of such changes must be provided
to affected parties.”

Another layer of complexity arises from the fact that half of the rules do not impose
obligations directly on data subjects but rather on the providers of information. Furthermore,
the scope of duties assigned to the Grievance Officer is limited, primarily concerning the
expeditious processing of information by the corporate entity. Additionally, the application of
data protection rules is constrained in terms of their extra-territorial reach, particularly in
safeguarding data privacy in electronic transactions. As the rules apply only to Indian
corporate entities and do not cover situations where the entity is located outside India or does
not utilize any computer resource within India, their application becomes limited. However, a
press release issued by the Ministry of Communications and Information Technology in 2011
stated that entities located outside India, which receive and store data pursuant to a contract,
are bound by the rules.

The right of providers to withdraw their information and the corresponding right of corporate
bodies to retract sales and service provision could potentially impede the growth of electronic
businesses. Additionally, it remains unclear whether data must be deleted if a provider
chooses to withdraw their information. A significant concern is that data protection rules do
not extend to government entities, despite government organizations being the largest
processors of personal and sensitive personal information (SPI) in our country. Furthermore,
IT rules grant broad and systematic access to information of users held by the private entities
to government security agencies.

4.2 Other laws dealing with data privacy- “

The Indian Penal Code of 1860 does not explicitly address data protection concerns.
However, Section 403 imposes criminal liability for dishonest misappropriation or conversion
of movable property for one's use. Sections 405 and 409 cover the criminal breach of trust,
while Section 378 pertains to the theft of movable property. While these provisions offer
some legal recourse, they are not entirely satisfactory for protecting individual rights related
to data protection.” “

The Indian Copyright Act of 1957 provides protection for various forms of creative works,
including literary, dramatic, musical, artistic, and cinematographic works. Computer
databases are included within the scope of cinematographic works under this act. Section 63B

45
specifically addresses infringing copies of computer programs. However, the challenge arises
in distinguishing between data protection and database protection within the act. As a result,
the scope of protection remains limited primarily to safeguarding the creativity of
individuals.” “

The Credit Information Companies Regulation Act of 2005 mandates adherence to privacy
norms when collecting credit information pertaining to individuals in India. Additionally,
various other acts and regulations, including the Insolvency and Bankruptcy Code of 2016,
the Payment and Settlement System Act of 2007, and SEBI Regulations, also provide
provisions for data privacy in financial matters. Similarly, within the health sector,
organizations such as NASSCOM and Business Process Outsourcing (BPO) companies have
implemented provisions for privacy protection.”

The rapid advancement of technology highlighted the pressing concern for India having a
dedicated statute for protection of personal data of users. As a result, government formed
Srikrishna Committee in 2017 which ultimately paved the way for Digital Personal Data
Protection Act, 2023.

46
 Chapter- 5: Digital Personal Data Protection Act, 2023

5.1 Legislative History

5.1.1 Attempts before Puttaswamy: “

The first serious attempt for having a dedicated legislation for protecting personal data dates
back to 2006, when former Rajya Sabha MP, Vijay J. Darda introduced a private member bill
titled Personal Data Protection Bill, 200696 in Rajya Sabha. Consisting of 14 sections, the bill
primarily focused on regulating the use and disclosure of personal information. Its main
concern centred around preventing the misuse of personal data by marketing companies. The
bill imposed obligations on both government and private organizations, prohibiting them
from disclosing information for the purpose of direct marketing or any commercial gain.
However, the bill was not passed, and it lapsed.” “

In October 2010, Department of Personnel Training of Government of India issued an

approach paper for legislation on privacy to get public opinion on this issue. The paper
underscored the necessity for legislation addressing privacy concerns, notwithstanding
existing corporate norms aimed at addressing privacy breaches. It also examined the
challenge of harmonizing data legislation with other statutes. The paper emphasized the
importance of distinguishing between personal sensitive data and the right to personal data,
advocating for all entities collecting data to be subject to the legislation. After scrutinizing
privacy laws in 13 different jurisdictions, the paper recommended the formulation of privacy
laws tailored to India's context. It highlighted the growing trend of centralizing government
databases and the increasing involvement of private entities in data collection as key drivers
necessitating such legislation.” “

In 2011 a draft bill on Right to Privacy was drafted for providing citizens of India with Right
to Privacy. The bill aimed to regulate the collection, maintenance, use, and dissemination of
individuals' personal information while also outlining penalties for violations. It addressed
various aspects of privacy protection, including surveillance, health information, DNA, and
other data, each covered under separate chapters. The establishment of a Data Protection
Authority, including qualifications, term of office, powers, removal, and functions, was also
detailed in the bill. Additionally, the bill empowered the Cyber Appellate Tribunal,
established under the IT Act, to adjudicate disputes arising under its provisions. Certain laws,

“The Personal Data Protection Bill, 2006. Rajya Sabha Secretariat. Available at:
96

<http://164.100.24.219/billstexts/rsbilltexts/asintroduced/xci_2006.pdf> Accessed 22nd March 2024.”

47
such as the Right to Information Act, were exempted from privacy rights under Section 90 of
the bill. Furthermore, both civil and criminal remedies were provided to aggrieved
individuals under the bill. However, this bill also could not see the light of the day.” “

In 2012, the former Planning Commission established a group of experts on Privacy, chaired
by Justice A.P. Shah. This Export group presented a Report97 that specified the constitutional
basis of the right to privacy. They outlined nine pivotal principles for privacy rights,
including notice, choice, and consent; collection limitation; purpose limitation; access and
correction; disclosure of information; security; openness; and accountability. The committee
recommended a comprehensive framework for privacy protection and proposed the
establishment of a co-regulatory system. The report advocated for the appointment of privacy
commissioners at both the central and state levels, as well as additional protection for
Sensitive Personal Data (SPD). The report also identified certain exceptions to privacy rights,
including considerations for national security, public order, disclosure in the public interest,
criminal offenses, and other rights. However, it emphasized that these exceptions should be
evaluated against principles of proportionality, legality, and necessity. Justice Shah noted that
social networking sites and search engines, which have their own privacy codes, would need
to either adhere to the model outlined in the proposed act or establish a self-regulatory
mechanism approved by the privacy commissioner.”

In November 2014, Vijay J. Darda again introduced a bill in Rajya Sabha which was similar
to 2006 version.98 In 2016, Lok Sabha MP Om Prakash Yadav introduced “Right to Privacy
of Personal Data Bill, 2016”99. In addition to addressing security concerns regarding data
breaches, the bill proposed the establishment of a National Do-Not-Disturb Registry aimed at
minimizing unwanted communications. It also aimed to raise awareness about personal data
protection. Furthermore, the bill included provisions for setting up the National Research
Centre for Excellence in Data Management and making education about privacy of personal
data compulsory in educational institutions.

97
“Report of the Group of Experts on Privacy, 2012”, Planning Commission. Available at: “
<https://niti.gov.in/planningcommission.gov.in/docs/reports/genrep/rep_privacy.pdf> Accessed 19th March
2024.”
98
“The Personal Data Protection Bill, 2014, Rajya Sabha Secretariat. Available at:
<http://164.100.47.4/billstexts/rsbilltexts/asintroduced/data%20-e.pdf> Accessed 20th March 2024.”
99
“The Right to Personal Data Bill, 2016, Lok Sabha Secretariat. Available at:
<http://164.100.47.4/billstexts/lsbilltexts/asintroduced/3365.pdf> Accessed 20th March 2024.”

48
5.1.2 Developments Post Puttaswamy:

Before Puttaswamy judgment, although multiple bills relating to protection of data privacy
were tabled in Parliament, they all were private members’ bill, not having the approval of
cabinet and that is the reason none could be passed.100 There are already very low chances of
a private members bill being passed, and that happened with the data protection bills as well.

However, situation changed when in the Puttaswamy judgment in 2017, Supreme Court
recognised that privacy is a fundamental right and privacy of personal data is an essential part
of right to privacy. The observations of Supreme Court in this case mandated the government
to take steps in this regard to develop a legislative framework for data privacy from both
State and non- state actors. Following the observations of the court government appointed an
Expert Committee with under the chairmanship of retired Justice B.N. Srikrishna.101 In 2018,
the committee submitted its report. “

The draft bill presented by the Srikrishna committee was extensive, consisting of 15 chapters
and 112 sections. It introduced the terms "data principal" and "data fiduciary" to empower
individuals whose data is utilized. The bill delineated the rights of data principals and the
obligations of data fiduciaries. It allowed for exceptions in certain cases such as national
security, legal proceedings, and journalistic purposes. Additionally, the bill defined Sensitive
Personal Data (SPD) and imposed stricter grounds for processing SPD, requiring explicit
consent. It proposed the establishment of a national-level Data Protection Authority tasked
with supervising and regulating data fiduciaries. The bill also addressed the transfer of
personal data outside the country under certain permissible circumstances, with SPD being
treated as particularly critical. Furthermore, it outlined offenses and penalties for non-
compliance.” “

The government released the draft PDP bill, 2018 for public consultation and feedback.102
After taking suggestions from public and other stakeholders, a revised Draft Bill of 2019 was
introduced in Lok Sabha by then IT Minister Mr. Ravi Shankar Prasad on 11 December 2019.

100
“Prabhash K Dutta, “Right to Privacy: 5 bills yet no law, how Parliament has dealt with personal data
protection” (India Today, 24th August 2017). Available at <https://www.indiatoday.in/india/story/right-to-
privacy-fundamental-right-parliament-1031136-2017-08-24> Accessed 22nd March 2024.”
101
“Surabhi Agarwal, "Justice BN Srikrishna to head Committee for data protection framework". (The Economic
Times, 1 August 2017). Available at <https://economictimes.indiatimes.com/news/politics-and-nation/justice-
bn-srikrishna-to-head-committee-for-data-protection-framework/articleshow/59866006.cms> Accessed 22nd
March 2024.”
102
“The Personal Data Protection Bill, 2018, Available at
<https://www.thehinducentre.com/resources/article24561526.ece/binary/Personal_Data_Protection_Bill,2018_0.
> Accessed 22nd March 2024.”

49
The bill was referred to a Standing Committee which considered the bill for two years, and
presented their final report in December 2021. However, in 2022 the PDP bill was
withdrawn.103 The reasons reported were that so much numerous changes were suggested
(over 80 changes were suggested) that the government deemed it fit to take back the bill and
replace it with a new bill.104 In November 2022, government issued a fresh draft named as
draft Digital Personal Data Protection Bill, 2022 for public feedback.105 It was quite different
from earlier versions of the bill. After consulting public and other stakeholders, the
government introduced the Digital Personal Data Protection Bill on 3rd August 2023. It was
passed in Lok Sabha on 7th August and in Rajya Sabha on 9th August. It received presidential
assent on 11th August 2023 and hence, India got its first Digital Personal Data Protection
Act.”

5.2 Features of the 2019 Bill

The first government version of the law, the Personal Data Protection Bill, 2019, was
introduced in Parliament in December 2019. This version had a broad scope and proposed
comprehensive data protection regulation across various sectors of the economy. It aimed to
establish an all-encompassing data protection regulator, the Data Protection Authority (DPA),
with significant powers. The 2019 bill emphasized a preventive framework, imposing several
obligations on entities collecting personal data.106 These obligations included providing
notice and obtaining consent from individuals, securely storing accurate data, and using it
solely for purposes outlined in the notice. Furthermore, businesses were required to delete
data once its purpose was fulfilled and grant consumers rights to access, erase, and port their
data. The bill also mandated businesses to maintain security measures, transparency
requirements, and implement "privacy by design" principles. Additionally, it introduced

103
“Report of the Joint Committee on the Personal Data Protection Bill, 2019,” “17th Lok Sabha Secretariat,
December 16, 2021. Available at
<https://eparlib.nic.in/bitstream/123456789/835465/1/17_Joint_Committee_on_the_Personal_Data_Protection_
Bill_2019_1.pdf.> Accessed 23rd March 2024.”
104
Malavika Raghvan, “Are we there yet? The long road to nowhere: The demise of India’s draft data protection
bill” “(Future of Privacy Forum, 11th October 2022). Available at <https://fpf.org/blog/are-we-there-yet-the-
long-road-to-nowhere-the-demise-of-indias-draft-data-protection-bill/> Accessed 22nd March 2024.”
105
“The Digital Personal Data Protection Bill, 2022, Ministry of Electronics & Information Technology,
Government of India. Available at
<https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C
%202022_0.pdf.> Accessed 23rd March 2024.”
106
Anirudh Burman, “Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth?,”
“(Carnegie India, 9th March, 2020). Available at <https://carnegieindia.org/2020/03/09/will-india-s-proposed-
data-protection-law-protect-privacy-and-promote-growth-pub-81217.> Accessed 23rd March 2024.”

50
"consent managers" as intermediaries responsible for collecting and providing consent to
businesses on behalf of individuals.107

The bill categorized personal data into various groups and mandated heightened standards of
safeguard for "sensitive" and "critical" personal data. Additionally, it designated certain
businesses as "significant data fiduciaries," and imposed extra obligations on them like
registration in India, conducting data audits, and performing data impact assessments.
Moreover, the bill introduced localization restrictions on the cross-border transfer of certain
categories of data. The Data Protection Authority (DPA) was granted the authority to penalize
businesses for non-compliance with these regulations. Furthermore, the bill proposed
criminalizing activities associated with the deanonymization of individuals from anonymized
datasets.

The 2019 legislation contained provisions granting certain entities exemptions from the
obligation to provide notice and obtain consent under particular conditions. These exceptions
encompassed lawful state activities, emergency health services in times of pandemics,
instances of public disorder, the handling of data in relation to employment, efforts to prevent
and uncover illegal activities, whistleblower protection, and credit retrieval, among other
scenarios.

Furthermore, the bill empowered the government to regulate non-personal data. It allowed the
government to mandate private entities to provide specific non-personal data upon request,
subject to conditions it prescribed. In essence, the 2019 bill proposed a comprehensive, cross-
sectoral framework based on preventive requirements for businesses, defined as "data
fiduciaries," and established rights for individuals or consumers, referred to as "data
principals."

The regulatory framework outlined in the 2019 bill largely followed the 2018 draft bill
suggested by the Srikrishna Committee. This committee, chaired by Justice B.N. Srikrishna, a
retired Supreme Court judge, was established in July 2017 to give its suggestion in
formulating data privacy law. The committee's recommendations were influenced by major
regulatory developments, particularly the European Union's General Data Protection
Regulation (GDPR), which was highly regarded during the committee's proceedings.108

107
Ibid.
““Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data
108

Protection Regulation),” EU Official Journal, 4th May 2016. Available at “<https://eur-lex.europa.eu/legal-

content/EN/TXT/PDF/?uri=CELEX:32016R0679> Accessed 24th March 2024.”

51
While the general preventive framework of the 2019 bill was seen as positive, its extensive
scope posed challenges. It introduced numerous compliance requirements that would have
impacted both large and small firms in the economy. Moreover, it proposed the establishment
of a Data Protection Authority (DPA) endowed with significant regulation-making and
supervisory powers. These regulations would have further elaborated on the already
substantial compliance requirements in the bill.

The novelty of the proposed law and the lack of prior experience in implementing such a
comprehensive data protection legislation raised concerns about the potential for
overregulation or under-regulation.109

DPDP Act is based on the November 2022 draft of the government which adopted a quite
different approach for data protection. The next section discusses features of this Act.

5.3 Salient Features of the DPDP Act, 2023

Compared to the 2019 version of the bill, the Data Protection and Digital Privacy Act (DPDP
Act), 2023, is more modest in its approach. It reduces obligations for businesses and
protections for consumers. While the regulatory structure is simpler, it also grants the central
government unguided discretionary powers in certain cases. “

The DPDP Act introduces numerous compliance requirements for the collection and
processing of personal data, with many details left to be prescribed by the Central
Government. A memorandum regarding delegated legislation within the DPDP Act outlines
matters yet to be addressed by rules enacted under the main statute. These matters include
notice requirements, functions of consent managers, procedures for data breach notifications,
parental consent for children's data, grievance mechanisms, exemptions for personal data
processing, and redressal procedures. This inclusion likely responds to criticisms that the
earlier 2022 version ("2022 Bill") left too much to be covered by rules.”

Additionally, the DPDP Act provides several additional illustrations compared to the 2022
Bill to clarify its provisions. The proposed Data Protection Board of India (the "Board") will
serve as the adjudicatory body responsible for enforcing the DPDP Act.

109
Anirudh Burman, “The Withdrawal of the Proposed Data Protection Law Is a Pragmatic Move,” “(Carnegie
India, August 22, 2022). Available at <https://carnegieindia.org/2022/08/22/withdrawal-of-proposed-data-
protection-law-is-pragmatic-move-pub-87710.> Accessed 24th March 2024.”

52
Analysis of the Key Provisions:

5.3.1 Applicability of the Act: “

The DPDP Act applies to all the “processing of personal data within the territory of India”110.
However, it covers only that data, which is either collected in digital format, or collected in
non-digital form but is later converted into digital format. Hence, it does not apply to non-
digital personal data. Clause (b) of Section 3 provides that the Act also applies to processing
of personal data outside of Indian territory, if such processing is done in relation to activity of
providing goods/ services to data principals within the Indian territory. Thus, Act could be
applied extra-territorially if such organization provides goods and services to people within
India.”

The DPDP Act defines “personal data” as “any data about an individual who is identifiable by
or in relation to such data”111. Hence, it does not cover anonymous data. It also defines
“processing” relating to personal data which means “wholly or partly automated operation or
set of operations performed on digital personal data, and includes operations such as
collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment
or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise
making available, restriction, erasure or destruction.”112.

Clause (c) of Section 3 talks about the non-applicability of the Act if – “

• Personal data is processed for personal or domestic use, or

• Personal data is made available to public by the data principal himself, or he was
required to make it available to public under any law in force in India.113”

5.3.2 Concept of Data Principal, Data Fiduciary and Data Processor

The provisions of DPDP Act revolve around 3 key players- “

• Data Principal – He is the person to whom the personal data is related to. Also, if in
case of child, it includes his parents or guardian. Similarly, for persons with disability,
it includes his lawful guardian.114”

110
“Digital Personal Data Protection Act 2023, section 3.”
111
Id., section 2 (t).
112
Id., section 3 (x).
113
Id., section 3 (c).
114
Id., section 2 (j).

53
 • Data Fiduciary – He is the person who either “alone or in conjunction with other
persons determines the purpose and means of processing of personal data”115.
• Data Processor – He is “any person who processes personal data on behalf of a Data
Fiduciary”116

5.3.3 Requirements to give Notice and obtaining Consent.

Under the DPDP Act, it is made mandatory on a data fiduciary to give notice to the data
principal and take his consent before processing his personal data.

Section 5 provides that the notice given for obtaining consent must provide information to
data principal regarding: “

• Private data which would be processed and the purpose for processing the data.
• The way in which the data principal could exercise his rights provided under the Act.
• The procedure for complaining the Board in case of any dispute. The more detailed
nuances of notice would be given under the rules that would be later issued under the
act.”

If consent for processing personal data has been already given by the data principal, the data
fiduciary must provide notice containing above details “as soon as it is reasonably
practicable”117 However, it does not provide any exact time as to what would be “reasonably
practicable” for providing notice.

Section 6 of the Act talks about Consent. It requires that “The consent given by the Data
Principal shall be free, specific, informed, unconditional and unambiguous with a clear
affirmative action, and shall signify an agreement to the processing of her personal data for
the specified purpose and be limited to such personal data as is necessary for such specified
purpose.”118 It also provides an Illustration to explain the scenario: “A person ‘X’ downloads
a tele-medicine application ‘Y’, and ‘Y’ requests for ‘X’s consent to (i) process personal data
for providing tele-medicine services and (ii) accessing ‘X’s contact list in the smartphone,
and ‘X’ give consent to both. Here the consent would be limited to accessing personal data
and not for accessing contact list, since contact list is not necessary for providing tele-
medicine services.”

115
Id., section 2 (i).
116
Id., section 2 (k).
117
“Id., section 5 (2).”
118
“Id., section 6 (1).”

54
Hence, if data fiduciary is able to get the consent that extends beyond the stated purpose, it is
considered that data principal has given limited consent. Data fiduciary could process other
personal data that is not required for the stated objective.

In essence, the DPDP Act’s provisions regarding consent and specified purpose would require
data fiduciaries to be more transparent and specific in obtaining consent and articulating the
purpose for which processing of personal data will be done.

Section 6(2) provides that any consent that is obtained in violation of the DPDP Act or any
other law would be deemed invalid upto the extent of violation. For example, if a notice
requires a data principal to give his consent to waive his right of filing complaint with the
Board, then such consent would be considered invalid under the Act. This provision ensure
that consent is obtained in a lawful and compliant manner, and the rights provided to the data
principals under the DPDP Act or any other applicable laws are respected and are not taken
away.

Also, to ensure that the consent is real and meaningful, it is provided under Section 5(3) that
“The Data Fiduciary shall give the Data Principal the option to access the contents of the
notice referred to in sub-sections (1) and (2) in English or any language specified in the
Eighth Schedule to the Constitution.”119 The condition to provide consent in languages
supported by online platforms may pose challenges for entities, particularly those that
primarily operate in English. To ensure accessibility and compliance, it would be advisable
for platforms to offer consent options in all languages supported by the platform. This
approach would help facilitate understanding and engagement among users who may not be
proficient in English or who prefer to communicate in their native languages. By providing
consent options in multiple languages, platforms can enhance transparency, inclusivity, and
compliance with regulatory requirements.

Withdrawing of Consent – The Act provides data principals with the right to take back their
consent, if it serves as the basis for the processing of their data. The process for withdrawing
consent should be as convenient as the process for giving consent initially.120 Upon
withdrawing consent, the data principal and any associated data processors must discontinue
processing of the personal data “within a reasonable time”.121 This provision ensures that data

119
Id., section 5(3).
120
“Id., section 6(4).”
121
“Id., section 6(6).”

55
principals maintain authority over their personal information and can revoke consent when
desired, with minimal inconvenience.

Consent Managers – The DPDP Act have provided a new concept of consent managers. It
defines them as: “a person registered with the Board, who acts as a single point of contact to
enable a Data Principal to give, manage, review and withdraw her consent through an
accessible, transparent and interoperable platform”122 Section 6(7) provides that “data
principal may give, manage, review or withdraw her consent to the Data Fiduciary through a
Consent Manager.”123

Data fiduciaries are obligated to establish processes enabling consent managers to execute
actions on behalf of data principals. Further details regarding the framework for consent
managers are anticipated once rules and regulations pertaining to them are formulated.

Consent managers would be held responsible to data principals and must operate on their
behalf in accordance with prescribed obligations.124 The Data Protection Board is provided
with the power to impose penalty on consent managers under specific circumstances.

Processing for Legitimate Purposes: “

DPDP Act provides certain exceptions where personal data of the data principals can be used
without seeking his consent, for certain legitimate uses125, which are:

1. When data principal has voluntarily given personal data for a certain specified period
to the data fiduciary and has not expressed non-consent for using her personal data for
that purpose.
2. In respect of the state/ its instrumentalities, for providing subsidies, benefits, services,
certificates, licenses, or permits as prescribed, subject to standards for processing data
yet to be defined. This is allowed under certain conditions:
• If the data principal has earlier given consent for processing of her personal data
by state/ its instrumentalities for specified purpose.
• If the data principal’s personal data is already available in any database, book,
register or other document that is maintained by state/ its instrumentality and is
subsequently digitized or is already available in digitized format.

122
Id., section 2(g).
123
Id., section 6(7).
124
Id., section 6(8).
125
Id., section 7.

56
 3. For performing any function by the state/ its instrumentality under any law that is in
force in India, or in the interest of sovereignty, integrity or security of India.
4. For fulfilment of any obligation under any law in force in the territory of India which
provides for disclosing the information to state/ its instrumentalities, provided that
processing of data aligns with the information disclosure requirements under any
other prevailing law.
5. To comply with any judgment, decree, or order of any court issued under any law in
force in India, or any order/judgment which relates to contractual or civil claims under
any law prevailing outside the territory of India.
6. To respond to any medical or health emergency threatening the life or immediate
health of the data principal or any other individual.126
7. To provide health service or medical treatment during an epidemic, outbreak of any
disease, or any other hazard to public health.127
8. To ensure the safety of individuals, and to provide assistance/ service in times of
disaster, or for addressing breakdowns in public order, in accordance with the
definition of “disaster” provided under the Disaster Management Act, 2005.
9. For purposes in relation with employment, protecting employers from loss/liability
like preventing corporate espionage, maintaining confidentiality, protection of
intellectual property rights, secret information, or to provide services/ benefits to data
principals who are employees.128”

This provision acknowledges that individuals may voluntarily share their personal data for
specific purposes without necessarily needing the data fiduciary to request or prompt it. In
such cases, where the data principal autonomously provides personal data for a specified
purpose, the data fiduciary can process the data for that purpose without having to comply
with the usual notice and consent requirements. This provision respects the autonomy and
discretion of the data principal in determining the scope and purpose of data processing in
certain situations.

5.3.4 Rights of Data Principals and their Duties

Chapter III provides certain rights to data principals with respect to their personal data which
are elaborated below:

126
Id., section 8(4).
127
Id., section 8(5).
128
Id., section 8(7).

57
 a) Access to information regarding their personal data: Section 11 provides this right
as “The data principal has the right to obtain
(i) a summary of personal data which is being processed by such data
fiduciary and the processing activities undertaken by that data fiduciary
with respect to personal data
(ii) identities of all the data fiduciaries and data processors with whom the
personal data has been shared by the data fiduciary along with the
description of the personal data so shared and;
(iii) any other information related to the personal data of such data principal
and its processing as may be prescribed by the Central Government.”129

The conditions outlined in (ii) and (iii) are not relevant when personal data is
shared between data fiduciaries authorized by law to access such information,
given that the sharing is done while responding to a written request aimed at
preventing, detecting, or investigating offenses or cyber incidents, or for
prosecuting or penalizing offenses. This exemption concerning the investigation
of offenses implies that if a law enforcement agency requests the personal data of
a data subject, there's no requirement to disclose the identity of such agencies to
the data principal.

b) Correction, completion, updation, erasure of personal data: Section 12(1) provides

that “a Data Principal shall have the right to correction, completion, updating and
erasure of her personal data for the processing of which she has previously given
consent, including consent as referred to in clause (a) of section 7, in accordance
with any requirement or procedure under any law for the time being in force.”130

Whenever a data fiduciary receives such request, he has to – “

i) do correction of the inaccurate/ misleading personal data

ii) complete any incomplete personal data, and
iii) update relevant personal data.” “

The data principal also has the right to request the erasure of their personal data if
it's no longer needed for the original purpose for which it was processed, unless
retention is required for legal purpose. Upon receiving a erasure request, the Data

129
Id., section 11.
130
Id., section 12(1).

58
 Fiduciary must erase the personal data unless its retention is essential for the
stated purpose or for compliance with any law for the time in being force.131
According to DPDP Act’s language, a request for erasure does not need to be
adhered to if the data is necessary to be retained for the purpose specified at the
time of obtaining consent.132 Hence, if a data principal aims to stop all processing
of their data rather than deletion, they must submit a request to withdraw their
consent.”

c) Redressal of grievance: Section 13 (1) provides that “A Data Principal shall have
the right to have readily available means of grievance redressal provided by a
Data Fiduciary or Consent Manager in respect of any act or omission of such Data
Fiduciary or Consent Manager regarding the performance of its obligations in
relation to the personal data of such Data Principal or the exercise of her rights
under the provisions of this Act and the rules made thereunder.”133
The requisite time for to respond to any complaint by the data fiduciary/ consent
manager would be provided under the rules. Also, before making complaint to the
Board, data principal shall first exhaust the grievance redressal mechanism
provided under this section.
d) Right to Nominate: Section 14 provides with the data principal with the right to
nominate any other person who can exercise his rights under DPDP Act in the
event of his death/incapacity. It would be interesting to see in which manner it
would be prescribed, especially in the situation if an obligation is provided for the
option of ‘nominee’ while taking consent of the data principal.

Section 15 also provides certain duties that must be observed by data principal:

a) Ensure that while submitting personal data, he does not do impersonation of some
other person.
b) Ensure that whenever he is submitting personal data to state/ its instrumentalities for
any official document/ unique identifier/ proof of identity/ address, he does not
withhold any essential information.
c) Not lodging any false/ trivial complaint to the data fiduciary.

131
Id., section 12(3).
132
Id., section 12(3).
133
Id., section 13(1).

59
 d) While exercising his right to correct/ erase, he provides only genuinely verifiable
information.

If data principal does not follow his duties under section 15, a penalty could be imposed on
him which may extend upto Rs.10,000.134 Such prohibition seems to have some overlap with
the provision under IPC, which prohibits giving false information to public servants.135
However, it is pertinent to note that even if Data Principal fail to carry out his duties, the
obligations of Data Fiduciary under DPDP Act would not be diluted and would remain as it
is.

5.3.5 Obligations imposed on Data Fiduciary

Any data fiduciary can engage/ utilize/ involve a data processor for processing personal data
on his behalf to offer any goods/ services to data principals. But he can do so only under a
valid contract.136 Section 8 provides general obligations that has to be fulfilled by data
fiduciary:

• Ensure that the provisions of DPDP Act are complied with, regardless of whether any
other data processor/ fiduciary is carrying out data processing on his behalf, or even if
data principal has failed to fulfil his obligations.
• Implementation of suitable technical measures to effectively adhere to obligations
imposed under the Act. “
• Ensure protection of personal data that is in his control/ possession, by implementing
reasonable measures to ensure security and prevent breach of any personal data.
However, the Act does not mention the standards that need to be implemented.” “
• Whenever the personal data being processed by data fiduciary is likely to be used to
make a decision that could affect data principal, or could be disclosed to another data
fiduciary, he has to make sure that the data is complete, accurate and consistent.
• In case of any breach of personal data, he had to notify the Board as well as data
principal as maybe prescribed.”
• The contact information of a Data Protection Officer (DPO), or a person who could
address the queries regarding processing of data principal’s personal data, must be
published as maybe prescribed. “

134
Id., The Schedule.
135
Indian Penal Code 1860, section 177.
136
“Digital Personal Data Protection Act 2023, section 8(2).”

60
 • Unless retention of data is required to comply with any other law for the time being in
force, the data fiduciary should ensure erasure of personal data whenever data
principal withdraws her consent or as soon as the specified purpose in no longer being
served, whichever happens earlier.”

If we broadly look at the responsibilities that are assigned on data fiduciary, they do not
appear overly burdensome. These must be able to ensure the integrity and security of the
personal data of data principals. Moreover, the omission of specific technical measures
for ensuring safeguarding of personal data, could be seen as a move to balance the
interests of the business entities since specifying each and every measure could bring
more hassles for the data fiduciaries. This approach allows for the evolution of industry-
specific standards over time, considering factors like data sensitivity, associated risks, and
industry characteristics. These standards can then be adopted by entities within the
respective industries.

5.3.6 Classification of SDFs (Significant Data Fiduciary) “

The DPDP Act provides the concept of Significant Data Fiduciaries. The Central Government
is given the power to classify certain data fiduciaries as significant data fiduciaries, taking
into account various factors like the quantity and the sensitivity nature of the data they
handle, the potential risk to data principals, potential effect on the India’s sovereignty and
integrity.137 Section 10 provides that SDFs would be subjected to additional responsibilities
like”- “

• appointment of a Data Protection Officer (DPO) based in India who would

represent data fiduciary for the purposes of this Act. He would act as a point of
contact for redressal of grievances under this Act,
• appointment of an independent data auditor to carry out audit and ensure
compliance of the SDFs with provisions of the Act,”
• undertake periodic Data Protection Impact Assessment (DPIA), which shall be a
process for assessing the risk to the rights of data principals while processing of
data,
• undertake periodic audit.

137
Id., section 10(1).

61
5.3.7 Exemptions from obligations under the Act

Section 17 of the DPDP Act provides exemptions to data fiduciaries from certain obligations,
with the exception of remaining responsible for their data processors and implementing
reasonable security measures. These exemptions apply in specific circumstances, including: “

- When processing personal data is necessary for enforcing any legal right or claim.
- When personal data is processed by a court, tribunal, or any other authorized
body in India entrusted by law with judicial, quasi-judicial, regulatory, or
supervisory functions, and such processing is necessary for the performance of
such functions.
- When personal data is processed in the interest of preventing, detecting,
investigating, or prosecuting any offense or violation of the law.
- When personal data of data subjects not within the territory of India is processed
under a contract with a person outside India by a person based in India.
- When processing is necessary for a merger, amalgamation, or similar arrangement
approved by a competent court, tribunal, or authority.
- When processing is required to ascertain the financial situation of a person who
has defaulted on a loan or advance provided by a financial institution.”

Moreover, the Act also empowers Central Government to provide exemption from the
application of the law through a notification in the following situations: “

- Exemption of a State instrumentality (which may encompass entities financially,

functionally, and administratively dominated by or under the control of the Central
Government) from compliance with the law in the interest of India's sovereignty
and integrity, state security, diplomatic relations with foreign countries,
maintenance of public order, or prevention of incitement to any cognizable offense
related to these concerns. The DPDP Act also exempts the processing of any
personal data furnished to the Central Government by such instrumentality.
Ideally, this exemption should be subject to procedural safeguards ensuring
necessity, proportionality, and legality.138
- Exemption of the applicability of the DPDP Act to the processing of personal data
necessary for research, archiving, or statistical purposes, provided that such

138
Id., section 17(2)(a).

62
 processing does not involve making decisions specific to a data subject and is
conducted in accordance with prescribed standards.139”

Furthermore, Section 17 (3) of the Act provides Central Government with the power to notify
certain data fiduciaries (like startups) who could enjoy exemptions from certain provisions.
These include requirements of notice under Section 5, obligations relating to data disclosed to
another data fiduciary or erasure of personal data (under clause (3) and (7) of Section 8),
additional obligations of SDFs under Section 10, and right of data principal to access
personal data under Section 11. “

The rationale behind the selection of these particular provisions in the DPDP Act is not
explicitly stated. Moreover, it remains unclear which other types of data fiduciaries may be
excluded through this provision. Given that "start-ups" are specifically mentioned, it's
plausible that the intention is to encompass similar entities such as micro, small, and medium
enterprises.” “

Furthermore, it's important to clarify that the exemption for the processing of personal data
by courts/tribunals extends to judicial bodies outside India as well. Litigation proceedings
involving Indian multinational companies may occur globally, and disputes involving Indian
parties are increasingly being adjudicated in foreign institutional arbitrations.” “

The DPDP Act exempts outsourcing activities140, meaning that personal data of individuals
outside India processed in India under a contract is exempted from the provisions of the Act.
However, any cross-border transfer restrictions applicable to specific countries may still
apply to such data transfers.141” “

Additionally, it's noteworthy that the State and its instrumentalities are relieved from the
obligation to erase data once processing concludes or when the purpose of collecting the
personal data has been fulfilled.142 This exemption could potentially result in the arbitrary
retention of data for extended periods without sufficient justification.” “

Moreover, the exemption from compliance requirements for processing personal data for
research, archiving, or statistical purposes (provided it doesn't impact decisions concerning a
data subject) might be considered excessive. This exemption could lead to the government

139
Id., section 17(2)(b).
140
Id., section 17(1)(d).
141
Id., section 16.
142
Id., section 17(4).

63
becoming a central repository of personal data, raising concerns about privacy and data
protection.”

5.3.8 Retention of Personal Data

Section 8(7) provides two circumstances under which the data fiduciary is required to erase
the personal data:

- Upon receiving a withdrawal request from the data principal.

- When it becomes reasonable to assume that the specified purpose for processing the
data is no longer being served, whichever event occurs earlier. However, data
retention may still be necessary to comply with any current applicable law.

5.3.9 Cross Border Transfers “

The DPDP Act grants authority to the Central Government to limit the transfer of personal
data by a data fiduciary to countries or territories outside of India that have been officially
notified. Therefore, transfers would be allowed to all countries until any of them are
blacklisted by the government.143” “

However, if any Indian law, particularly sectoral laws, imposes a higher level of protection or
imposes restrictions on the transfer of personal data outside India, then such laws would
remain applicable and take precedence over the DPDP Act.144” “

Given the broad definition of "personal data," this section of the DPDP Act applies to all
types of data, regardless of whether it is sensitive or not. Furthermore, since the DPDP Act
has extraterritorial applicability, particularly in cases where foreign companies offer goods or
services to Indian data principals and in situations where a country is blacklisted, the transfer
of data to companies in such a country would not be permitted. This restriction could also
extend to the primary collection of data by companies from such blacklisted countries,
potentially limiting their ability to conduct business in India, especially in online models,
where basic personal data is typically required to provide goods or services.”

143
Id., section 16(1).
144
Id., section 16(2).

64
5.3.10 Personal Data of Minors and Persons with Disabilities

Section 9 provides that “Data fiduciaries must obtain verifiable consent prior to processing
the child’s personal data (from the parent), or personal data of a person with disability (from
the lawful guardian) who has a lawful guardian, in a form as may be prescribed.” “

Under the DPDP Act, a 'child' is defined as an individual below eighteen years of age.145
However, the DPDP Act does not mandate data fiduciaries to conduct Know Your Customer
(KYC) checks to verify if a user is indeed a child. Additionally, it is unclear how data
fiduciaries will determine whether a person has a disability.” “

Hence, there is uncertainty regarding whether obligations related to the processing of

personal data of children or persons with disabilities would apply solely when users disclose
that they are children or have disabilities.” “

Regarding children's personal data, data fiduciaries are subject to additional obligations:

1. Prohibition on processing children's personal data likely to cause harm, as determined

by regulations prescribed by the Central Government.146
2. Prohibition on tracking and behaviourally monitoring children, as well as directing
targeted advertising at them.147” “

However, the Central Government retains the authority to exempt data fiduciaries from one
or more of the aforementioned restrictions concerning children, particularly for children
above a certain age. This exemption may be granted if the government is convinced that a
data fiduciary has implemented measures to ensure that the processing of personal data of
such children is conducted in a verifiably safe manner.148 Such exclusions may be restricted
to specific classes of data fiduciaries and subject to certain specified conditions.” “

It appears there may be a drafting error in the wording of the prohibition on tracking and
targeted advertising, as it is not explicitly linked to the processing of personal data of a child,
unlike the previous subsection.” “

Moreover, the Guidelines for the Prevention of Misleading Advertisements and Endorsements
for Misleading Advertisements, 2022 ("Misleading Ads Guidelines") issued by the Central
Consumer Protection Authority, already contain comprehensive provisions regulating

145
Id., section 2(f).
146
Id., section 9(2).
147
Id., section 9(4).
148
Id., section 9(5).

65
advertisements targeting or addressing children. These guidelines apply to all forms, formats,
or mediums of advertisements. As such, provisions under the Misleading Ads Guidelines,
being a specific law dealing with such matters, should be considered for deletion from the
DPDP Act.”

5.3.11 Establishment of Data Protection Board of India

DPDP Act proposes to establish an adjudicatory body – The Data Protection Board. The
DPDP Act stipulates that the Central Government will establish the Data Protection Board as
a body corporate149 The Board would be headed by a Chairperson and it would also have a
specified number of members, as determined and notified by the Central Government. “

Civil courts are prohibited from entertaining suits or proceedings related to matters within the
adjudicative authority of the Board under the DPDP Act. Additionally, courts are barred from
issuing injunctions regarding any action taken or to be taken by the Board under the DPDP
Act.”

The Board will primarily operate digitally, aiming to be digital by design in various aspects
such as receiving complaints, conducting hearings, making decisions, and performing other
functions. It will adopt technological and legal measures as prescribed to facilitate its
operations.150

Other Features of the Board:

(i) Independence of Board

While the Board is described as an 'independent body,' key aspects such as its
composition, selection process, removal procedures, terms and conditions of appointment,
and services are not given expressly and are left to be specified by the Central
Government. The Chairperson of the Board, its members and officers, as well as
employees are considered as public servants. “

Moreover, the Chairperson appointed to oversee the Board's operations will be appointed
by the Central Government, and the terms and conditions of service will be determined by
the Central Government as well. Consequently, the extent of the Board's independence is
ambiguous given these provisions.”

149
Id., Section 18.
150
Id., Section 28.

66
 (ii) Qualification of Members of the Board

Normally, laws establishing statutory bodies outline the composition and qualifications of
the members within the statute itself rather than delegating it to executive. However, apart
from specifying that the Chairperson and Members should possess ability, integrity, and
standing, along with special knowledge or practical experience in certain fields, and
mandating the inclusion of at least one legal expert, the DPDP Act does not detail the
qualifications of Board members. Considering that the Board is expected to carry out
adjudicatory functions, it is advisable for the Board to include at least one judicial
member and one technical member for each determination. Certain individuals are also
disqualified from serving as Board members if they have acquired a financial or other
interest that could potentially affect their functions impartially.

5.3.12 Manner of Proceedings Before the Board:

(i) Power of inquiry “

Upon receiving an intimation, complaint from a data principal, or a reference from the
Central Government, the Board will assess whether there are adequate grounds to initiate an
inquiry.151 If the Board deems that there are insufficient grounds, it reserves the right, with
reasons documented in writing, to terminate the proceedings.” “

If the Board concludes that there are sufficient grounds to warrant an inquiry, it possesses the
authority to investigate the conduct of any individual to ascertain compliance with the DPDP
Act, after recording the reasons in writing. Throughout its proceedings, the Board is
mandated to adhere to the principles of natural justice.”

(ii) Powers during conduct of Proceedings “

The Board is endowed with powers akin to those of a civil court, including the authority to
summon individuals, receive evidence, and request the production of data, books, etc., during
its proceedings.152 Additionally, the Board is empowered to enlist the assistance of a police
officer to facilitate the discharge of its functions.” “

However, the Board is not permitted to restrict access to any premises or confiscate
equipment in a manner that might negatively impact the day-to-day operations of an
individual.”

151
Id., section 27(1)(a).
152
Id., section 28(7).

67
(iii) Orders that could be passed by the Board “

a) Interim Orders:153 The Board has the authority to issue interim orders during the
course of an inquiry if it deems it necessary, provided that the reasons are documented
in writing and the individual concerned is given an opportunity to be heard.” “
b) Final Orders154: Upon completion of the inquiry and after affording individuals an
opportunity to be heard, the Board may either close the proceedings or impose
monetary penalties, with reasons recorded in writing.” “
c) Orders in Case of Data Breaches155: Upon receiving notification from a data
fiduciary regarding a personal data breach, the Board may direct urgent remedial or
mitigation measures, and may also conduct an inquiry and impose penalties.” “
d) Orders Referring Parties to Alternative Dispute Resolution (ADR)156: The DPDP
Act encourages the use of alternative dispute resolution mechanisms, and the Board is
authorized to refer concerned parties to mediation for resolving disputes if it believes
that complaints may be resolved through mediation.” “
e) Orders Accepting Voluntary Undertakings157: The Board may accept voluntary
undertakings offered by parties involved.” “

If the Board determines, at any stage after receiving a complaint, that the complaint is false or
frivolous, it has the authority to issue a warning to the complainant or impose costs on
them.158 Additionally, the Board is empowered to issue directions aimed at effectively
fulfilling its functions.159 Furthermore, upon receiving a representation from an affected
individual or a representation from the Central Government, the Board may modify, suspend,
withdraw, or cancel any direction it has issued, subject to imposing conditions as it deems
appropriate.160”

(iv) Appeals “

The Telecom Disputes Settlement and Appellate Tribunal (TDSAT), established under the
Telecom Regulatory Authority of India Act, 1997, has also been designated as the Appellate

153
Id., section 28(10).
154
Id., section 28(11).
155
Id., section 27(1)(a).
156
Id., section 31.
157
Id., section 32(1).
158
Id., section 28(12).
159
Id., section 27(2).
160
Id., section 27(3).

68
Tribunal under the DPDP Act.161 Any appeals from orders and directions issued by the Board
must be filed before the TDSAT within 60 days from the receipt of such order or direction, or
within a longer period if the TDSAT finds sufficient cause for the delay.162 The manner and
form of the appeal, as well as the procedure to be followed by the TDSAT, will be prescribed
through rules.” “

The TDSAT has the authority, after affording the parties to the appeal an opportunity to be
heard, to pass orders confirming, modifying, or setting aside the appealed order.163” “

The DPDP Act mandates that the TDSAT adjudicate on appeals as expeditiously as possible
and endeavour to dispose of them within 6 months from the date they are presented. 164 If
there is a delay beyond this period, the TDSAT must provide written reasons for the delay.165
Notably, the TDSAT is required to operate as a "digital office," ensuring that the receipt of
appeals, hearings, and decision pronouncements are conducted in an online or digital
mode.166” “

The orders issued by the TDSAT will be regarded as decrees of a civil court, and for
execution purposes, the TDSAT will possess the powers of a civil court.167 It may also
transmit its orders to a civil court for execution. Appeals against any order of the TDSAT
must be made to the Supreme Court within 90 days of such order.”

5.3.13 Voluntary Undertaking “

The concept of voluntary undertaking has also been introduced under the DPDP Act.168 The
Board has the authority to accept a voluntary undertaking concerning compliance with the
provisions of the DPDP Act from any individual at any stage of complaint proceedings. This
voluntary undertaking may entail requirements for the individual to undertake or refrain from
specific actions.169 Furthermore, the terms of the voluntary undertaking may be subsequently
modified by the Board.” “

The voluntary undertaking serves as a bar on proceedings related to the subject matter of the
undertaking, unless the individual fails to comply with its terms. In the event of non-

161
Id., section 2(a).
162
Id., section 29(2).
163
Id., section 29(4).
164
Id., section 29(6).
165
Id., section 29(7).
166
Id., section 29(10).
167
Id., section 30(2).
168
Id., section 32.
169
Id., section 32(2).

69
compliance, such breach is treated as a violation of the DPDP Act, and the Board may impose
a penalty for such breach.170 Additionally, the Board may require the voluntary undertaking to
be publicized.171”

5.3.14 Personal Data Breaches

“Personal Data Breach” has been defined under Section 2(u) “as any unauthorized processing
of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of
or loss of access to personal data, that compromises the confidentiality, integrity or
availability of personal data.”172 The DPDP Act puts an obligation on the data fiduciary/
processor to notify the Data Protection Board along with the affected data principal in case
there is any event of a personal data breach.173 “

The requirement to notify data principals is currently not mandated by Indian law. It is
unclear why both the Board and the data principal must be informed initially. Ideally, the
obligation should be restricted to informing the Board first. Subsequently, upon the Board
determining the necessity of notifying the data principal based on the severity of the issue or
its potential impact on the data principal, such notification may be made.” “

Furthermore, even if data principals are to be informed initially, this communication should
be limited to situations where specific action is necessary on the part of the data principal for
security reasons, such as changing a password.” “

Currently, reporting obligations in case of "cyber security incidents" are regulated by the
Information Technology (The Indian Computer Emergency Response Team and Manner of
Performing Functions and Duties) Rules, 2013 ("2013 Rules"), as well as the recently
introduced directives related to "information security practices, procedures, prevention,
response, and reporting of cyber incidents for Safe & Trusted Internet" issued by the Indian
Computer Emergency Response Team (CERT-In). Under the Information Technology Act,
2000 ("IT Act"), CERT-In, as a statutory body empowered to address cyber security issues,
possesses the authority to issue guidelines, directives, etc., to entities in response to cyber
security incidents.” “

Similarly, the DPDP Act also empowers the Board to instruct data fiduciaries to adopt urgent
measures to address personal data breaches or mitigate harm caused to data principals and to

170
Id., section 32(5).
171
Id., section 32(2).
172
Id., section 2(u).
173
Id., section 8(6).

70
investigate such breaches. Consequently, in cases of incidents reportable under both laws, an
entity may be required to report the breach to two statutory bodies and comply with directives
issued by two separate entities.”

Furthermore, there may be concerns regarding whether the Board possesses the necessary
expertise to comprehend the intricacies of data breaches in order to issue measures that
effectively remedy a breach or mitigate harm.

5.3.15 Information furnishing and powers to block “

The Central Government has been granted authority to compel not only the Board but also
any Data Fiduciary or intermediary to provide information as deemed necessary.174 No
safeguards or guidance have been provided in this context, such as specifying the nature of
information that may be requested, the circumstances under which such information may be
sought, or whether these entities can refuse to provide such information. These aspects should
be explicitly outlined in the Act itself. The procedure for making such requests may be
prescribed in the rules, similar to the framework under the IT Act.” “

Additionally, if the Board has (a) held a Data Fiduciary liable for penalty on more than two
occasions, and (b) believes that any information stored on a computer resource, which
enables such Data Fiduciary to conduct activities offering goods or services to data principals
in India, should be blocked in the interest of the general public, it may refer such matter to the
Central Government.175” “

If the Central Government determines that it is necessary to block access to such information
in the interest of the general public, it may, after affording the data fiduciary an opportunity to
be heard, instruct any government agency or intermediary to block access to such
information. Intermediaries are explicitly obligated to adhere to such blocking orders.” “

Under Section 69A, the Central Government is indeed empowered to direct intermediaries to
block access to information based on specified grounds, which are related to restrictions on
freedom of speech and expression as outlined in Article 19(2) of the Constitution of India.
However, it's important to note that these grounds do not explicitly include the interest of the
general public. In the past, intermediaries such as Internet Service Providers (ISPs) and
Telecommunications Service Providers (TSPs) have been instructed to block access to
websites containing unlawful content under Section 69A.” “

174
Id., section 37.
175
Id., section 37(1).

71
Also, under Article 19(6) of the Indian Constitution, the Central Government is empowered
to impose reasonable restrictions on the right to carry out occupations, trades, and businesses
in the interest of the general public. Therefore, reasonable restrictions can be imposed on data
fiduciaries' rights to conduct their occupations, trades, and businesses in the interest of the
general public.” “

The scope of the ground "in the interest of the general public" does indeed appear broad and
may require interpretation based on judicial precedents. For instance, the Supreme Court has
construed this phrase to encompass various considerations such as public health and morals,
economic stability, prevention of fraud, and the implementation of the Directive Principles
outlined in Part IV of the Constitution of India. Additionally, the Supreme Court has ruled
that government policies serving the public interest would supersede business interests.”

In cases where there is no discernible public interest objective justifying the blocking of
websites under this provision, such blocking orders may be subject to challenge.

5.3.16 Ouster of Civil Court’s Jurisdiction

The DPDP Act explicitly excludes the jurisdiction of the civil courts to hear any suits or
proceedings related to matters within the purview of the Board's authority. Additionally, no
court or other authority is permitted to issue injunction orders regarding any actions taken or
to be taken pursuant to the powers granted under the Act.176

5.3.17 Penalties

(i) Quantum of penalties and Factors to be considered while imposition of penalties “

Upon conducting an inquiry, if the Board determines that a breach of any provision of the
DPDP Act by a person is significant, it may impose a monetary penalty as per the
Schedule.177 The Schedule outlines varying penalties for different types of breaches, with the
maximum penalty set at INR 2.5 billion (approximately USD 30 million) for failure by a Data
Fiduciary to implement reasonable security safeguards to prevent personal data breaches.178
Failure to report a personal data breach incurs a maximum penalty of INR 2 billion
(approximately USD 24 million).179 The Central Government reserves the right to amend the
schedule and increase penalties, up to twice the specified amounts.” “

176
State of Orissa v. Radhey Shyam Meher (1995) 1 SCC 652.
177
Digital Personal Data Protection Act 2023, section 33(1).
178
Id., section 33(1).
179
Id., section (1).

72
When determining the amount of the monetary penalty, the Board will take into account
factors180 such as (a) the nature, severity, and duration of the breach, (b) the type and
sensitivity of the personal data affected, (c) whether the breach is a repeat occurrence, (d)
whether the person has gained or avoided losses as a result of the breach, (e) any measures
taken to mitigate the breach and their effectiveness, and (f) the likely impact of the penalty on
the person.”

(ii) Parties on whom penalties could be imposed

Under the DPDP Act, the Data Protection Board is empowered to impose penalties on the
following parties under the given scenarios: “

a) On a data fiduciary, concerning a personal data breach or a breach of its obligations

regarding personal data, or failure to adhere to data principal's rights.
b) On a consent manager, regarding a breach of its obligations regarding data principal's
personal data, or violation of any conditions of registration.
c) On an intermediary, for failure to comply with its obligation to block access to
information as directed by the Central Government. The Board will investigate such
breaches upon referral by the Central Government.” “

Unlike previous drafts, the DPDP Act does not allow affected data principals to seek
compensation for breaches committed by data fiduciaries. This lack of provision may
discourage individuals from pursuing costly adjudication before the Board. Moreover, the
penalties imposed by the Board are mandated to be credited to the Consolidated Fund of
India.”

5.3.18 Rule-Making Powers “

Section 40 of the DPDP Act grants the government rule-making powers concerning twenty-
five matters, and the list is not exhaustive.181 Consequently, the scope of obligations and
restrictions remains open-ended at present. These matters encompass various aspects such as
the format and procedure for personal data breach notifications, registration and obligations
of consent managers, requirements for parental consent for processing personal data of
children, composition of the Board, and procedures for conducting data protection impact
assessments and audits, among others. It is advisable that appropriate legislative guidance be

180
Id., section 33(2)(a).
181
Id., section 40.

73
provided for each rule-making power to ensure clarity and coherence in the implementation
of the DPDP Act.” “

The DPDP Act includes a memorandum concerning delegated legislation, which lists the
matters yet to be prescribed by the Central Government through rules under the DPDP Act. It
asserts that these matters involve details and therefore cannot be feasibly provided for within
the DPDP Act itself. This inclusion is likely a response to criticism directed at the 2022 Bill,
which left many aspects to be addressed through rules enacted under the main statute.”

74
 Chapter – 6 Areas of Concern Under the DPDP Act, 2023
After receiving the assent of the President, the DPDP Act became the first dedicated statute in
India which dealt with the issue of privacy and protection of personal data and framework for
data processing. However, as soon as it is passed the Act met with several criticism and
concerns regarding its various provisions. This chapter deals with the areas of concerns in the
DPDP Act that has been criticised by the various stakeholders which are dealt as follows:

6.1 Too Much Reliance on Delegated Legislation “

Delegated legislation confers significant discretion upon various administrative bodies,

opening the door to potential abuse or the wielding of undue authority. By ostensibly
streamlining legislation, the Government has intentionally placed this legislation under the
control of subordinate agencies. In a dissenting opinion in the Supreme Court's ruling on
demonetization182, Justice B.V. Nagarathna cautioned that unregulated and boundless powers
granted through delegation would inherently be arbitrary and could violate constitutional
principles.” “

The Act's heavy reliance on the phrase "as may be prescribed" raises concerns regarding the
lack of clarity and specificity in its provisions. There is an abundance of delegated legislation,
as the Act largely avoids detailing the specifics of its implementation. It appears that the
government's favoured catchphrase "as may be prescribed" is the focal point of this DPDP
Act. This phrase appears 28 times in a 21-page Act consisting of 44 sections.183 The
intentional ambiguity allows for arbitrary decision-making by the government. If a significant
portion of the clauses in any legislation rely on the "as may be prescribed" provision, it
cannot be considered foolproof. Therefore, it becomes solely the discretion of the executive
government to make decisions as it sees fit. This not only diminishes the transparency of the
legislative process but also hampers the public's understanding of the law's scope and
implications.”

6.2 Scepticism regarding Independence of Data Protection Board “

Seeking justice for aggrieved parties (without compensation) involves seeking recourse to the
Data Protection Board, making its independence essential. However, the DPDP Act allows

182
Vivek Narayan Sharma v. Union of India (2023) 3 SCC 1.
“John Brittas and Aneesh Babu, “What Lies Beneath the PR Blitz on the New Data Protection Act?”, (The
183

Wire, 27th August 2023). Available at <https://thewire.in/government/what-lies-beneath-the-pr-blitz-on-the-

new-data-protection-act> Accessed 16th March 2024.”

75
the Union government to appoint the chairperson and board members without outlining any
selection procedure, thus compromising its independence.” “

This provision directly contradicts the recommendations of the Joint Parliamentary

Committee on the 2019 Personal Data Protection Bill. The Committee proposed the
nomination of board members by a Selection Committee consisting of bureaucrats along with
the Attorney General of India, an independent expert from domains like data protection,
information technology, or cyber laws, and Directors of an IIT and an IIM.”

The arbitrary nature of appointment undermines the very essence of the Board's
independence. Such discretionary power in appointments restricts the Board's autonomy,
conflicting with the fundamental principle of establishing an independent body.

6.3 Voluntary Undertaking- an escape route for rule breakers “

At the core of the DPDP Act lies Section 32, which introduces the concept of 'Voluntary
Undertaking.' This provision empowers the Data Protection Board to accept voluntary
undertakings from individuals or entities found to be in non-compliance with the Act's
provisions, effectively halting further investigation. The true significance of this provision
lies not in its seemingly benign nature but in the potential it holds to offer a shield for
wrongdoers to evade penalties.” “

Such a scenario could enable offenders to evade fines of up to a significant Rs 250 crore per
offense simply by providing an undertaking, effectively neutralizing the deterrent effect of
the legislation. By allowing data fiduciaries to avoid penalties for non-compliance, the
legislation inadvertently creates a loophole that could be exploited by those with dishonest
intentions. This loophole has the potential to weaken the accountability framework of the Act
and lead to insufficient enforcement measures.”

6.4 Lack of Compensation and Accountability “

A significant gap in the legislation is the lack of provision for the Data Protection Board to
award compensation to aggrieved data principals. While the Board can impose penalties on
data fiduciaries for violating the Act's provisions, with the fines going to the Consolidated
Fund of India as per section 34, it lacks the authority to provide compensation to aggrieved
data principals. This deficiency undermines the legislation's effectiveness in addressing the
actual harm suffered by individuals due to data breaches or privacy infringements.

76
Interestingly, the Act imposes penalties of up to Rs 10,000 on data principals for failing to
adhere to certain provisions of the Act.”

The absence of compensatory measures demonstrates a skewed focus on punitive actions

rather than restorative justice, a situation made more concerning in light of the implications
of the 'voluntary undertaking' provision mentioned earlier.

6.5 Lack of Clarity on Reasonable Security Safeguards and transgression into the
domain of IT Act “

While sub-section (5) of section 8 of the Act ostensibly empowers the Data Protection Board
to take action against a Data Fiduciary for failing to fulfil their obligation to implement
'reasonable security safeguards' against personal data breaches, with the authority to levy
penalties up to Rs 250 crores, it falls short in defining the term 'reasonable security
safeguards'. This lack of clarity creates ambiguity and opens the door to interpretation and
potential abuse.” “

The Act neglects to outline the specifics of reasonable security safeguards or mandate the
Government to clarify them through rules. This omission could lead to a superficial
appearance of compliance, allowing entities to exploit minor safeguards to avoid liability.
Without a clear definition in the legislation, how can the Data Protection Board determine if a
data fiduciary has failed to implement reasonable security safeguards in cases of personal
data breaches? Turning 'reasonable security safeguards' into an ambiguous concept
undermines the guarantee of data protection.” “

The Act's proposed omission of sections 43A and 87(2)(ob) of the Information Technology
Act, 2000, highlights this artful manipulation. Section 44(2)(a) of the DPDP Act aims to
eliminate section 43A of the IT Act, 2000. Section 43(A) of the IT Act, 2000 allowed an
affected individual (Data Principal) to seek damages as compensation from a corporate body
for any negligence in implementing and maintaining reasonable security practices and
procedures while processing, dealing, or handling any sensitive personal data or information
in a computer resource owned, controlled, or operated by the said corporate body.” “

Similarly, section 44(2)(c) of the DPDP Act intends to abolish section 87(2)(ob) of the IT Act,
which was supposedly the sole provision mandating the central government to prescribe
through rules what constitutes "sensitive personal data or information" and what are the
"reasonable security practices and procedures" to be followed by a corporate body while
processing, dealing, or handling any sensitive personal data or information in a computer

77
resource owned, controlled, or operated by it. Breach of these provisions would allow an
affected party (Data Principal) to demand compensation from a corporate body under section
43A of the IT Act.” “

Indeed, the government's actions not only prevent a data principal from seeking
compensation for data breaches under the DPDP Act but also clandestinely remove two
enabling provisions from the Information Technology Act, 2000, achieving multiple
objectives simultaneously. By eliminating these provisions in the IT Act, the DPDP Act
restricts avenues for affected parties to seek compensation for data breaches, exacerbating
their vulnerable position. This trajectory sharply contrasts with the European Union's General
Data Protection Regulation (GDPR), which robustly ensures the right to compensation for the
breach of personal data.”

6.6 Wide Exemptions to Central Government eroding Accountability “

A notable vulnerability emerges from the array of exemptions scattered throughout the Act.
Section 17 gives the Union government unrestricted authority to exempt government
agencies and data fiduciaries, including startups, from various provisions. The broad
exemption granted to government agencies, ostensibly justified by concerns about the
sovereignty and integrity of India, the security of the State, friendly relations with foreign
States, maintenance of public order, or prevention of incitement to any cognizable offense
related to these, raises concerns about the unchecked exercise of executive power and could
lead to undue infringement of privacy rights.” “

The disproportionate exemptions granted to government entities may inadvertently facilitate

the circumvention of data protection mandates, undermining the core intent of the legislation.
Moreover, the extensive powers granted to the Union government to exempt data fiduciaries
or categories of data fiduciaries from various provisions of the Act could be subject to misuse
and jeopardize the effectiveness of the legislative framework, enabling certain entities to
evade their responsibilities.”

Similarly, there are no restrictions on the government's use of available data, whether digital
or non-digital, that has been later digitized and government could store it for any duration.
Data principals have no 'right to be forgotten' concerning the government and its
instrumentalities.

78
6.7 Blunting the rights provided under RTI Act

This concern has been raised by many RTI Activists and NGOs, that the provisions of DPDP
Act dilute the effectiveness of RTI Act. The potential impact of the DPDP Act on the Right to
Information Act, 2005 is a matter of significant concern. Section 44(3) of the DPDP Act
effectively nullifies the essence of Section 8(1)(j) of the RTI Act, thereby excluding the
majority of information from the RTI's ambit. Previously, Section 8(1)(j) of the RTI Act
allowed for the disclosure of personal information if it served a larger public interest or
related to any public activity, even if such disclosure infringed on individual privacy. It also
mandated the provision of all personal information that cannot be denied to the Parliament or
a State Legislature.184 However, these provisions have been eliminated in the Digital Personal
Data Protection Act, 2023, resulting in the exemption of all personal information from
disclosure. “

The consequence would be that Public Information Officers could reject a significant number
of RTI applications under the pretext of personal information, should they choose to do so.
This alarming shift would fundamentally undermine the RTI Act, endangering transparency
and accountability in governance. It would restrict public access to information, eroding the
foundational principles of democracy.”

6.8 Lack of Accountability of data processor “

The Act's tendency to diminish data processor accountability is evident. In its earlier version
as the 2022 Bill, data processors shared equal responsibility for safeguarding personal data
and reporting data breaches to the Board and Data Principals. However, the 2023 Act
abandons this obligation, potentially allowing data processors, often multinational
corporations, to avoid direct legal consequences for data breaches. This shift towards
favouritism compromises the accountability of data processors in protecting personal data
and undermines the principle of shared responsibility.”

6.9 Dilution of data fiduciary’s liability “

Under the provisions of 2022 Bill, a data fiduciary was held accountable for the lapses or
wrongful actions of another data fiduciary with whom they shared data. However, this
provision has been removed in the 2023 Act. This alteration weakens the accountability

184
Right to Information Act 2005, section 8(1)(j).

79
structure and diminishes the incentive for data fiduciaries to ensure proper handling and
careful sharing of personal data.”

6.10 Rights of data principal “

The 2023 Act also does not mandate data fiduciaries to obtain consent from data principals
before sharing data with other data fiduciaries or data processors. This undermines data
principals' control over their personal data and raises concerns about uninformed and
uncontrolled data sharing.” “

Similarly, the 2023 Act no longer requires data to be stored locally. Businesses can now
transfer data to foreign countries that are not included in the negative list to be notified by the
Indian government. Questions arise regarding the criteria for such a negative listing and
whether it could be used as leverage to influence foreign countries to comply with the Union
government's directives. Additionally, the omission of the requirement for local data storage
raises concerns about data being transferred to foreign jurisdictions without well-defined
criteria, necessitating a closer examination of diplomatic dynamics and the protection of
national interests.”

6.11 Exemption for minor’s data processing “

Although the Act aims to introduce some protection for children's data in section 9, it
undermines these objectives by introducing exemptions in the same section. Section 9(4) of
the Act permits the government to designate certain classes of Data Fiduciaries which would
be exempted from the general restrictions on processing children's personal data. These
exemptions may include requirements such as obtaining verifiable consent from the parent or
guardian of the child and refraining from tracking or behavioural monitoring of children or
targeted advertising directed at them. However, these exemptions are subject to conditions as
prescribed by Rules.” “

Equally concerning is section 9(5), which allows the government to exempt any Data
Fiduciary from the requirement to obtain parental consent for processing personal data of
specific age groups of children. Additionally, it permits a data fiduciary to undertake tracking,
behavioural monitoring, or targeted advertising directed at children without parental consent
if the government deems the data processing history of that Data Fiduciary to be verifiably
safe. This provision raises concerns about potential tracking, behavioural monitoring, and
targeted advertising aimed at children without the knowledge or consent of their parents.”

80
6.12 Broad exemptions under Section 7 “

A complex network of exemptions undermines the integrity of the Act. Sections 7(b), 7(c),
7(e), and 7(i) grant data fiduciaries extensive latitude to process personal data for various
purposes, often without explicit consent. This could unintentionally enable unwarranted
surveillance, discrimination, or coercion.” “

The provisions in Section 7(b) and 7(c) grant expansive permissions to Data Fiduciaries for
the processing of personal data by the State and its instrumentalities. Section 7(b) allows for
the use of personal data for any government purpose without explicit consent, including the
conversion of non-digital data to digital form without the data principal's permission.
Similarly, Section 7(c) provides blanket permission for Data Fiduciaries to process any
personal data for the State or its instrumentalities in the name of the sovereignty, integrity, or
security of the state. These clauses could potentially be exploited for surveillance and
manipulation under the pretext of governmental functions.” “

Section 7(e) allows Data Fiduciaries to process personal data to comply with foreign
judgments or orders related to contractual or civil claims without obtaining permission from
Indian courts. This provision effectively sidesteps the established legal framework in India
for complying with foreign judgments through courts of competent jurisdiction, raising
concerns about the Act's adherence to due process. It permits the direct execution of foreign
judgments without the involvement of Indian courts, bypassing the Code of Civil Procedure,
1908, and circumventing relevant provisions regarding the compliance of foreign judgments
through courts of competent jurisdiction in India, as outlined in sections 13, 14, and 44A,
read with 2(5) and 2(6) of the Code of Civil Procedure, 1908. Section 7(i) grants employers
the authority to process personal data for employment-related purposes, potentially
compromising the privacy and rights of employees.”

6.13 Lack of Protection from Data Profiling “

Clause 4(2) of the 2022 Bill aimed to bring foreign data processing of Indian individuals
related to 'data profiling' under the scope of the legislation. However, 'profiling' has been
omitted from section 3(b) of the 2023 DPDP Act, limiting its applicability to foreign data
processing associated only with the activity of offering goods or services to data principals in
India. Data processing related to profiling is a crucial area, and its omission raises concerns
about the potential misuse of personal data for profiling and targeted marketing. This

81
exclusion contradicts international trends and overlooks the significance of profiling in the
modern digital landscape.”

6.14 Excluding of non-digital data “

The Act's omission of non-digital personal data, anonymized data, and non-personal data
from its scope raises concerns about the comprehensiveness of the legislation. These
exclusions contradict the recommendations of the Joint Parliamentary Committee on the
previous Personal Data Protection Bill, 2019, and overlook potential privacy risks associated
with these data categories.”

6.15 No Right of Data Portability “

The Act's omission of the right to data portability is a notable deficiency, particularly given
that the 2019 version of the bill, the Joint Parliamentary Committee Report, and international
regulations like the GDPR recognize this right. The absence of this provision curtails users'
control over their own data.”

6.16 No Distinction between sensitive and critical data “

The government's choice to eliminate the distinction between sensitive and critical personal
data in the 2023 Act removes the requirement for enhanced protection for specific categories
of personal data. This decision dilutes the safeguards provided for sensitive information. The
differentiation between various categories of personal data was suggested by Justice B. N.
Srikrishna and was incorporated in both the Personal Data Protection Bill, 2019, and the
recommendations of the Joint Parliamentary Committee. Now, all data falls under the
category of 'digital personal data' without any distinct protection or right to compensation.”

6.17 Lack of Compensation in case of harm “

The removal of the concept of "harm to data principal" from the Act, with a focus instead on
protecting the "rights of data principals," is a significant change. However, the Act does not
include provisions that enable data principals to seek compensation for infringements on their
deemed rights.” “

The 2019 Bill, the JPC Report on the 2019 Bill, and the 2022 Bill had all defined 'harm'.
Therefore, the DPDP Act should have included provisions delineating the types of "harm" to
data principals resulting from breaches of personal data. The occurrence of such harm would
provide standing to a data principal to raise a claim for compensation by approaching the
Data Protection Board or Appellate Tribunal.”

82
6.18 The dilemma surrounding personal freedoms “

The Digital Personal Data Protection Act, 2023, falls short of ensuring comprehensive data
protection, with concerns ranging from potential misuse of children's data to granting
excessive power to the State. The Act's shortcomings include the omission of critical
elements such as the absence of a definition of reasonable security safeguards, lack of
provisions for compensation, and the government's unfettered power to grant exemptions.
This represents a missed opportunity to establish a robust framework for safeguarding
individuals' digital rights.” “

The Act's lack of specificity, clarity, and accountability creates a labyrinthine journey fraught
with uncertainties and ambiguities. These shortcomings impact data principals and the
broader data protection landscape in India. Striking a harmonious balance between individual
rights and emerging digital exigencies remains an enduring challenge.” “

The ambiguities, omissions, and exemptions within the Act may lead to inadequate
enforcement, reduced accountability, and diminished transparency. As such, addressing these
issues is essential to ensure effective data protection and uphold the rights of individuals in
the digital age.” “

The Right to Privacy has been deemed essential to human existence, representing an inherent
aspect of human dignity and autonomy. Recently, in light of instances involving surveillance
software like 'Pegasus', the Supreme Court highlighted that the “The right to privacy is
directly infringed when there is surveillance or spying done on an individual, either by the
State or by any external agency”. The extensive collection and storage of personal data
without consent infringes upon the principles of personal informational privacy, raising
concerns about individual autonomy and data protection.” “

The Constitution Bench of the Supreme Court in the landmark case of Justice K.S.
Puttaswamy (Retd.) v. Union of India and Ors.185 unequivocally affirmed that the right to
privacy is protected as an intrinsic component of the right to life and personal liberty under
Article 21, as well as a part of the freedoms guaranteed by Part III of the Constitution.
Consequently, the responsibility lies with the Indian legal system to ensure that the Digital
Personal Data Protection Act 2023 withstands the scrutiny of judicial review and paves the
way toward data sovereignty. This entails ensuring that the legislation is not marred by half-

185
Supra, note 1.

83
measures or veiled compromises, but instead upholds the fundamental rights enshrined in the
Constitution, particularly the right to privacy.”

Chapter- 7: Data Protection Laws in Other Jurisdictions and

Comparison with DPDP Act
According to the United Nations trade agency UNCTAD, about 70% of the countries around
the world (137 out of 194 countries) have some or the other form of law regarding data
protection.186 Thus, while analysing the Indian legislation, it is also necessary to look at how
other countries have tried to protect the data privacy of their citizens. So, this chapter would
deal the analysis of the data protection regime in some other countries around the world.

7.1 Data Protection Law in Europe - GDPR

In Europe, the law relating to the protection of personal data is the GDPR. GDPR is
considered to be one of the most comprehensive and stringent data privacy laws around the
world. There are two key aspects to GDPR. Firstly, it's a data protection regulation
originating from European Union, designed to grant the individuals in the EU/EEA the right
and control over their personal information. Secondly, it establishes specific rules and
principles that businesses around the world must adhere to in order to legally process this
valuable data.187 “

The GDPR has established a unified data protection legal framework across all European
Union member states, as well as Iceland, Lichtenstein, and Norway, which are part of the
EEA single market.” “

It's important to stress that the GDPR prioritizes the individual rights of data subjects—the
people whose information is collected by entities, whether offline or online—above all else.
Furthermore, it holds businesses accountable for data leaks and breaches, underscoring the
importance of robust data protection measures and compliance.”

186
““Data Protection and Privacy Legislation Worldwide”, UNCTAD. Available at <https://unctad.org/page/data-
protection-and-privacy-legislation-worldwide> Accessed 24th March 2024.”
187
“Guide to the General Data Protection Regulation (GDPR)”, (it governance, 2nd May 2019). “Available at
<https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation> Accessed 26th March
2024.”

84
7.1.1 History of GDPR

While GDPR was initially approved by the leaders of the EU in 2016, it became applicable
from May 25, 2018. It gave EU member states and businesses around the world a two-year
preparation period.188 “

Although two years may seem like ample time to prepare, many organizations remained
uncertain about the GDPR requirements and whether and when they needed to comply. This
uncertainty, coupled with a lack of preparation, exposed them to significant fines for
noncompliance.” “

The GDPR replaced the EU's Data Protection Directive (DPD), which had been in force since
1995.189 The data landscape had evolved considerably between the mid-90s and 2016. In 90s,
The internet was still in its infancy, and smartphones were not yet ubiquitous among
consumers. The DPD had been implemented separately by EU and EEA member states,
leading to significant variations in regulations across jurisdictions. In contrast, the GDPR's
text was directly applicable, affecting all EU member states uniformly, and its language better
aligned with modern data collection practices.” “

In fact, the GDPR has been utilized to regulate emerging technologies like artificial
intelligence (AI) in countries such as Italy. For instance, in 2022, the Italian supervisory
authority fined Clearview AI €20 million for storing biometric and geolocation data without a
proper legal basis under the GDPR (IAPP).190”

The GDPR has also served as a model for other nations around the world, inspiring them to
adopt laws with similar principles and provisions in relation to data protection. This
demonstrates that the GDPR will undoubtedly leave a lasting impact on our lives globally.

7.1.2 Application of GDPR

The GDPR is applied on businesses and other entities around the world that are involved in
processing of personal data and involve EU/EEA data subjects either in direct or indirect
manner, in either of the following ways: “

188
Ibid.
189
“Directive 95/46/EC, The European Parliament and The Council, 24 October 1995. Available at <https://eur-
lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=NL> Accessed 27th March 2024.”
190
“Facial recognition: Italian SA fines Clearview AI EUR 20 million”, (European Data Protection Board
official website, 10th March 2022).“Available at <https://www.edpb.europa.eu/news/national-news/2022/facial-
recognition-italian-sa-fines-clearview-ai-eur-20-million_en> Accessed 25th March 2024.”

85
 a. Offering goods or services that are available to individuals in the EU/EEA, even if no
monetary transaction occurs.
b. Monitoring the online behaviours of individuals in the EU/EEA.”

This broad application means that businesses operating outside of Europe may come under
the GDPR's legal purview as either data controllers or data processors. “

It is also noteworthy how inclusive the GDPR is in terms of who it covers. The regulation
protects individuals in the EU or EEA, regardless of their nationality or citizenship status, and
refers to them as data subjects, as outlined in Chapter 1, Article 3 of the regulation. ”

7.1.3 Data Covered under GDPR

At the core of the GDPR lies the concept of personal data. This includes such information
that enables the identification of a living individual, either directly or indirectly, from the
available data. There could be various types of personal data, from obvious identifiers like
name, address, username of an individual, to less immediately apparent details like IP
addresses and cookie identifiers. “

Additionally, the GDPR provides enhanced protections for certain categories of sensitive
personal data. These categories include information pertaining to racial or ethnic origin,
political opinions, religious beliefs, membership of trade unions, genetic and biometric data,
health information, and data concerning a person's sex life or sexual orientation.191” “

Individuals, organizations, and companies that act as 'controllers' or 'processors' of personal

data are subject to the provisions and obligations set forth by the GDPR. This means they are
obligated to comply with the requirements for lawful and fair processing, as well as ensuring
the protection of individuals' rights and freedoms concerning their personal data.192”

7.1.4 Principles under GDPR

The GDPR is based on seven fundamental principles which are outlined in Article 5 of the
regulation. These principles function as guiding tenets for the handling of individuals' data of
individuals. While they do not function as rigid rules, they provide an overarching framework
designed to delineate the overarching purposes of the GDPR.

191
“Juliana De Groot, “What is the General Data Protection Regulation (GDPR)? Everything You Need to
Know”, (Digital Guardian, 28th December 2022). Available at <https://www.digitalguardian.com/blog/what-
gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection> Accessed 26th
March 2024.”
192
Ibid.

86
The GDPR encompasses seven key principles:

1. Lawfulness, fairness, and transparency - Under the GDPR, all data processing
conducted by any entity must adhere to the principles of lawfulness and fairness. This
entails processing the collected information in a legal manner and in the best interests
of the data subjects involved. In practical terms, businesses are prohibited from
deceiving users regarding their data processing purposes or practices. Instead, they are
obligated to transparently inform users about the data collected from them, the legal
basis for such collection, and how the data will be utilized.

2. Purpose limitation –“Under the GDPR, businesses are required to collect and
process personal data solely for the purposes they have explicitly specified to the
concerned data subjects. This principle is known as purpose limitation. It means that
personal data should not be processed for purposes beyond those explicitly stated,
unless further processing is deemed compatible with the original purposes for which
the data was collected. However, there are exceptions to the purpose limitation
principle. Archiving data for public interest, scientific or historical research purposes,
or statistical purposes is not bound by purpose limitations, as long as all provisions
outlined in Chapter 9, Article 89 of the GDPR are adhered to.”

3. Data minimization –“Businesses subject to the GDPR must adhere to the principle
of data minimization. This means that they can only collect personal data that is
adequate, relevant, and limited to what is necessary for the purposes outlined to the
data subjects for the data processing. In essence, businesses should only collect the
data required for the stated processing purpose and cannot arbitrarily gather excessive
amounts of data.”

4. Accuracy - According to the GDPR, it is essential for businesses to take reasonable

measures to ensure that the personal data they collect is accurate and up-to-date,
where necessary. This obligation arises because processing inaccurate information can
pose significant risks to data subjects.

5. Storage limitation –“The GDPR unequivocally stipulates that businesses should not
retain personal data for longer than necessary for the purpose for which it was initially
processed. This principle is referred to as storage limitation.

The only exception to this principle pertains to archival purposes related to the public
interest, scientific or historical research, or statistical purposes. In such cases,

87
 businesses may retain the data for extended periods as specified in Chapter 9, Article
89 of the GDPR.”

6. Integrity and confidentiality (security) –“Under the GDPR, it is imperative for your
business to implement appropriate technical and organizational measures to safeguard
personal data against unauthorized or unlawful processing, accidental loss,
destruction, and damage. Failure to responsibly handle the personal data of data
subjects can lead to severe consequences. The GDPR holds businesses financially
accountable if they become victims of cybercrime due to inadequate security
measures that could prevent or contain a significant personal data breach.” “

Furthermore, businesses are required to promptly notify the relevant data protection
authority about any data leaks or breaches, without undue delay, and no later than 72
hours from the moment they become aware of such incidents.”

7. Accountability - Under the GDPR, accountability is a fundamental principle aimed

at ensuring that companies can demonstrate their compliance with the regulation by
documenting how personal data is handled and the measures taken to uphold data
protection principles. Moreover, organizations engaged in "regular and systematic
monitoring" of individuals on a large scale or processing significant volumes of
sensitive personal data must appoint a data protection officer (DPO). While this might
entail hiring new personnel for some entities, larger businesses and public authorities
may already have individuals fulfilling this role. The DPO's responsibilities include
reporting to senior management, ensuring GDPR compliance, and serving as a point
of contact for employees and customers.

The accountability principle assumes paramount importance in instances where an

organization faces investigations for potential breaches of GDPR principles.
Maintaining accurate records of all operational systems, data processing methods, and
error mitigation measures will aid organizations in demonstrating to regulators their
earnest commitment to GDPR compliance.

7.1.5 Rights of an individual under GDPR

While GDPR imposes significant responsibilities on data controllers and processors, its
primary aim is to safeguard the rights of individuals. Accordingly, GDPR delineates eight
rights for individuals. These rights enable individuals to access the data held about them more
easily and request its deletion under certain circumstances. “

88
The comprehensive GDPR rights for individuals include: the right to be informed, the right of
access, the right to rectification, the right to erasure, the right to restrict processing, the right
to data portability, the right to object, as well as rights pertaining to automated decision-
making and profiling.”

Some important rights are –

Access to Data “

Right of Access to data is contained in Article 15 of the GDPR. If you wish to discover what
data a company or organization has about you, you can submit a Subject Access Request
(SAR). It's important to note that you cannot request information on behalf of someone else,
although a designated representative, such as a lawyer, can make a request on another
person's behalf. Upon making a SAR, individuals are legally entitled to receive confirmation
that an organization is processing their personal data, a copy of this personal data (unless
exemptions apply), and any other relevant supplementary information. Organizations are
required to respond to SARs within one month.193”

Alongside providing the requested information, organizations must also furnish details
regarding the purpose of processing the personal data, how it's being utilized, and the
intended duration of retention.

Automated Processing and Erasure of Data, and data portability

The GDPR enhances individuals' rights regarding automated data processing. According to
the Article 22 of GDPR, individuals have the right to not be subjected to a decision making
solely based on automated decision-making including profiling.194 While there are
exceptions, individuals generally must be provided with an explanation of any automated
decisions made about them. “

Moreover, the regulation empowers individuals to have their personal data erased under
certain conditions. This includes situations where the data is no longer necessary for its
original purpose, consent has been withdrawn, there is no legitimate interest, or the data was
processed unlawfully.”

Data portability has been a prominent concept within the GDPR framework, but its
implementation has been relatively limited. The idea behind data portability is to enable the

193
Becky White, “Subject Access Requests”, (Harper James, 6th July 2023). Available at
<https://harperjames.co.uk/article/what-is-a-subject-access-request/> Accessed 26th March 2024.
194
Article 22, General Data Protection Regulation (Regulation (EU) 2016/679).

89
seamless transfer of information from one service to another. A notable example of data
sharing is Facebook's feature that allows users to automatically transfer their photos to a
Google Photos account. This functionality was developed as part of the Data Transfer Project,
which involves major tech companies such as Apple, Google, Facebook, Twitter, and
Microsoft collaborating on data portability initiatives.

7.1.6 Compliance Requirements for Businesses under GDPR

Under GDPR, businesses that deals with processing of personal data have to fulfil certain
obligations. These are:

• Provide Transparency through Privacy Notices and Policies: Organizations should

inform individuals (data subjects) about their data processing activities through
transparent and easily accessible privacy notices and policies. These documents should
clearly outline how personal data is collected, processed, stored, and shared, as well as
the purposes for which it is used. “
• Appoint a Data Protection Officer (DPO): Designate a DPO who serves as the main
point of contact and expert on data privacy matters within the organization. The DPO
should ensure compliance with data protection regulations, provide guidance to staff,
and act as a liaison with data protection authorities. The rules regarding DPO are
provided under Articles 37-39 of GDPR.”
• Manage Data Subject Rights Efficiently: Organizations must be prepared to handle data
subject requests promptly and effectively. Data subjects have various rights under
regulations like the GDPR, including the right to access, rectify, delete, and restrict the
processing of their personal data. Organizations should establish processes to handle
these requests within specified timeframes. “
• Regulate Responsibility between Controller and Processor: Clearly define the roles and
responsibilities of data controllers (organizations that determine the purposes and
means of data processing) and data processors (entities that process data on behalf of
controllers). Implement Data Processing Agreements (DPAs) to establish rules for how
processors may use personal data in compliance with contractual agreements and data
protection laws.”
• Maintain a Data Inventory: Keep a comprehensive record of all data processing
activities, including the types of data collected, purposes of processing, data storage
locations, and any third-party recipients. This data inventory helps organizations

90
 demonstrate accountability and compliance with regulatory requirements, such as those
outlined in Article 30 of the GDPR.
• Establish Data Breach Response Procedures: Develop and implement protocols to
manage data breaches effectively within a 72-hour timeframe, as required by
regulations like the GDPR. In the event of a data breach, organizations should take
immediate action to mitigate risks, notify relevant authorities and affected individuals,
and implement measures to prevent future incidents.
• Conduct Data Protection Impact Assessments (DPIAs): Perform DPIAs to evaluate the
potential risks and impacts of new data processing activities on individuals' rights and
freedoms. This assessment helps organizations identify and mitigate privacy risks early
in the development process, ensuring compliance with regulations like Article 35 of the
GDPR.195

By following these essential steps, organizations can demonstrate their commitment to

protecting personal data, promoting transparency, and upholding the rights of individuals in
an increasingly data-driven world. Compliance with data protection regulations not only
helps mitigate legal and financial risks but also fosters trust and confidence among customers
and stakeholders.

7.1.7 Breach of conditions of GDPR and penalties

Contravening the General Data Protection Regulation (GDPR) carries substantial penalties
and subjects the offenders to public scrutiny. According to Article 83(5) of the GDPR, entities
found to have committed significant breaches of the regulation may face fines amounting to a
maximum of €20 million ($22.5 million) or 4% of their annual global turnover, whichever
sum is greater. Conversely, less egregious violations, delineated in Article 83(4) of the
GDPR, incur penalties capped at €10 million ($12 million) or up to 2% of the annual global
turnover of the offending entity.196

Furthermore, regulatory bodies possess the authority to issue public admonitions or impose
restrictions on data processing activities, such as prohibiting companies from handling the
personal information of GDPR subjects. Such constraints may be enforced either temporarily
or permanently.

195
“Matt Burgess, “What is GDPR? The summary guide to GDPR compliance”, (Wired, 24th March 2020).
Available at <https://www.wired.com/story/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018/>
Accessed 27th March 2024.”
196
Ibid.

91
7.2 Data Protection Law in UK

Following the UK's departure from the European Union, the UK government has
implemented the General Data Protection Regulation (GDPR) as national law, resulting in the
creation of the UK GDPR. This move involved making technical adjustments to the GDPR to
reflect the UK's status as a sovereign nation, such as updating references from "Member
State" to "the United Kingdom." “

These changes were enacted through the Data Protection, Privacy and Electronic
Communications (Amendments etc) (EU Exit) Regulations 2019. Despite these
modifications, the fundamental obligations placed on data controllers and processors remain
largely consistent between the UK GDPR and the original EU GDPR.”

In essence, the UK GDPR preserves the core principles and requirements established by the
EU GDPR, ensuring continuity and consistency in data protection standards within the
United Kingdom. However, it also provides the UK with the flexibility to tailor certain
aspects of data protection law to suit its specific needs and circumstances.

The Data Protection Act 2018 (DPA) continues to serve as the primary national data
protection law in the UK, complementing the UK GDPR framework.197 It addresses areas
that were subject to permitted deviations and exemptions from the EU GDPR, such as
provisions for processing special category data based on substantial public interest grounds
and specific exemptions from certain GDPR provisions like data subject rights. Moreover: “

- Part 3 of the DPA incorporates the Law Enforcement Directive (EU) 2016/680 into
UK legislation, establishing a data protection framework specifically tailored for the
processing of personal data by law enforcement authorities.
- Part 4 of the DPA updates the data protection framework concerning processing of
personal data for national security purposes.
- Parts 5 and 6 delineate the Information Commissioner's jurisdiction and enforcement
powers, defining the scope of her authority and establishing various criminal offenses
related to personal data processing.198”

197
“An overview of UK Data Protection Law: The UK GDPR, DPA 2018 and EU GDPR” (it governance, 7th
June 2020). “Available at <https://www.itgovernance.co.uk/data-protection> Accessed 28th March 2024.”
198
Ibid.

92
These provisions collectively provide a comprehensive legal framework for data protection in
the UK, covering various sectors and contexts, including law enforcement, national security,
and general data processing activities.

7.3 Germany’s data protection law

The passage of the new German Federal Data Protection Act (Bundesdatenschutzgesetz –
"BDSG") in conjunction with the General Data Protection Regulation (GDPR) marks a
significant step in aligning German data protection laws with European Union (EU)
standards. The BDSG, which came into force on May 25, 2018, alongside the GDPR, serves
the dual purpose of implementing the GDPR requirements and addressing specific national
concerns through the utilization of the GDPR's opening clauses.199

The BDSG plays a crucial role in adapting Germany's legal framework to the GDPR by
providing detailed specifications and restrictions on data processing activities. As the GDPR
allows Member States to establish additional regulations and tailor certain provisions to
national contexts, the BDSG seizes this opportunity to customize data protection
requirements within Germany.

Part 3 of the BDSG specifically addresses the implementation of the Law Enforcement
Directive (EU) 2016/680, which complements the GDPR by establishing rules for the
processing of personal data by law enforcement authorities for criminal justice purposes. This
part of the BDSG ensures that Germany meets its obligations under the Law Enforcement
Directive while maintaining consistency with the broader framework established by the
GDPR.200

Overall, the BDSG represents a significant milestone in Germany's data protection landscape,
providing clarity, consistency, and legal certainty for businesses, organizations, and
individuals alike. By aligning with EU standards set forth in the GDPR and addressing
national concerns through tailored regulations, the BDSG reinforces Germany's commitment
to protecting personal data and upholding privacy rights in the digital age.

199
“Germany- Data Privacy and Protection”, (Privacy Shield Framework, 23rd August 2023). “Available at
<https://www.privacyshield.gov/ps/article?id=Germany-Data-Privacy-and-Protection> Accessed 29th March
2024.”
200
Ibid.

93
7.4 Australia’s Approach to data protection

Australia's approach to data privacy and protection is characterized by a combination of

federal, state, and territory laws, aimed at safeguarding individuals' personal information
across various sectors and jurisdictions. At the federal level, the cornerstone of data privacy
regulation is the Privacy Act 1988 ("Privacy Act"), which establishes a framework for the
handling of personal information by private sector entities and government agencies.201 “

The Privacy Act applies to private sector entities with an annual turnover of at least AU$3
million, encompassing a wide range of entities such as corporations, partnerships, trusts, and
unincorporated associations. Additionally, all Commonwealth Government agencies and
Australian Capital Territory Government agencies are subject to the Privacy Act, ensuring
consistency in data protection standards across government bodies at the federal and territory
levels.202”

Central to the Privacy Act are the Australian Privacy Principles (APPs), which set out the
rules governing the collection, use, disclosure, and handling of personal information by
covered entities. The APPs provide individuals with rights regarding their personal data and
impose obligations on organizations to handle personal information responsibly and
transparently. These principles cover key aspects such as the purpose of data collection,
consent requirements, data security measures, and individuals' access to and correction of
their personal information. “

The Privacy Act oversees the management of personal data by relevant entities. Under this
Act, the Information Commissioner holds the authority to conduct investigations, including
those initiated independently, to uphold the Privacy Act. In cases of serious or repeated
breaches of privacy principles (APPs) where remedial efforts have not been implemented,
civil penalties can be sought.”

The majority of States and Territories in Australia (excluding Western Australia and South
Australia) have enacted their own legislation concerning data protection. These laws apply to
both relevant State or Territory government agencies, as well as private businesses engaging
with these entities. Some of these Acts include: “

- Information Privacy Act 2014 (Australian Capital Territory)

201
“Understanding Australia’s Privacy Act: A comprehensive guide”, (pandectes, 11th January 2023). “Available
at <https://pandectes.io/blog/understanding-australias-privacy-act-a-comprehensive-guide/> Accessed 28th
March 2024.”
202
Ibid.

94
- Information Act 2002 (Northern Territory)

- Privacy and Personal Information Protection Act 1998 (New South Wales)

- Information Privacy Act 2009 (Queensland)

- Personal Information Protection Act 2004 (Tasmania)

- Privacy and Data Protection Act 2014 (Victoria)”

In addition to the Privacy Act and the APPs, various sector-specific regulations and
guidelines further supplement Australia's data privacy framework. For instance, the My
Health Records Act 2012 governs the handling of electronic health records, while the
Telecommunications Act 1997 includes provisions relating to the privacy of
telecommunications data.203 Furthermore, specific industry regulators, such as the Office of
the Australian Information Commissioner (OAIC), oversee compliance with the Privacy Act
and provide guidance to organizations and individuals on data privacy matters.

Other important privacy and data protection laws are – “

• The Telecommunications and Other Legislation Amendment (Assistance and Access)

Act 2018 ("AA Act") - It provides law enforcement agencies with access to encrypted
data for serious crime investigation and imposes obligations on "Designated
Communications Providers".204 However, the AA Act may inadvertently have a much
broader ambit with limited judicial oversight and has been the subject of much
criticism from local and global technology firms which have stated the legislation has
the potential to significantly impact security / encryption solutions in Australia.” “
• The Security of Critical Infrastructure Act 2018 ("SOCI Act") - applies to
organisations that own or operate (or hold a direct interest in) assets in a range of
sectors including communications, energy, defence, financial services, transport, data
processing or storage, supermarket / grocery supply chains, health and medical,
education and space.205” “
• Consumer Data Right - The CDR allows a consumer to obtain certain data held about
that consumer by a third party and require data to be given to accredited third parties

203
“Data Protection Laws of the World – Australia”, (DLA Piper, 21st February 2022). “Available at
<https://www.dlapiperdataprotection.com/index.html?t=law&c=AU> Accessed 29th March 2024.”
204
Ibid.
205
“Guide to data protection in Australia”, (Lander & Rogers, 7th April 2022). “Available at
<https://www.landers.com.au/legal-insights-news/terralex-guide-to-data-protection-2021> Accessed 29th March
2024.”

95
 for certain purposes. By requiring businesses to provide public access to information
on specified products they have on offer, it is intended that consumers' ability to
compare and switch between products and services will be improved, as well as
encouraging competition between service providers, which could lead to better prices
for customers and more innovative products and services.”

While these laws may vary in scope and applicability, they generally align with the principles
and objectives outlined in the Privacy Act and the APPs.

Overall, Australia's multi-tiered approach to data privacy regulation reflects a commitment to

protecting individuals' personal information while accommodating the diverse needs and
interests of stakeholders across different sectors and jurisdictions. By combining federal
legislation with state and territory laws, Australia aims to maintain robust privacy standards
and foster trust in the handling of personal data by public and private entities alike.

7.5 Data Protection Framework in USA

The United States lacks a comprehensive national privacy law, resulting in a complex
patchwork of federal, state, and local privacy regulations. While the federal level has sector-
specific privacy and data security laws, states have also started introducing their own privacy
laws, starting with California. Other states in the US are also expected to follow the trend,
creating further variations in privacy regulations across the country.206

Federal privacy laws and regulations in the United States cover various sectors including
finance, telecommunications, credit reporting, healthcare, driving records, children’s privacy,
telemarketing, email marketing, and communications privacy. These laws apply to certain
specific industries and govern certain aspects such as data protection, security, and consumer
privacy rights. “

Additionally, individual states have their own privacy and data security laws which may
overlap with federal regulations. While some state laws are partially pre-empted by federal
laws, others are not. These state-level regulations encompass a wide range of issues such as
data security, secure destruction, Social Security number privacy, online privacy, biometric
information privacy, and data breach notifications.207 Each state's laws typically apply to
personal information about residents of that state or activities within its jurisdiction.”

206
“Data Protection Laws of the World – USA”, (DLA Piper, 3rd July 2022). “Available at
<https://www.dlapiperdataprotection.com/index.html?t=law&c=US&c2=> Accessed 29th March 2024.”
207
Ibid.

96
Businesses operating in the United States must navigate not only federal privacy laws but
also comply with the varying requirements of state privacy and security laws, creating a
complex regulatory landscape.

For e.g. California has a significant impact on privacy regulations in the United States, with
more than 25 state privacy and data security laws. The California Consumer Privacy Act,
2018 (CCPA), along with its recent amendments under the California Privacy Rights Act
(CPRA), 2020 is one of the most notable. The CCPA introduced enhanced definitions,
individual rights, and stricter requirements regarding the collection, use, and disclosure of
personal information.208

The state privacy laws of Colorado, Connecticut, Utah, and Virginia share substantial
similarities in key aspects, although they are not identical. Unlike the California Consumer
Privacy Act (CCPA), these laws generally do not apply to personal information collected in
the context of employee and business relationships. “

However, while there are practical similarities between the CCPA and these state laws, the
CCPA introduces more detailed definitions, requirements, and restrictions, differing
significantly from these laws. Notably, the CCPA applies to personal information collected
from California residents in both employment and business-to-business (B2B) contexts,
setting it apart from the privacy laws of Colorado, Connecticut, Utah, and Virginia.”

Enforcement of Unfair and Deceptive Trade Practices “

In the United States, consumer protection laws targeting unfair and deceptive business
practices offer a means to enforce privacy and security standards against businesses. At the
federal level, the US Federal Trade Commission (FTC) wields authority to combat unfair or
deceptive trade practices under Section 5 of FTC Act, allowing it to take enforcement actions
against companies for privacy and data security practices that are materially unfair. This
includes actions against companies failing to implement adequate data security measures,
providing misleading privacy statements, disregarding industry self-regulatory principles, or
mishandling personal information in M&A transactions without proper disclosure.”

208
“California Privacy Rights Act: A Compliance Guide”, (Shipman & Goodwin LLP Guide, June 2021).
“Available at <https://www.shipmangoodwin.com/a/web/mJypcVotn5Sj7EyWiyLi6t/california-privacy-rights-
act-a-compliance-guide.pdf> Accessed 29th March 2024.”

97
7.6 Comparison of DPDP Act with the GDPR

While there are multiple data protection laws around the world, GDPR is one of those law
which is considered to be the most comprehensive and user centric. Thus, it would be fit to
compare the Indian DPDP Act with the GDPR to analyse it provisions.

The Indian data protection law DPDP Act has a lot of similarities with the EU’s GDPR. It
could be said that GDPR acted as the backbone for many of the provisions under the Act with
little or no changes. However, there are also some provisions where there are significant
differences between the two laws where changes were made by the Indian government to
meet their policy objectives. Below is a comparison of different concepts under the DPDP
Act and GDPR -

1. Application of Act on ‘Personal Data’ – The provisions of both the DPDP Act and GDPR
are made applicable on ‘personal data’. The definition in both are almost similar.
However, one major difference is that while GDPR is applicable on both digital as well as
non-digital personal data, DPDP Act applies only on digital personal data. Also, personal
data that is publicly made applicable are exempted from obligations under DPDP Act.
Also, both give exemption to anonymous data. Both the GDPR and the DPDP recognize
that anonymized data, which cannot lead to the identification of an individual, falls outside
the scope of data protection regulations. This means that the requirements and obligations
imposed by these laws do not apply to such data. This recognition of anonymized data
aims to balance privacy protection with the promotion of data-driven innovation and
research activities.209
2. ‘Data Principal’ and ‘Data Fiduciary’ - The concept of ‘data principal’ (individuals to
whom the data relates) and ‘data fiduciary’ (who determine the purpose and means of data
processing) under DPDP Act are almost similar to the concept of ‘data subjects’ and ‘data
controller’ under GDPR respectively. They have same purpose but only nomenclature is
different.
3. ‘Data Processor’- The concept of ‘data processor’ (who process data on behalf of the data
controller or data fiduciary) is similar in both the laws. However, while the Indian law
recognizes the role of data processors, it doesn't impose specific obligations on them
unlike the GDPR. Under the GDPR, processors have explicit obligations including

209
“GDPR v. India’s DPDP Act: Key Differences and Compliance Implications” (The Legal 500, 1st March
2024). “Available at <https://www.legal500.com/developments/thought-leadership/gdpr-v-indias-DPDP Act-
key-differences-and-compliance-implications/#_ftnref32> Accessed 30th March 2024.”

98
 implementing appropriate technical and organizational measures and processing data only
under a binding contract with the data controller.210 In the absence of specific obligations
under the DPDP Act, data fiduciaries engaging processors must ensure their contracts are
robust, as the ultimate liability rests on them. Therefore, data fiduciaries need to assess
whether their contracts with processors adequately capture their obligations and protect
them from any lapses on the processor's part. “
4. Significant Data Fiduciary- Unlike the GDPR, the DPDP Act introduces a new category of
data fiduciaries which are called as 'Significant Data Fiduciaries' (SDFs). The Indian
government can designate any data fiduciary or class of data fiduciaries as SDFs based on
factors such as the volume and sensitivity of personal data processed, risk to data
principals' rights, and impact on India's national security. SDFs have heightened
obligations, including appointing a data protection officer, conducting independent data
audits, performing data protection impact assessments, and complying with additional
measures prescribed by the government. It's anticipated that the government will designate
certain business sectors, like health-tech or fintech companies, as SDFs instead of
individually notifying each company.211”
5. Consent Manager: The DPDP Act introduces the concept of "consent managers," which
are individuals registered with the Data Protection Board and are responsible for managing
data principals' consents through accessible platforms. This concept is not present in the
GDPR.
6. Processing Without Consent: Both the DPDP and the GDPR allow for processing of
personal data without explicit consent in specific circumstances. These circumstances
typically involve situations where processing is necessary for certain legitimate purposes,
such as employment, medical emergencies, legal obligations, or providing services
mandated by the State. While consent is a foundational principle, both laws recognize that
there are instances where processing without consent may be justified.
7. Quality of Consent: Both the DPDP and the GDPR emphasize that consent must be freely
given, specific, and informed for processing personal data to be lawful. Additionally, both
laws require a legitimate purpose or lawful basis for processing personal data. The
principles surrounding consent are similar under both regulations, aiming to ensure that
individuals have control over their personal data and understand how it will be used.

Ibid.
210
211
“India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison” “(Latham & Watkins,
December 2023). Available at <https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-
Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf> Accessed 30th March 2024.”

99
 The DPDP Act imposes an additional obligation regarding the accessibility of consent
requests by requiring them to be provided in multiple languages, allowing data principals
to choose the language they prefer. This provision enhances accessibility and ensures that
individuals from diverse linguistic backgrounds can understand and provide informed
consent. 212
8. Data Protection Officers (DPOs): Both the DPDP and the GDPR require certain entities to
appoint Data Protection Officers (DPOs) or similar roles to oversee data protection
compliance. In the GDPR, organizations that process large volumes of personal data or
engage in systematic monitoring of individuals' behaviour are mandated to appoint a DPO.
Similarly, under the DPDP, significant data fiduciaries, which may include entities
processing a significant volume of sensitive personal data, are required to appoint a Data
Protection Officer based in India.
9. Data Protection Impact Assessment: Under GDPR, a Data Protection Impact Assessment
(DPIA) is necessary when certain processing activities, especially those involving novel
technologies, are expected to pose a significant risk to the rights and freedoms of
individuals. This assessment considers factors such as the nature, extent, context, and
objectives of the processing. However, under DPDP Act, only Significant Data Fiduciaries
are required to conduct such assessment.213
10. Data Categorisation: Under GDPR different types of personal data are categorized into
type of the data, while some type of personal data is categorized as ‘sensitive’ personal
data like racial/ethnic origin, biometric data, data relating to health, sexual orientation etc.
While processing such data, additional compliance obligations has to be fulfilled by data
processors. However, under DPDP Act, no such distinction is made and all personal data
have to be treated in same way.214
11. Processing of data concerning Children: The age of majority in DPDP Act is provided as
18 years, while in GDPR it is not defined since different EU members have different age
of majority ranging between 13- 16 years. Also, under GDPR, in cases where the
individual is below the age of consent, the entity handling data must exert "reasonable
efforts" to obtain parental consent. Although not explicitly defined in the GDPR,
regulators consider two factors to determine what constitutes "reasonable efforts": inherent
212
Ibid.
213
Ibid.
214
Arun Prabhu et. al., “India’s New Data Protection Law: How Does it Differ from GDPR and What Does that
Mean for International Businesses?” (Cyril Amarchand Mangaldas Blogs, 10th October 2023). “Available at
<https://corporate.cyrilamarchandblogs.com/2023/10/indias-new-data-protection-law-how-does-it-differ-from-
gdpr-and-what-does-that-mean-for-international-businesses/> Accessed 31st March 2024.”

100
 risk and available technology.215 For example, requesting a child's email address for a
newsletter subscription poses lower risk compared to allowing participation in an
unmoderated chatroom. Consequently, age verification for the former would require less
effort compared to the latter.
However, situation is different under DPDP Act. Under the DPDP Act, anyone under 18 is
considered a child, and for processing their personal data, ‘verifiable consent’ of
parent/guardian is required. Similar ‘verifiable consent’ is required in case of disabled
persons. Moreover, the DPDP Act prohibits behavioural monitoring, targeted advertising,
or any processing on children’s personal data that could harm a child's well-being.
Although certain data fiduciaries and processing purposes are exempt, these will be
clarified in subsequent rules. The requirement for "verifiable parental consent" in the
DPDP Act resembles the obligation in the US COPPA Rule.216 The specific standard for
such consent will be outlined in rules.
12. Notice Requirement: The DPDP requires notice to be provided only when consent is the
basis for processing data, whereas the GDPR mandates notice requirements whenever data
is collected from data subjects, regardless of the legal basis for processing. Also with
regard to the contents of the notice, there is some difference. The DPDP specifies elements
that must be included in the notice provided to data principals, such as details about the
nature and purpose of data collection, withdrawal of consent procedures, and grievance
redressal mechanisms, which are more focused and detailed compared to GDPR
requirements.
13. Grounds for Processing – legitimate interests v. legitimate uses: Both the GDPR and the
DPDP Act require identifying a legal basis, such as consent, for processing personal data.
The GDPR offers six legal bases, including consent and 'legitimate interests', which
provides flexibility and is commonly used by businesses complying with the GDPR.
Examples of legitimate interests under the GDPR include direct marketing, fraud
prevention, and ensuring network security.217

215
Ibid.
216
““What are the rules about an ISS and consent?”, Information Commissioner’s Office, Available
at: <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/children-and-
the-uk-gdpr/what-are-the-rules-about-an-iss-and-
consent/#:~:text=The%20controller%20shall%20make%20reasonable,taking%20into%20consideration%20avai
lable%20technology> Accessed 26th March 2024.”
217
““What does ‘grounds of legitimate interest’ mean?”, European Commission, Available
at <https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-
grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-

101
 In contrast, the DPDP Act allows processing personal data for certain 'legitimate uses', but
it's not as expansive as the GDPR's 'legitimate interests' ground. The DPDP Act specifies
nine legitimate uses, including voluntary data provision for specified purposes,
compliance with Indian laws, and employment-related purposes. However, this provision
doesn't permit a wide range of data processing activities like the GDPR's legitimate
interests ground.218 Also, processing of personal data for the purpose of performance of
obligations under a contract is not considered a legal basis under DPDP Act, but under
GDPR, it has been recognised under Article 6(1)(b). Overall, the DPDP Act is more
focused on consent and has a narrower range of legitimate uses compared to the GDPR.
14. Voluntary Disclosure: The DPDP allows entities facing non-compliance actions to submit
voluntary undertakings to the Data Protection Board, which, if accepted, may serve as an
alternative to formal enforcement proceedings, promoting voluntary compliance and
easing regulatory burden. Such provision is not present in GDPR. “
15. Cross Border Flow of Data: The GDPR operates on a whitelist or adequacy system,
permitting the transfer of personal data outside the European Economic Area if the
receiving country provides an adequate level of data protection as assessed by the
European Commission. Alternatively, personal data can be transferred using standard
contractual clauses, Binding Corporate Rules sanctioned by data protection authorities, or
with explicit consent from individuals.219”
Unlike the GDPR, the DPDP Act operates on a blacklist system, allowing data transfers
unless the destination country is specifically notified by the government. This approach
facilitates free and flexible data transfers by default, without explicit restrictions.
However, the DPDP Act does not outline the criteria for notifying countries on the
blacklist. Presumably, these criteria could be influenced by India's geopolitical
relationships with respective countries.
16. Rights of data principals/subjects: In both, Data principals/ subjects have been provided
with right to access, rectify, erase data or withdraw his consent. However, GDPR provides
additional rights such as right to object and restrict processing, right to data portability,

mean_en#:~:text=Your%20company%2Forganisation%20has%20a,security%20of%20your%20IT%20systems>
Accessed 26th March 2024.”
218
“Luke Irwin, “What Is Legitimate Interest Under the GDPR?”, (it governance, 3rd May 2020). Available
at <https://www.itgovernance.eu/blog/en/the-gdpr-legitimate-interest-what-is-it-and-when-does-it-apply>
Accessed 25th March 2024.”
219
“Indian Data Protection Law versus GDPR – A Comparison” “(AZB & Partners, 18th August 2023).
Available at <https://www.azbpartners.com/bank/indian-data-protection-law-versus-gdpr-a-comparison/>
Accessed 31st March 2024.”

102
 right not to be subjected to automated decision making; which are not provided in DPDP
Act.
17. Notification of Data Breach: The DPDP Act mandates data fiduciaries to notify both the
Data Protection Board and affected data principals in all the events of a data breach.
Whereas the GDPR provides certain risk thresholds and it requires notification only when
there is a high risk to individuals' rights and freedoms.220 “
18. Data Retention Periods: The GDPR doesn't specify a set retention period for data
collected. Instead, it mandates that entities keep data only for as long as necessary for the
purposes it was collected. This provision grants some flexibility to data processing entities
to decide on the appropriate retention period, although it's not an unlimited discretion. The
DPDP Act employs a similar principle regarding data retention but takes a more
prescriptive approach in determining when a purpose is fulfilled. It specifies that if a user
doesn't use the service or exercise their rights for a certain period, the purpose is
automatically considered fulfilled. For example, if a user downloads an app but doesn't use
it for a specified number of months, the purpose is deemed served, and the user data must
be deleted. The government will define this specific period through subsequent rules.
Consequently, the DPDP Act offers less flexibility in data retention periods, requiring
companies in India to update their data retention policies to align with the timelines set by
the regulations.”

220
Ibid.

103
 8. Conclusion and Suggestions
Earlier, the data protection regime in India was scattered around different laws and rules, and
there was not a dedicates legislation and framework for data privacy. This problem was
highlighted in Puttaswamy judgment, where the Supreme Court stressed upon the need for
having a dedicated data protection law for the country. As a result, Srikrishna Committee was
formed, and after multiple debates and draft bills, finally DPDP Act was passed in 2023.

It had provided a robust framework for data privacy, and have various similarities to the EU’s
GDPR, which is considered to be one of the best data protection laws around the globe. This
brings a lot of hopes that the data security and protection structure in the country would
become stronger and protection of personal data of users would be greatly enhanced, stopping
any changes of misuse by big tech companies, who handle a lot of sensitive personal data of
users. It also brings concept of Significant data fiduciaries (SDFs), who have to follow
additional compliance requirements. This is a welcome step since SDFs handle more amount
of personal data and hence should follow more security measures. In many ways, DPDP Act
tries to balance the interests of data principals and data fiduciaries.

However, there were some areas of concern in the bill. These were particularly related to the
heavy powers and exemptions that are provided to the Central government and its
instrumentalities. Also, appointment of the members of the Data Protection Board is totally in
the hands of the Central Government which raises doubts about the independence of the
Board. Also, there is too much reliance on delegated legislation in the Act. But one of the
main concerns is that it dilutes the provisions of RTI Act as it exempts personal data from
disclosure in all cases, and it cannot be disclosed even for larger public interest.

These are some of the concerns which need to be addressed. The appointment of members of
Data Protection Board should be made by a committee which had representation of members
of both government, opposition leaders as well as judiciary. Also, RTI Act provisions should
not be diluted. Also, exemptions provided to the Central government should be narrowed
down so that those exemptions can be used only in rare and necessary cases. If these issues
are addressed, then it would become more transparent and would be very beneficial for larger
public interest.

So, DPDP Act 2023 marks as a milestone in the Indian data privacy structure, and it is hoped
that it will bring a positive change in improving the data protection framework in the country.

104
 Bibliography

Statutes:

Indian:

• Constitution of India, 1950

• Digital Personal Data Protection Act, 2023
• Information Technology Act, 2000
• Right to Information Act, 2005
• Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011

Foreign:

• General Data Protection Regulation, 2016. (EU Regulation 2016/679 of the European
Parliament and of the Council of 27 April 2016)
• Data Protection Act 2018 of UK
• California Consumer Privacy Act, 2018 (CCPA),
• California Privacy Rights Act (CPRA), 2020
• Privacy Act, 1988 of Australia.

Books:

• Kiran Deshta, Right to Privacy under Indian Law (Deep & Deep Publications, 2011).
• G.E. Kennedy, Data Privacy Law: A Practical Guide to the GDPR (RR Bowker
Publishers, 2019).
• Glenn Greenwald's, No Place to Hide: Edward Snowden, the N.S.A., and the U.S.
Surveillance State (Metropolitan Books, 2014).
• Javid Ahmad Dar, Privacy & Data Protection Laws in India, USA & European Union
(Walnut Publication, 2019).
• Bruce Schneier, Data and Goliath – The Hidden Battles to Collect Your Data and
Control Your World (W. W. Norton & Company, 2015).
• Jim Bronskill & David Mackie, Your Right to Privacy - Minimize Your Digital
Footprint (Self-counsel Press Legal Series, 2016).

105
 • Joshua A.T. Fairfield, Owned: Property, Privacy, and the New Digital Serfdom,
(Cambridge University Press, 2017).
Articles:

• Prashant Phillips and Sameer Avasarala, “Pacing towards a data protection law:
Analysing the Digital Personal Data Protection Bill, 2023”, Lakshmikumaran &
Sridharan Attorneys. Available at
<https://www.lakshmisri.com/insights/articles/analysing-the-digital-personal-data-
protection-bill-2023/#> Accessed 05th January 2024.
• Mihir R, “Digital Personal Data Protection Act, 2023: A missed opportunity for
horizontal equality”, Supreme Court Observer, 23rd August 2023. Available at
<https://www.scobserver.in/journal/digital-personal-data-protection-act-2023-a-
missed-opportunity-for-horizontal-equality/> Accessed 06th January 2024.
• Ishwar Ahuja and Sakina Kapadia, “Digital Personal Data Protection Act, 2023 – A
Brief Analysis”, Bar and Bench, 22nd August 2023. Available at
<https://www.barandbench.com/law-firms/view-point/digital-personal-data-
protection-act-2023-a-brief-analysis> Accessed 07th January 2024.
• John Brittas and Aneesh Babu, “What Lies Beneath the PR Blitz on the New Data
Protection Act?”, The Wire, 27th August 2023. Available at
<https://thewire.in/government/what-lies-beneath-the-pr-blitz-on-the-new-data-
protection-act> Accessed 06th January 2024.
• “India’s Digital Personal Data Protection Act, 2023: History in The Making”, 07th
August 2023, Nishith Desai Associates. Available at
<https://www.nishithdesai.com/NewsDetails/10703> Accessed 06th January 2023.
• Duraiswami, Dhiraj R. “Privacy and Data Protection in India.” Journal of Law &
Cyber Warfare, vol. 6, no. 1, 2017, pp. 166–86. Available at
<http://www.jstor.org/stable/26441284>. Accessed 6 Jan. 2024.
• Bhandari, Vrinda. “Privacy Concerns in The Age Of Social Media.” India
International Centre Quarterly, vol. 45, no. 3/4, 2018, pp. 66–81. JSTOR,
http://www.jstor.org/stable/45129854. Accessed 7 Jan. 2024.
• Anirudh Barman, “Understanding India’s New Data Protection Law”, 03 October
2023, Carnegie India. Available at
<https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-
law-pub-90624#> Accessed 06th January 2024.

106
• Gautam Bhatia, “The Supreme Court’s Right to Privacy Judgment”, Economic &
Political Weekly, Vol.52 Issue No. 44 (2017). Available at
<https://www.epw.in/journal/2017/44/commentary/supreme-courts-right-privacy-
judgment.html> Accessed 05th January 2024.
• Graham Greenleaf, “Promises and Illusions of Data Protection in Indian Law” 1
International Data Privacy Law 47-69 (2011).
• Bhandari, V., Kak, A., Parsheera, S., & Rahman, F. (2017). An Analysis of
Puttaswamy: The Supreme Court's Privacy Verdict. IndraStra Global, 11, 1-5.
Available at <https://nbn-resolving.org/urn:nbn:de:0168-ssoar-54766-2> Accessed
23rd March 2024.

107