Concerns regarding the Digital Personal Data Protection Act, 2023

The DPDP Act, 2023, signifies a landmark moment in India’s data protection arena from a user’s perspective. The establishment of this statutory framework for data privacy is commendable, emphasizing the absolute need for businesses to adhere to specific standards in managing personal data, an important aspect in today’s technology-driven era.[1]

The law mandates obtaining consent before processing personal data, giving users the right to access, store, update and delete their data, and includes security measures for children’s data. It seems these systems are promising in protecting individual privacy. However, a closer look raises multiple issues. Exceptions to consent, particularly in government service settings, raise concerns about potential pooling of databases. The broad exemption for investigative, prosecutorial, and national security purposes governs the exemption of state actions from formal data privacy requirements, which could unnecessarily jeopardize privacy rights.[2]

The government’s discretionary rule-making authority carries with it a significant amount of uncertainty. This power to grant exemptions to businesses within a five-year period, without clear guidelines, creates a potential for misuse that could undermine the very purpose of the law. Additionally, the government’s broad discretion to exempt businesses from specific children’s data requirements lacks transparency and leaves room for possible abuse. Another area of concern is the structure of the Digital Protection Board (DPB). As its mandate is limited, questions arise about the board’s composition, particularly its sole reliance on one legal expert and the potential absence of internal functional separation. This raises concerns about the board’s ability to operate with impartiality. It is important for users to have trust and confidence in the DPB to ensure that it functions fairly and without bias.[3]

During a recent roundtable meeting organized by the Observer Research Foundation and The Dialogue, several concerns were raised regarding the current state of data protection in India. Provisions such as the “right to be forgotten” were found to be missing, and there is ambiguity surrounding the rules for handling sensitive personal data. More specifically, the panel pointed out the lack of clear definitions and consent guidelines for biometric data, as well as the absence of regulations for data fiduciaries. While the DPDP Act may be beneficial for the financial industry, it must also address the challenges posed by emerging technologies. A specific concern highlighted by the health data panel was the need for a dedicated healthcare bill, consolidated laws, and improved cybersecurity expertise.[4]

The DPDP Act is certainly a step in the right direction for protecting user privacy. However, the raised concerns serve as a reminder of the crucial need for careful implementation and following the principles outlined in the legislation. Users are anxiously observing how the government handles these potential challenges to ensure that the guaranteed data privacy measures are not compromised in reality.

[1] Gupta, A. (2023, August 25). Decoding Digital Personal Data Protection Act, 2023. KPMG; KPMG. https://kpmg.com/in/en/home/insights/2023/08/decoding-digital-personal-data-protection-act-2023.html

[2] Burman, A. (2023). Understanding India’s New Data Protection Law. Carnegie India. https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624

[3] Krishna, N. (2023, September 3). The Digital Personal Data Protection Act, 2023: Some relief but many questions. Times of India Blog; Times of India. https://timesofindia.indiatimes.com/blogs/niveditas-musings-on-tech-policy/the-digital-personal-data-protection-act-2023-some-relief-but-many-questions/

[4] Amoha Basrur. (2023, October 30). The Digital Personal Data Protection Act, 2023: Recommendations for Inclusion in the Digital India Act. ORF; Observational Research Foundation. https://www.orfonline.org/research/the-digital-personal-data-protection-act-2023/

Written By: Jaanvi Sharma