This article was written by Olalekan Fathia Mojisola, University of Ibadan, Faculty of Law, 2025, during his internship at LeDroit India.

ABSTRACT
Before 2023, India had no comprehensive, dedicated legal framework governing the protection of personal data; reliance was placed primarily on the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The recognition of the right to privacy as a fundamental right under Article 21 of the Constitution by the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) marked a significant turning point in India’s data protection jurisprudence. This judicial development accelerated the legislative efforts that culminated in the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act).
This article examines the evolution of data protection law in India and provides an in-depth analysis of the DPDP Act, 2023, focusing on its scope, objectives, and key definitions. It explores core concepts such as personal data, data principals, data fiduciaries, data processors, significant data fiduciaries, and consent managers, while also outlining the rights conferred on individuals and the corresponding obligations imposed on organizations handling digital personal data. This paper highlights the Act’s emphasis on lawful processing, accountability, transparency, and enhanced protection for individuals in the digital ecosystem, positioning the DPDP Act, 2023 as India’s first comprehensive personal data protection regime.
Keywords: fundamental rights, individual, data protection law, right to privacy, data fiduciary, data principals, data processors.
INTRODUCTION
Until 2023, there was no standard law or framework governing data protection in India. The Information Technology Act, 2000 (IT Act) and the rules made under it, including the IT Rules, 2011 (the Privacy Rules), served as the basis from which data protection law evolved.
In 2017, in Justice K.S. Puttaswamy (Retd.) v. Union of India (Writ Petition No. 494/2012), a nine-judge constitutional bench of the Supreme Court of India held that privacy is a fundamental right entrenched in Article 21 (Right to Life and Liberty) of the Indian Constitution. This set in motion the process of formulating a comprehensive data protection bill; after receiving recommendations from different stakeholders, the Ministry of Electronics and Information Technology (MeitY), Government of India, released the draft Digital Personal Data Protection Bill in 2022.
After consideration of the Bill by the Indian Parliament, the Government of India published it as an Act (the DPDP Act, 2023) on August 11, 2023. It serves as India’s personal data protection and regulatory regime. The DPDP Act applies only to personal data in digital form; non-personal data remains unregulated in India.
It is an Act to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes, and for matters connected therewith or incidental thereto.
Keywords: Data protection, DPDP Act, personal data, rights, individuals.
HISTORICAL BACKGROUND OF THE ACT
India’s legal framework for data protection was set in motion by the historic Supreme Court decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, which held the right to privacy to be a constitutional right under Article 21 of the Constitution. The Court emphasized that privacy lies at the core of individual liberty and set out a proportionality test for any restriction on it. This decision provided the constitutional basis for a sound system of data protection and influenced the key features of the Digital Personal Data Protection (DPDP) Act, 2023, such as informed consent, data minimization, and the rights of individuals over their personal data.
Before the DPDP Act, the Information Technology (IT) Act, 2000 was the principal law governing digital data. Yet it provided scant protection, with only Sections 43A and 72A addressing the security of personal data. As the digital economy evolved, a rise in data misuse exposed the gaps in the IT Act, and a comprehensive data protection law was called for. In 2017 the Justice B.N. Srikrishna Committee was established to address these matters; it recommended a rights-based framework built on accountability, consent, and data localization. This gave way to the Personal Data Protection (PDP) Bill, 2019.
The Bill came under criticism for its robust data localization requirement and the broad powers it granted to the government under Section 35. Following delays and 81 amendments proposed by the Joint Parliamentary Committee, the PDP Bill was withdrawn in 2022. The DPDP Bill, 2022 was then introduced with a more balanced and business-friendly approach, and was finally enacted as the DPDP Act, 2023. The Act creates a consent-based regime, defines roles such as data fiduciaries and data principals, gives individuals the right to access, correct, and delete their data, and imposes draconian penalties for non-compliance, a huge leap towards privacy-oriented data governance in India.
KEY DEFINITIONS UNDER THE DPDP ACT, 2023
- Personal data or information
- Data principal
- Data fiduciary
- Data processor
- Significant data fiduciary
- Consent manager
PERSONAL DATA OR INFORMATION
While the DPDP Act applies only to digital personal data, including data that a data fiduciary has converted to digital form after collection, the Act’s definition of personal data is expansive. Under the Act, personal data includes any information relating to an individual that could be used to identify that individual. The Act covers all such information under a single term and, unlike other regulations, does not categorize data as sensitive or non-sensitive. Such information can be used to identify a person directly or indirectly, and its protection is crucial for privacy, the prevention of identity theft, cyber security and so on. On August 11, 2023, India’s Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDPA), the country’s first comprehensive data protection law. Personal data refers to any information tied to an identified or identifiable individual, such as name, age, gender, address, contact details, marital status and more.
DATA PRINCIPAL
Under the DPDP Act, a data principal is the individual whose personal data is being collected, stored or otherwise processed.
- Data principal rights
These are rights granted to individuals (data principals) to ensure they have control over the processing of their personal data. They are enshrined in laws such as the DPDP Act in India, the data subject rights under the GDPR in the European Union, and comparable laws elsewhere in the world. These laws enable individuals to safeguard their privacy, maintain transparency and hold organizations accountable for their data processing activities.
The Digital Personal Data Protection Act, 2023 gives individuals the right to protect their privacy while at the same time setting out responsibilities for the organizations (data fiduciaries) that handle personal data. The rights of data principals include, but are not limited to:
- A. Right to access: they have the right to request a summary of their personal data, the purposes of its processing and who has access to it.
- B. Right to correction: they may request the correction of incomplete or inaccurate information or data.
- C. Right to restriction: they may also place limits on data usage, such as opting out of marketing communications.
- D. Right to erasure: they may request the deletion of personal data when it is no longer relevant.
- E. Right to nominate: a data principal also has the right to nominate someone to exercise these rights on their behalf.
DATA FIDUCIARY
Under the Digital Personal Data Protection Act, 2023, data fiduciaries are persons who determine the purpose and means of processing personal data. They are responsible for compliance with the law’s requirements and remain liable for the acts and omissions of the data processors they appoint.
DATA PROCESSOR
A data processor is any person or entity that processes personal data on behalf of a data fiduciary without determining the purpose or means of processing. This covers a wide range of services, such as aggregators, cloud providers, payment processors and marketing automation tools.
Data processors can be involved in processing personal data in two major ways:
- Upstream processors: they collect data directly from data principals on behalf of another business, e.g. marketing agencies collecting consent from customers for email campaigns. They are responsible for collecting valid data, and valid consent for that data, on behalf of the fiduciary. Typical examples of upstream processors include Zomato, MakeMyTrip, Amazon and the Google Play Store.
- Downstream processors: they process data primarily on the instructions of the fiduciary, e.g. payroll providers handling employee salary disbursement for a company. They are primarily tasked with running consent checks to ensure that all of their processing activities rest on valid consent or on another lawful basis provided for in the DPDP Act.
SIGNIFICANT DATA FIDUCIARY
These are large organizations, such as major tech firms, banks or e-commerce platforms in India, that process large volumes of personal data, particularly sensitive information, and are subject to stricter rules under the DPDP Act. The Act created the category of SDFs in recognition of the fact that certain organizations handle larger volumes of highly sensitive personal data, and that misuse or mishandling of that data can have severe consequences for individuals and even for national security.
Unlike the general duties that apply to all fiduciaries, SDFs carry stricter and more detailed obligations, which include the following, among many others:
- Duty to conduct Data Protection Impact Assessments (DPIAs): they must carry out regular assessments to identify the risks to individuals’ privacy arising from the way they process data. These reports help the organization understand whether its practices are capable of causing harm to users and what measures are needed to limit or curb those risks. For example, a major social media company must assess how its targeted advertising system uses user profiles and whether such profiling could negatively affect individuals.
- Duty to appoint a Data Protection Officer: every SDF must appoint a senior officer to serve as Data Protection Officer, as provided for in the DPDPA. The DPO is responsible for ensuring compliance with the Act, acts as the point of contact for the Data Protection Board and helps the grievance officer resolve users’ complaints. For example, a large payment service provider must designate a DPO who can be reached directly by users and who addresses any concerns about the misuse of financial data.
- Maintenance of high standards of security and governance: while all data fiduciaries must implement security measures, SDFs are expected to maintain advanced safeguards, detailed governance policies and stronger monitoring systems to protect against the misuse and breach of data.
CONSENT MANAGER
To enhance data privacy and individual control, the DPDPA introduces the concept of the consent manager. The concept originated in the 2017 Srikrishna Committee report, which envisioned consent managers as trusted intermediaries offering users a clear interface to control their data-sharing preferences. A consent manager acts as a bridge between data principals and data fiduciaries, providing secure and transparent consent management in the digital space. Consent managers enable users to share data securely with third parties through revocable, traceable and granular consent mechanisms built on standardized APIs (replacing outdated methods such as notarization and screen scraping). They are officially registered with the Data Protection Board and must provide an interoperable platform for giving, managing and withdrawing consent.
OBLIGATIONS OF DATA FIDUCIARIES
Chapter II of the DPDP Act elucidates the responsibilities of a Data Fiduciary, focusing on the principles governing data processing. According to the Act, personal data may only be processed by an individual or entity for lawful purposes, with explicit consent or under specified legitimate circumstances. The term ‘Data Principal’ denotes the individual to whom the personal data pertains, extending to include parents or legal guardians in the case of minors, and legal guardians in the event of individuals with disabilities.
Before seeking consent, the Data Fiduciary is obligated to provide a detailed notice outlining the purpose of processing, the complaint procedure, and access to the notice in English or any language specified in the Eighth Schedule of the Constitution. This obligation persists regardless of whether consent was obtained before the Act came into effect. The obligations of data fiduciaries are as follows:
A. Consent
Section 6 of the Act mandates that consent from Data Principals must be freely given, specific, informed, unconditional, and unambiguous, indicating their agreement to the processing of their data for a defined purpose. Any aspect of consent that violates the Act’s provisions will be deemed void. Data Principals must receive transparent consent requests in simple language, including the contact details of a Data Protection Officer, if applicable, or of another authorized individual designated by the Data Fiduciary to handle communications from Data Principals. Data Principals retain the right to revoke consent at any time, and upon withdrawal the Data Fiduciary must promptly cease processing, unless such processing is otherwise permitted under this Act or other relevant Indian laws.
B. Appointment of a Consent Manager
The Data Principal has the authority to give, manage, review or withdraw consent granted to the Data Fiduciary via a designated Consent Manager. The Consent Manager is accountable to the Data Principal and is obligated to act in their best interests, adhering to specified duties. Each Consent Manager is required to register with the Board in accordance with prescribed procedures and must comply with specified technical, operational, financial, and other requirements.
C. Processing for Certain Legitimate Uses
Under Section 7 of the Act, a Data Fiduciary is permitted to process the personal data of a Data Principal for various purposes, including instances where the Data Principal has willingly supplied their data to the Data Fiduciary for a particular purpose, without expressly consenting to its usage, along with other designated uses outlined within the section.
D. Processing of Data for the State
The Data Fiduciary is authorized to handle the personal data of a Data Principal for defined objectives, such as enabling the State and its entities to furnish subsidies, benefits, services, certificates, licenses, or permits. This action is permissible under two circumstances: firstly, when the Data Principal has previously consented to such data processing by the State, and secondly, if the personal data exists in digital format or in non-digital format and is subsequently digitized from State-maintained databases or documents, as stipulated by Central Government notification. Adherence to processing standards mandated by the Central Government’s policy or relevant laws is obligatory.
E. General Obligations of a Data Fiduciary
Section 8 delineates the duties of Data Fiduciaries, requiring them to adhere to the Act and the rules made under it concerning the processing of personal data. They are obligated to maintain the completeness, accuracy and consistency of data, institute technical and organizational safeguards for data protection, notify the Board and affected Data Principals in the event of a breach, and publicly disclose the contact details of the Data Protection Officer.
F. Processing of Personal Data of Children
Section 9 outlines the responsibilities of Data Fiduciaries regarding Data Principals who are minors or individuals with disabilities. Prior to processing any personal data of a child or a person with a disability under lawful guardianship, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian, as specified. It is prohibited for a Data Fiduciary to conduct any processing of personal data that may adversely affect the well-being of a child. Additionally, tracking or behavioral monitoring of children, as well as targeted advertising aimed at them, is strictly prohibited for Data Fiduciaries.
SECTION 8 OF THE DPDP PROVIDES FOR THE OBLIGATIONS OF THE DATA FIDUCIARIES AS FOLLOWS:
8.(1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.
(3) Where personal data processed by a Data Fiduciary is likely to be—
(a) used to make a decision that affects the Data Principal; or
(b) disclosed to another Data Fiduciary,
the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
(4) A Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.
(5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.
In summary, the Digital Personal Data Protection (DPDP) Act, 2023 establishes a strong framework to protect the privacy rights of individuals in India. Through a thorough set of obligations, the Act makes it mandatory for data fiduciaries to handle data lawfully, giving paramount importance to consent and safeguarding the privacy of Data Principals. Significantly, the DPDP Act enhances measures for managing children’s data, assigns greater responsibilities to Significant Data Fiduciaries, and specifies penalties for violations. By striking a harmonious equilibrium between data utility and protection, the DPDP Act plays a vital role in cultivating a more accountable and secure digital landscape in the country.
The enactment of the Digital Personal Data Protection Act, 2023 is a landmark development in India’s legal and regulatory approach to data privacy. Emerging from the constitutional recognition of privacy as a fundamental right, the Act establishes a structured framework that balances individual rights with legitimate data processing needs. By clearly defining key actors such as data principals, data fiduciaries, data processors, significant data fiduciaries, and consent managers, the DPDP Act enhances clarity, accountability, and transparency in the handling of digital personal data. The rights granted to data principals give individuals greater control over their personal information, while the obligations imposed on data fiduciaries, particularly significant data fiduciaries, aim to ensure responsible data governance and robust security practices. Although the Act is limited to digital personal data and does not extend to non-personal data, it nonetheless marks a critical step toward strengthening privacy protection in India’s rapidly expanding digital economy. Ultimately, the DPDP Act, 2023 lays a foundational legal framework capable of evolving alongside technological advancements, fostering trust, safeguarding individual privacy, and promoting responsible data processing practices in India.
