This article is written by Tanusri Santra, B.A. LL.B., 2nd Year, Department of law, Calcutta University College, during her internship at LeDroit India.
Keywords
Digital Personal Data Protection Act( DPDP Act), enforcement, compliance, data fiduciary, penalties, Data Protection Board
ABSTRACT
The 2023 Digital Personal Data Protection Act establishes regulations for particular data missions involving storehouse and processing and transfer in India. The enforcement of the Act together with compliance and the DPB’s part face significant expostulations. The Act defines scores for data fiduciaries and birthrights for data headliners but perpetration faces obstacles from vague delineations and nonsupervisory body capacity terminations and inadequate digital structure. The growing number of digital deals requires operative and prompt grievance requital mechanisms to make the Act prosperous. The study examines current obstacles to perpetration while furnishing ultrapractical results through legit principles and technological regulations and nonsupervisory case inquiries.
INTRODUCTION
The ultramodern digital period has converted particular data into an essential resource which directs client elections while suiting election effects and checking transnational profitable systems. The massive excrescency of data collection and processing missions has generated serious worries about sequestration and screen as well as responsibility measures. Following the Supreme Court’s corner judgment in * Justice K.S. Puttaswamy v. Union of India *( 2017) which established sequestration as a abecedarian birthright under Composition 21 of the Constitution India enforced its first standalone data security law through the Digital Personal Data Protection Act 2023( DPDP Act).
The DPDP Act introduces a fully new frame for digital particular data operation within India. The act creates a system grounded on concurrence alongside outlined places for Data Fiduciaries and subventions Data Headliners practicable birthrights to cover their particular information. The law creates the Data Protection Board of India as the main nonsupervisory body to apply compliance and break controversies.
The Act contains vittles that look ahead but it encounters physical difficulties during its perpetration. The Act faces multitudinous perpetration obstacles because of its unestablished nonsupervisory administration together with vague delineations and cases withcross-border jurisdictional control and inadequate public knowledge. The Act’s truculent authority diminishes because it lacks felonious penalties and judicial control.
The paper evaluates the enforcement cases in Indian data security ordinances through comparison of the DPDP Act with GDPR norms and suggests ultrapractical reforms to ameliorate compliance systems. The forcefulness of any legislation depends on its perpetration energy because indeed the most improved ordinances come unworkable without proper enforcement. The DPDP Act achieves success through its textbook along with the quality of its on- the- ground perpetration.
1.An outline of the 2023 DPDP Act
For India’s digital nonsupervisory frame, the Digital Personal Data Protection Act 2023( DPDP Act) is a revolutionary step. It creates a complete legit frame for recycling particular data that screens the sequestration of individualities and permits associations to exercise data in a licit manner. The Act creates a frame for data security grounded on concurrence, in reaction to the Supreme Court’s holding in Justice K.S. Puttaswamy v. Union of India( 2017).
The Act regulates digital particular data attained both domestically and internationally when it’s reused for conditioning related to offering goods or services to Indian home. Through its preface of the tours Data star and Data Fiduciary the Act defines precise places and duties which govern data processing conditioning.
DPDP Act establishes its primary features through the following elements:
- The processing of data requires prior notice and explicit consent from the individual.
- The law grants people the ability to access their data, modify it, delete it, and receive solutions for their complaints.
- Certain organizations which receive the designation of Significant Data Fiduciaries must follow additional compliance requirements.
- The Data Protection Board of India exists as an enforcement body which can issue penalties and resolve data breach disputes under the Act.
2. Practical Enforcement Difficulties
The execution of the Digital Personal Data Protection Act faces practical challenges because its enforcement framework remains underdeveloped and unorganized. The DPDP Act brings forward advanced privacy regulations yet its execution framework lacks organizational structure and developmental progress. The effectiveness of any legal document depends on the strength of its implementation mechanisms. The DPDP Act demonstrates excellent theoretical provisions yet various practical enforcement obstacles reduce its operational effectiveness.
- Non-Operational Data Protection: The DPBI functions as the principal entity for enforcement and adjudication according to the Act. The Board stays inactive because there have been no official appointments together with the absence of procedural rules and infrastructure development until mid-2025. The absence of a regulatory authority prevents grievance redressal and compliance checks and penalty impositions thus creating a legislative gap.
- Ambiguity in Legal Provisions The legislation does not provide complete explanations for its main terms including “public interest,” “legitimate use,” and “voluntary consent.” The unclear language creates gaps in compliance regulations which data fiduciaries exploit for broad interpretations that harm data principals.
- Insufficient Penalty Structure The Act excludes criminal liability, even for repeated or deliberate violations, and only stipulates civil monetary penalties. This lessens its deterrent effect, particularly when it comes to data breaches, profiling, or the sale of private information.
- D. Digital Literacy and Awareness Gap The ability to enforce rules depends directly on the knowledge and legitimate power of data principals. Numerous people throughout India’s digital environment remain unaware about their DPDP Act rights together with complaint submission processes. The lack of knowledge makes it hard to hold lawbreaker accountable.
- Jurisdictional and Cross-Border Complexities Although the Act permits data exchanges with Central Government approved nations it lacks adequate mechanisms for enforcing laws outside our national boundaries. The misuse of data in foreign countries creates limited possibilities for India to pursue legal actions because of international regulations and diplomatic restrictions.
3. Case Laws Judicial Reference
The Digital Personal Data Protection Act, 2023 is based on a series of important judgments by Indian courts, especially the Supreme Court. The most significant case is Justice K.S. Puttaswamy v. Union of India (2017). In this case, a nine-judge bench declared privacy as a fundamental right under Article 21. The requirement for a data protection law was underscored in the digital age by this verdict.
Within K.S. Puttaswamy (Aadhaar) (2019), the Court discerned that although the government scheme had virtuous motives, data sharing between private companies was unrestricted, and it opposed the constitution. It espoused the tenets of purpose limitation in conjunction with data minimization. Those tenets constitute the underpinnings of the DPDP Act presently.
Furthermore, in Anuradha Bhasin v. Union of India (2020), the Court reaffirmed the principle of proportionality. This principle is important for understanding exceptions like “public interest” in the DPDP Act. Although it was not a direct data privacy case, the Facebook-Cambridge Analytica incident, which came to the Indian courts through public interest lawsuits, highlighted the risks of data profiling and pushed the conversation toward stronger regulation.
4. Judicial Reference
Indian courts, especially the Supreme Court, have molded the principles with urgency behind decisive data protection legislation. Their determinations furnished the ethical and judicial impetus which incited the government to proceed. Accordingly, lawmakers instituted the DPDP Act, 2023.
The judiciary for the State consistently stresses functioning as a trustee, rather than an owner, of citizens’ data. Puttaswamy’s recognition of informational self-determination allows people to control their private data. For the rights under the DPDP Act, such as access, correction, and deletion, this is a crucial concept.
When rendering decisions, courts adhere to the principles of proportionality and minimal interference. They demand that privacy restrictions serve justifiable purposes and be necessary and well-defined. The judicially developed tests will serve as crucial tools to interpret terms such as “legitimate use”, “public interest” and “voluntary consent” during enforcement proceedings of the Act.
The judiciary must operate as a monitoring body to supervise government discretion because the Act provides extensive authority for the Central Government to develop rules. The ongoing judicial oversight plays a fundamental role in maintaining both constitutional foundations and practical implementation of privacy protections.
5. Suggested Solutions for Robust Enforcement
The DPDP Act needs a robust enforcement system to achieve its objectives. The Act requires multiple enforcement strategies to overcome its existing limitations and achieve its intended success.
A. Operationalising the Data Protection Board of India (DPBI)
The Data Protection Board of India requires immediate actions to establish its authority. The Board needs to select professionals who possess legal and technical and administrative skills while creating procedural rules and digital infrastructure to resolve complaints promptly.
B. Drafting Comprehensive Rules and Guidelines
The DPDP Act contains several provisions which depend on Central Government rules that will be established later. These rules need to establish the meaning of important terms such as “legitimate use” while establishing timelines for grievance resolution and penalty frameworks. The process of making rules must maintain transparency through public consultations which stand as a necessary requirement.
C. Awareness and Capacity Building
The enforcement of rights by data principals needs proper education regarding their rights together with available redress mechanisms. Public awareness campaigns should utilize regional languages to reach the target audience. The implementation of training programs for data fiduciaries including MSMEs and startups will help them achieve compliance.
D. Technological Readiness
The implementation of digital systems such as AI-based monitoring systems together with real-time audit capabilities and automatic consent management consoles can boost enforcement measures. The Indian technology sector provides opportunities to minimize administrative hold-ups while enhancing regulatory performance.
E. Judicial Review and Oversight
Judicial oversight of Board decisions will establish constitutional equilibrium together with procedural equity during situations that involve major fines or confidential information.
Strong enforcement of the DPDP Act requires both institutional power and clear procedures along with public participation and technological systems. The absence of these fundamental elements will lead to failure of modern legislation in actual implementation.
Conclusion
Digital Personal Data Protection Act, 2023 marks a significant legal milestone for India because it establishes individual data control and organizational responsibility in digital markets. Through its definitions of data fiduciaries and data principals and its consent-based processing framework and Data Protection Board of India establishment the Act brings India closer to GDPR standards.
The article demonstrates that the Act will achieve its goals only through effective implementation along with proper enforcement procedures. The Act faces significant enforcement obstacles because institutions lack readiness and the rule-making process experiences delays while legal language remains ambiguous and penalty systems are insufficient and public understanding is limited.The privacy rights that the Act seeks to protect will remain out of reach if proper systems are not put in place.
A successful enforcement framework needs to combine clear regulations with technology, judicial oversight, and public participation. The goal goes beyond just punishing violations. It aims to create an environment where personal data is treated with respect, along with practices of compliance and transparency.
The DPDP Act will achieve its success through the practical implementation of its core principles. The words data protection along with privacy and enforcement and compliance and digital rights need to become actual protections which protect all citizens instead of staying as formal legal terms. When properly implemented the DPDP Act will establish itself as the fundamental foundation of India’s digital transformation which maintains a proper balance between technological progress and personal data rights in modern times.
References
1. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 – https://indiankanoon.org/doc/91938676/
2. Anuradha Bhasin v. Union of India, (2020) 3 SCC 637 – https://indiankanoon.org/doc/115963968/
3. Facebook Cambridge Analytica case – https://indiankanoon.org/doc/181644971/
4. GDPR Text – https://gdpr-info.eu/
5. MeitY DPDP Act – https://www.meity.gov.in/digital-personal-data-protection-act-2023
6. NLS Journal – https://www.nls.ac.in/resources/journals/
