Author: Supriya Dayal, Banasthali Vidyapith, Rajasthan

In the era of digital revolution, where our mornings do not begin with the rising sun, but with the notification sound of our smartphones, from sending messages on WhatsApp, checking for updates, joining online classes, making payments, every activity in our day-to-day life revolves around our smartphones. By every tap, swipe, and click on our smartphones during our daily routine, we are sharing our personal data and giving consent without thinking for a second about where and how our information may be used. When we willingly tap ‘Agree’ or click ‘Accept’ countless times, few of us fully read the agreement in which we are entering that to what extent our personal data is collected, shared with the other parties. This effortless flow of personal data has created an uncontrolled and unregulated domain of data, this makes digital privacy not just a matter of personal interest, but a fundamental right of every citizen that requires protection under the law. The Supreme Court of India in the landmark case of K.S. Puttaswamy vs. Union of India recognized the Right to Privacy as a Fundamental Right and laid down the foundation for the protection by extending it to digital privacy.

The right to privacy is an essential part of Right to Life and Personal Liberty provided under Article 21 of the Constitution of India. It protects an individual’s privacy, dignity, and control over personal information, ensuring freedom from unwanted invasion by the state or any private entities. Before 2017, privacy existed only in fragments inferred from various judicial interpretations like M.P. Sharma v. Satish Chandra, 1954 and Kharak Singh v. State of Uttar Pradesh, 1962 where the court denied the existence of a constitutional right to privacy stating that the Constitution of India did not mention it explicitly. In the case of Gobind v. State of Madhya Pradesh, 1975, the Supreme Court ruled that privacy could be protected as part of personal liberty, but subject to reasonable restrictions. In the Puttaswamy case, where a nine-judge bench unanimously overruled the earlier precedents and guaranteed privacy to the status of a fundamental right. Justice D.Y. Chandrachud observed that “Privacy is the constitutional core of human dignity.” The judgement recognized three dimensions of privacy such as physical privacy, informational privacy and decisional privacy. 

The Supreme Court recognized privacy as a fundamental right which laid the Constitutional framework, but in the era of digitalization, where digital data is escalated, demanded a specific legislative framework to regulate how personal information in digital form is collected, processed, and protected. The Government of India enacted the Digital Personal Data Protection Act (DPDP Act) in 2023, a statute to implement the constitutional right to privacy in the digital era. The DPDP Act attempts to address the challenges arising by modern technology, data driven business models and the dramatic increase of digital information flows. 

The Aims of the Act are:

1. Empower individuals with rights over their personal information by provisions for mandatory informed consent, access, correction, etc.

2. Ensure transparency and accountability among data handling entities that collect and process digital personal data.

3. Provide clear obligations and penalties to prevent misuse, unauthorized disclosure, negligence in data handling.

4. Balance individual privacy rights with the need for state and corporate entities to process data for legitimate purposes such as service delivery, governance, innovation, and national security, etc.

Key Provisions

1. Applicability and Scope: As per Section 3 of the Act, it applies to processing digital personal data within India and also applies to processing outside India if offering goods or services to individuals in India.

2. Consent Requirement: Section 7 states that Personal data must be processed after obtaining free, informed and specific consent of the individual, unless exempted. Consent can be withdrawn at any time.

3. Rights of Individuals: 

   Right to access personal data held by data fiduciaries (Section 9). 

   Right to correction and erasure of inaccurate or incomplete data (Section 10).

   Right to grievance redressal and to nominate representatives (Section 11).

4. Obligations of Data Fiduciaries and Processors:

Under section 14, 15 and 17 it is the duty of data fiduciaries to maintain data accuracy, reasonable security safeguards and notify Data Protection Board and affected individuals about breach of data and also it is their duty to retain data for the duration necessary for the purpose.

5. Exemption

Under Section 33 exemption is provided to government agencies to process digital personal data for legal proceedings, national security, public order and any other exemption as notified.

Challenges in implementing the DPDP Act, 2023

 As the legislative framework laid down by the DPDP Act, but there are several persisting challenges in its effective implementation:

1. Lack of Awareness among Individuals

Many people, in rural and semi-urban areas, are unaware of their digital privacy rights under the Act. Due to low awareness, there are limited individuals who exercise control over their personal data or seek redressal when their rights are violated.

2. Complex Compliances 

A large number of small and medium enterprises (SMEs) and startups struggle to meet the complex compliance requirements due to limited technical expertise and financial resources.

3. Rising Incidents of Data Breaches

Recently, there has been a significant rise in data breaches affecting health insurance companies (Star Health Insurance, 2023), fintech companies (Policybazaar, 2023), government databases (Aadhaar Database leak, multiple times), exposing millions of personal records.

4. Ambiguities in Cross-Border Data Transfer

As the Act allows cross-border data transfer subject to approval of the Central Government. This creates ambiguity and complexity for businesses operating in the global market.

5. Balancing State Surveillance and Privacy 

The Act provides exemption to government agencies related to national security and law enforcement sometimes raises concerns regarding unchecked surveillance, leading to debates on how to balance security with Privacy safeguards.

The recognition of the right to privacy as a Fundamental Right in case of Justice K.S. Puttaswamy v. Union of India marked a milestone affirming that protecting personal data is essential for an individual's dignity and liberty. The Digital Personal Data Protection Act, 2023 transformed a landmark judicial interpretation into a legislative framework for data governance in the era of digitalization. It aims to safeguard personal informational autonomy while balancing digital innovation and governance efficiency.

However, the success of the Act depends on its effective implementation, awareness, clarity in provisions and accountability. Rising cases of data breach, complex compliances and ambiguities in certain provisions are challenges that need to be resolved by adapting significant approaches. Article 21 means making privacy protection an everyday reality rather than a mere legal provision. Digital privacy is not about restricting technology but empowering individuals to have control over how technology shapes their lives.