NATIONAL LAW UNIVERSITY ODISHA,

CUTTACK

COURSE OUTLINE

DATA PROTECTION
LAW
B.A./B.B.A. LL.B.
IX SEMESTER July 2025- December 2025

Course Instructor: Richa Singh, Assistant Professor of Law, NLUO

Email: richa@nluo.ac.in
 COURSE INTRODUCTION

In this course we will see the conceptual & practical understanding of the Digital Personal
Data Protection Act, 2023 (hereinafter DPDP) and Draft Digital Personal Data Rules, 2025.

This course provides a comprehensive understanding of privacy law and data protection in
the context of India’s digital economy and global data governance frameworks. It begins by
tracing the historical evolution of the right to privacy, culminating in its recognition as a
fundamental right by the Supreme Court of India in the Puttaswamy judgment. Building on
this foundation, the course critically examines the DPDP—India’s first comprehensive data
protection legislation.
Students will study the key principles and provisions of the DPDP Act, including data
fiduciary obligations, user consent architecture, the role of the Data Protection Board, and
grievance redressal mechanisms. A significant focus will be placed on the Data Protection
Officer (DPO), a new fiduciary figure responsible for ensuring organizational compliance and
accountability.
The course undertakes a comparative analysis with leading international data protection
frameworks such as the General Data Protection Regulation (GDPR) of the EU and the
California Consumer Privacy Act (CCPA) of the USA. This comparison is crucial in
understanding regulatory overlaps, cross-border data flow issues, and global standards of
privacy protection.
In addition to legal analysis, the course will explore contractual safeguards, data processing
agreements, and procedural compliance requirements. Students will also examine the impact
of Artificial Intelligence on data privacy—especially concerning automated decision-making,
data ownership, and algorithmic accountability.
By the end of the course, learners will have a nuanced understanding of privacy as a legal and
policy issue, the institutional mechanisms involved, and the tools for compliance and redress.
It will also equip them for advanced research and informed participation in the ongoing
debates surrounding digital rights and data governance.
 COURSE OBJECTIVES

● To enable the students to understand the concept of Privacy & relevance of Data

Protection Laws

● Understand the role of data, communication, and computation in modern public

policy.

● Develop effective communication strategies for policy advocacy in the digital age.

● Anticipate and address emerging policy issues related to data protection.

COURSE MODULES & LECTURES

Modu Title No of Lectures

le
I Big Data & Society 9
II An Introduction to Right to Privacy 10
III Key Definitions & Jurisdictional Aspects 12
IV Actor-Structure Framework of Data Protections Law 12
V Rights of Data Subjects 9
VI Compliance and Procedural Aspects 8
VII Tutorials 15
Total 75
 Module 1: Big Data & Society

This module will give an introductory insight that how the rise of Big Data over years has

ripple effects in various spheres of the society. How Big Data has also shaped the legal world

till now will be part of this module coverage. This module will also provide a ringside view

of how Big Data business models has been a source of disruptive innovation in the different

sectors of the economy. Most of societal problems that have cropped up with the advent of

Big Data like Disinformation, Fixing Elections, and Digital Taylorism among others

discussed in the module. This module will also introduce the concept of DATAISM, one of

the offshoots of AI revolution, the new emerging area of philosophy which advocates

unbridled flow of information throughout the world. The module will also discuss about the

legitimacy of business models of Big Data with different case studies. One of the important

parts of the module is effect of data on vulnerable groups like women and children.

i. Big Data and 5 Vs- Volume, Velocity, Veracity, Variety & Value.

ii. Legitimacy of Big Data Business models- Case Studies on

AirBnB, Google, Facebook, ChatGPT and Uber.

iii. Open Data Policy & Role of Digital Public Infrastructure (DPIs)

iv. Data Ownership in the age of Generative AI (The New York

Times case)

Recommended Readings:

1. Ferreira, C., Merendino, A. and Meadows, M., 2023. Disruption and legitimacy: big data
in society. Information Systems Frontiers, 25(3), pp.1081-1100.

2. Custers, B. and Malgieri, G., 2022. Priceless data:: why the EU fundamental right to data
protection is at odds with trade in personal data. Computer Law & Security Review, 45,
p.105683.
3. Avrahami, O. and Tamir, B., 2021. Ownership and Creativity in Generative Models.
arXiv preprint arXiv:2112.01516.

4. Zuboff, S., 2023. The age of surveillance capitalism. In Social theory re-wired (pp. 203-
213). Routledge.

5. Tiwari, S., Packer, F. and Matthan, R., 2023. Data by People, for People. FINANCE
& DEVELOPMENT.

6. Privacy 3.0: Unlocking Our Data-Driven Future by Rahul Matthan

 Module 2: An Introduction to Right to Privacy

This module traces the evolution of Privacy Law through a historical perspective. From the

Kharak Singh case in 1950s to the recent Puttaswamy judgment the evolutionary

jurisprudence of the concept of privacy has seen rapid strides. This module will also discuss

about the concept of Informational Privacy and other attributes of the concept of privacy. The

module also discusses landmark cases related to privacy across the world. The clash of right

to privacy as a fundamental right against the principles of national security vis-à-vis right to

free speech and freedom of trade is also highlights of this chapter.

i) An introduction to the concept of Privacy

ii) Evolution of Privacy Jurisprudence in India- Kharak Singh to

Puttaswamy Judgment

iii) Right to be forgotten (Google Spain SL, Google Inc v Agencia Española

& Google v. CNIL case)

iv) Right to Privacy in the backdrop of mass surveillance. (Big Brother Watch

v United Kingdom )

Recommended Readings

1. Warren, S. and Brandeis, L., 1989. The right to privacy. In Killing the Messenger: 100
Years of Media Criticism (pp. 1-21). Columbia University Press. Refer
2. Kumaraguru, P., Cranor, L.F. and Newton, E., 2005, September. Privacy perceptions in
India and the United States: An interview study. In The 33rd Research Conference on
Communication, Information and Internet Policy (TPRC) (Vol. 1, pp. 1-13). Refer
3. Tarafder, A., 2015. Surveillance, Privacy and Technology: A Comparative Critique of the
Laws of USA And India. Journal of the Indian Law Institute, pp.550-578.
4. Singh, P., 2021. Aadhaar and data privacy: biometric identification and anxieties of
recognition in India. Information, Communication & Society, 24(7), pp.978-993.
 Module 3: Key Definitions & Jurisdictional Aspects

This module introduces three major Data Protection laws which are DPDP, 2023, GDPR and

CCPA. The module looks at the key definitions mentioned in the respective legislations. The

module gives an introductory insight into the types of data mentioned in the laws and

policies. The jurisdictional aspect is a key concept in understanding the extent and ambit of

data protections laws vis-à-vis Cross border data flows and Data Localisation requirements.

The module highlights the timeline of Data Protection Laws in India and its subsequent

modifications into the present law.

i. Personal Data & Special Categories of Data

ii. Evolution of Digital Personal Data Protection Act, 2023.

iii. Jurisdiction of Data Protection Laws: The Brussels Effect

iv. Established Data Protection Principles- Purpose Limitation, Notice & Consent,

Data Minimisation etc.

v. Exemptions under the Data Protection Laws.

Recommended Readings

1. Purtova, N., 2018. The law of everything. Broad concept of personal data and future of
EU data protection law. Law, Innovation and Technology, 10(1), pp.40-81.
2. Motiwala, F., 2024. Comparative Study of General Data Protection Regulation (GDPR)
and Digital Personal Data Protection Act (DPDP): A Way Out for European Industry to
Navigate through Indian Personal Data Protection Regulation.
3. Gunst, S. and De Ville, F., 2021. The Brussels effect: how the GDPR conquered Silicon
Valley. European Foreign Affairs Review, 26(3).
4. Dwivedi, S.K., 2020. From Privacy to Data Protection in India: Evaluating the
Personal Data Protection Bill, 2019. Issue 4 Int'l JL Mgmt. & Human., 3, p.2136.
5. Arora, K., 2020. Privacy and data protection in India and Germany: A
comparative analysis (No. SP III 2020-501). WZB Discussion Paper.
6. Cortez, E.K., 2021. Data protection around the world. Privacy laws in action.
7. Bakare, S.S., Adeniyi, A.O., Akpuokwe, C.U. and Eneh, N.E., 2024. Data privacy laws
and compliance: a comparative review of the EU GDPR and USA regulations. Computer
Science & IT Research Journal, 5(3), pp.528-543.
 Module 4: Actor-Structure Framework of Data Protections Law

The present module introduces key stakeholders in the data protection laws and any new type

of institutions that comes under the ambit of present legislations. The role of responsibility of

Data Protection Officer is clearly highlighted under the module. The regulatory apparatus and

the enforcement of Data Protection Law will be discussed under the module.

i. Introduction to key actors in the DPDPA, 2023, GDPR & CCPA.

ii. Role of Data Protection Officer.

iii. Obligations of Data Fiduciaries and Significant Data Fiduciaries

iv. Functions of Data Principal & Data Processor

v. Data Protection Board

vi. Practical Steps to conduct a Data Protection Impact Assessment

Recommended Readings

1. Raul, A.C. ed., 2021. The privacy, data protection and cybersecurity law review. Law
Business Research Limited.
2. Yadav, A. and Yadav, G., 2021. Data protection in India in reference to personal
data protection bill 2019 and IT act 2000. Int. Adv. Res. J. Sci. Eng. Technol, 8(8).
3. Strycharz, J., Ausloos, J. and Helberger, N., 2020. Data protection or data frustration?
Individual perceptions and attitudes towards the GDPR. Eur. Data Prot. L. Rev., 6, p.407.
4. Veit, R.D., 2022. Safeguarding regional data protection rights on the global internet—The
European approach under the GDPR. In Personality and Data Protection Rights on the
Internet: Brazilian and German Approaches (pp. 445-484). Cham: Springer International
Publishing.
5. Baik, J.S., 2020. Data privacy against innovation or against discrimination?: The case of
the California Consumer Privacy Act (CCPA). Telematics and Informatics, 52
 Module 5: Rights of Data Subjects

Providing legal rights to data subjects so that they can protect their privacy is one of the ways

in which these principles are operationalised. These rights are at the core of data protection

frameworks. The module carries out a comparative assessment of various data rights

enshrined under DPDP, 2023, GDPR and CCPA. The module also cover exceptions which

are restrictions on these data rights along with relevant obligations on data processors.

i. The rights to access, confirmation, and information;

ii. The rights to rectification and erasure or deletion;
iii. The rights to be forgotten and to data portability;
iv. The rights to object and to restrict processing;
v. The right against automated decision-making and profiling;
vi. The right to delegate (or for third-party to exercise) rights; and
vii. Whistle-blower protection.

Recommended Readings

1. Nycyk, M., 2020. From data serfdom to data ownership: An alternative futures view of
personal data as property rights. Journal of Futures Studies, 24(4), pp.25-34.
2. Taylor, L., 2017. What is data justice? The case for connecting digital rights and freedoms
globally. Big Data & Society, 4(2), p.2053951717736335.
3. Rubinstein, I.S., 2013. Big data: The end of privacy or a new beginning?. Int'l Data Priv.
L., 3, p.74.
4. Rustad, M.L. and Koenig, T.H., 2019. Towards a global data privacy standard. Fla. L.
Rev., 71, p.365.
5. Ghosh, M.J. and Shankar, U., 2016. Privacy and Data Protection Laws in India: A Right-
Based Analysis. Bharati Law Review, pp.65-66.
6. Chatterjee, S., 2019. Is data privacy a fundamental right in India? An analysis and
recommendations from policy and legal perspective. International Journal of Law and
Management, 61(1), pp.170-190.
 Module 6: Compliance and Procedural Aspects

This module importantly discussed the compliance procedures with different forms and

documents as stated under the data protection laws. All such laws impose penalties for any

breach of data or procedural compliances. Procedural steps like auditing, defining internal

consent, managing third parties, providing for user rights and enhancing Data Security are

discussed under the module. Students will learn to draft Privacy Policy and how to

incorporate data protection clause in different types of contracts in this module.

i. Penalties and Enforcement

ii. Data Breach reporting and developing robust incident response plans

iii. Drafting of Privacy Policy & Data Protection Agreement

iv. Data Protection Clause in e-commerce agreements, SaaS agreements and other

various types of technology related contracts.

Recommended Readings

1. Hirsch, D.D., 2010. The law and policy of online privacy: Regulation, self-regulation, or
co-regulation. Seattle UL Rev., 34, p.439.

2. Al-Fedaghi, S., 2009. Drafting informational privacy laws: Information

science perspective. Issues Inform. Syst, 10, pp.165-174.

3. Prasad M, D. and Menon C, S., 2020. The Personal Data Protection Bill, 2018: India’s
regulatory journey towards a comprehensive data protection law. International Journal
of Law and Information Technology, 28(1), pp.1-19.

4. Zaeem, R.N. and Barber, K.S., 2020. The effect of the GDPR on privacy policies:
Recent progress and future promise. ACM Transactions on Management Information
Systems (TMIS), 12(1), pp.1-20.
 Course Pedagogy

i. Lectures
ii. Case Study
iii. Group
Discussion
iv. Discussion
Leading
v. Exercises
vi. Assignments

Course Study Material

i. Will be provided in due course.

ii. Other material referred in the study material to be studied.
iii. Basic text and reference books on the subject to be consulted.

Course Learner Participation

Course learner should come to the lecture sessions:

i. After going through the relevant part in the course study material.
ii. Bare Act must be brought and not come with bare hands.
iii. Come without fail in time.
iv. Deliberate in the class purposefully and meaningfully.
v. Engaging in any other activity during lecture is absolutely unwelcome.
vi. Facilitation of your own as well as others’ learning.