PPP CIA Sem4 | PDF | Privacy | Information Privacy

PPP CIA Sem4

Uploaded by

Ashna Sinha

HIDAYATULLAH NATIONAL LAW UNIVERSITY

CONTINUOUS INTERNAL ASSESSMENT- I

Submitted by – Sejal Sahu

Semester- January to April 2025

Section – B

Roll no.- 146

Enrolment Id – 23/2023/2881

Subject – Public Policy Process

Submitted to- Dr. Kamal Narayan (Assistant Professor)


Introduction

In today’s era, personal data serves as valuable business property for leading industries
such as e-commerce, finance, healthcare and social media, as well as for individuals.
Rapid digital transformation in India has triggered the collection of massive amounts of
personal data that private companies and government institutions manage and store.
Data-driven operations have increased substantially, generating new concerns about privacy,
security and unauthorized use of information.

No complete legal rules existed before individuals and companies faced privacy violation
incidents and experienced surveillance problems.1 Major data exposures at technology
companies and from the Aadhaar system showed that India needed strong laws to protect
personal data.2 The right to privacy is a fundamental right, as established in Justice
K.S. Puttaswamy vs. Union of India.3 This case made it easier to create better data protection
laws for India. With the Digital Personal Data Protection Act of 2023 (DPDPA) 4 entering
into force, India has adopted reforms to keep individual privacy secure and empower consumers
against misuse of their personal data.

In India, the legal structure for data protection evolved over several years until it
converged into one consolidated data protection law. At the start of the century, data
protection and security regulations 5 were limited to the Information Technology (IT) Act,
2000,6 whose main purpose was to stop cyberattacks such as hacking, identity theft and
financial fraud. Section 43A of the IT Act 7 required corporate bodies to maintain reasonable
security practices, yet this provision neither specified personal data rights nor established
firm guidelines for data collectors and processors.8 Additional data security safeguards
arrived with the IT (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011,9 although enforcement remained erratic and compliance
levels varied significantly among different business sectors of the economy.

1 DLA Piper, Data Protection Laws of the World: India, https://www.dlapiperdataprotection.com (last visited Mar. 26, 2025).
2 Aadhaar Breach: A Case of Data Privacy in India, UK Essays, https://www.ukessays.com (last visited Mar. 26, 2025).
3 Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India).
4 Digital Personal Data Protection Act, No. 32 of 2023, India Code (2023).
5 ICRIER, Evolution of India’s Data Protection Law: A Primer, https://icrier.org (last visited Mar. 26, 2025).
6 Information Technology Act, No. 21 of 2000, India Code (2000).
7 Information Technology Act, § 43A, No. 21 of 2000, India Code (2000).
8 Press Information Bureau, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, https://archive.pib.gov.in (last visited Mar. 26, 2025).

The Justice K.S. Puttaswamy judgment introduced a fundamental change, with the
Supreme Court of India establishing privacy rights under Article 21 of the Constitution.10 The
breakthrough decision acknowledged personal data protection as an important system to
defend human freedom and dignity. The government received orders to establish a specific
data protection law that would govern the collection, storage, processing and sharing of
personal data.

In turn, the Personal Data Protection Bill, 2019,11 drew inspiration from the
General Data Protection Regulation (GDPR) of the European Union.12 Nevertheless, concerns
over data localization, government exemptions, and regulatory complexity led to its
withdrawal.13 The DPDPA came after many revisions and consultations with stakeholders.
The main goal of this law is to set out data principals’ rights, data fiduciaries’ obligations
and enforcement mechanisms, and to establish a structured regulatory framework. It
aims to strike a balance between individual privacy and commerce, so that businesses can
operate well and protect privacy rights at the same time.

Scope and Applicability of DPDPA

The DPDPA applies to the collection, storage, processing and sharing of digital personal data
in India.14 Where it relates to Indian persons, it extends to data processed outside India as
well, to make sure that foreign entities that process Indian users’ data comply with its
provisions. Such extraterritorial reach is also a feature of global privacy laws like the
GDPR, to avoid misuse by foreign data processors. However, the Act does not cover
non-personal and anonymized data. The Act also gives Indian government officials the power
to exempt some companies from the payment requirement, like startups or government bodies,
which could lead to state surveillance and regulatory imbalance.

9 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E) (India).
10 India Const. art. 21.
11 The Personal Data Protection Bill, 2019, Bill No. 373 of 2019 (India).
12 Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016, 2016 O.J. (L 119) 1 (EU).
13 Sidharth Deb, The Withdrawal of the Proposed Data Protection Law Is a Pragmatic Move, Carnegie Endowment for Int'l Peace (Aug. 12, 2022), https://carnegieendowment.org/posts/2022/08/the-withdrawal-of-the-proposed-data-protection-law-is-a-pragmatic-move.
14 Digital Personal Data Protection Act – India’s New Data Protection Framework, Clifford Chance (Aug. 2023), https://www.cliffordchance.com/content/dam/cliffordchance/briefings/2023/08/digital-personal-data-protection-act-indias-new-data-protection-framework.pdf.

Legal and Critical Analysis of the Act

A. Strengths

The DPDPA created a complete data protection system that resembles international standards
while establishing clear guidelines for safe personal data handling. Individuals are granted
rights to obtain their data, to have it corrected and to have it removed under this law,
which bolsters the privacy guarantees of Article 21 of the Constitution.15 Data
fiduciaries under the Act need to establish explicit consent requirements as well as secure
data storage systems.16 Under the supervision of the Data Protection Board of India (DPBI),
organizations must comply with regulations that carry potential fines of up to ₹250 crore, as
the DPBI works to increase company responsibility. Government-owned data receive exceptions,
which should be monitored by judges since they pose risks to individual privacy through
surveillance and targeted enforcement practices.

B. Weaknesses and Criticisms

The DPDPA, 2023 created a complete data protection system that resembles international
standards such as GDPR while establishing clear guidelines for safe personal data handling.
Individuals are granted rights to obtain their data and make necessary changes and data
removal through this law, which bolsters privacy guarantees mentioned in Article 21 of the
Constitution. Data fiduciaries under the Act need to establish explicit consent requirements as
well as secure data storage systems.17 Under the supervision of the Data Protection Board of
India (DPBI), organizations must comply with regulations which carry potential fines of up to
₹250 crore as DPBI works to increase company responsibility.18 Government-owned data
receive exceptions which should be monitored by judges since they pose risks to individual
privacy through surveillance and targeted enforcement practices.

15 India Const. art. 21.
16 Digital Personal Data Protection Act, 2023: A Brief Analysis, Bar & Bench (Aug. 14, 2023), https://www.barandbench.com/law-firms/view-point/digital-personal-data-protection-act-2023-a-brief-analysis.
17
18

C. Comparison with Global Data Protection Laws

The DPDPA, 2023 mirrors the EU’s GDPR in its principles of data minimization, consent-based
processing and accountability, but takes a more lenient enforcement approach than the
GDPR under the European Data Protection Board (EDPB). The Data Protection Board of India
(DPBI) works under executive control, unlike the independent supervisory authorities of the
GDPR, so doubts prevail about its impartiality. India’s unified model is unlike that of
the US, where a sectoral approach is followed (e.g. HIPAA for healthcare, CCPA for
consumer privacy). In contrast to India’s extraterritorial scope, the Privacy Act of Australia
emphasises individual rights. To ensure global alignment, India needs a greater degree of
regulatory independence, as well as harmonization of the processes for cross-border
data transfer through bilateral frameworks.

IV. Effectiveness and Impact in Protecting Privacy

A. Positive Impacts

Significantly, the DPDPA, 2023 gives consumers much-needed trust by mandating that
data is collected only with transparency and that organizations adhere to the purpose
limitation and data minimisation principles. This is in tune with the Justice K. S.
Puttaswamy (2017) judgment that privacy is a fundamental right. With data rights made clear,
the DPBI serves as a guard for grievance redress, and the enforcement of penalties for
noncompliance further buttresses the constitutional protections under Article 21.

The Act gives businesses an incentive to improve data governance and to implement
privacy-by-design frameworks of the kind the GDPR requires. Case law such as Google Spain
SL v. AEPD (2014), which laid down the ‘right to be forgotten’, has influenced the DPDPA
provisions in such a way that they offer Indians the same right over their personal data.
On the other hand, the DPBI’s autonomy must be strengthened for it to work better; it can
be used to the fullest only through impartial enforcement. The DPDPA can go on to elevate
Digital India by fostering secure data ecosystems and protecting individual privacy.

V. Recommendations and Way Forward

1. Clarification of Ambiguous Provisions: Ensure Precise Legal Definitions


The key concern with the DPDPA, 2023 is the ambiguity of its definitions of terms such as
‘legitimate use’, ‘public interest’, and ‘deemed consent’. Provisions that are undefined or
too broad leave room for imprecise interpretation, which in turn leads to inconsistent
enforcement. To deal with this, the governing body should draft explicit rules and
guidelines, just as the EU’s GDPR Recitals do, offering clarity on the legal terms and
their interpretation.

The Supreme Court in Shreya Singhal v. Union of India (2015) held that vague laws
violate Article 14 (equality) and Article 21 (due process) because they do not satisfy the test
of legality. Explicit definitions in the DPDPA’s Rules would therefore help significantly
with better compliance, reduced litigation and more legal certainty for businesses and
citizens. This also means that the Data Protection Board of India (DPBI) should be vested
with the power to issue binding clarifications, as GDPR supervisory authorities do.

2. Stronger Oversight Mechanisms: Enhance Regulatory Independence

As currently constructed, the Indian Data Protection Board (DPBI) lacks institutional
independence. The central government both appoints and oversees members of its governing
council, which has potential ramifications for whether rules are properly enforced
when they come into conflict with government entities. To instill trust, the DPBI should
be given the type of independence afforded to the European Data Protection Board (EDPB)
under the GDPR and to India's Election Commission, a constitutional body operating
autonomously under India's Constitution.

In a recent judgment in 2017, Justice K.S. Puttaswamy v. Union of India, the Supreme Court
emphasized the importance independent oversight plays in deciding how data
governance is carried out. Drawing on constitutional principles, the DPBI should be
endowed with judicial review powers in order to ensure that privacy norms are abided by
even when the government asks for access to data. Moreover, a multi-stakeholder
governance model with representation from civil society, technical professionals and
industry heads can prevent excessive government control over information and hold
authorities accountable for their regulations.

3. Balanced Approach to Government Exemptions: Introduce Judicial Oversight


Under Section 18 of the DPDPA, 2023, the government has been granted wide exemptions
that allow it to surveil without sufficient checks and balances. Such mass surveillance of
citizens can be carried out, among other reasons, in the name of national security and
public order. We all know how important national security is. But what we should not be
okay with is unrestricted data access that runs afoul of the Puttaswamy ruling.

To maintain the equilibrium, India can have an arrangement like the UK’s Investigatory
Powers Tribunal (IPT), with an independent judicial body that reviews requests for all kinds
of surveillance. Another option is to establish a Data Protection Ombudsman, with sufficient
authority to review and challenge requests from government agencies for access to all kinds
of data. This is in line with what Article 23 of the GDPR provides for. Prior to mandating
either of these arrangements, one can look into the well-trodden path of searching for an
independent, unbiased, and strident entity in law that can form a bulwark against erosions of
the right to privacy.

4. Capacity Building and Awareness: Public Campaigns on Data Privacy Rights

Many people in India still don’t know much about data rights and privacy laws.
A NASSCOM survey in 2022 found that over 60% of internet users were unaware of their
rights under current IT laws. The new DPDPA, 2023 brings in rights like data correction,
portability, and erasure, but how well these work depends on how well people can use
them.

We really need a nationwide Data Privacy Awareness Program, similar to the efforts by
the UK’s ICO (Information Commissioner’s Office), to help educate everyone about their
rights and what they can do under the DPBI. Schools and universities should
introduce digital literacy courses so that people know about this from an early age. Plus,
companies should be required to provide annual privacy training for their employees, just
like the GDPR requires under Article 39, to make companies more accountable. By
boosting privacy literacy, India can help people take charge of their personal data and make
smarter digital choices.

5. Encouraging Innovation in Privacy Technologies: Promote Data Security Solutions

To boost data security and compliance, India really needs to promote privacy-enhancing
technologies (PETs) like end-to-end encryption, differential privacy, and zero-knowledge
proofs. Countries such as Germany and Canada have done a great job by weaving secure
computation techniques into their data regulations, which helps keep risk at bay. The DPDP
Act should encourage businesses to create and use these technologies through tax breaks,
grants, and regulatory sandboxes, which would help create a culture of proactive privacy
protection.

What's more, we should roll out privacy-by-design certification programs, similar to
the EU’s ePrivacy certification, under the Bureau of Indian Standards (BIS). This would
push businesses to welcome security-first approaches in how they develop their products.
The Supreme Court in the case of Internet Freedom Foundation v. Union of India
(2022) emphasized how important it is to have strong encryption standards to safeguard
user data. By putting privacy-focused innovation at the forefront, India can not only
enhance consumer protection but also establish itself as a global leader in ethical tech
development.
