DIGITAL DATA PROTECTION: The way forward

  • May 5
  • 6 min read




When we think of the term personal data, a wide range of information immediately comes to mind: our name, phone number, email address, residential details, health records, financial information, and much more. In reality, the scope of personal data is much broader than we usually assume. Any identifier that can single us out, whether an IP address, a device ID, or even a pattern of behaviour, is considered personal data. The list is, as a matter of fact, interminable.


However, even when handling large volumes of sensitive data, it is easy to overlook the fact that we are sharing information: when do we stop to actually think about where this information is going? How often do we consider the origin, intention, or manner in which we gather and use data? The unpleasant fact is that we hardly do. In most instances, we reveal personal information almost unconsciously while signing up for a service, using a Google account, or entering our phone number just to access software or information more quickly.


Under this process, consent turns out to be mechanical rather than informed. Where the submitted data goes, how it is processed, and who has access to it are not things we give much thought to; how long and where the data is stored do not concern us either, as long as the data is entered and we can proceed. If asked when we last shared personal data while genuinely understanding how it would be used, the vast majority of us would struggle to recall an answer.


It is on this basis that the necessity of regulatory intervention becomes clear. In today's highly digitalised world, information is no longer stored in books, accounts, or ledgers. Rather, huge amounts of individual data are stored or hosted on the clouds, servers, and sophisticated IT systems not only of private companies but of governments as well. This change brings an appreciable increase in the risks of data exposure, ranging from identity theft and unauthorised commercial use to the conscious misuse or weaponisation of personal information.


Aware of these dangers, a number of countries have developed strong data protection regulations. The first that comes to mind is the European Union's General Data Protection Regulation (GDPR), which has come to be regarded as one of the principal exemplars of contemporary data protection legislation.


Other countries outside the European Union, such as the United States, China, Brazil, Canada, the United Kingdom, Australia, and New Zealand, have also developed their own privacy and data protection frameworks, each tailored to local legal and technological requirements. India, however, moved more gradually. Until recently, concerns around digitisation and electronic data were primarily addressed by the Information Technology Act, 2000.


Even though the IT Act was instrumental in supporting electronic commerce and regulating activities on the internet, it was never formulated to act as a holistic data protection law. Consequently, issues of privacy and the protection of personal data remained marginal, without the attention, coverage, and safeguards that a dedicated data protection regime requires.


Cue the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), India’s first law focused solely on personal data governance. The DPDP Act outlines how personal data should be understood, collected, processed, and protected. It emphasizes transparency, uniform compliance standards, and, most importantly, the rights of individuals, known in the Act as Data Principals.


In contrast to the earlier legislation, the DPDP Act of 2023, together with the Rules recently announced under it, establishes a systematic framework applicable to any organization that determines how personal data is handled. It sets out specific requirements for the collection, storage, processing, and use of personal data through digital means across different sectors, including technology, finance, education, healthcare, and consumer services.


The main advantage of the DPDP Act is its recognition of personal data as a precious asset of the current data-driven economy, coupled with the need to safeguard the interests of the people whose data sustains these systems. It is at this pivotal junction between data as a resource and data as a right that the Act seeks to strike a balance, by placing the Data Principal at centre stage of the data protection regime in India.


The DPDP Act applies to the processing of all personal data that is collected, stored or otherwise handled in India, and to the processing of personal data outside India where that processing is linked to the provision of goods or services to people in India. Markedly, the Act also applies to personal data originally held in non-digital form once that data has been digitised. In doing so, the legislation focuses on the areas where data processing, and the threat of its abuse, is greatest.


The person whose personal information is gathered is known as the Data Principal. The party or organization that decides the purpose of processing such personal data and the manner in which it is processed is referred to as the Data Fiduciary. Organizations that handle personal information at the direction of the Data Fiduciary, but without determining the purpose of that processing, are termed Data Processors.


Consider an individual who orders food through a food-delivery mobile application. The customer whose name, phone number, delivery address, and payment details are collected is the Data Principal. The food-delivery platform, which decides why this data is collected (order fulfilment, payments, customer support) and how it is processed, is the Data Fiduciary. The third-party payment gateway or cloud service provider that processes this data strictly on the instructions of the platform functions as the Data Processor.


The DPDP Act's emphasis on consent-based processing is a key component. Unless the processing falls within the narrow category of recognized legitimate uses, personal data may only be processed for a lawful purpose and with free, specific, informed, unconditional, and unambiguous consent. The Act does not intend consent to be merely a checkbox exercise. Instead, it is treated as a continuing relationship between the Data Principal and the Data Fiduciary, in which individuals can withdraw consent at any moment. The Rules make this approach workable by prescribing how consent requests, privacy notices, and easy withdrawal procedures are to operate.


Beyond consent, the Act places significant obligations on Data Fiduciaries to ensure effective data management. Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches. They must also ensure that data is accurate and complete where needed, and cease retaining data once the purpose of the processing has been achieved. Effective internal preparedness and response protocols play a very significant role in the event of a personal data breach: organizations must promptly inform the Data Protection Board of India and the affected individuals.


It is also important to identify the actionable rights of Data Principals. Individuals have the right to know how their personal information is used, to have their grievances addressed within stipulated periods of time, and to request that any inaccurate or outdated information be corrected or erased.


The DPDP Act uses a civil regulatory system for enforcement, supported by significant financial penalties for non-compliance. The Data Protection Board of India serves as the main adjudicatory body. It can investigate violations, issue directions, and impose fines when necessary. This marks a deliberate shift from criminal enforcement to structured regulatory oversight and fair accountability.


The recently announced DPDP Rules clarify procedural issues, such as notification requirements, consent management, complaint resolution timelines, and additional responsibilities for Significant Data Fiduciaries. Organizations must integrate the Act and the Rules into their internal governance to create a functional compliance framework.


Compliance with the DPDP regime cannot be achieved without a fundamental reconsideration of how organisations approach personal data. Recourse to standard contractual terms or broad, boilerplate privacy policies is no longer sufficient to meet statutory expectations. The legislation forces organisations to look inward: to evaluate internal data flows, review current methods of operation, and fine-tune existing third-party and vendor agreements so that they comply with the new legal regime.


This usually begins with a clear understanding of what personal data is being collected, why, and how it is transferred among systems and stakeholders. It also requires proper governance mechanisms, such as well-defined privacy notices, a functioning grievance redress system, and clear internal accountability. Where necessary, organisations are also required to appoint responsible persons to manage data protection requirements and to act as a contact point for affected individuals.


The Act uses a model of deterrence to enforce its provisions, with penalties of up to 250 crore depending on the nature and severity of the violation. These consequences emphasize that data protection is no longer a technical or back-end issue but a governance issue. At the same time, organisations that are proactive and constructive in their compliance efforts can reap benefits beyond regulatory assurance alone: they gain trust and credibility in a market that is increasingly privacy-minded and ever more aware of responsible data use.


To sum up, the regulatory landscape of India has been transformed considerably by the introduction of the Digital Personal Data Protection Act 2023, which is set to be fully enforced by May of 2027. It marks the replacement of ad hoc data protection policies with a rights-based legal system of data governance. Companies that treat data protection as a fundamental governance activity, rather than a marginal compliance obligation, will be best positioned to operate in the emerging digital economy as enforcement mechanisms mature and regulatory requirements harden.



