Print Friendly, PDF & Email

Limitations of India’s new Digital Personal Data Protection law (DPDP) 2023

GS Paper 2

 Syllabus: Governance/ Government Policies and Interventions


Source: TOI

 Context: This article is in continuation to yesterday’s article on the Impact of the DPDP Bill on the RTI Act


Digital Personal Data Protection in India is criticized for granting extensive state control over citizens’ lives and privacy.


Limitation of the DPDP Bill:

The bill has an emphasis on data collection and commercialization, potentially overshadowing robust protection of citizens’ rights and data privacy.
Weak Notice ProvisionData collecting companies (data fiduciaries) are not required to inform users (data principals) about sharing their data with third parties
Consent Issues‘Legitimate uses’ of data are vaguely defined, potentially leading to consent-related issues. E.g., reasons like ‘State functions’ and ‘medical reasons’, do not require user consent, possibly undermining privacy
Government ImmunityThe government is granted extensive powers to gather and process citizens’ data.
Compromised IndependenceThe Data Protection Board’s lack of independence due to government-appointed members
Undefined Data Fiduciary CategoryUnclear criteria for ‘significant data fiduciaries’ exemptions from notifying users about data collection, storage, or sharing


In September 2018, nearly a year after its decision on the fundamental right to privacy, the Supreme Court upheld but also limited the Aadhaar programme. Justice D.Y. Chandrachud, in his dissenting judgment, drew from Nobel Prize-winning author Aleksandr Solzhenitsyn’s experience in Stalinist Russia: “The invisible threads of a society networked on biometric data had grave portents for the future and unless the law mandates an effective data protection framework, the quest for liberty and dignity would be as ephemeral as the wind.”