Digital Personal Data Protection Act: Will it safeguard privacy or widen state-corporate surveillance
Published on : 05/10/2025
Author Details
Ms. Reena Manetia
LL.M., Corporate and Commercial Law,
University of Westminster, London
Abstract
The growing capacity for electronic monitoring has rekindled the age-old dispute over whether personal privacy is a basic human right or a conditional privilege. This article explores how digital personal space sits within the bounds of law and democracy. The right to privacy has been upheld by important legal precedents, such as the Puttaswamy v. Union of India (2017) case in India, and by statutes like the Digital Personal Data Protection Act (2023) and the General Data Protection Regulation (GDPR). National security concerns and the desire to profit from data are driving the expansion of official and corporate monitoring technologies, which is casting doubt on this idea. The research reviewed highlights how different cultures regard privacy, how important privacy-by-design is for technology, and how current data protection regimes have their limitations. The breadth and depth of contemporary data collection necessitate a reassessment of privacy safeguards, notwithstanding the fact that technological instruments and civil society activism provide some resistance to surveillance abuse. Digital privacy, according to this corpus of work, runs the risk of becoming a privilege available under selective circumstances rather than a widely recognised right unless it is bolstered by strong legal and ethical protections.
Introduction
In an increasingly digitised world, where enormous amounts of personal information are generated, stored, and processed on a daily basis, there has never been a more pressing need for strong privacy protections.[1] From social media sites to online shopping sites, people unwittingly provide enormous quantities of sensitive information on a daily basis.[2] This increasing digital trail, however, makes individuals vulnerable to abuse of data, surveillance, and exploitation.[3] With information being the lifeblood of the global economy, the question of who processes it and protects it becomes important not only for individuals but also for governments and corporations.[4]
In India, protection of personal data became a major issue in recent years, particularly after the historic Supreme Court Judgment in Puttaswamy, which declared the right to privacy as a constitutional fundamental right.[5] The judgment gave the context to legislative reforms that would govern the way personal data is collected, processed, and used in India. This being the case, the Digital Personal Data Protection Bill (DPDPA), which was introduced in 2023, seeks to address these needs by establishing a legal framework to protect data.[6]
The DPDPA is aimed at harmonizing individual privacy with digital innovation and economic growth. The Act aims at finding a balance between protecting the rights of citizens and allowing businesses to use personal data for business purposes.[7] The Act, however, has created wide controversy. While it promises to fortify privacy protections and rein in corporate data collection activities, it also raises concerns about state overreach, unmonitored surveillance, and corporate exploitation of personal data.[8] Critics feel that the exceptions provided in the bill, particularly those on national security grounds, may invite state surveillance and undermine the very privacy it seeks to protect.[9]
This essay considers whether the DPDPA will actually safeguard privacy or if it will ironically broaden the extent of state-corporate surveillance. By reviewing the law's key provisions, its possible pitfalls, and a comparison with global data protection regimes, we aim to evaluate its ability to find balance between privacy protection and state control. The aim is not to oppose the law but to critically analyze if it will be able to perform its role of protecting the fundamental right of privacy or become a tool of increased surveillance and data exploitation.
The Need for Data Protection
In today's hyper-connected world, individual data is both commodity and currency. Every day, individuals are engaged in activities on the internet that generate vast amounts of personal data. Whether it is browsing history, transaction data, social networking activity, health data, or location tracking, the data paints a rich picture of one's life.[10] Data is now a valuable resource, not only for business organizations trying to customize services and optimize revenues but also for governments and security organs who employ it for safeguarding.[11]
But as this data rises in volume and depth, so does the risk to individual privacy. While the sheer amassing and analysis of information have led to progress in service, convenience, and innovation, they have also opened up channels for exploitation, manipulation, and invasion.[12] Personal data, left uncontrolled, can expose individuals to identity theft, discrimination, and financial deceit. Even more ominously, individuals are becoming increasingly blind to the degree to which their own private data is collected, processed, and being used without direct approval.
Digital Footprint and the Erosion of Privacy
The digital age has changed the manner in which humans interact with the world, but it has also ushered in a new age of threats to privacy. Every click, query, and Facebook post leaves behind a digital track that can be collected and exploited without an individual's knowledge or consent. This growing "digital footprint" has become a double-edged sword. On one hand, it powers the luxury of modern life, allowing personalised experiences and targeted content. On the other, it creates daunting vulnerabilities.
The lack of transparency of data gathering practices, combined with the volume of data being gathered, means that it is nigh on impossible for the average user to fully grasp the implications of surrendering their information. As users, we typically accept terms and conditions without reading them, thereby forfeiting our right to control what is done with our data. This is exacerbated by the complex ways in which companies sell and pass on data to third parties for advertising, profiling, and other commercial uses.[13]
Privacy vs. Convenience: The Trade-off
There is an inherent trade-off between convenience and privacy. Online services and sites, whether social media or online shopping, strive to provide a hassle-free, customized experience to customers. To achieve this convenience, however, customers are asked to give up their personal information. This surrender of privacy is rarely open or explicit, so users unconsciously forgo their private details for the sake of convenience and accessibility.
The paradox is even more apparent when considering how businesses compensate users for generating more content. Free products such as social media, email, and cloud storage operate on a system where the actual cost is not economic but personal. The sites make money from user information by selling it to advertisers, constructing an economy based on the exploitation of personal data. Privacy here is a luxury that customers cannot afford, and it is corporations that profit from data collection.
Global Context: How Other Countries Are Responding
India is not alone in grappling with these concerns. In recent years, countries around the world have been overhauling their data protection laws to confront the increasing dangers presented by digital data. The European Union's General Data Protection Regulation (GDPR), for instance, has emerged as a global benchmark for data protection, setting down stringent rules on how personal data is to be collected, stored, and processed.[14] The GDPR has brought significant transformation in how data has to be processed by companies, such as the requirement of clear consent and the right to erasure, giving individuals greater control over their data.[15]
Similarly, in the United States, while there is no single federal data protection law, individual states like California have passed laws such as the California Consumer Privacy Act (CCPA), which requires businesses to disclose their data collection activities and grants consumers the right to opt out of the sale of their data.[16] These regulations illustrate increasing recognition that personal data protection is vital to safeguarding individual rights in the digital age.
India, with its rapidly growing digital economy and over 600 million internet users, has its unique challenges. While the Puttaswamy Judgment made privacy a constitutional right, the absence of a comprehensive data protection law has allowed companies and state institutions to keep operating in a legal grey area. The DPDPA aims to fill this gap by implementing a regulatory system for data protection and offering clear guidelines on how to deal with data.
A Global Issue, but a Local Challenge
While global experience is essential to learn from, India's particular socio-political and economic context makes data protection a particularly challenging task. A significant percentage of Indians are not even aware of the risks of data abuse, and even most educated people are not aware of their rights when it comes to personal data. Furthermore, India's diverse population, varying levels of digital literacy, and accessibility of technology suggest that many users are likely unaware of the potential impacts of their online behavior.
Besides, India's position as a rapidly growing economy with an emerging technology sector is a unique challenge. On one hand, the privacy of citizens must be protected and companies must be made to adopt ethical data practices. On the other hand, there is an urgent need to encourage innovation, bring in investment, and support the growth of the technology sector. The challenge is how to weigh the privacy of the individual against allowing the digital economy to thrive.
The Objectives of the DPDPA
One of the main objectives of the Act is to give statutory recognition to the fundamental right to privacy. The right was finally settled by the Supreme Court of India in Justice K. S. Puttaswamy (Retd.) v. Union of India, which declared that privacy is intrinsic to the dignity and liberty guaranteed under Article 21 of the Constitution.[17] The DPDPA operationalises this right by placing obligations on data fiduciaries (any entity that collects or processes data) and by granting individuals certain rights over their data. These include the right to access and correct their data, demand erasure in certain circumstances, port data between service providers, and withdraw consent for processing. Together, these steps aim to enhance individual control and ensure data cannot be utilised without informed consent.[18]
To ensure these protections, the DPDPA establishes the Data Protection Board as an independent organization with responsibility for ensuring compliance, investigating breaches, and sanctioning non-compliance. The Board can issue guidance, monitor cross-border transfers, and impose penalties worth billions of rupees for severe breaches. This organisational framework is to ensure that government departments and private firms are all brought within accountability, imparting a degree of regulatory oversight which has been lacking thus far for India's digital economy.[19]
Equally important is the Act's emphasis on corporate accountability. Data fiduciaries will have to operate according to the principles of security, data minimisation, and purpose limitation. These rules restrain organisations from gathering too much information, mandate that it can only be used for clearly defined purposes, and demand effective security practices to prevent breaches or misuse. These obligations are a bid to establish corporate accountability and restrict the potential for exploitation or over-surveillance, a rising anxiety in India's rapidly digitising economy.[20]
Accountability is bolstered by an architecture of remedies and penalties. Non-compliant organisations (i.e., those not appointing a Data Protection Officer, reporting breaches late, or losing sensitive information) are liable for stiff penalties. Importantly, victims whose data have been compromised are eligible for compensation, shifting the burden of responsibility from victims to organisations. These measures are intended to promote proactive compliance and instill a culture of responsibility in data governance.
But the Act also provides concessions to public order and national security. It permits the government to exempt itself from certain of its obligations, such as gaining consent, when it is acting in the interest of law enforcement or security. Although the exemptions are ostensibly designed to serve urgent state purposes, critics argue that they are overly broad and can actually enable surveillance without adequate oversight. Although the law refers to the tests of necessity and proportionality, as established in Puttaswamy, the protections themselves are vague and reinforce fears of abuse.[21]
Generally, the DPDPA's objectives are ambitious: to enshrine privacy as a statutory right, make corporations accountable, provide redress for incursions, and limit state access to information. The success of these objectives in practice will ultimately be contingent on the effectiveness of enforcement measures and moderation exercised by the state in exercising its sweeping exemptions.
Potential Challenges to Privacy
While the Digital Personal Data Protection Act (DPDPA), 2023, hopes to strengthen India's privacy protection, it raises serious concerns about facilitating mass surveillance, corporate exploitation, and the marginalization of vulnerable communities. The following issues highlight where the Act risks failing to match its assurances.
One of the most significant concerns is with regard to the sweeping powers granted to the government under provisions such as Section 35, which allow the state to exempt itself from defined obligations on national security, public order, or law and order grounds. Opponents have criticized such exemptions as legitimizing unchecked mass surveillance, echoing international criticism around programs such as the U.S. National Security Agency's PRISM surveillance.[22] While the Act invokes the proportionality and necessity principles in Justice K.S. Puttaswamy (Retd.) v. Union of India, it lacks specific judicial scrutiny mechanisms, which has been found to be a cause of concern about untrammelled state intrusion.[23] Without judicial intervention, there is a possibility that such provisions will negate the very privacy the Act seeks to protect.
Another frailty is to be found in corporate use of personal data. Although the DPDPA puts in place such requirements as consent, purpose limitation, and minimization of data, it does not attempt to resolve the structural asymmetry between consumers and corporations.[24] Most people lack the bargaining power to negotiate on a level playing field and are typically faced with "take-it-or-leave-it" proposals to utilize services that they need.[25] In practice, consent may be more formalistic than informed, particularly where terms are buried within thick technical jargon. In addition, corporations will continue to exploit loopholes, reusing anonymized or aggregated data to target advertising and construct profiles that users are unaware of or have no influence over. Despite threats of enforcement, large technology companies will generally possess the legal and financial resources to resist enforcement.[26]
The Act's data localisation provisions are also controversial. By mandating that some forms of personal data be kept locally within India, the Act seeks to have domestic legislation upheld and to prevent frauds from being perpetrated abroad.[27] Localisation can increase the cost of doing business for international technology firms, forcing them to create separate infrastructure to conduct business within India. This will deter cross-border innovation in fields like artificial intelligence, medical research, and climate modelling that need large, heterogeneous datasets.[28] Opponents also warn that such requirements will create the "balkanisation" of the internet, fragmenting global data flows and undermining international cooperation.[29]
Finally, the Act's safeguards will not adequately shield vulnerable communities. India's digital divide means that most individuals, especially those from rural or marginalised communities, lack the digital literacy required to understand data rights or privacy risks.[30] In such communities, consent mechanisms are particularly problematic. People may be compelled to surrender data to access welfare schemes, mobile apps, or jobs without knowing the implications. In these contexts, the theoretical rights provided under the DPDPA can do little actual good, with vulnerable groups disproportionately likely to be at risk of exploitation.
Overall, although the DPDPA goes a long way towards protecting personal data, its broad government exemptions, insufficient checks on corporate power, costly localisation requirements, and limited inclusivity present dangers that risk undermining its possibilities. Without better protections, transparency, and sensitivity to marginalized communities, the Act risks becoming an instrument of observation and exploitation rather than empowerment.
Conclusion
In the constantly changing world of digital data and privacy, our thorough look at the "European Union's General Data Protection Regulation (EU GDPR)" and "The Digital Personal Data Protection Act, 2023" has shown us both common concepts and different paths. As we reach the end of our study of the complexity of data protection laws, we get to a crucial point that requires deep thought, change, and commitment from everyone concerned. The EU GDPR has set a high standard for protecting people's privacy rights because it applies to everyone and has a lot of rules. Data protection has changed in a big way because of tight permission requirements, powerful enforcement systems, and an emphasis on giving people more power. India's DPDP Act 2023, on the other hand, shows a commitment to data privacy, but it also has a unique mix of localised data control and big goals. It meets the needs of a nation that is becoming more diverse and more digital. The research has revealed the complex structure of the legal system in question, as well as the nuanced subtleties that arise while navigating the diverse terrain of data-driven society. It is very important to follow cultural norms, uphold ethical standards, and promote responsible data use. People need to understand that their responsibilities go beyond just following the law and include a moral duty as well. AI, the Internet of Things (IoT), and Big Data are all going to change the way we use data in the future. In this time, the merging of technology and privacy will mean that legal and moral rules need to be changed all the time. The fragile balance between innovation and protection requires a shared responsibility by politicians, businesses, engineers, and individuals.
In conclusion, our detailed comparative analysis shows how important privacy is in today's digital world. The preceding assertion contends that trust, innovation, and human rights are contingent upon a fundamental ingredient. The GDPR and the DPDPA of 2023 are two different but linked laws that protect privacy and data. The texts stated above have two purposes: they are legal documents and contracts that bind people to protect, preserve, and use their data responsibly for the betterment of society.
References
[1] Carnegie Endowment for International Peace. “Understanding India’s New Data Protection Law.” 3 October 2023.
[2] DLA Piper. Data Protection Laws of the World – India. 2023.
[3] Al Jazeera. “India passes data protection bill amid surveillance concerns.” 9 August 2023.
[4] PRS Legislative Research. “The Digital Personal Data Protection Bill, 2023.” Bill Track. 2023.
[5] Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., Writ Petition (Civil) No. 494 of 2012, Supreme Court of India (2017).
[6] (n 1).
[7] Saurabh, Shubham. The Digital Personal Data Protection Act of 2023: Strengthening Privacy in the Digital Age. Gujarat National Law University, 2024.
[8] (n 3).
[9] (n 4).
[10] Acquisti, A., Taylor, C., & Wagman, L. (2016). The Economics of Privacy. Journal of Economic Literature, 54(2), 442–492.
[11] Zuboff, S. (2019). The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. London: Profile Books.
[12] Schneier, B. (2015). Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. New York: W. W. Norton & Company.
[13] Tufekci, Z. (2015). Algorithmic harms beyond Facebook and Google: Emergent challenges of computational agency. Colorado Technology Law Journal, 13(1), 203–218.
[14] Voigt, P., & Von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR): A Practical Guide. Springer.
[15] Kuner, C. (2020). The General Data Protection Regulation: A commentary. Oxford University Press.
[16] Goldman, E. (2020). An introduction to the California Consumer Privacy Act (CCPA). Santa Clara Law Review, 59(1), 1–38.
[17] (n 5).
[18] (n 7).
[19] (n 2); (n 4).
[20] (n 1).
[21] (n 3).
[22] Greenwald, G. (2014). No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. New York: Metropolitan Books.
[23] Bhatia, G. (2019). Privacy and surveillance in India: The jurisprudence of Puttaswamy. Indian Law Review, 3(2), 100–118.
[24] (n 1).
[25] Solove, D. J., & Hartzog, W. (2022). The failure of consent. Duke Law Journal, 73(1), 1–62.
[26] Srikrishna, B.N. (2018). A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. Report of the Committee of Experts on Data Protection Framework for India. Government of India.
[27] MeitY (Ministry of Electronics and Information Technology). (2023). Digital Personal Data Protection Act, 2023. Government of India.
[28] Chander, A., & Le, U. (2015). Data Nationalism. Emory Law Journal, 64(3), 677–739.
[29] Aaronson, S. (2019). Data protection and digital trade in the age of AI. Journal of International Economic Law, 22(4), 743–762.
[30] Rao, N. (2020). The digital divide in India: Implications for privacy and inclusion.
Nyayavimarsha
No. 74/81, Sunderraja nagar,
Subramaniyapuram, Trichy- 620020