In today’s digitally driven world, data privacy has emerged as a cornerstone of individual rights and societal well-being. With the proliferation of digital transactions, educational admissions, healthcare services, and property dealings, the collection and handling of sensitive personal data have become unavoidable. However, this vast repository of information is often susceptible to misuse, creating significant risks for individuals. Recognizing these challenges, the Ministry of Electronics and Information Technology (“MeitY”) introduced the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its accompanying Rules, drafted on January 03, 2025. This legislative framework aims to balance innovation with robust data protection measures. The DPDP Act introduces groundbreaking provisions such as explicit parental consent for processing children’s data and stringent requirements for safeguarding sensitive data like financial records and health information. It aligns with global data privacy status & methods, particularly the European Union’s General Data Protection Regulation (“GDPR”), in catering to India’s unique socio-economic landscape.This research paper delves into the DPDP Act’s key features, including its focus on data principals’ rights, obligations of data fiduciaries, and mechanisms for redressal in case of breaches. It also explores the broader implications for businesses and institutions, especially in the financial and healthcare sectors, which increasingly rely on digital agreements and transactions. The paper critically examines the act’s capacity to mitigate privacy risks amidst concerns over government oversight and enforcement.Furthermore, a comparative analysis is conducted between the DPDP Act and international data protection frameworks, with a focus on the GDPR, the California Consumer Privacy Act (“CCPA”), and other prominent privacy laws. This analysis provides insight into how India’s approach aligns with and diverges from global best practices, and the potential challenges of harmonizing international data protection standards.Ultimately, the study underscores the DPDP Act’s potential to shape India’s data protection regime, fostering trust in digital ecosystems while addressing the pressing need for accountability in an era where data is both an asset and a vulnerability.
Key words: Data Privacy, Fiduciaries, Privacy Laws, GDPR.
INTRODUCTION
As technology is developing at unprecedented pace in this interconnected digital age, data plays a pivotal role in innovation as well as in economic growth of the individuals. Every digital or online interaction contains digital footprints which are derived from the data incurred by the individuals who usually get involved in e-commerce, online banking or transactions, using cashless payment applications or taking healthcare schemes such as life insurance or health insurance policies. Such data are coined as sensitive personal data which can be forged or challenge the privacy of the person by intermediating that data. With the growth of digital facilities, it is quite difficult to secure the personal or primary data which needs to be filled for enjoying the perks of the internet. However, global regulations GRDP & Indian regulation DPDP Act tries to confront these critical challenges by imposing the landscape of the issue faced and balancing utility of these perks which needs to be protected by proper authority[1]. It also made efforts to dive into web security to safeguard data privacy, examining the mechanism of interplay between societal needs, technological advancements & aspects of legal framework by spotting gaps & required recommendations. Many inquisitive individuals had expected that the rules would broaden the DPDP Act’s justification in regards with the process of personal data[2]. Nevertheless, the consent-centric framework is unaltered because the rules didn’t elaborate new basis for commercial companies to process non- consent. By offering fresh guidelines for consent notices, the rules support the consent first strategy which must provide independent information of others, necessitating a modification in the practice of amalgamating consent with acceptance of terms & conditions[3]. It’s still unclear if this only makes an entreaty to data that has been accumulated or if it is applicable to data obtained from behavioural monitoring. Despite this uncertainty, companies should make building thorough data inventories a top priority in order to guarantee compliance and lucidity. Additionally, these inventories will aid the creation of concise and understandable consent notifications[4]. The Indian government has made draft regulations available for public review 16(sixteen) months after DPDP Act was commenced. These regulations are intended to operationalize & elucidate important legal requirements[5]. However, no grounds are available to revoke consent if it was not the base for processing personal data & the processing was carried out for a legitimate purpose, with the unusual situations as mentioned under Section 7(a) of the DPDP Act which requires voluntary consent to process personal sensitive data. Processing of personal information outside India is governed by Rule 14 of the DPDP Rules. As it declares the limitations & compliance criteria set by the Indian government will apply to the collection & usage of private data protected by DPDP Act.[6] Further the central government is currently in charge of defining and enforcing these standards & prohibitions as they are not yet specified in the draftDPDP Rules. At the first presentation of the DPDP Act, 2023 it faced a lot of market speculation as the central government had compiled it as a ‘negative list’ as the other authorities of several nations use the personal data but determined countries forbid from transferring or treating personal data[7].
[1]Sarif, S. M. (2024). Complete set of the journal. IIUM Journal of Case Studies in Management, 15(1).
[2]Ibid.
[3]Ibid.
[4]Ibid.
[5]Ibid.
[6]Malhotra, C., & Bhilwar, A. (2023). Striving to build citizens’ trust in the digital world. In Routledge eBooks (pp. 141–161).
[7]Ibid.