What is Data Privacy?
Data Privacy refers to the right of individuals to control how their personal information is collected, used, stored, and shared by organisations. It is a fundamental aspect of individual autonomy and dignity in the digital age. In the Indian context, the Supreme Court recognised the right to privacy as a fundamental right under Article 21 of the Constitution in the landmark K.S. Puttaswamy v. Union of India (2017) judgment — a unanimous decision by a nine-judge bench that overruled earlier judgments in M.P. Sharma (1954) and Kharak Singh (1962).
India enacted the Digital Personal Data Protection Act, 2023 (DPDPA) — receiving Presidential assent on 11 August 2023 — to provide a comprehensive framework for the processing of digital personal data. The Act recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes. It applies to digital personal data processed within India, as well as data processed outside India if it relates to offering goods or services to individuals in India.
The DPDPA introduces key roles: Data Principals (individuals whose data is processed), Data Fiduciaries (entities that determine the purpose and means of processing), and Significant Data Fiduciaries (large entities handling sensitive or voluminous data, identified by the Central Government based on volume, sensitivity, and risk). The Act establishes the Data Protection Board of India (DPBI) as the adjudicatory body for enforcement, breach determination, and grievance redress. Consent must be "free, specific, informed, unconditional and unambiguous" and communicated through clear affirmative action.
Key Features
| # | Feature | Details |
|---|---|---|
| 1 | Consent-Based Processing | Consent must be free, specific, informed, unconditional, and unambiguous |
| 2 | Data Principal Rights | Right to access, correction, erasure, grievance redress, and consent withdrawal |
| 3 | Data Fiduciary Obligations | Must provide privacy notice, ensure data security, report breaches |
| 4 | Breach Notification | Mandatory reporting of breaches to DPBI and affected individuals |
| 5 | Children's Data | Verifiable parental consent required; behavioural tracking of children prohibited |
| 6 | Cross-Border Transfer | Permitted to all countries except those restricted by Central Government notification |
| 7 | Penalties | Up to Rs. 250 crore for non-compliance; Rs. 200 crore for breach notification failure |
| 8 | Government Exemptions | Exemptions for national security, public order, crime prevention, and sovereignty |
Application in Governance / Case Studies
Aadhaar and Privacy: The Aadhaar programme, which collects biometric and demographic data of over 1.4 billion residents, has been at the centre of India's data privacy debate. The Puttaswamy judgment (2017) established privacy as a fundamental right, and the Aadhaar judgment (K.S. Puttaswamy v. Union of India, 2018) upheld the Aadhaar Act but struck down Section 57, limiting private sector use of Aadhaar data.
The EU's General Data Protection Regulation (GDPR, 2018) has served as a global benchmark for data protection. India's DPDPA draws some parallels — such as consent requirements and data principal rights — but takes a more government-friendly approach with broader exemptions for state agencies and does not include a right to data portability.
Data breaches involving government databases (e.g., reported leaks from the CoWIN vaccination portal in 2023) have underscored the urgency of robust enforcement. The establishment of the DPBI and notification of rules are critical steps in operationalising the Act.
The Justice B.N. Srikrishna Committee (2018) had earlier submitted the Personal Data Protection Bill, 2018, which included provisions on data localisation and a Data Protection Authority — some of which were not carried forward into the final 2023 Act.
UPSC Exam Corner
Prelims: Key Facts
- Right to privacy is a fundamental right under Article 21 (Puttaswamy, 2017, 9-judge bench)
- DPDPA enacted on 11 August 2023
- Key roles: Data Principal (individual), Data Fiduciary (processor), Significant Data Fiduciary (large processor)
- Data Protection Board of India (DPBI) is the enforcement body
- Maximum penalty: Rs. 250 crore
- Justice Srikrishna Committee (2018) submitted the earlier data protection framework
- GDPR (EU, 2018) is the global benchmark
Mains: Probable Themes
- Analyse the key provisions of the DPDPA, 2023 and its impact on digital governance
- Discuss the tension between national security and data privacy in India
- Compare India's DPDPA with the EU's GDPR — strengths and limitations
- How does the right to privacy shape the ethical use of technology in governance?
- Evaluate the adequacy of government exemptions under the DPDPA
Sources: DPDPA 2023 — MeitY, PRS India — DPDP Bill 2023