Challenges and Criticisms: The Digital Personal Data Protection Act, 2023

Challenges and Criticisms of the Digital Personal Data Protection Act, 2023

1. Broad Government Exemptions & Surveillance Risks

  • Grants sweeping powers to exempt government agencies from compliance, raising surveillance concerns.

  • Lacks proportionality and necessity safeguards compared to global standards like GDPR.

2. Weak Institutional Independence

  • The Data Protection Board (DPB) is appointed and controlled by the central government.

  • Raises questions about neutrality and effectiveness in acting against state entities.

3. Compliance Burden on SMEs

  • SMEs and startups may struggle with the costs of implementing consent frameworks, audits, and grievance systems.

  • Could tilt the field in favor of larger corporations with more resources.

4. Ambiguities in Definitions & Rights

  • Terms like “legitimate use” and “reasonable purposes” are vague, creating scope for misuse.

  • Missing rights such as data portability and the “right to be forgotten.”

5. Cross-Border Data Transfers

  • No clear localization mandate; instead, transfers depend on a “notified countries” list with undefined criteria.

  • Creates uncertainty for international businesses handling Indian data.

6. Enforcement & Compensation Gaps

  • Penalties go to the government, not directly to affected individuals.

  • Questions remain about the DPB’s technical capacity and resources for effective enforcement.

7. Low Awareness

  • Surveys show very low levels of understanding of the Act among both consumers and organizations.

  • Risk of “consent fatigue” with long, unreadable terms and conditions.

8. Tension Between Regulation & Innovation

  • Stricter consent requirements may slow innovation in AI, fintech, and digital payments.

  • Concerns that regulation could hinder India’s fast-growing tech sector.

The Digital Personal Data Protection Act, 2023 faces significant criticism for its approach to privacy, government powers, and practical implementation.

Major Challenges

  • Broad Government Exemptions: The Act grants the central government wide authority to exempt itself and certain agencies from key provisions in the name of national security or public order, without robust checks. This raises concerns of unchecked mass surveillance and the risk of state overreach.

  • Impact on Right to Information (RTI): Amendments to the RTI Act allow the government to deny disclosure of personal information more broadly. Critics argue this could reduce transparency and foster corruption by concealing financial and public records of officials.

  • Weak Accountability and Board Independence: The Data Protection Board, intended to enforce the Act, is appointed and controlled by the government, raising fears it may not act independently, especially when handling state violations.

  • Hazy Rules for Cross-border Data Transfers: There is insufficient clarity on how data will be protected when transferred internationally, especially where destination countries may have weaker privacy standards.

  • Limited Protection of Individual Rights: The Act mainly focuses on the mechanics of data processing over individual rights. There is limited scope for individuals to challenge automated decisions, and informational notices to users lack vital details like data retention, sharing, or international transfers.

  • No Compensation for Breach Victims: While organizations can be penalized for data breaches, there is no provision for direct compensation to data subjects affected by such breaches.

Additional Criticisms

  • Complex Rule-making and Legal Uncertainty: The Act defers many crucial issues to rules to be formulated later by the government, creating uncertainty about future rights and obligations.

  • Insufficient Attention to Marginalized Groups: Critics note the law missed an opportunity to bolster privacy for vulnerable segments, offering limited specific protections for marginalized or at-risk populations.

  • Transparency and Consent Issues: Requirements for informing users are minimal; companies can collect consent without fully notifying individuals about how their data will be used or shared.

  • Potential for State Surveillance: The broad powers and exemptions may inadvertently or deliberately facilitate increased government surveillance, undermining the law’s stated goal of empowering citizens.

While the DPDP Act, 2023 advances India’s data protection framework, concerns remain about privacy safeguards, government overreach, regulatory certainty, and the limited emphasis on individual rights and transparency.

While the Digital Personal Data Protection Act, 2023 (DPDP Act) is a significant step forward for India, it has faced several challenges and criticisms from privacy advocates, legal experts, and civil society organizations. The primary concerns revolve around broad exemptions, the concept of “deemed consent,” and the structure of the new regulatory body.

1. Broad Exemptions for the Government

One of the most significant criticisms is the extensive power the Act gives to the Central Government to exempt its agencies from key provisions.

  • National Security and Public Order: The Act allows government agencies to process personal data without the data principal’s consent for purposes like national security, public order, and the prevention of offenses.
  • Risk of Surveillance: Critics argue that these broad, vaguely defined exemptions could enable a surveillance state, allowing the government to collect and retain vast amounts of citizen data without adequate checks and balances or accountability. This potentially undermines the fundamental right to privacy established by the Supreme Court.
  • No Right to Information: The Act amends the Right to Information (RTI) Act, allowing government entities to deny requests for personal information, which critics say could reduce government transparency and accountability.

2. The Concept of “Deemed Consent”

The Act introduces the concept of “deemed consent,” which allows for the processing of an individual’s data without their explicit consent in certain situations. While the Act’s purpose is to streamline data processing for legitimate uses, it has raised concerns.

  • Circumventing Explicit Consent: Critics argue that “deemed consent” can be used to bypass the principle of explicit, informed consent, which is a cornerstone of data protection. The Act allows for data processing when it’s “necessary for a legitimate use” as prescribed, which some believe is too broad.
  • Examples: The Act deems consent for various purposes, including employment, medical emergencies, and the provision of state services. While some of these are understandable, the lack of a precise definition for “public interest” or “fair and reasonable purposes” could be misused, allowing for data processing without a clear, specific legal basis.

3. Independence of the Data Protection Board

The Data Protection Board of India (DPB) is the central regulatory body for enforcing the Act, but its structure and powers have been a source of concern.

  • Government Control: The DPB’s members, including the Chairperson, are appointed and can be removed by the Central Government. Critics fear this could compromise the Board’s independence and make it susceptible to political influence, hindering its ability to hold government agencies accountable.
  • Adjudicatory vs. Regulatory Role: The DPB is primarily an adjudicatory body, focused on hearing complaints and imposing penalties, rather than a proactive regulator with the power to issue binding rules or guidelines. This could limit its ability to effectively enforce data protection principles and preemptively address data misuse.
  • Limited Rule-Making Power: The Act gives the Central Government the power to make many of the rules and regulations needed to operationalize the law, which some see as an excessive delegation of legislative power to the executive branch.

4. Other Criticisms

  • No Right to Portability or Right to be Forgotten: Unlike data protection laws in other jurisdictions, such as the EU’s GDPR, the DPDP Act does not grant data principals the specific rights to data portability or the right to be forgotten (right to erasure).
  • Penalties on Individuals: The Act uniquely imposes a penalty of up to ₹10,000 on a data principal for making a false or frivolous complaint. This has been criticized for potentially discouraging individuals from raising legitimate concerns about data misuse.
  • Vague Definitions: Key terms like “significant data fiduciary” and “lawful purpose” are not precisely defined in the Act itself, leaving their interpretation to the government and future rules, which creates uncertainty for businesses and individuals.

The Digital Personal Data Protection Act, 2023 (DPDP Act), while a significant step toward data protection in India, has faced several challenges and criticisms. Below is a detailed breakdown based on available information and analysis:

Challenges:

  1. Delayed Implementation:
    • The DPDP Act was passed on August 9, 2023, and received presidential assent on August 11, 2023. However, as of September 2025, the full implementation is still in progress.
    • Draft rules were released in August 2024 for public consultation, but final rules and operational guidelines are yet to be fully notified. This delay creates uncertainty for businesses preparing for compliance.
    • The Data Protection Board, a critical enforcement body, is still in the process of being established, slowing down grievance redressal and oversight mechanisms.
  2. Compliance Burden for Businesses:
    • Small Businesses and Startups: The Act imposes significant compliance requirements, such as appointing Data Protection Officers, implementing consent mechanisms, and ensuring robust cybersecurity. Small enterprises with limited resources may struggle to meet these standards.
    • Significant Data Fiduciaries: Entities classified as Significant Data Fiduciaries face stricter obligations (e.g., audits, impact assessments), but the criteria for designation remain unclear, complicating compliance planning.
    • Cost Implications: Implementing technical and organizational changes (e.g., data encryption, consent management systems) can be costly, particularly for sectors like fintech, health, and e-commerce that handle large volumes of sensitive data.
  3. Ambiguity in Key Provisions:
    • Terms like “reasonable security safeguards” and “legitimate uses” lack precise definitions, leaving room for interpretation until detailed rules are finalized.
    • The process for cross-border data transfers, including restrictions on certain countries, awaits government notification, creating uncertainty for global businesses.
    • Exemptions for government agencies and specific use cases (e.g., research, startups) are vaguely defined, leading to potential misuse or inconsistent application.
  4. Technological and Operational Challenges:
    • Consent Management: Obtaining free, informed, specific, and unambiguous consent, especially for children’s data (requiring parental verification), is complex and resource-intensive.
    • Data Localization and Transfer: While the Act allows cross-border data transfers, potential restrictions on certain countries could disrupt operations for multinational companies.
    • Data Breach Preparedness: Organizations must implement robust mechanisms to detect, report, and mitigate data breaches, which requires significant investment in cybersecurity infrastructure.
  5. Capacity Building:
    • The Data Protection Board and other regulatory bodies need adequate staffing, expertise, and infrastructure to enforce the Act effectively.
    • Limited awareness among individuals and businesses about their rights and obligations under the Act hinders effective implementation.

Criticisms:

  1. Government Exemptions and Surveillance Concerns:
    • The Act provides exemptions for government agencies and law enforcement for purposes like national security, public order, and crime prevention. Critics argue these exemptions are overly broad and lack sufficient oversight, potentially enabling unchecked surveillance.
    • The absence of independent checks on government access to personal data raises privacy concerns, especially given India’s history of data requests for law enforcement purposes.
  2. Weak Accountability Mechanisms:
    • The Data Protection Board, responsible for enforcement, is appointed by the government, raising questions about its independence compared to global standards like the GDPR’s independent data protection authorities.
    • Critics argue that the Board’s limited powers (e.g., no proactive investigative authority) may weaken its ability to address systemic violations.
  3. Limited Rights for Data Principals:
    • While the Act grants rights like access, correction, and erasure, it lacks provisions for advanced rights like data portability (seen in GDPR) or automated decision-making transparency, limiting user control.
    • The right to withdraw consent is provided, but practical implementation (e.g., seamless data deletion across systems) may be challenging for users.
  4. Impact on Innovation:
    • Stringent requirements for data processing, especially for children’s data and targeted advertising, may restrict innovation in sectors like edtech, gaming, and digital marketing.
    • The prohibition on behavioral tracking for minors could disrupt business models reliant on personalized advertising, prompting criticism from industry stakeholders.
  5. Inadequate Public Consultation:
    • The Act’s development faced criticism for limited stakeholder engagement compared to earlier drafts (e.g., the 2018 and 2019 bills). The 2022 draft was withdrawn after significant feedback, and the 2023 version was seen as rushed by some privacy advocates.
    • The draft rules released in August 2024 have been under consultation, but critics argue the timeline for feedback was insufficient for such a complex law.
  6. Alignment with Global Standards:
    • While the DPDP Act draws inspiration from frameworks like GDPR, critics note it falls short in areas like data portability, mandatory data breach notifications to individuals, and independent regulatory oversight.
    • The lack of clarity on cross-border data transfers may complicate India’s pursuit of “data adequacy” status with jurisdictions like the EU, affecting global trade.

Broader Implications:

  • For Businesses: The challenges and criticisms highlight the need for clear guidelines and government support (e.g., compliance templates for SMEs). Companies must proactively invest in compliance infrastructure despite ambiguities.
  • For Individuals: While the Act empowers users with rights, the effectiveness depends on awareness and accessible grievance mechanisms. Privacy concerns persist due to government exemptions.
  • For Policy: Addressing criticisms requires refining rules, strengthening the Data Protection Board’s independence, and balancing privacy with innovation and security needs.