Digital Personal Data Protection Act, 2023: Key Recommendations and Concerns

Sansad TV


In August 2023, resident Draupadi Murmu gave her assent to the Digital Personal Data Protection Bill, 2023. This Bill addresses the crucial issue of processing digital personal data in a manner that respects individuals’ rights to safeguard their personal information while also acknowledging the need to process this data for lawful purposes.

Need for Data Protection in India:

With approximately 40 crore internet users and 25 crore social media users spending considerable time online in India, the need for data protection is undeniable. The average cost of data breaches in the country has risen to Rs. 11.9 crore, a 7.9% increase from 2017. Furthermore, the Supreme Court, in the KS Puttaswamy case, affirmed data privacy as a fundamental right under Article 21. This underscores the importance of data protection for the following reasons:

Data Export:

Many data storage companies, particularly e-commerce firms holding vast amounts of Indian data, are based abroad and frequently export data to other jurisdictions. This complicates the application of Indian data protection laws.

Data Localization:

Mandating data localization has faced opposition from private entities and their home governments. The involvement of numerous private players in data management makes establishing a uniform data protection framework challenging.

User Consent:

Applications often employ pre-ticked consent boxes when seeking user approval for terms and conditions, potentially infringing on user privacy.

Privacy Breach:

Identifying those responsible for privacy breaches is often a challenging task.

Privacy Laws:

Currently, the usage and transfer of personal data of citizens are governed by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. However, these rules are only applicable to private entities and not government agencies.

Data Ownership:

According to TRAI guidelines, individuals own the data, while data collectors and processors are mere custodians subject to regulations.

India’s Data Protection Bill – Key Recommendations:

  1. Remove the word ‘personal’ from the existing title of the ‘Personal Data Protection Bill’ to encompass non-personal data that has been anonymized.
  2. Revise the section restricting the transfer of personal data outside India, ensuring that sensitive personal data isn’t shared with foreign governments or agencies without central government approval.
  3. Require social media platforms to establish an office in India for their parent company to operate in the country.
  4. Propose the establishment of a separate regulatory body for media oversight.
  5. Impose penalties, including a jail term of up to 3 years, a fine of Rs 2 lakh, or both, for any person re-identifying de-identified data.


  1. Major players in India’s digital economy are primarily based abroad and often export data to other jurisdictions.
  2. The potential loss of economic wealth to MNCs located in the USA.
  3. Insufficient infrastructure in India for efficient data collection and management.

Way Forward:

  1. Advocate data minimization and enhance accountability for data processors and controllers.
  2. Protect personal data collected in the public interest and ensure it is used only for its intended purposes.
  3. Develop the necessary infrastructure for energy, real estate, and internet connectivity to establish India as a global hub for data centers.
  4. Encourage startups to create technology that grants users control over their digital behavior patterns.
  5. Share data with startups to create a level playing field against global data giants.
  6. Promote the development of native internet giants, similar to China’s approach.
  7. Update current data protection rules under the Information Technology Act to align with modern trends.
  8. Implement a robust data protection law akin to the European Union’s General Data Protection Regulation (GDPR).

In conclusion, data protection is essential to balance India’s digital economy’s growth and the use of data for communication while safeguarding individuals’ autonomy from both state and private entity encroachments. India should adopt stringent data protection laws on par with the GDPR enacted by the European Union.