Despite its wide-reaching implications, there has been little debate or discussion about the Digital Personal Data Protection Act and its rules among Goan enterprises, activists, and media circles
In today’s knowledge economy, power stems from having the right information, in the right amount, at the right time. Information, which is essentially processed data, has become the fuel driving the modern digital revolution. Often referred to as the ‘new oil’ of the Information Age, data powers technological advancements, just as oil powered the industrial revolution.
This isn’t an exaggeration. Over the past few decades, Information and Communication Technology (ICT), propelled by data, has created multimillion-dollar empires and elevated countless individuals to new heights of success. At the same time, data has also been a double-edged sword. Cybercrimes, fuelled by the misuse of data, have disrupted lives, toppled enterprises, and shaken organisations to their core. It’s clear that data, as one of today’s most valuable resources, holds immense potential and poses significant risks.
The misuse of personal data is a growing concern. Over the years, opportunistic organisations across the globe have unscrupulously exploited individuals’ personal data—from location and finances to contacts and health details—for their business advantage. Worse still, this often happens without the data owner’s knowledge, leaving their privacy vulnerable and at risk.
To address these challenges, nations worldwide have implemented data protection laws. Notable examples include the European Union’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA), China’s Personal Information Protection Law (PIPL), and the US Privacy Act of 1974. India joined this global effort with the enactment of the Digital Personal Data Protection Act (DPDP) 2023 in November 2023. This landmark law aims to empower individuals with greater control over their personal data and regulate how organisations handle it.
On January 3, 2025, the Indian government released draft rules for implementing the DPDP Act and invited public feedback, with a deadline of February 18. This presents a crucial opportunity for citizens to shape the final version of the law, ensuring it aligns with public interest and safeguards personal data effectively.
As the name suggests, the Digital Personal Data Protection Act 2023 focuses on the ‘protection’ of ‘personal’ ‘data’ in ‘digital’ formats. A notable aspect of the law is its inclusive language, as it the first law in India which consistently refers to individuals as ‘she’ throughout the text, marking a departure from the traditionally used ‘he’.
The law’s definition of ‘person’ is comprehensive, encompassing individuals, Hindu undivided families, companies, firms, associations (whether incorporated or not), the State, and other artificial juristic entities. This means that everyone, from individuals to businesses and government entities connected to the digital world, falls under the ambit of this law.
Surprisingly, despite its wide-reaching implications, there has been little debate or discussion about the DPDP Act and its rules among Goan enterprises, activists, and media circles.
The DPDP law centers on two critical concepts: the ‘data fiduciary’ and the ‘data principal’.
A data fiduciary refers to any entity—a company, government body, organisation, or individual—that collects, processes, or uses personal data digitally. Social media platforms, e-commerce websites, online food delivery apps, for that matter every website or application handling user data fall into this category.
On the other hand, the data principal is the individual entity i.e. you and me or even an enterprise whose personal data is being handled by the data fiduciary.
Under the DPDP Act, data fiduciaries have a duty to protect the personal data entrusted to them by data principals. Personal data cannot be used without the explicit consent of the data principal. The law underscores the importance of safeguarding personal data in the digital realm, proposing steep penalties of up to Rs 250 crore or more for violations. To oversee its implementation, the law envisages the establishment of a fully digital and first-of-its-kind Data Protection Board in India. Additionally, it proposes guidelines for data exchange with other countries, further strengthening data security.
The DPDP Act envisions data fiduciaries as trustees of personal data, responsible for handling it with the same diligence and seriousness as trustees managing valuable assets. This trustee-like relationship highlights the importance of protecting personal data in today’s interconnected world.
One of the standout features of the law is its emphasis on safeguarding children’s personal data. For minors under 18, verifiable parental consent will be mandatory for using online platforms that collect or process their data. The law also prohibits processing personal data that could harm a child’s well-being, as well as tracking, behavioural monitoring, or targeted advertising directed at children. If implemented effectively, these provisions could provide significant relief to parents concerned about mobile addiction and potential online risks for their children.
The Indian government has set an ambitious timeline of approximately two years to implement the DPDP Act across all online platforms and domains. Once fully operational, the law promises to revolutionise how personal data is managed and protected in India, ushering in a new era of digital trust and accountability.
The DPDP Act 2023 is not just a regulatory measure; it’s a step toward ensuring that individuals’ privacy is respected and their data is handled responsibly. By addressing the challenges of the digital age, this law has the potential to empower citizens and foster a culture of trust in the online world. However, its success depends on effective implementation and active participation from all stakeholders—citizens, businesses, and government alike.
(Sangeeta Naik is an IT professional based in Goa.)
