The Digital Personal Data Protection Act (DPDPA), 2023 – which was passed in the Rajya Sabha – has now become a law. It received presidential assent
However, it appears that the law is impeded by several fundamental flaws, which are likely to prevent it from fulfilling the purported objectives that were sought to be achieved when it was being drafted as a data protection and privacy law. More importantly, the law may ultimately be seen as a tool through which the government will be able to circumvent the already scant mechanisms that are available to individuals with regard to their ability to exercise informational autonomy and ensure the privacy of their personal data.
The initial Digital Personal Data Protection Bill was prepared and delivered to the Ministry of Electronics and Information Technology (MeitY) by an expert committee headed by Supreme Court Justice B.N. Srikrishna in 2018. This happened after a year of deliberations and changes since the need for a privacy law was articulated in the landmark 2017 judgment of Justice K.S. Puttaswamy v. Union of India. In the ruling, the Supreme Court bench held privacy as a fundamental right protected under Article 21 of the constitution.
Both the letter and spirit of the law have seen several deviations since that time. However, the 2018 draft Bill, for instance, recognised the importance of appropriately classifying data, affording special consideration to protect personal data which is deemed sensitive in nature. The most recent iteration of the law however does not make a distinction between personal data and sensitive personal data, nor does it afford any additional consideration to adequately protect such data.