Introduction
There are very few concepts that have undergone such rapid transformation, both in terms of how it’s understood and the level of public awareness, as data privacy. Although the concept is not new, the meteoric growth of personal data collection over the last two decades has completely altered how people, companies, and governments look at privacy.
India’s first comprehensive data privacy law, the Digital Personal Data Protection Act (DPDPA), 2023, was enacted on August 11, 2023
In India, the Supreme Court recognised the fundamental right to privacy on August 24, 2017, in the landmark Puttaswamy v. Union of India case. This decision declared privacy as part of the fundamental right to life and personal liberty under Article 21 of the Constitution Pre-2017 Regulatory Framework: Before this, India’s data privacy framework primarily relied on provisions within the Information Technology Act, 2000 and its amendment in 2008, along with the SPDI Rules, 2011.
Data is a collection of facts, numbers, words, observations or other useful information. Through data processing and data analysis, organisations transform raw data points into valuable insights that improve decision-making and drive better business outcomes
In today’s fast-paced, technology-driven world, data is more than just a collection of numbers and facts—it is a powerful asset that drives decisions, strategies, and growth. Data is the lifeblood of businesses, organisations, and industries, providing valuable insights that fuel everything from day-to-day operations to long-term strategic planning. Data is no longer just an operational byproduct but a critical asset that shapes success.
UNDERSTANDING THE SHIFT FROM ANTITRUST TO PRIVACY
Data privacy concerns apply to all sensitive information that organisations handle, including that of customers, shareholders, and employees. Often, this information plays a vital role in business operations, development, and finances. It is not only limited to protect the privacy of a person using a social media but also extends to a person or a company managing a business. It does not confine to limited roles, the data privacy is also a country’s biggest concern in order to protect their information.
India emphasised to authorise privacy laws with the aim of protecting the fundamental right to privacy under article 21 of the Indian constitution
It recognised the dire need to implement such laws and rules for privacy mainly because of the landmark case Puttaswamy v. Union of India, it transformed the idea from vague law principle to more codified, enforceable fundamental right.
India’s Legal Response to Big Tech’s Data Power
In the age of algorithms and attention, data is power—and with power comes the need for accountability. Around the world, governments are grappling with the sheer influence of Big Tech companies, not just in terms of market dominance, but in the way they collect, store, and monetize our personal data.
India, home to one of the world’s largest digital populations, has responded with a dual-legal framework: the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000. Together, these legislations aim to shift the balance of power back to the user—and redefine the rules of engagement for tech giants.
Digital Personal Data Protection (DPDP) Act, 2023 The law’s primary goal is to:
Empower individuals to control their personal data, Hold data processors accountable, Introduce transparency in how personal data is used. It has some distinct key features that involves
- Consent based processing:Personal data cannot be processed without explicit, informed, and specific consent from the user, except under legitimate grounds.
- Data Protection Board of India:A regulatory body empowered to investigate complaints, impose penalties, and ensure compliance
- Cross-Border Data Transfers:The Act allows international data transfers to notified countries, but with safeguards. This is key for global companies operating in India.
- User Rights:Individuals are given rights such as:
- Right to access information
- Right to correction and erasure
- Right to grievance redressal
Information Technology Act, 2000, Before the DPDP Act, India’s digital legal landscape was governed by the IT Act, designed initially to address cybercrimes and electronic commerce. It focuses on Cybersecurity, Digital signatures and contracts, Offenses like hacking, identity theft, phishing. Section 79: Safe Harbour for Intermediaries, This section offers conditional protection to intermediaries (e.g., Facebook, Twitter, YouTube) from liability for third-party content, provided they: Act as neutral conduits of information, Comply with government takedown requests, Do not knowingly allow unlawful content to thrive.
IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Mandates traceability of messages on platforms like WhatsApp.
- Requires appointment of compliance officers in India.
- Platforms must take down flagged content within 72 hours.
These rules tighten the noose on Big Tech’s laissez-faire attitude toward content moderation and accountability.
Impact on Big Tech Companies
Privacy regulations significantly impact big tech companies by increasing compliance costs, altering data handling practices, and potentially affecting market competition. While these regulations aim to protect user data, they also pose challenges for companies in terms of innovation and global operations. This laws include Increased Compliance Costs, Big tech companies face substantial costs associated with implementing new privacy measures, including updating systems, training employees, and undergoing audits. These costs can be particularly burdensome for smaller businesses trying to compete with larger tech firms, potentially hindering innovation and market entry. Also has Altered Data Handling Practices, Regulations like GDPR and the California Consumer Privacy Act (CCPA) require companies to obtain explicit consent for data collection, limit data usage, and provide users with access to and control over their data. This can lead to changes in how companies collect, store, and use data, potentially impacting their ability to personalise services, target advertising, and develop new products.
CHALLENGES AND CRITICISM
2023, India took a historic step toward strengthening digital rights with the enactment of the Digital Personal Data Protection (DPDP) Act. The Act was heralded as the much-needed shield against the misuse of personal data by both the state and tech giants. But like any ambitious reform, this law hasn’t come without pushback and controversy.
While the law claims to protect individual autonomy in the digital age, experts, civil society, and even industry players have flagged serious concerns. Is the law truly people-centric—or does it leave too much power with the government? Let’s take a closer look.
One of the most significant criticisms of the Digital Personal Data Protection (DPDP) Act, 2023, is its ambiguity in key definitions. Terms such as “legitimate use,” “necessary data processing,” and even “consent” remain vague, especially within the complex structures of today’s digital ecosystems. This lack of clarity opens the door to broad and potentially exploitative interpretations
—whether by overreaching regulators or companies seeking to sidestep user rights. A particularly controversial aspect of the Act is the wide-ranging exemption granted to the Central Government, which allows any of its instrumentalities to bypass provisions of the law in the name of national security, public order, or sovereignty.
This raises a core contradiction: can a law designed to protect individual privacy truly deliver on its promise if the state itself is allowed to sidestep it? Critics argue that this effectively creates a double standard, where private companies are stringently regulated while state agencies operate with near impunity. Another point of concern is the lack of independence of the Data Protection Board of India, the body meant to enforce the law.
Since the Board is appointed and overseen by the central government without adequate judicial or parliamentary checks, its impartiality—especially in disputes involving state surveillance—is in serious doubt. Moreover, while tech giants may absorb the compliance costs, startups and small businesses may find it difficult to implement data processing systems, establish consent frameworks, or meet future obligations such as appointing Data Protection Officers. This could hamper digital innovation and create barriers for India’s thriving startup ecosystem.
Perhaps the most pressing concern, however, is the potential for unchecked state surveillance.
While the Act imposes strict responsibilities on private entities, it sets no clear limitations on how the government may collect or use personal data. Without a separate and strong legal framework to oversee surveillance, many fear the DPDP Act could inadvertently legitimize mass data collection by the state under vague pretexts like “national interest.” Together, these criticisms highlight the urgent need for transparency, accountability, and balance between privacy protection and state power.
Conclusion
India’s Digital Personal Data Protection Act, 2023 is undoubtedly a monumental step in formalising the right to privacy in a digital economy. For the first time, there exists a legal framework that defines how personal data must be collected, stored, and processed, offering citizens a say in how their digital identities are handled. It aligns with global trends and responds to the growing power imbalance between individuals and data-driven corporations.
However, the success of any privacy regime lies not just in its legislative intent but in how fairly and transparently it is implemented. The DPDP Act, while progressive in its spirit, still raises serious concerns about accountability, oversight, and state power. The exemptions granted to government bodies, the limited independence of the Data Protection Board, and the silence around surveillance oversight create a legal structure where privacy protections may be selectively applied. This duality weakens the very foundation of user trust that the law seeks to build.
Equally important is the law’s impact on business innovation. While Big Tech firms can afford compliance infrastructure, startups and small enterprises may find the new rules burdensome, particularly in the absence of robust guidance and support. For India to become a global data economy, it must strike a balance between user protection and ease of doing business. Privacy must not become a privilege that only the powerful can enforce or afford.
Ultimately, privacy is more than a right—it is a reflection of the relationship between individuals, society, and the state. In the age of AI, algorithmic profiling, and surveillance capitalism, a robust privacy framework is not just a safeguard—it’s a necessity for democracy. The DPDP Act lays the groundwork, but the real test lies ahead—in how the law is interpreted, enforced, and challenged. Privacy cannot be a paper promise. It must be a lived right—backed by law, defended by institutions, and upheld by society.
