ISME

Explore - Experience - Excel

They’ve Been Selling Your Secrets: India’s DPDP Act Finally Fights Back! – Geeta Ashok

Medium Link: https://medium.com/@geetaashok/theyve-been-selling-your-secrets-add7856005b1

Course Relevance: Banking Operations – B. Com – 2nd Semester (SEP) and Banking Law and Practice – BBA – 5th Semester (NEP)

Academic Concept:

Digital Personal Data Protection focuses on safeguarding personal information collected, stored, and processed by organisations. The DPDP Act introduces a legal framework to protect individuals’ digital identities and to regulate how organisations use personal data. This is especially relevant to banks and other financial institutions, which collect an individual’s data as part of identification and KYC procedures and hold it for long periods.

1. Digital Personal Data Protection and Privacy

  1. Meaning and importance of personal data in the digital environment.
  2. Protection of digital identity and individual privacy rights.
  3. Regulation of collection, storage, and processing of personal information.
  4. Need for privacy protection in apps, websites, and online platforms.
  5. Balancing technological innovation with individual data security.

2. Data Principal and Data Fiduciary Relationship

  1. Understanding the roles of Data Principal and Data Fiduciary.
  2. Data ownership and individual control over personal information.
  3. Responsibilities of organisations handling user data.
  4. Trust-based relationship between individuals and businesses.
  5. Accountability of organisations for responsible data processing.

3. Consent Management and Data Rights

  1. Importance of informed, specific, and meaningful consent.
  2. Right of individuals to access their personal data.
  3. Right to correct inaccurate information.
  4. Right to withdraw consent and request data deletion.
  5. Role of consent managers in controlling data usage.

4. Data Governance, Compliance and Regulation

  1. Importance of structured data management practices.
  2. Obligations of organisations under data protection laws.
  3. Data security safeguards and breach reporting mechanisms.
  4. Role of Data Protection Board in enforcement.
  5. Impact of penalties and regulatory compliance on businesses.

5. Digital Ethics and Cybersecurity

  1. Ethical challenges in collection and use of personal data.
  2. Importance of cybersecurity controls for data protection.
  3. Prevention of misuse and unauthorised access to information.
  4. Responsible use of technology and digital platforms.
  5. Building trust and transparency in the digital ecosystem.

Teaching Notes

  • Discuss how everyday applications collect user information.
  • Explain how personal data can affect privacy and security.
  • Compare traditional privacy concepts with digital privacy.
  • Highlight the need for legal protection of digital information.
  • Encourage students to analyse their own digital data footprint.
  • Explain the relationship between technology and ethical responsibility.
  • Discuss cybersecurity practices for protecting personal data.
  • Analyse risks associated with misuse of digital information.
  • Encourage discussion on privacy versus innovation.
  • Highlight the importance of responsible digital behaviour.
  • What are the implications for banks in India?

Learning Objectives

Students will be able to:

  • Define the concept of digital personal data.
  • Explain the importance of privacy protection.
  • Identify different forms of personal information.
  • Analyse risks related to data misuse.
  • Understand the purpose of data protection laws.
  • Differentiate between Data Principal and Data Fiduciary.
  • Explain the responsibilities of data-handling organisations.
  • Evaluate the importance of accountability in data processing.
  • Analyse trust issues in digital services.
  • Understand the rights and responsibilities of stakeholders.
  • Understand ethical issues in digital technology use.
  • Explain cybersecurity measures for data protection.
  • Analyse privacy challenges in digital platforms.
  • Evaluate responsible technology practices.
  • Develop awareness about secure digital behaviour.
  • Understand the implications for banks.

Introduction:

Every app you have ever trusted with your name, number, and location has been playing by rules that barely existed. That has just changed.

Try to recall the last time you signed up for a food delivery app. You would have handed over your personal details: your name, phone number, home address, and sometimes even your real-time location. All of this would have happened in under two minutes. Many of us do not read what we are agreeing to. And, until recently, Indian law had no dedicated provision governing what those companies could do with the data they collected from us.

This changed in August 2023, when Parliament passed the Digital Personal Data Protection Act, or the DPDP Act. It is one of the most important pieces of technology legislation that India has ever seen. You can understand it as India’s answer to Europe’s GDPR, but one designed for the Indian context. So let us understand it better.

Key Scope: The DPDP Act applies to an individual’s digital personal data that is processed within India. It also applies to processing outside India when it is connected with offering goods or services to people in India. If a company has your data, this law is likely to cover it.

So, What Is “Personal Data”?

Before we get into the law, let us understand what personal data is. Personal data is any information about an individual who can be identified by, or in relation to, that information. This includes obvious items such as your name, phone number, email and date of birth, but also less obvious items like your IP address, browsing history, or even the way you type on a keyboard. Basically, if a piece of information can identify you as a person, it is your personal data.

The DPDP Act protects your personal data when it exists in digital form, whether it was originally collected digitally or was later digitised. So if physical records were typed up and stored online, they are also covered by this Act. Purely offline paper records are not.

The Big Players: Who Does What?

Under this law there are two main parties. The first is the Data Principal, which is you, the individual whose data is being collected. The Act places the individual at the centre of the relationship: it is your data, and the rights under the Act belong to you. The second is the Data Fiduciary, which is the organisation that decides why and how your data is processed. It holds the data in trust, as a fiduciary would hold your money. The word choice is deliberate: the organisation is expected to handle your data responsibly, not exploit it.

A third party introduced by this Act is the Consent Manager. Consent Managers are platforms registered with the Data Protection Board that help you give, manage, review and withdraw your consent across different services. Think of it as a dashboard giving you an overview of who holds your data and letting you decide whether they may continue to hold it or must stop. This is a genuinely novel addition to Indian law.

The Golden Rule: Consent

The heart of the Act is consent. Companies cannot collect or use your personal data without your free, specific, informed and unambiguous consent for a stated purpose. Consent buried in lengthy terms, or bundled so that you must accept everything before using an app, does not meet this standard. The Act requires real, meaningful consent, which means the company must give a clear notice explaining what data it collects, why it collects it, and how you can withdraw consent or raise a complaint.

There is an interesting aspect to this Act. You can withdraw your consent at any time, and withdrawing must be as easy as giving it. Once you withdraw, the company must stop processing your data within a reasonable time (and make its processors stop too), and unless it has a legal reason to keep the data, it must delete it. That is a huge shift from the earlier reality, in which old data often sat quietly on servers forever. One caveat: withdrawal does not undo processing that was lawfully done before you withdrew.

Note: In a few cases, consent is not needed. The Act calls these “legitimate uses”: for example, when you yourself voluntarily gave the data for a specific purpose, when the State uses data to deliver a subsidy or benefit or for law enforcement, in a medical emergency, or for certain employment-related purposes. These are narrow exceptions provided by the Act and are not loopholes for corporations.

Your Rights Under The Act:

As a Data Principal, you now have legally protected rights. This includes the following:

1.  Right to Access: You can ask any organisation what personal data it holds about you, how it is being processed, and with whom it has been shared, and receive a clear summary.

2.  Right to Correction: You can have inaccurate or incomplete personal data corrected or updated.

3.  Right to Erasure: You can ask an organisation to delete your personal data once the purpose for which it was collected has been served, unless the law requires it to be retained.

4.  Right to Withdraw Consent: You can withdraw consent at any time, as easily as you gave it. The company must then stop processing your data within a reasonable time; processing already done lawfully before withdrawal is not affected.

5.  Right to Grievance Redressal: You can raise a complaint with the organisation first and, if it is not resolved, escalate it to the Data Protection Board of India.

6.  Right to Nominate: You can nominate a person who may exercise these rights on your behalf in the event of your death or incapacity.

What companies must do?

Data Fiduciaries are the organisations that hold and decide how to use your data, so they carry serious obligations. They may collect only the data needed for the specified purpose and may use it only for that purpose; hoarding data “just in case” is not allowed. They must have reasonable security safeguards in place to prevent a personal data breach. If a breach does occur, they are legally required to notify both the Data Protection Board of India and each affected individual. No more quietly sweeping breaches under the rug.

Once the purpose for which data is collected has been fulfilled, they must delete it. The law calls this ‘Storage Limitation’, which is a concept borrowed from global data protection frameworks and long overdue in India.

What about the fines?

Violation (as listed in the Schedule to the Act)                                        Maximum penalty
Failure to take reasonable security safeguards to prevent a personal data breach         Up to ₹250 crore
Failure to notify the Board and affected individuals of a personal data breach           Up to ₹200 crore
Breach of the additional obligations relating to children’s data                         Up to ₹200 crore
Breach of the additional obligations of a Significant Data Fiduciary                     Up to ₹150 crore
Breach of any other provision of the Act or its rules (for example, general Data
Fiduciary duties, Consent Manager obligations, or ignoring a direction of the Board)     Up to ₹50 crore
Breach of a Data Principal’s own duties (for example, filing a false or frivolous
complaint)                                                                               Up to ₹10,000

To put this in perspective, a ₹250 crore fine is a slap on the wrist for a big tech company. For a mid-sized Indian start-up, it could be fatal. The penalty structure is deliberately graduated: the more serious the failure, such as having no security safeguards, hiding a breach or exposing children’s data, the heavier the maximum fine. The law is essentially saying that the greater the harm a company could cause, the greater the penalty for its negligence. Penalties are per instance of breach and are imposed only after the Board has held an inquiry.

The Data Protection Board of India: Your Enforcer

The DPDP Act is not merely a piece of legislation that creates rights on paper. It creates a body to enforce them. The Data Protection Board of India (DPBI) is an adjudicating authority with certain powers of a civil court: it can receive complaints, direct inquiries, summon and examine persons, and impose the penalties listed above.

Therefore, if an organisation refuses to delete your data after you have asked it to, or ignores a breach that you have reported to it, you can file a grievance with the Board once the organisation’s own grievance process has failed you. The Board will call the company to explain itself, and if it finds a breach of the Act it can impose penalties up to the limits in the table above.

The catch? As of 2026, the Board for implementing the Act has been constituted but is not yet fully operational. The law has been enacted, but the enforcement machinery is still being assembled. Legal experts have raised a genuine concern here, because rights without enforcement are merely aspirations. Once the Board is fully functioning, however, it will become one of the most important digital regulatory bodies in the country.

Important:  Until the Data Protection Board is fully operational, the enforcement of the DPDP Act remains limited. You must keep watching for government notifications on its formal constitution and other related updates.

What about apps that are not Indian?

An important aspect of this law is its extraterritorial reach. It applies not only to Indian companies but also to foreign ones. If a foreign company, such as a US-based app or a European platform, processes the personal data of people in India in connection with offering them goods or services, it must comply with the DPDP Act.

This matters because many of the apps we use daily, such as Instagram, Google, Spotify and WhatsApp, are foreign-owned. Under this law, all of them are legally obligated to follow Indian data protection rules when dealing with Indian users. The Central Government can also restrict the transfer of personal data to specific countries it notifies as unsafe for Indian data; by default, transfer is permitted unless a country is on that restricted list, and the list is yet to be notified.

A Note On Children’s Data:

This Act has special protection for children (anyone under 18). Before processing a child’s data, an organisation must obtain verifiable consent from a parent or lawful guardian. Platforms are also prohibited from tracking or behaviourally monitoring children, from targeting them with advertising, and from doing anything likely to harm a child’s wellbeing. Given how much time children now spend on social media and gaming platforms, this is a genuinely important addition.

Conclusion:

The enactment of the DPDP Act is India’s first real and meaningful attempt to place individuals at the centre of the data conversation so that their privacy is respected. It will not resolve every issue immediately, and there are valid debates about its exemptions and the timing of its implementation. However, for the first time, you possess legal rights over your own digital identity.

Discussion Questions:

1.  What makes the term “Data Fiduciary” more meaningful than simply calling an organisation a “data collector”?

2.  In what situations can a company process your data without your consent?

3.  What role does the Data Protection Board of India play?

4.  How does the DPDP Act affect a college student using apps and social media daily?

5.  What is the biggest criticism of the DPDP Act so far?