Welcome to Drishti Judiciary - Powered by Drishti IAS

A Robust Data Protection Law for the Digital Age


   08-Jan-2024 | Aarifa Nadeem

Data protection refers to the strategic and operational measures taken to secure the privacy, availability, and integrity of sensitive data; the term is frequently used interchangeably with 'data security'. These safeguards, which are essential for organizations that collect, handle, or retain sensitive data, are designed to avoid data corruption, loss, or harm. In an era when data collection and storage are increasing at an unprecedented rate, a solid data protection plan is critical. The major purpose of data protection is not only to preserve sensitive information but also to keep it accessible and trustworthy, hence maintaining confidence and compliance in data-centric operations.

Data protection laws are fundamental to establishing a fair, secure, and trustworthy digital environment where personal information is respected, innovation thrives, and individuals' rights are safeguarded. Creating a robust data protection law for the digital age is crucial to safeguard individuals' privacy and secure their personal information in an increasingly connected world.

Significance of Data Protection Laws in the Digital Era

  • Protecting individual privacy and fostering trust and confidence
  • Preventing misuse and abuse of data
  • Supporting innovation and commerce
  • Promoting ethical data use
  • Mitigating risks and liabilities
  • Adaptability to technological changes
  • Ensuring accountability

Major Data Protection Regulations Worldwide

Data protection regulations vary significantly across the globe, reflecting each region's cultural, legal, and technological landscapes. Here are some key data protection regulations and frameworks from different parts of the world:

  • The EU General Data Protection Regulation (GDPR): The GDPR is the world's most powerful privacy and security legislation.
    • The 1995 data protection directive's guiding principles were brought up to date and modernized by this law. It was approved in 2016 and went into effect on May 25, 2018.
    • The GDPR states the fundamental rights of a person of the digital age, the responsibilities of those processing data, procedures for guaranteeing compliance, and penalties for rule breakers.
  • The American Data Privacy and Protection Act (ADPPA): The US model places a strong emphasis on protecting a person's privacy against governmental interference. It allows for the gathering of personal data as long as the subject is informed about the data-collecting process and its intended purpose.
    • The United States of America, in contrast to several other nations, has a multitude of federal and state regulations that are intended to safeguard the personal information of its citizens.
  • Chinese Personal Information Protection Law (PIPL): The Chinese government's Personal Information Protection Law (PIPL) aims to prevent the inappropriate use of personal data by granting data principals more rights.
    • Important concepts covered by the law include processing, sensitive personal information, and personal information. Interestingly, it states clearly that its jurisdiction extends across international borders.
    • PIPL encompasses essential components of data protection, such as guidelines for handling personal data, consent, and non-consent-based processing reasons, cross-border data transfer procedures, and data subjects' rights.

India’s Data Protection Acts

India has been working on comprehensive data protection legislation to address the challenges posed by the digital era and protect individuals' privacy rights. There are two significant data protection bills in India:

  • Personal Data Protection Bill, 2019: The MeitY established a committee to investigate data privacy issues. Justice B. N. Srikrishna, a retired SC judge, presided over the committee. In July 2018, the committee submitted a draft version of the Personal Data Protection Bill.
    • The report was updated numerous times later by the Government of India, and after getting central cabinet clearance, the draft legislation was introduced in the Indian Parliament on December 11, 2019.
    • After being introduced, the bill was referred to the JPC (Joint Parliamentary Committee); after receiving criticism from stakeholders, the opposition, and experts, the revised 2019 Bill was withdrawn from the Indian Parliament on August 3, 2022.
  • Digital Personal Data Protection Act, 2023: The Indian Parliament passed the Digital Personal Data Protection Act, 2023, also known as the DPDP Act or DPDPA-2023, to regulate the processing of digital personal data in a way that respects people's right to data protection and the necessity of processing such data for legitimate purposes, as well as for matters related or incidental to them.
    • Unlike the traditional "he/him" pronouns, "she/her" pronouns were employed in this Act, a first for an Act of the Indian Parliament. The following are some of the ways that the Act protects digital personal data or information that may be used to identify an individual:
      • The duties of data fiduciaries, or individuals, businesses, and governmental organisations that handle data, concerning data processing (that is, gathering, storing, or any other activity on personal data)
      • The obligations and rights of Data Principals, or the individuals to whom the data is related
      • Penalties in money for violating rights, duties, and obligations
      • All data in India, whether initially offline and thereafter digitised, is covered by the DPDP Act.
        • Furthermore, the Act also covers the processing of digital personal data outside of India, especially when it involves providing products or services to people within India.
      • Following the new DPDP law, age verification procedures will be required for all Indian firms, including banks, e-commerce, telecoms, and others.
      • The new law states that personal data can only be included and processed with the individual's express consent unless there are special circumstances involving national security, the law, or order.
      • A Data Protection Officer (DPO) must be appointed by each substantial data fiduciary. The DPO's job is to handle the questions and concerns of data principals, or the people whose data is being gathered and processed.
      • The DPDP Act allows data fiduciaries to transfer personal data to any nation or territory outside of India for processing.
        • This includes international data transfers. Nonetheless, the national government may impose limitations through notifications.

Formation of the Data Protection Board of India

The Government of India established the Data Protection Board of India as an adjudicating authority following section 18 of the Digital Personal Data Protection Act, 2023. This body resolves disputes between individuals whose personal information has been provided to a platform and that platform, where the platform has violated the DPDP Act, 2023.

The Protection Provided by the DPDP Act

  • Processing personal data is required to enforce any applicable legal rights or claims. Personal data is processed so that any crime or violation of any current Indian legislation can be prevented, detected, investigated, or prosecuted.
  • Any contract that an Indian-based individual enters with a third party outside of India's borders is the basis for processing the personal data of Data Principals who are not located in India.
  • Any Indian court, tribunal, or other entity tasked by law with carrying out any judicial, quasi-judicial, regulatory, or supervisory duty may process personal data as long as doing so is required to carry out that function.
  • A court, tribunal, or other authority authorised to do so by any currently in effect law must approve any scheme of compromise, arrangement, merger, amalgamation, or reconstruction of a company through demerger or another method, transfer of an undertaking from one company to another, or involving division of one or more companies.
  • The processing will only take place if it complies with the laws currently in effect regarding the disclosure of information or data and is done so to determine the financial information, assets, and liabilities of any individual who has fallen behind on payments owed for a loan or advance obtained from a financial institution.


In essence, a robust data protection law sets the foundation for a digital environment where privacy is respected, individuals have control over their data, organizations act responsibly, and innovation thrives within ethical boundaries. It strikes a balance between protecting personal information and allowing for the legitimate use of data for societal, economic, and technological advancements.