DPDPA 2023 came into existence as a law on August 11, 2023. In January 2025, MeitY issued a notification of draft Rules and opened it for public comments. However, till today the rules have not been notified, raising the speculation that the Government is not serious about bringing in the law.
However, more recently, NeGD jumped into the fray by announcing a “Coding Competition” to encourage the private sector to develop a “Consent Management System” which can be integrated into the data fiduciary systems through an open source platform. For the purpose of this competition, NeGD has issued a document called “Business Requirement Document” which outlined some of the expectations of such a system. This document is not an extension of the “Rule”, but because NeGD is part of the Digital India Mission, there is a misconception that the BRD is a detailing of the “Consent Management Requirement” under the rules.
It is also reported that MeitY has made a reference to the Attorney General for a clarification on Section 44(3) related to the impact of DPDPA on the RTI Act.
Additionally, the Digital India Corporation (DIC) has called for appointment of a “Consultant” for developing the digital office of the proposed Data Protection Board.
These developments indicate that MeitY is actually trying to finalize the rules and notify them at the earliest.
In the meantime there are two questions which have been raised in the professional circles about whether DPDPA has some fundamental flaws in defining the terms “Digital” and “Personal Data”.
As readers of naavi.org are aware, we had published a series of articles under the title “Shape of Things to Come” before DPDPA 2023 was enacted, indicating our wishlist. We have also been discussing many other aspects of the law and how we can interpret it for initiating compliance in the industry.
Without going into a debate on what more could have been done and what has been missed, our approach is that a proper interpretation of DPDPA 2023 can lead to the development of jurisprudence which can take care of many of the perceived shortcomings.
Hence we restrict our discussion here to the two points of “Definition of Digital” and “Definition of Personal Data” and whether they could weaken the law significantly.
Digital:
According to Section 37(3) the definition of “Information” and “Computer Resource” in the Act shall have the same meaning as in ITA 2000.
Under Section 2(1)(v) of the ITA 2000, “Information” includes “Data”, and “Data” for this section includes representation of information in any form which can be processed by a computer, and by the definition of “Electronic form” includes any information that is computer generated, such as print outs, or intended to be processed in a computer, etc.
In view of these definitions, the word “Digital” extends to any “Binary expression” and this definition extends to DPDPA so that even quantum pulses or neural data may be considered as “Digital”.
Only those documents which are manually prepared and meant to be manually used forever are outside the definition of DPDPA as regards “Protection of Privacy”.
Hence adoption of the principle “DPDPA is only for Digital Data” does not significantly affect the Privacy Rights of an individual. Further, the law is meant for “Processing of Digital Data by a Data Fiduciary”, and hence omission of “Oral data” by a “Data Fiduciary” which is neither recorded nor stored or transmitted on digital media is of little consequence. It would not be out of place to say that in today’s corporate world, there is no information which is not digital.
The moment any manually collected personal data is converted into digital form, it becomes part of the DPDPA.
Definition of Personal Data
There is a view that Personal data is defined as “Any information about an individual who is identifiable with reference to the data”. The objection raised is that if there is any information owned by a person that does not identify the person, it can be used by others without restriction. Also, if the data is currently identifiable but later anonymised or de-identified, it can be used, and this is argued to be unfair.
Here again we need to refer to IPR law which protects data of a person with IPR value whether it is through Copyright or Trademark Rights or Patent Rights. These rights are however linked to the voluntary disclosure of ownership and can be compulsorily opened out if there is public interest.
Personal data, on the other hand, has two components, one of which is the identity and the other “Information without identity”. When information is de-identified or anonymised, the data which is personal becomes relatively “Non Personal” and useful to society for statistics or other purposes. This is one of the balancing features of the law, which tries to ensure that, in the guise of Privacy, we do not restrict society from being benefited.
We must also appreciate that by recognizing the “Right to Nomination”, DPDPA recognizes the individual's ownership of personal data and then leaves it to his discretion to provide consent for its use in an identifiable form. Derived data in the form of de-identified or anonymous data, which does not affect the privacy of the individual, is outside the scope of this Act, like corporate data or environmental data, etc.
There are certain issues related to definition of personal data which we have discussed earlier such as
1. Defining Personal Data under Naavi’s theory of Privacy (“Nee Maayeyolago, Ninnolu Maayeyo”)
2. Interpreting “Personal Data” and “Business Contact Data” under GDPR
3. Personal Data should be considered a personal Property
4. Difference between “Personal Data” and “Protected Personal Data” under DPDPA
The essence of most of these discussions is that “What is personal and What is not personal” is the choice of the individual, and hence the definition ultimately gets tied with the “Consent”.
As long as some information cannot damage the personal reputation of an individual nor create a mental disturbance if it is in the hands of another person, the issue of “Privacy” should not arise. If there is any value in the information without identity, that should be protected under IPR laws. If there is a misuse of de-identified information, there can be action under ITA 2000 as a Cyber Crime.
Hence it is my view that the lack of a detailed definition of “Digital” or “Personal Data” or “Ownership of Personal Data” is not a significant fundamental flaw that can be held to criticise DPDPA 2023.
On the other hand, DPDPA 2023 adopting the principle of “Data Fiduciary” vs “Data Controller” makes it a law hugely superior to GDPR, since every data processor needs to ask himself whether he is a “Data fiduciary”, and more so whether he is a “Significant Data Fiduciary”, and ensure not only the obligations specified but also the duties specified in the law for both the data fiduciary and the data principal, whether the processing is done by the data fiduciary or his agents.
No law can be drafted as “Perfect”, much less a law that has to balance the undefined Right called “Privacy” with “Business interests” and “Governance and Security of the nation”. The interpretations will emerge initially through professionals, later through Courts, and subsequently through further amendments.
We need to be patient and let the law run.
Naavi