Blog | BALANCING PRIVACY AND ECONOMIC INTERESTS: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

INTRODUCTION

If there is one thing that is “golden’’ in today’s digital world, it is data. India’s Digital Personal Data Protection Act of 2023 (DPDPA 2023)1 functions as a major law to address the digital privacy protection and economic advancement. The law ensures data privacy while allowing businesses to leverage data for technological innovation and economic growth. However, the execution of this remains very challenging. The DPDPA 2023 serves as India's first digital data protection regulation which controls digital personal data processing procedures. The Act constructively incorporates transparency together with accountability and consent principles to let people know how their data will be used and gain permissions to retract their consent whenever they want. The Act establishes data handling rules to establish trust between people and organizations as it creates a safer and lasting digital environment.

BALANCING PRIVACY AND ECONOMIC INTERESTS

The DPDPA 2023 is established to maintain equilibrium between safeguarding personal information and achieving financial advantages through data utilization. As part of its privacy policy the Act enables individuals two fundamental rights including inspection and error correction and data deletion according to specific criteria. The DPDPA 2023 orders organizations to request explicit user consent as a prerequisite for data collection or processing while insisting individuals receive comprehensive understanding of data utilization.2 The Act enhances business growth by improving services, increasing productivity, and fostering innovation. Data analytics remains essential for businesses that work in e-commerce healthcare and finance to generate understanding about customer patterns and create individualized service 1Ministry of Electronics & Information Technology, Digital Personal Data Protection Act, No. 23 of 2023, INDIA CODE, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf (last visited March 7, 2025). 2 ET Legal World, Draft DPDP Rules Outlines Balancing Innovation with Data Security, The Economic Times (2025), https://legal.economictimes.indiatimes.com/news/law-policy/draft-dpdp-rules-outlines-balancinginnovation-with-data-security/117064691 (last visited March 7, 2025). solutions as well as optimize their operational workflows. Businesses can effectively utilize data under the DPDPA 2023, which provides a distinct legal framework supporting privacy standards.

WHAT ARE THE CHALLENGES IN IMPLEMENTING DPDPA 2023?

Multiple obstacles stop the DPDPA 2023 from reaching its desired outcomes even while operating under an advanced framework. The DPDPA 2023 implementation faces its major obstacle in business compliance cost which affects small and medium-sized enterprises (SMEs) the most. Smaller businesses face potentially high expenses when they implement required technical and organizational data protection measures.3 Dark patterns are deliberately designed to work as tricks that guide users into making decisions, they would not otherwise be willing to make on their own by misusing their personal data. Some examples include the ‘consent tick marks’ which are already selected and users have to deselect them, or setting up privacy options in relatively obscure sub-menus where users are unlikely to look for them. Here, people are often unaware that they have agreed to their data being harvested and used for advertising or marketing.4 India’s DPDPA is intended to make all consents informed and express. However, dark patterns are more of using words while obtaining consent in the way that they are creating a grey area between data collection and misleading data gathering. Data is also shared with third-party services or vendors, the original app often claims it is no longer responsible for how that data is handled. This creates a lack of accountability and transparency regarding how user data is ultimately used which may also lead to data falling in the hands of shady parties who are involved in cyber frauds. The enforcement process faces difficulties because it involves multiple complexities. The Act needs an effective enforcement system with sufficient resources to make organizations from multiple sectors adhere to its requirements. The Data Protection Board of India (DPBI) recently established as an oversight body must address diverse compliance matters that include data breach 3 John Doe, The Impact of Data Protection Regulations on Start-Up Enterprises, ResearchGate (2021), https://www.researchgate.net/publication/348118237_The_Impact_of_Data_Protection_Regulations_on_Sta rt-Up_Enterprises (last visited March 7, 2025). 4 RSRR, Data Privacy and Protection in India: A Comprehensive Analysis, https://www.rsrr.in/_files/ugd/286c9c_3da4e758c4db40098ebe691004e90b71.pdf?index=true (last visited March 7, 2025). investigations and consent conflicts. The Data Protection Board of India needs to build substantial capacity to process such cases. 5

CASE STUDY: GOOGLE’S COMPLIANCE WITH GDPR

The General Data Protection Regulation (GDPR) stands as one of the world's most sophisticated data protection law ever created by the European Union in 2018. Google encountered multiple barriers to synchronize its business practices with GDPR standards. Google established open systems for consent procedures and data information which allows users to see data processing details. Data minimization became a key practice at the company which guaranteed that essential data would only be collected for specific business purposes. Google established a system which allowed users to enjoy access rights and request rectification and erasure of their data while giving them the power to move their information to different systems using user-friendly tools. The company encountered several difficulties because of high implementation expenses and complicated global operations management across different data protection standards when together with complaints about its dark consent pattern. Observation of Google demonstrates why transparency must be paired with user rights alongside accountability in data protection regulations but emphasizes the implementation costs and enforcement difficulties. DPDPA 2023 in India faces similar problems with implementing privacy regulations because it needs to protect privacy rights along with stimulating economic growth.

CONCLUSION India takes substantial progress in its digital economic development through the enactment of the Digital Personal Data Protection Act, 2023. The Act establishes a compatibility between economic development and privacy protection by finding equilibrium between both interests. The implementation of this balance needs solutions to address compliance problems and enforcement limitations as well as technological changes. The DPDPA 2023 must address rapid developments in technology. Advancements in technology such as artificial intelligence (AI) and machine learning systems have revolutionized methods of information collection and its applications. The Act will need amendments to stay relevant because of developing technologies. By incorporating 5 iPleaders Blog, Digital Personal Data Protection Act (DPDPA) 2023, https://blog.ipleaders.in/digital-personaldata-protection-act-dpdpa-2023/ (last visited March 7, 2025). global best practices, such as the right to data portability, the right to be forgotten, and compensation for harm just like the GDPR, and by strengthening the Data Protection Board of India, the Act can be transformed into a more robust framework for protecting privacy.6 As technology continues to evolve, the DPDPA must adapt to address new challenges, ensuring a balance between innovation and individual rights.

REFERENCES

1. Ministry of Electronics & Information Technology, Digital Personal Data Protection Act, 2023, (June 2024), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf.

2. AZB & Partners, Indian Data Protection Law Versus GDPR: A Comparison, AZB & Partners (last visited Mar. 7, 2025), https://www.azbpartners.com/bank/indian-data-protection-law-versus-gdpr-a-comparison/.

3. [Author(s)], The Impact of Data Protection Regulations on Start-Up Enterprises, ResearchGate (2021), https://www.researchgate.net/publication/348118237_The_Impact_of_Data_Protection_Regulations_on_Start-Up_Enterprises.

4. RGNUL Student Research Review, Data Protection and Privacy in India, RSRR (last visited Mar. 7, 2025), https://www.rsrr.in/_files/ugd/286c9c_3da4e758c4db40098ebe691004e90b71.pdf.

5. [Author(s)], Federated Learning: A Decentralized Approach to AI, Sci. Direct (2024), https://www.sciencedirect.com/science/article/pii/S2542660524002592#:~:text=Federated%20learning%20is%20a%20decentralized,the%20risk%20of%20data%20breaches.

6. Integrate.io, What is Data Privacy & Why is it Important?, Integrate.io (last visited Mar. 7, 2025), https://www.integrate.io/blog/what-is-data-privacy-why-is-it-important/.

7. Right to Compensation and Liability, GDPR Info (last visited Mar. 7, 2025), https://gdpr-info.eu/art-82-gdpr/.

8. The Right to Be Forgotten Under GDPR, GDPR.eu (last visited Mar. 7, 2025), https://www.gdpreu.org/right-to-be-forgotten/.

9. iPleaders, Digital Personal Data Protection Act (DPDPA) 2023, iPleaders (last visited Mar. 7, 2025), https://blog.ipleaders.in/digital-personal-data-protection-act-dpdpa-2023/.

Author's Details

Srushti Kadak

The author of the above blog is a second year law student at Des Shri Navalmal Firodia Law College Pune

Email: srushtikadak@gmail.com

Disclaimer: The blog mentioned above has been prepared by the author as part of their internship at Legitimate Scrutiny. The views expressed herein are solely those of the author and do not necessarily reflect the views of Legitimate Scrutiny. While every effort has been made to ensure accuracy, Legitimate Scrutiny assumes no responsibility for any copyright infringement or legal implications arising from this content. Readers are advised to verify information independently and seek professional advice if required.