DPDP Act: India's New Digital Shield or Legal Gap?
The Digital Personal Data Protection Act, 2023: Recasting India’s Cyber and Criminal Law Landscape.

The Digital Personal Data Protection (DPDP) Act signifies a transformative step in India's data governance regime. As India steps into a digital-first economy, protecting personal data has assumed critical importance, not only from a civil liability perspective but increasingly in light of cybercrime and criminal law enforcement. This article analyses the DPDP Act through the lens of cyber law and its interface with existing and emerging criminal jurisprudence. It also evaluates this legislation's practical and theoretical implications and offers a critical perspective on its enforcement challenges.
I. Introduction
The intersection of privacy, cybersecurity, and criminal liability has witnessed a legislative evolution in India, culminating in the Digital Personal Data Protection Act. This Act arrives in the wake of significant judicial recognition of privacy rights and growing concerns over the misuse of personal data in the digital economy. The inadequacy of earlier provisions under the Information Technology Act, 2000, in ensuring robust data protection has now been addressed through a dedicated statutory regime.
II. Legislative Background and Context
India's data protection regime has historically been anchored in the Information Technology Act, 2000 (IT Act), specifically under Sections 43A and 72A. However, these provisions largely catered to compensation for negligence and unauthorised disclosures without offering a comprehensive regulatory architecture. The Supreme Court’s landmark verdict in Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1, which held privacy to be a fundamental right under Article 21, acted as a constitutional catalyst for enacting a robust data protection law.
The DPDP Act therefore emerges not merely as a statutory intervention but as a necessary constitutional corollary to digital rights in the 21st century.
III. Key Features of the DPDP Act
1. Consent Architecture
The Act is premised on informed and specific consent of the data principal before any personal data can be processed, marking a shift from implicit or opt-out frameworks.
2. Obligations of Data Fiduciaries
Entities processing personal data—termed as data fiduciaries—must adhere to principles of purpose limitation, data minimisation, and reasonable security safeguards.
3. Data Principal Rights
Individuals are vested with significant rights, including the right to access, correct, and erase their data, the right to grievance redressal, and the right to withdraw consent.
4. Regulatory Framework
The establishment of the Data Protection Board of India provides an adjudicatory and enforcement mechanism with powers to impose monetary penalties for non-compliance.
5. Cross-Border Data Flow
While the Act permits data transfers outside India, it empowers the central government to notify countries where such transfers may be restricted.
IV. Cyber Law and Criminal Law Interplay
Though the DPDP Act is fundamentally regulatory and administrative, its interaction with India's cyber and criminal law is profound.
A. Overlap with Existing Criminal Provisions
The IT Act, 2000, criminalises unauthorised access, hacking, identity theft (Section 66C), and breach of confidentiality (Section 72). These provisions remain operative and continue to apply in cases where data breaches involve criminal intent or fraudulent gain.
B. Vicarious Liability and Corporate Offences
Under Section 85 of the IT Act, corporate entities may be held criminally liable for offences committed with their knowledge or due to negligence. The DPDP Act indirectly reinforces this principle by establishing rigorous fiduciary duties.
C. Enabling Framework for Cybercrime Investigation
The DPDP Act, while not criminalising data misuse per se, creates an ecosystem that supports investigation and prosecution under cybercrime laws by mandating logs, audit trails, and breach reporting.
V. Enforcement Challenges and Legal Ambiguities
Despite its ambitious goals, the DPDP Act faces notable implementation and jurisprudential challenges:
1. Absence of Criminal Sanctions
The Act does not introduce penal provisions such as imprisonment, preferring monetary penalties. This limits its deterrence against wilful and malicious data misuse.
2. Jurisdiction and Enforcement Against Foreign Entities
Cross-border enforcement remains problematic without mutual legal assistance treaties (MLATs) or reciprocal arrangements with foreign jurisdictions.
3. State Exemptions and Civil Liberties
Section 17 of the Act provides wide exemptions to the State for national security, raising concerns about unchecked surveillance and erosion of the right to privacy without adequate judicial oversight.
4. Adjudicatory Structure and Capacity Issues
The functioning of the Data Protection Board, its independence, and institutional capacity are yet to be tested and may impact the Act's success.
VI. Harmonizing DPDP with Future Criminal Law Reforms
India is poised to replace its colonial-era criminal laws with modern codes such as the Bharatiya Nyaya Sanhita (BNS). In this context, the DPDP Act may serve as a foundation for incorporating express penal provisions for digital crimes relating to data exploitation, trafficking of personal information, and algorithmic harms.
A future reform agenda could include:
Codifying aggravated data crimes as criminal offences.
Introducing cyber-specific procedural safeguards for evidence collection.
Harmonizing definitions and standards across the DPDP Act, IT Act, and IPC/BNS.
VII. Conclusion
The Digital Personal Data Protection Act is a cornerstone in India’s journey toward a rights-based and accountable digital economy. Its nuanced intersection with cyber and criminal law lays the groundwork for a more secure and privacy-respecting cyberspace. However, its success will depend on judicial interpretation, institutional robustness, and the ability of lawmakers to evolve its provisions in response to emerging threats.
As India steps into a data-driven future, the DPDP Act offers a principled beginning. The task ahead lies in ensuring its consistent application, enhancing legal harmonization, and embedding it within a strong criminal law framework to address the growing menace of cybercrime.
By Advocate Ananth Shankar Sharma
Rajasthan High Court, Jaipur