What are the legal rights of consumers in India regarding their digital data and privacy?

Introduction
With the rise of digital technologies, Indian consumers increasingly share personal information through online platforms, apps, social media, and digital services. This digital data includes names, contact details, financial information, browsing history, and biometric identifiers. Protecting this data is essential for preserving individual autonomy, preventing misuse, and building trust in digital ecosystems. In recent years, India has taken significant steps to define and strengthen consumer rights related to data and privacy. These include the constitutional recognition of the right to privacy, sectoral regulations, and most notably, the enactment of the Digital Personal Data Protection Act (DPDPA), 2023, which will govern personal data processing across India once fully operational.

1. Right to Privacy as a Fundamental Right
In the landmark case of Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court of India declared the right to privacy a fundamental right under Article 21 of the Constitution. This judgment laid the constitutional foundation for data protection laws in India. It affirmed that every individual has the right to control their personal information and be protected from arbitrary intrusion by the state or private entities. This right includes informational privacy, which extends to how personal data is collected, stored, processed, and shared.

2. Digital Personal Data Protection Act, 2023 (DPDPA)
The DPDPA, passed in August 2023, is India’s comprehensive law governing the collection and processing of digital personal data. It applies to data fiduciaries (entities that collect data) and data processors, and aims to protect the privacy of individuals while facilitating lawful data use. Key consumer rights under this law include:

a. Right to Consent
Consumers have the right to provide informed and specific consent before their personal data is collected or processed. The consent must be freely given and revocable. Data fiduciaries are required to clearly explain what data is being collected and for what purpose.

b. Right to Access Information
Consumers have the right to obtain information about the personal data held by a data fiduciary, including the categories of data, processing purposes, and third-party disclosures.

c. Right to Correction and Erasure
Consumers can request correction of inaccurate or outdated personal data and seek the erasure of data that is no longer necessary for the stated purpose.

d. Right to Grievance Redressal
Consumers can file complaints with data fiduciaries if they believe their data rights have been violated. If unsatisfied, they can escalate the issue to the Data Protection Board of India, which is empowered to investigate and impose penalties.

e. Right to Nominate
The law allows individuals to nominate another person to exercise their data rights in the event of death or incapacity.

f. Right to Data Portability and Limitation (Not Explicit Yet)
Although the DPDPA does not explicitly include the right to data portability or profiling limitations as seen in the GDPR (EU’s regulation), future rules may evolve to include these.

3. Obligations on Data Fiduciaries
To protect consumer rights, the DPDPA imposes several obligations on companies and government entities that handle personal data:

  • Process data only for legitimate and necessary purposes.

  • Ensure data security through reasonable technical safeguards.

  • Inform consumers of data breaches that impact their rights.

  • Appoint a Data Protection Officer (DPO) where data handling is significant.

  • Avoid storing data longer than necessary.

4. Children’s Data Protection
Children (under 18 years) receive special protection. Parental consent is mandatory for processing their data. Data fiduciaries must refrain from tracking or targeted advertising directed at children.

5. Data Breach Notification
Under the DPDPA, companies must notify both the affected individuals and the Data Protection Board of any personal data breach that is likely to cause harm. This enables consumers to take timely action, such as changing passwords or monitoring financial accounts.

6. Penalties and Enforcement
The Data Protection Board can impose significant penalties for non-compliance. For example, failure to implement security safeguards may result in a fine of up to ₹250 crore. This ensures that consumers’ rights are backed by legal enforcement.

7. Sector-Specific Regulations
Apart from the DPDPA, several sectoral laws also provide data protection rights to consumers:

  • Information Technology Act, 2000 (Section 43A): Holds companies accountable for negligence in protecting sensitive personal data.

  • RBI Guidelines for Banks and NBFCs: Require financial institutions to protect customer data and disclose breaches.

  • Telecom Regulatory Authority of India (TRAI): Issues regulations for protecting mobile users’ privacy, including Do Not Disturb (DND) services.

  • Aadhaar Act, 2016: Limits data sharing by the UIDAI and mandates encryption and consent for Aadhaar-related information.

8. Consumer Protection Act, 2019
The CPA empowers consumers to file complaints against unfair trade practices, including misleading data policies and unauthorized use of personal data. It also enables e-commerce platforms to maintain transparency in data handling practices.

9. Right to Be Forgotten (Emerging Concept)
Though not yet explicitly codified, Indian courts have begun to recognize the “right to be forgotten” in certain cases. This right enables individuals to seek the removal of personal data from the internet or databases when the information is outdated, irrelevant, or causing harm. The DPDPA mentions data erasure but stops short of a comprehensive legal definition.

10. Judicial Remedies and Redress
Consumers can approach civil courts, consumer forums, or file writ petitions under Article 226 (High Courts) or Article 32 (Supreme Court) to enforce their data rights. Public Interest Litigations (PILs) have also been used to challenge state surveillance and demand better data protection policies.

11. Emerging Data Protection Practices and Consumer Awareness
With the rise of digital platforms, consumers are becoming more aware of their privacy rights. Organizations are increasingly required to publish transparent privacy policies, obtain consent before collecting data, and enable consumers to control cookie settings. Digital literacy campaigns and privacy advocacy are helping empower Indian users to demand accountability.

Conclusion
India’s legal framework for data protection is evolving rapidly to meet the needs of its digital economy. The recognition of privacy as a fundamental right, coupled with the enactment of the Digital Personal Data Protection Act, 2023, provides a solid legal foundation for safeguarding consumer data. However, effective implementation, robust enforcement, and public awareness are key to realizing these rights in practice. As digital services continue to grow, the balance between innovation and individual privacy will remain central to building a secure, ethical, and user-centric digital ecosystem in India.

Priya Mehta