How does the DPDPA empower you to control your personal data online in India?

In an increasingly digitized world, our personal data is our digital identity—be it names, mobile numbers, Aadhaar details, browsing habits, or medical records. With businesses and governments relying heavily on data to provide services, data protection has become a fundamental right, not just a technical issue. Recognizing this, the Indian government enacted the Digital Personal Data Protection Act (DPDPA), 2023, ushering in a new era of data privacy, accountability, and empowerment for Indian citizens.

As a cybersecurity expert, I consider the DPDPA a landmark legislation that not only safeguards your data but also gives you direct control over who uses it, how it’s used, and for what purpose. In this blog post, we’ll explore how the DPDPA empowers you to control your personal data online in India, what rights you now hold, and how you can practically exercise them.


What is the DPDPA, 2023?

The Digital Personal Data Protection Act (DPDPA) was passed in August 2023 by the Parliament of India. Its primary objective is to protect digital personal data and regulate how organizations collect, store, process, and share your data—while respecting individuals’ right to privacy.

It applies to:

  • All personal data collected in digital form, or collected offline and later digitized.

  • All data processing activities that involve Indian citizens, even if done outside India.

It introduces clear responsibilities for companies (called “Data Fiduciaries”) and strong rights for you—the “Data Principal”.


Key Rights You Have Under DPDPA

1. Right to Consent

One of the most powerful features of DPDPA is that no one can collect or process your personal data without your clear and informed consent. This consent must be:

  • Free (not forced),

  • Specific (for a particular purpose),

  • Informed (you must know what data is collected and why),

  • Unambiguous (clear and affirmative),

  • Revocable at any time.

🟢 Example: When you download a food delivery app, it must explicitly ask you for consent to access your location or contacts. You can say “No” to access beyond what is necessary.


2. Right to Access Your Data

You have the right to know:

  • What personal data a company holds about you,

  • Why and how it was collected,

  • Whether it has been shared with third parties,

  • For how long it will be stored.

This gives you transparency into the digital footprint you leave behind.

🟢 Example: If you use an online shopping platform, you can request details about your saved addresses, payment history, preferences, and browsing activity.


3. Right to Correction and Erasure

You can now request corrections to inaccurate data and even ask companies to erase data that is no longer necessary or was obtained without valid consent.

🟢 Example: If a digital health app still stores your outdated contact details or wrong medical history, you can demand corrections—or erasure—under the law.


4. Right to Grievance Redressal

If a company refuses to correct or delete your data, or if your consent was ignored, you have the right to file a grievance. The data fiduciary must respond within a stipulated time.

If unresolved, you can escalate the issue to the Data Protection Board of India (DPBI), an independent body created under the Act.

🟢 Example: A mobile app you deleted months ago continues to send you promotional emails. You can complain to the company and then to the DPBI if they don’t act.


5. Right to Nominate

In the event of your death or incapacitation, you can nominate someone to exercise your rights under DPDPA on your behalf.

🟢 Example: Suppose you become critically ill and cannot manage your digital accounts. Your nominated person can request erasure of your sensitive data or deactivate your accounts.


What Organizations (Data Fiduciaries) Must Do

DPDPA doesn’t just give rights to users—it places strict responsibilities on companies that handle your data. These include:

  • Data minimization: Only collect data necessary for the stated purpose.

  • Storage limitation: Don’t store your data forever. Delete it once the purpose is over.

  • Security safeguards: Implement encryption, access control, and other cybersecurity measures.

  • Breach notifications: Inform affected users and the Board in case of data leaks.

  • Consent managers: Make it easy for users to give or withdraw consent via independent platforms.

Failure to comply with these duties can lead to heavy fines—up to ₹250 crore per violation.


Practical Steps: How to Exercise Your Rights

1. Read the Privacy Policy Carefully

Whenever you install an app or use a new website, go through the privacy policy. Check:

  • What data is collected

  • For what purpose

  • If data is shared with third parties

  • Your rights as a user

🔒 Pro Tip: If the app doesn’t provide a clear privacy policy or asks for unnecessary permissions (like a flashlight app asking for location), avoid it.


2. Use “Privacy Settings” in Apps

Most apps and websites now offer privacy dashboards. Use them to:

  • Limit data collection

  • Revoke previously given consent

  • Opt out of targeted ads

🛡️ Example: In Facebook or Instagram, go to Settings > Privacy to control who sees your data and manage ad preferences.


3. Submit a Data Request

Under DPDPA, companies must provide a mechanism (usually via email or web form) to:

  • Access your data

  • Correct or delete it

  • Lodge complaints

Sample request:

“As per the Digital Personal Data Protection Act, 2023, I request access to all personal data your company holds about me. Kindly also provide details about the purpose of processing and any third parties with whom my data has been shared.”


4. Escalate to the Data Protection Board

If a company ignores your requests or violates your rights:

  • File a formal complaint with the Data Protection Board of India once it is operational.

  • Provide supporting documentation such as screenshots, previous emails, or proof of consent denial.


Real-Life Scenario: How the DPDPA Helped Ramesh

Ramesh, a college student from Pune, used a free resume-builder app. He later found his resume posted on a job portal without his knowledge. The app had collected and misused his personal data without proper consent.

Under DPDPA, Ramesh contacted the app developer and demanded deletion of his data and proof of action taken. When they ignored his requests, he lodged a complaint with the Data Protection Board (once active), which penalized the company and enforced data erasure.

This case highlights how DPDPA shifts power back to the individual.


Challenges Ahead

While DPDPA is a great step forward, its success depends on:

  • Public awareness: Citizens must know and exercise their rights.

  • Efficient enforcement: The Data Protection Board must act swiftly and transparently.

  • Corporate compliance: Businesses need to prioritize privacy, not just treat it as a legal formality.


Conclusion

The Digital Personal Data Protection Act, 2023, marks a historic shift in how India treats data privacy. For the first time, it places you—the citizen—at the center of control over your personal data.

From giving explicit consent to accessing and deleting your data, to holding companies accountable for violations, DPDPA empowers you like never before. It lays the foundation for a safer digital India where privacy is not a luxury, but a legal right.

In an age where “data is the new oil”, this law ensures you’re not just a product—but an empowered individual.

So the next time an app asks for access to your gallery or contacts, think twice—and remember, you have the right to say no.

rahulsharma