INTRODUCTION
Ever searched for a health supplement online, and within minutes, your Instagram and YouTube feeds are flooded with ads for weight-loss pills and protein shakes. A few days later, a telecaller tries to sell you a diet plan mentioning details you never shared with them directly.
That’s because of data surveillance. Your personal information, including your name, browsing habits, location, even phone number was likely collected, shared, and monetized without your explicit consent.
Globally, high-profile cases like the Cambridge Analytica–Facebook scandal have shown how unchecked data usage can manipulate public opinion and violate individual rights. In India too, there have been disturbing instances of personal data leaks from telecom providers, banks, hospitals, and even government portals. To curb this misuse and empower citizens, India introduced the Digital Personal Data Protection (DPDP) Act, 2023. This landmark legislation grants individuals strong, enforceable rights over their personal data.
In this blog, we decode the 10 key rights you now enjoy under the DPDP Act and why every citizen, lawyer, and privacy-conscious user should understand them.
WHO ARE THE KEY STAKEHOLDERS ?
Before diving into the rights, it’s essential to understand two fundamental terms defined under the Act:
- Data Principal: The individual to whom the personal data relates, i.e., you.
- Data Fiduciary: The entity (company, organization, app, etc.) that determines the purpose and means of processing your personal data.
KEY RIGHTS UNDER THE DPDP ACT, 2023
- Right to Access Information – Legal Basis: Section 11 of DPDP Act, 2023
You have the right to know what data is being collected, why, and with whom it is shared. This is rooted in the right to privacy as a fundamental right under Article 21 of the Constitution. It ensures transparency and prevents hidden data practices.
Case Law: In K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, the Supreme Court recognized privacy as a fundamental right under Article 21.
- Right to Correction and Erasure – Legal Basis: Section 12 of DPDP Act, 2023
Data principals have the right to ask for their personal data to be corrected if it is incorrect, incomplete, or outdated. They can also request that their data be deleted in certain situations, such as when it is no longer needed for the reason it was collected or if they choose to withdraw their consent.
Case Law: Indian Express Newspapers v. Union of India, AIR 1986 SC 515 emphasized the importance of factual information in upholding democratic rights.
- Right to Consent and Withdrawal – Legal Basis: Section 6 of DPDP Act, 2023
Your personal data cannot be collected or processed without your free, informed, specific, and unambiguous consent. You can also withdraw consent at any point. It gives you complete control over when and how your data is used.
Case Law: Anuradha Bhasin v. Union of India, (2020) 3 SCC 637 emphasized the principle of necessity and proportionality in state actions affecting digital rights.
- Right of Grievance Redressal – Legal Basis: Section 13 of DPDP Act, 2023
You have the right to raise a complaint regarding the handling of their personal data by either the data fiduciary or the consent manager.
Case Law: People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301 laid down procedural safeguards for surveillance, a precedent for redressal mechanisms.
- Right to Nominate – Legal Basis: Section 14 of DPDP Act, 2023
You can nominate another person to exercise your rights under this Act in the event of your death or incapacity. It prevents misuse of your data and ensures protection.
- Right to Data Portability
Though not expressly stated, it can be inferred under Sections 11 and 12 of DPDP Act, 2023. The DPDP Act implies that individuals can access and transfer their personal data to other service providers. This concept aligns with Article 20 of the GDPR, which promotes user autonomy in switching between digital platforms.
- Right to Be Informed About Data Breaches – Legal Basis: Section 8(6) of DPDP Act, 2023
Data Fiduciaries are required to notify you and the Data Protection Board in the event of a personal data breach. It is important so that you can take prompt action like changing passwords, freezing bank accounts, or raising fraud alerts.
Case Law: Reinforced by Anuradha Bhasin, which emphasized timely notification and procedural fairness.
- Right Against Unlawful Automated Decision-Making
Although the Act does not ban automated decision-making, it limits significant decisions such as job offers, loan approvals, or profiling based solely on algorithms without human oversight.
Judicial View: Courts in India and globally have emphasized the need for fairness and human oversight in automated decisions, highlighted again in Puttaswamy.
- Right to File Complaints with the Data Protection Board – Legal Basis: Section 28 of DPDP Act, 2023
If your grievance isn’t resolved satisfactorily by the Data Fiduciary, you can file a complaint with the Data Protection Board of India, which has the powers to:
- Conduct inquiries
- Impose monetary penalties
- Enforce compliance
- Order compensation for data harms
- Right to Fair and Lawful Processing – Legal Basis: Section 4 of DPDP Act, 2023
Data should be collected lawfully, fairly, and only for specified purposes. This forms the ethical backbone of the DPDP Act.
Case Law: K.S. Puttaswamy, PUCL case, both emphasize legality, fairness, and proportionality as essential elements of privacy.
JUDICIAL DEVELOPMENTS & GLOBAL INFLUENCE
- K.S. Puttaswamy v. Union of India (2017): Privacy declared a fundamental right.
- PUCL v. Union of India (1997): Established surveillance safeguards.
- Anuradha Bhasin v. Union of India (2020): Stressed proportionality.
- Justice B.N. Srikrishna Committee Report: Laid groundwork for the DPDP Act.
- GDPR Influence: Inspired India’s framework on consent and data rights.
LIMITATIONS AND EXCEPTIONS
Your rights may be limited in cases involving:
- National security, sovereignty (Sections 17 & 18)
- Public interest or legal obligations
- Statistical/research purposes with anonymized data
CONCLUSION
The DPDP Act, 2023 marks a shift in India’s digital rights landscape. With enforceable mechanisms and judicial backing, it empowers individuals to control and protect their personal data. In today’s digital world, understanding your rights is not just useful, it’s essential. Next time a website asks for your location or contact list, remember: You have the legal right to say yes, no, or even change your mind later.
