Abstract
The Digital Personal Data Protection Law, 2023, along with the newly enacted Rules, 2025, marks the beginning of the operation and enforceability of the Act and its subordinate Rules in India. The Act lays emphasis on recent internet and media trends and on the sensitivity of personal data in this arena, regulating various sectors, classifying them as data fiduciaries and setting out their consequent responsibilities. This blog aims to highlight the discrepancies in the real-time implementation of the protection laws and to suggest practical solutions for them.
Unconscious Digital Consumption and Its Impact
It cannot be disputed that we consume information rather unconsciously: vast, insurmountable data for which we have no need until it is heard, seen or shared with us. What do we even do with knowing how to make dairy-free alfredo pasta at 3 a.m.? Are we even aware of the kind of exposure our brains are prone to, and what conscious choices are we making to stay out of this vicious loop? We all know that this chronic scrolling of reels and social media participation is a cheap replacement for dopamine, and yet, though we constantly struggle to climb the ladder higher and higher, we choose the cheapest outlet, lowering our standards. If this is the plight of us adults, what about the younger pool of the future? Are they realizing the consequences of such an unregulated environment, where a simple ‘I agree’ can let a stranger into their personal seclusion, and where this brazen act could lead to unutterable situations in which a child is obviously too scared to seek help and therefore just succumbs to the threat?
Legislative Awareness and Policy Response
Our so-called elected representatives did ponder a lot about this, which is very much evident in the newly enacted Act and its ancillary Rules, which aim to extend protection to the most vulnerable and most active section of society. This century has to be applauded for one reason only: it made us believe that nothing is possible without an active digital connection. Your essay is not good enough since there is no mention of the recent internet trend; your fashion sense is off because it is not aesthetic enough; you have no social life since you don’t doom scroll in every break that you get, or you have a short attention span. Can’t read a whole page mindfully without the trending song ringing at the back of your mind? Congratulations, you rightfully belong here.
Digital Companionship and Social Dependency
Humans were never designed to survive alone. We are a non-entity without companionship and were orchestrated to thrive with our peers. This does sound like a lot of work, right? So yes, we did welcome accessible digital connection into our lives. This was supposed to stop at phone calls and messaging, but then came social media and a whole other level of networking. Why not seek companionship with anyone? Why just our peers?
The Boon–Bane Dichotomy and the Need for Law
This was a whole package of boon and bane in itself, and to counter the bane we now require ‘Laws’. Account breaches and invasions of privacy need to be gunned down, and are our Laws realistic enough to effectuate it?
Minority, Consent, and Contractual Paradox
Indian Laws prescribe that you are a minor if you are under the age of 18: any contract that you enter into is void ab initio (with few exceptions), and you are incapable of contracting. Yet, when minors click the ‘I agree’ button on every site they visit to share cookies, record their personal data or share it with third parties, they are conceptually competent enough and presumed to be adults. Such click-baited consent does mimic a contract, but it is argued that it is only data processing and not a formal contract. Is this not counter-intuitive? This juxtaposition of wordplay around ‘minor’ puts up a paradox. How can you be incapable and capable of saying ‘yes’ at the same time?
Parental Consent Framework under the DPDP Act
The Act introduces the concept of parental consent for processing the data of individuals below the age of 18. Consequently, it prescribes that all kinds of tracking, targeted advertisements and behavioural monitoring directed at children be prohibited. While adults undoubtedly need such protection too, the Act aims to establish sector-specific Significant Data Fiduciaries, classifying entities and setting the rules for establishing and processing the data of children after receiving ‘verifiable consent’ from the parent/guardian. They are supposed to dispose of the collected data within a prescribed period and, fundamentally, to classify content by age and delineate it accordingly for a minor consumer. The main concern here is implementation, when several browsers let you skip such a verification stage and it is a painless routine to morph the required adult’s consent.
Regulatory Gaps and Sectoral Exclusions
It is undeniable that digital access adds to the creativity, learning and opportunities of children, and the same empowering tool can expose them to profound privacy harms if left realistically impossible. There is only a fine line between regulatory restriction and overreach, and the Act has addressed this only superficially. Another point worth mentioning is the exclusion of healthcare systems from being regarded as ‘Data Fiduciaries’: they are allowed to store all kinds of personal data (health data), with no provision for non-retention of that data after its use. The AIIMS data breach of 2022 is a classic example of how such non-regulated entities are exploited and are equally vulnerable to cyber attacks. The DPDP Act imposes substantial financial penalties for non-compliance by Data Fiduciaries. The highest penalty, up to Rs. 250 crore, applies to the failure of a Data Fiduciary to maintain reasonable security safeguards. Failure to notify the Board or affected individuals of a personal data breach, as well as violations of obligations relating to children, can each attract penalties of up to Rs. 200 crore. Any other violation of the Act or Rules by a Data Fiduciary may attract penalties of up to Rs. 50 crore. While hospitals, the treasurers of our personal records (records more personal than our toothbrushes), are not data fiduciaries, where is the provision to protect us from data breaches at such entities? Is our consent to hospitals an exception, or is our data here not ‘personal’ enough?
Practical Safeguards and Policy Recommendations
One of the most practical measures for securing such vulnerable data is encryption. A committee should be set up internally, in both data fiduciary entities and non-data fiduciary entities, to regulate the processing, storage and transfer of such data. The Government should allocate subsidies or credit points to such entities to encourage healthy practices and, more importantly, there is a need for mass education of parents and children in every sector about the consequences of their choices, through different mediums according to the literacy gaps. This poses as parliamentary activism and not regulatory outreach, and is hence proportional to the expectations of the democratic people, upholding their right to privacy in its true essence.