The Digital Personal Data Protection Act, 2023 [“DPDP Act”] is India’s first comprehensive legislative attempt to regulate personal data protection in an era where AI and algorithmic governance are predominant. However, the law’s unclear language especially in the areas of consent, deemed consent, harm, and State surveillance exemptions creates difficulties related to the constitution and its interpretation.
This paper analyses the impact of such uncertainties on the core of the right to privacy under Article 21 and the manner in which Indian courts may construe these provisions by reference to the established principles of legality, necessity, proportionality, and constitutional morality.The research through doctrinal and interpretative means, casts light on the interaction of the DPDP Act with AI-powered systems for profiling, automated decision-making, and algorithmic bias.
The paper, among others, referencing a plethora of international sources, argues for a more flexible approach of statutory interpretation in order to protect informational autonomy and human dignity in the digital age.The paper, in fact, sees the fate of the law as hinged upon judicial interpretation, that is to say, whether courts employ a rights-centric, purposive approach which enables privacy to be balanced with technological innovation and State interests under India’s digital constitutionalism framework that is evolving.
The Digital Personal Data Protection Act 2023 [“DPDP Act”] reflects major change in how India’s law deals with the global challenges of data governance and privacy in the digital age. After long years of deliberation, the legislation tries to strike a balance between giving the individual his right to privacy and allowing the state to impose regulations for security purposes. However, such balancing is fragile. The Act’s overall approach along with its unfixed terms i.e. “Public interest”, “harm”, “deemed consent”, and “national security” render it problematic as the definitions have been left open to interpretation to be done by the executive and judicial branches of the government.
The primary aim of the DPDP Act is to lay down a data protection framework based on the constitutional right to privacy as recognized in Justice K.S. Puttaswamy (Retd.) v. Union of India. Yet, it differs from the court decision in that it allows the public and private entities a broad scope of action. Section 7 on deemed consent and Section 17 on State exemptions, are examples of how the drafter’s indeterminacy can gradually strip informational autonomy away. The Act does so by switching from one mode of protecting citizens to another mode of empowering regulators thus mirroring the bigger interaction of liberty vs. governance in the Indian digital law system.
On top of that, the exponential development of Artificial Intelligence further complicates the matter. To operate, AI systems require continuous data input and use predictive profiling methods which go beyond the limits of even the most rigorous consent-based regulations. As the DPDP Act is still very much a product of traditional ideas of informing the user of the purpose of data collection, it cannot realistically handle issues such as automated decision-making and algorithmic bias. The difference here has to be filled with the application of purposive interpretation so as to be sure that privacy standards progress in tandem with technological advancements.
Consequently, this paper views the resolution of the DPDP Act’s interpretative difficulties and the scope for judicial action through a constitutional viewpoint. The Authors seek to highlight that not only literal but also judicial interpretation of the law is necessary, the judiciary should read the law in a way that is consistent with the values of the Constitution, hence adopting a rights-centric approach. The courts can use the concepts such as proportionality and purposive construction to convert the legislative uncertainty into the framework which both guarantees privacy and allows for innovations.
This work places the DPDP Act within a worldwide conversation about digital constitutionalism and points to the fact that the future of privacy in India will be less dependent on the statutory provisions than on the judicial institutions’ interpretative integrity
The Legislative Context and Structural Ambiguity
The DPDP Actis India’s first major visible effort to have a law governing personal data. Fundamentally, the law is a schizophrenic attempt, on the one hand, it tries to guarantee the privacy of individuals but, on the other hand, it gives the State large powers to engage in surveillance and regulate individuals. This contradictory tendency to swing between individual rights and State interests creates a surveillance dilemmaechoes our past battle history of rights versus security which today is much more pronounced in the digital sphere.
The use of words such as “public interest,” “harm,” “deemed consent,” and “national security”, throughout the Act, without any proper definition to shed light on them, leaves a massive scope for arbitrary interpretation and creating grey areas. When statutory words and phrases are left undefined, or are considered vague, this weakens the legality principle that forms the basis of the rule of law, as confirmed in the case ofS.G. Jaisinghani v. Union of India, where the Supreme Court stated that “the absence of arbitrary power is the first essential of the rule of law.”
Because of the uncertainties of the DPDP Act, the risk of taking the Act literally or textually is such that administrative convenience will override constitutionally guaranteed rights. The judiciary in that case should interpret the DPDP Act as a purposive one, taking into account Article 21 and the right to privacy in Puttaswamyv. Union of India, where informational autonomy was considered to be derived from human.
Consent and Deemed Consent – The dilution of Autonomy
We first look at the Textual reading, The first item on the list is that DPDP Act Section 6 necessitates that consent is “free, specific, informed, and unambiguous.” Nevertheless, the next section introduces the concept of “deemed consent” for data processing in cases such as employment, public interest, or benefit of the data principal. While this device might appear to be a practical one, it actually confuses the border between express and implied consent.
This mix of those two terms dismantles the voluntariness of consent, a core privacy principle recognized in Selvi v. State of Karnataka, where the apex court stated that the forced collection of personal data is a violation of personal liberty. On the same note, District Registrar and Collector v. Canara Bank, affirmed that the State too cannot enter the informational privacy realm without the due process.
The Interpretative Issue then allows for us to adopt a literal view of section 7, which, at first glance appears to permit quite invasive data collection ostensibly justified in Public interest. Nevertheless, remembering Puttaswamy, restrictions on privacy come with a mandatory threefold test firstly to be legal, then necessary, and proportional. Therefore, “deemed consent” should be considered only in such cases where it is impossible to get express consent, and where the purpose clearly corresponds to legitimate State objectives.
Besides that, R. Rajagopal v. State of Tamil Nadu, emphasized the individual’s “right to be let alone.” When the government decides on behalf of the citizenry, this freedom is in danger.
For a Comparative Insight, The GDPR through Articles 6–7 mandates explicit consent and provides processing without consent only under narrowly enumerated legitimate grounds. The CJEU in Planet49 GmbH, ruled that consent can’t be derived from silence or pre-ticked boxes, and that an active indication of will is required.
The U.K. The Supreme Court in Lloyd v. Google LLC also emphasized that data subjects must have “real choice and control” over data use.
Thus, Indian courts have been known to interpret “deemed consent” in a restrictive manner in line with the constitutional ethos of autonomy. Consent ought to be an affirmative one and dependent on the situation, rather than being presumed by default. Any wider interpretation of this concept would mean less control for the individual over her/his personal data the very right that the DPDP Act is aimed at safeguarding.
The undefined concept of “Harm” and its consequences
The DPDP Act is very clear that “harm” is the main thing on which penalties are based (sections 33-36) but it never defines this word. This silence leads to a serious vacuum for the enforcement of the law.
In Justice K.S. Puttaswamy (Aadhaar-5J) v. Union of India, the Court held that violations of privacy do not have to be measurable to be of constitutional importance. Therefore, “harm” cannot be limited to only economic or physical damage; it also has to cover dignitary, emotional, and reputational harms.
Besides, in K.S. Puttaswamy (Retd.) the Court associated privacy with dignity and autonomy thus forming the base for a non-material idea of harm. In the same way, in Maneka Gandhi v. Union of India, the Court widened Article 21 to include concepts of justice and reason, thus indicating that even the intangible harms are under this law.
A limited understanding of harm would take away the right of individuals to seek privacy breaches that are non-economic, which is against the worldwide standard. According to GDPR Recital 75, harm comprises “discrimination, identity theft, fraud, reputational damage, or loss of control.” The Australian Privacy Act similarly recognizes psychological harm.
Hence, Indian courts, using a purposive and constitutional approach, are likely to interpret “harm” in a broad sense – including all injuries to dignity, reputation, or autonomy, thus coordinating the DPDP Act’s redressal provisions with the revolutionary vision of substantive privacy protection.
Exemptions and Critical Assessment
Section 17 gives the Central Government the authority to free any State body from following compliance obligations due to reasons such as sovereignty, national security, public order, or friendly relations with foreign States. None of these terms are defined or qualified, thus putting at risk an unlimited executive discretion and unregulated data surveillance without any control.
In People’s Union for Civil Liberties (PUCL) v. Union of India, the Supreme Court required that surveillance be conducted only after due process and stated that, in particular, an unregulated wiretapping results in breach of the right to privacy. In Anuradha Bhasin v. Union of India, the Court held that limitations on rights should be necessary and proportionate.
The principle of proportionality which the Court relies on in Modern Dental College v. State of Madhya Pradesh, means that any limitation must have a lawful purpose, be least restrictive, and be logically connected to the objective. Section 17 infringes this principle due to the lack of clear monitoring of its procedures.
Besides that, Kartar Singh v. State of Punjab, held that national security cannot be used as a reason for drastically reducing fundamental rights. Consequently, judges have to interpret Section 17 in such a way that it makes all the exceptions subject to their scrutiny under the Puttaswamy proportionality framework, thereby not allowing executive convenience to benefit at the expense of privacy. The imprecisions in the DPDP Act are a sign that the act is a compromise between safeguarding privacy and the governing body’s rights. Undefined terms like “harm,” “public interest,” and “deemed consent” have the potential to turn rights guaranteed by the constitution into privileges granted by the administration. The statute’s broad surveillance exemptions further erode accountability.
It will be a judicial intervention that will have the power to bring about a change in the situation. The courts are the ones to harmonize the DPDP Act with Article 21, Article 14, and the doctrine of proportionality through their interpretations, thus making privacy a substantive constitutional right and not a conditional concession.
In the end, the effectiveness of the Act will be judged by whether the judiciary takes on a rights-preserving interpretative approach, thereby turning the legislative ambiguity into an avenue for constitutional enhancement thereby ensuring that the Indian data protection framework reflects dignity, autonomy, and accountability as its fundamental values.
Conclusion
The Digital Personal Data Protection Act 2023 is a landmark law in India’s attempt to regulate digital privacy. The Act reveals the contradictions between technological progress and individual rights. The analysis of the ambiguities of the legislation, presented in this study highlight that the interpretation of the law by the courts will largely determine whether the DPDP Act is a success or not.
The law is full of undefined terms such as “harm”, “public interest”, “deemed consent” and “reasonable purpose” that leave a lot of room for interpretation. If these terms are left without definition, it will be possible to justify the expansion of executive power and there will be less protection of privacy.The court decisions leading to Puttaswamy, Maneka Gandhi, Anuradha Bhasin, and PUCL taken together, argue that privacy should not be considered a privilege granted by statutes, but a fundamental right that is the basis of human dignity and freedom.Thus, if these terms are understood in the context of constitutional principles like legality, necessity, and proportionality, they can be viewed as means of protection. Thus, the judiciary has the responsibility to ensure that local administration under the Act is in accordance with the constitution.
Sunidhi Khabya is a 3rd-year BA.LL.B (Hons) student at National Law University, Jodhpur. Her areas of interest include constitutional law, data protection, privacy, technology law, and international maritime law. She has contributed to research on digital privacy frameworks and emerging legal issues, and her publication “Anchoring Maritime Laws: Exploring China’s Maritime Lien Laws and Lessons for International Legal Reform” appears on the ICS Research Blog, Institute of Chinese Studies, Delhi.
Satviki Agnihotri is a 3rd-year BA.LL.B student at National Law University, Jodhpur. Her areas of interest include international arbitration, data protection, privacy, and governance law. She serves as Associate Editor at the Indian Journal of Arbitration Law and has previously worked as Copy Editor there. She is also actively involved with the Centre for Research in Governance, Institutions and Public Policy (Senior Member), the Centre for Gender Studies (Senior Member), and the Centre for Wellness and Counselling at NLU Jodhpur.
Author Name- Sunidhi Khabya is a 3rd-year BA.LL.B (Hons) student at National Law University, Jodhpur
