LIJDLR

Data Fiduciary

CRITIQUING THE ‘NOTICE AND CONSENT’ FRAMEWORK WITHIN INDIA’S DPDP ACT, 2023 AND CONSUMER PROTECTION REGIMES

Nitin Shukla, PhD Research Scholar, Faculty of Law, University of Lucknow, Lucknow (India)

doi.org/10.70183/lijdlr.2026.v04.14

The introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act) is a landmark in the digital jurisprudence in India that transformed the country into a unified statutory framework, moving away from a disjointed regulatory framework of the Information Technology Act, 2000, to a centralized one, based on the Notice and Consent approach. This research paper critically, in detail, and exhaustively critiques this framework, enshrined in the DPDP Act, Sections 5 and 6, by contrasting it with the parallel remedial framework of the Consumer Protection Act, 2019, in Section 7, the so-called Legitimate Uses exception. This paper is based on the thesis that the standard of a valid consent stated in the DPDP Act, including the necessity of a free, specific, informed, unconditional, and unambiguous consent, is quite high, but the realities of consent fatigue and limited rationality combined with the broadly defined statutory exemption would tend to diminish those requirements to a mere legal fiction. Moreover, the paper also points to a very important jurisprudential difference, namely, the centralization of the enforcement in the Data Protection Board of India (DPBI) with penalties accruing to the State, but the absence of direct compensation to Data Principals in the form of harm definition is also identified. The legislative option unwittingly increases the CPA as the main source of individual remedial compensation on harms of privacy, namely under the category of “Unfair Trade Practices” and “Unfair Contracts.” By comparing and contrasting with the GDPR and the PDPA of Singapore, and looking at the new Indian case law such as the Ashwani Chawla v. Flipkart Internet Pvt. Ltd., this study explains the confusing dual-compliance environment in which mobile numbers of collection cases are now being determined as cases of consumer protection following recent rulings on this topic by Chandigarh Commission. This paper concludes that the convergence of these two regimes forms a requisite yet discordant system of checks and balances, in which the failures of the DPDP Act consent model should be compensated by the application of the consumer law principles of dark patterns and fiduciary responsibility in good faith.


CONSENT MECHANISMS UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A COMPARATIVE LEGAL ANALYSIS WITH GDPR AND CCPA/CPRA

Vedant Raj Chaurasiya, BBA LLB (Final Year – X Sem.), Amity Law School, Amity University Madhya Pradesh

doi.org/10.70183/lijdlr.2025.v03.61

Consent remains a foundational pillar in contemporary data protection frameworks, yet its normative basis, scope, and enforceability vary significantly across jurisdictions. India’s enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) signals a shift towards a consent-centric model, but this framework departs in meaningful ways from the paradigms established under the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), as enhanced by the California Privacy Rights Act (CPRA). This paper conducts a structured comparative and doctrinal analysis to examine how each of these regimes conceptualizes consent, the role of enforcement mechanisms, and the degree of autonomy afforded to individuals. The GDPR situates consent within a rights-based approach, requiring it to be freely given, informed, specific, and revocable—supported by institutional safeguards like independent data protection authorities and mandatory risk assessments. Conversely, the CCPA/CPRA reflects a consumer-choice model where transparency and opt-out functionality dominate, with consent obligations emerging only in limited scenarios. The DPDP Act, though framed around consent, weakens its efficacy by introducing expansive “deemed consent” provisions and lacking critical oversight tools such as mandatory Data Protection Impact Assessments (DPIAs) or a fully independent regulatory authority. The analysis further explores the consequences of this design on India’s cross-border data transfer capability, especially its divergence from GDPR adequacy standards. Arguing for the evolution of a consent-plus architecture, this paper recommends enhancements such as fiduciary accountability, dynamic and context-sensitive consent models, and user interfaces tailored to India’s socio-linguistic diversity. These interventions are imperative for strengthening user autonomy, enhancing legal coherence, and enabling India’s data regime to stand alongside global best practices in digital rights governance.


NAVIGATING THE PERSONAL DATA CONTOURS UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT 2023

Amri Gupta, Student at ICFAI Law School, IFHE, Hyderabad.

ABSTRACT

The Digital Personal Data Protection Act, 2023, is a pivotal legislation in India’s digital governance landscape, aiming to address the growing need for robust data protection laws in the digital era. It defines and regulates personal data, introducing key entities like Data Fiduciary and Significant Data Fiduciary, along with strict obligations and penalties for non-compliance. However, the Act’s impact is not without challenges, particularly in its potential conflicts with the Right to Information Act, 2005. Amendments to the RTI Act’s Section 8(1)(j), expanding non-disclosure of personal data-related information, raise questions about the balance between data protection and the fundamental right to information. The role of the Data Protection Board emerges as crucial, tasked with providing clarity and guidance on the Act’s implementation. This article underscores the importance of striking a balance between data protection and the right to information, calling for nuanced approaches that safeguard privacy while ensuring transparency and accountability. It examines the Act’s provisions and highlights challenges, emphasizing the vital role of the Data Protection Board in providing much-needed clarity. The analysis stresses the need for clear guidelines and robust regulatory oversight to ensure the Act’s effective implementation. While the DPDP Act 2023 is a significant stride in data governance, the importance of well-defined guidelines becomes evident as India adapts to the intricacies of the digital age.

Type: Research Paper

Information: LawFoyer International Journal of Doctrinal Legal Research, Volume I, Issue IV, Page 98-112.

Creative Commons Copyright: This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Copyright © LIJDLR 2024
