Radhika Bohare, Student of LLM, Amity Law School, Amity University Madhya Pradesh, Gwalior
Dr. Arun Sharma, Associate Professor, Amity Law School, Amity University Madhya Pradesh, Gwalior
Abstract
The acceleration of digital technologies has raised the issue of data privacy and safety to a high level, especially among IT corporations that handle great amounts of personal data. With the growth of online services, social media, and digital platforms in India, there is an increased risk of data misuse, breaches, and unauthorized access. This paper discusses the existing data protection regime in India, in particular the Digital Personal Data Protection Act, 2023, which has been able to mitigate these issues. It examines the role of IT firms in safeguarding the data of their users and the real-life difficulties they experience in meeting the stipulations of the law.
Other major concerns raised in the study are lax enforcement, lack of awareness among users, the difficulty of dealing with cross-border information and the growing number of cyber threats. Although the law provides a methodical approach to data protection, its efficient implementation and accountability are yet to be realized. The paper states that stronger enforcement, greater awareness and responsible practices by companies are needed to ensure that data privacy is not violated in the cyber arena.
Keywords: Data Protection, India, Cyber Security, Data Privacy, IT Companies.
- Introduction: –
In the current digital age, technology has become a significant aspect of daily life, and IT companies play a significant role in offering online services, applications, and platforms. From social media to online banking and online shopping, a lot of personal information is gathered, stored and processed daily.[1] This has led to more concerns over how this data is being used and whether it is being adequately safeguarded. Cases of data breaches, identity theft, and unauthorized access have made privacy and security significant issues for both individuals and businesses. In India, the need to regulate the processing of personal data gave rise to the Digital Personal Data Protection Act, 2023, which aims to provide a legal framework for data protection and to define the responsibilities of companies that deal with personal information.
Nevertheless, even with such laws in place, issues persist as regards enforcement, awareness, and compliance. Most IT businesses are working hard to balance the needs of the business with privacy, and users are not made aware of their rights. It is therefore important to examine the effectiveness of the existing system and whether it can cope with the increasing concerns about data privacy and security in the digital environment in India.[2]
- History of Data Protection Regulation in India: –
The enactment of data protection laws in India has been progressive and has moved in tandem with the rise of digital technology and use of the internet. Initially, there was no law devoted specifically to the protection of personal data, and questions of privacy were considered only in a rather narrow sense within the framework of general laws. One of the first steps in this direction was the Information Technology Act, 2000, which mostly focused on cybercrimes, electronic records and online transactions. Even though some provisions and rules were subsequently introduced to address data protection, they were not extensive enough to handle the growing complexity of digital data usage. With more services going online and the rise in internet penetration, concerns about the misuse of data, surveillance, and breaches came to the forefront, and the need for more solid legal frameworks was recognized.[3]
Over the years, the government has set up committees and introduced draft bills to study and recommend improvements to data protection. These attempts later resulted in the enactment of the Digital Personal Data Protection Act, 2023, which is a significant move towards a systematic approach to data privacy in India. The Act is founded on major principles including consent, purpose limitation, and accountability, and it puts the burden on organizations, including IT companies, to handle personal data with care. Although this development is an improvement in aligning India with international standards, data protection law is still developing. The actual challenge lies not just in formulating laws but also in ensuring their proper implementation in a fast-changing technological world.[4]
- Legal Framework of Data Protection in India: –
The current regime for the protection of personal data in India is built on the Digital Personal Data Protection Act, 2023, and the supporting provisions of the Information Technology Act, 2000. This framework seeks to control how personal data is collected, used, stored and shared by organizations, especially those operating in the online environment, such as IT companies. The Act also provides a definition of data fiduciaries, which are the parties that determine the purpose and means of handling personal data, and places a legal responsibility on them to ensure such data is handled responsibly. It points out that personal data must always be processed in accordance with the law, and that consent is a key aspect of the law.[5]
The provisions are also concerned with data security and with companies taking reasonable steps to ensure that personal information is not accessed, breached or abused by unauthorized persons. In the event of a data breach, organizations are expected to report it to the relevant authorities and, in some cases, to the affected individuals. The law also provides penalties where companies do not abide by its provisions, thereby encouraging better data protection practices. At the same time, individuals are granted certain rights, such as the right to access their data and demand correction or deletion, which could help them gain more control over their personal information.[6]
Although there is a well-developed legal framework, its practical implementation is still challenging. Difficulty in comprehending some of the provisions, low awareness among users and the challenges companies face in ensuring full compliance are some of the issues that could weaken the effectiveness of the law. Therefore, although the legal framework provides a good platform for data protection in India, its effectiveness primarily depends on how well it can be enforced and how it keeps up with changes in technology.
- Role of IT Companies in Data Privacy and Security: –
IT companies are at the heart of the digital ecosystem, since they are the ones that collect, store and process large amounts of personal data. Their duties are not limited to simple service provision but also include taking a reassuring and accountable approach to user data. According to the Digital Personal Data Protection Act, 2023, these companies must adhere to specific requirements in working with personal data, including obtaining the necessary consent, providing transparency, and using data only in legitimate cases. This makes IT firms crucial stakeholders in ensuring user privacy in the online world.[7]
In order to maintain data security, companies are expected to implement numerous technical and organizational measures including encryption, secure storage systems, firewalls, and regular security audits. They should also be ready to act promptly in the event of data breaches and take corrective measures to minimize harm. Nevertheless, maintaining a high level of security is not always a simple task, considering the ever-growing complexity of cyber threats. The challenge many companies face is to keep their systems up to date and ensure the data is not vulnerable to advanced hacking methods.
A second crucial task of IT companies is to establish the trust of users through transparency about how data is gathered and used. User agreements, privacy policies, and effective communication are very significant in this process. At the same time, businesses need to find a balance between pursuing business goals, including the use of data to deliver services and targeted advertising, and the necessity to respect user privacy. Smaller businesses, specifically, might struggle to address all compliance needs because of limited resources. As such, although IT companies are on the frontline when it comes to ensuring that data is effectively protected, they also encounter a number of practical challenges in doing so.[8]
- Issues and Challenges in Data Protection: –
Although the Digital Personal Data Protection Act, 2023, has been introduced, a number of issues and challenges still affect the effectiveness of data protection in India. One of the gravest issues is the growing number of data breaches in which sensitive personal data is exposed due to a weak security system or a cyberattack.[9] Besides causing financial and personal losses to users and making digital platforms appear unreliable to them, these events also reduce the confidence users have in digital platforms. A lot of IT companies (and smaller ones in particular) are unable to take effective security measures due to a lack of resources and technical know-how.
The second significant issue is that users are not aware of their data rights. The majority of people do not fully understand the repercussions of their consent and in most cases give it without full knowledge of what they are agreeing to. This undermines the purpose of the law, as informed consent is one of the key aspects of the Act. Moreover, there are issues associated with cross-border data transfer, where data stored on foreign servers might not be completely safeguarded under Indian laws. This poses legal challenges and makes enforcement more difficult.[10]
Implementation is also a significant issue. Even though the legislation provides for penalties and compliance requirements, actual implementation depends on the ability of the regulatory authorities to impose them, as well as on the willingness of companies to comply with the rules. The dynamism of technology also makes it difficult for the laws to keep up with new forms of data usage and cyber threats. All these issues show why a legal framework alone is not sufficient and why constant work is necessary to raise awareness, enforce the existing laws and adapt to the new digital world.
A second crucial task of IT companies is to establish the trust of users through transparency about how data is gathered and used. User agreements, privacy policies and effective communication have a very significant role in this process. At the same time, businesses must strike a balance between meeting business objectives, such as using data to provide services and targeted advertising, and the need to uphold user privacy. In particular, smaller businesses may not be able to cover all compliance requirements due to finite resources. In this regard, though IT companies are on the frontline when it comes to ensuring that data is effectively protected, they also face a number of practical challenges in doing so.[11]
- A Comparative View of Data Protection Laws: –
An examination of the data protection systems of other nations should help establish where India stands and where improvements can be made. Various nations have adopted various strategies in accordance with their legal frameworks and technological advancement. For example, the European Union provides strong and comprehensive rights for individuals and imposes heavy obligations on companies under the General Data Protection Regulation (GDPR). It is aimed at explicit consent, data minimization and harsh penalties for violations. This has made the GDPR one of the most potent data protection laws in the world today.[12]
On the other hand, the United States follows more of a sector-based approach in which different laws apply to different sectors, such as the healthcare and financial sectors, among others. It is flexible but may lack the uniformity of one comprehensive law. India's approach, based on the Digital Personal Data Protection Act, 2023, is still developing compared to these models. It shares some international standards like consent and accountability but is more preoccupied with the need to balance regulation against the needs of digital growth.
Although India has taken a good step by developing a dedicated law on data protection, improvements can still be made in the areas of enforcement, user awareness and clarity of the provisions. Drawing on experience gained at the global level, India can strengthen its framework and address the existing gaps. A well-balanced system that safeguards user rights and enables innovation is essential to create a safe and reliable digital space.[13]
- Policy Interventions for Strengthening Data Governance: –
To make data protection in India more effective, both the legal framework and its practical implementation should be reinforced. One of the critical steps is more intensive enforcement of the Digital Personal Data Protection Act, 2023, through provision of the necessary resources, technical skills, and powers to the regulatory bodies. Monitoring and timely response to violations can make IT companies more accountable and increase compliance rates. Guidelines and simplified processes can, meanwhile, help companies (including smaller ones) to understand and comply with the legal requirements more easily.
Another major reform is to create awareness among users regarding their data rights. Many of them have no idea how their personal information is used or what they can do to keep it secure. Sensitization, education and digital literacy initiatives can enable users to make informed decisions and demand better data protection practices from companies. Alongside this, IT companies should be encouraged to follow best practices such as conducting regular security audits, having clear privacy policies, and adopting responsible data handling practices.[14]
Also, it is necessary to address the issues connected with cross-border data transfer by formulating clear and consistent rules that ensure the protection of data even when it is stored in countries that do not belong to the Union. Further data protection can be achieved by strengthening the cybersecurity infrastructure and promoting collaboration among government, industry, and experts. By taking up such reforms, India will be in a position to create a more stable and secure digital space where innovation and user privacy receive equal consideration.[15]
- Conclusion: –
Digital technology has created a major issue in the present world, especially for IT companies that deal with a lot of personal data. India's introduction of the Digital Personal Data Protection Act, 2023, is a crucial step that will offer a systematic approach to the protection of personal data and will define the responsibilities of the organizations that work with it. This legal code can be regarded as a reflection of the country's efforts to adapt to the modern reality of electronic privacy and to correspond with international standards.[16]
However, despite these improvements, a few obstacles remain, including inadequate enforcement, lack of awareness and difficulty keeping up with rapidly changing technologies. IT firms play a very important role in this system since their activities directly influence the safety and privacy of user data. Thus, they need to move beyond minimum compliance requirements and take on responsible and open ways of managing data.[17]
In conclusion, a good and efficient system of data protection will require clear laws, their adequate application and active participation of both companies and users. India will be able to establish a secure online environment that does not endanger privacy and, at the same time, provides an opportunity to develop technologies.[18]
To sum up, the implementation of a powerful and efficient data protection system depends on a set of clear laws, appropriate implementation, and active involvement of companies and users. By fostering a safer digital environment that protects privacy and encourages technological progress, India can establish a safer online space that safeguards privacy and supports the progressive development of the law.
[1] Vidya, M. N. “Data Protection in the Era of Digitization: with Special Reference to Data Privacy and Data Localization in India.” PhD diss., Alliance University (India), 2025. Visited April 10, 2026.
[2] Vignesh, Balaji. “Data Privacy in the Digital Era: Evaluating India’s Regulatory Landscape.” LawFoyer Int’l J. Doctrinal Legal Rsch. 2 (2024): 732. Visited April 10, 2026.
[3] Zanfir, Gabriela. “Tracing the right to be forgotten in the short history of data Protection law: The “new clothes” of an old right.” In Reforming European Data Protection Law, pp. 227-249. Dordrecht: Springer Netherlands, 2014. Visited April 10, 2026.
[4] Dewitte, Pierre. “A Brief History of Data Protection by Design: From multilateral security to Article 25 (1) GDPR.” Technology and Regulation 2023 (2023): 80-94. Visited April 10, 2026.
[5] Protection, Data. “General data protection regulation.” Intersoft Consulting, Accessed in October 24, no. 1 (2018). Visited April 10, 2026.
[6] Martin, Nicholas, Christian Matt, Crispin Niebel, and Knut Blind. “How data protection regulation affects startup innovation.” Information Systems Frontiers 21, no. 6 (2019): 1307-1324. Visited April 10, 2026.
[7] Marsaid, Radlyah Hasan Jan, Miftachul Huda, E. Laxmi Lydia, and K. Shankar. “Importance of data security in business management protection of company against security threats.” J. Crit. Rev 7 (2019): 2020. Visited April 11, 2026.
[8] Henry, Lauren. “Information privacy and data security.” Cardozo L. Rev. De-Novo (2015): 107. Visited April 11, 2026.
[9] Panjwani, Mehdi, and Marko Jäntti. “Data protection & security challenges in digital & it services: a case study.” In 2017 International Conference on Computer and Applications (ICCA), pp. 379-383. IEEE, 2017. Visited April 11, 2026.
[10] Poritskiy, Nazar, Flávio Oliveira, and Fernando Almeida. “The benefits and challenges of general data protection regulation for the information technology sector.” Digital Policy, Regulation and Governance 21, no. 5 (2019): 510-524. Visited April 11, 2026.
[11] Sun, Pan Jun. “Privacy protection and data security in cloud computing: a survey, challenges, and solutions.” IEEE Access 7 (2019): 147420-147452. Visited April 11, 2026.
[12] Ishii, Kaori. “Comparative legal study on privacy and personal data protection for robots equipped with artificial intelligence: looking at functional and technological aspects.” AI & Society 34, no. 3 (2019): 509-533. Visited April 12, 2026.
[13] Scheibner, James, Marcello Ienca, Sotiria Kechagia, Juan Ramon Troncoso-Pastoriza, Jean Louis Raisaro, Jean-Pierre Hubaux, Jacques Fellay, and Effy Vayena. “Data protection and ethics requirements for multisite research with health data: a comparative examination of legislative governance frameworks and the role of data protection technologies.” Journal of Law and the Biosciences 7, no. 1 (2020): lsaa010. Visited April 12, 2026.
[14] Cuijpers, Colette, Nadezhda Purtova, and Eleni Kosta. “Data protection reform and the Internet: the draft Data Protection Regulation.” In Research handbook on EU internet law, pp. 543-568. Edward Elgar Publishing, 2014. Visited April 13, 2026.
[15] Ciriani, Stéphane. “The economic impact of the European reform of data protection.” Communications & Strategies 97 (2015): 41-58. Visited April 13, 2026.
[16] Strobl, Judith, Emma Cave, and Tom Walley. “Data protection legislation: interpretation and barriers to research.” BMJ 321, no. 7265 (2000): 890-892. Visited April 13, 2026.
[17] De Hert, Paul, and Vagelis Papakonstantinou. “The new General Data Protection Regulation: Still a sound system for the protection of individuals?.” Computer Law & Security Review 32, no. 2 (2016): 179-194. Visited April 13, 2026.
[18] Hartzog, Woodrow, and Daniel J. Solove. “The scope and potential of FTC data protection.” Geo. Wash. L. Rev. 83 (2014): 2230. Visited April 13, 2026.
