Typing Test - A decade earlier
UP Police SI/ASI/Computer Operator English Typing
A decade earlier, India did not recognise any enforceable right to privacy. At present, following the partial enforcement of the Digital Personal Data Protection Act (DPDPA), 2023 through the notification of rules dated Nov 13, 2025, a statute now exists that establishes a legally binding structure enabling Indian citizens to assert privacy rights against both state and non-state entities. Yet, this statute is far from flawless. Considerable distance remains before large data fiduciaries fully honour the rights of Indians and permit their effective exercise. An even greater gap likely exists in embedding data privacy as a core element of governmental functioning. Nevertheless, owing to the sustained efforts of numerous individuals and organisations, judicial directions of the SC, and ultimately governmental action, this law has materialised. Prior to the Supreme Court’s 2017 recognition of privacy as a fundamental right in the Puttaswamy judgment, data privacy barely registered as a concern. That changed when WhatsApp, once positioned as privacy-centric, rolled out a policy permitting the sharing of personal user information with Facebook entities, contradicting its own assurances. This non-consensual data sharing with Facebook — which had acquired WhatsApp in 2014 — appeared fundamentally unjust. Consequently, litigation was initiated, first before the Delhi HC and subsequently before the SC. In 2017, the govt assured the SC that a data protection framework would be enacted within a year. Despite that assurance, the process has consumed eight prolonged years. In substance, the DPDPA formalises and affirms the fundamental privacy rights of users (data principals) vis-à-vis corporations (data fiduciaries or processors) within the domain of data protection. To begin with, it operates against the “State”. Accordingly, individuals may enforce their rights against governmental bodies in addition to private entities. 
Under the DPDPA, consent is required to be “free, specific, informed, unconditional, unambiguous with a clear affirmative action”. Consequently, default opt-in mechanisms cannot qualify as valid “consent”. Such consent must also be capable of withdrawal with comparable simplicity. Hence, dark patterns that obstruct withdrawal of consent will be unlawful. Fiduciaries are obligated to restrict data processing strictly to the purposes for which consent was obtained. The DPDPA also clearly delineates user rights, encompassing access to information regarding personal data processing, along with correction, completion, updation, and deletion or erasure of such data. Indeed, individuals may legally require companies to erase their data unless a legitimate justification exists. The statute affords substantial protection to children’s personal data. It further establishes the Data Protection Board as the principal regulatory authority, operating as an independent institution and digital office. Additionally, the Act incorporates exemptions for startups in relation to specified processing activities, seeking to balance ease of doing business with users’ privacy rights. Certain features of the DPDPA are notably problematic, while others are likely to evolve through judicial scrutiny. Illustratively, expansive exemptions permit the State to process personal data without clear definition, potentially enabling governmental overreach. Moreover, the Act excludes personal data that users themselves have made public. This implies that any personal data voluntarily disclosed by a user would not