The Digital Personal Data Protection Act (DPDPA) 2023 continues to be overlooked by many organizations that believe they do not fall within the ambit of the Act. However, a significant number of digital service providers — particularly mobile application platforms — qualify as Data Fiduciaries and are therefore responsible for ensuring Data Principal protection and data privacy compliance.
Under the Digital Personal Data Protection Act 2023, the responsibility for protecting Data Principal information rests with the Data Fiduciary (Controller), while Data Processors operate under the authority of the Data Fiduciary. Although data processors execute processing activities, accountability remains with the Data Fiduciary.
It is the responsibility of the Data Fiduciary to define the procedures, processes, and functional boundaries for Data Processors and to provide appropriate authorization, especially where processing activities are further subcontracted.
The Act introduces significant compliance challenges for digital content providers, mobile application developers, and application publishers.
The ground-level reality may be surprising when viewed from the perspective of:
Without addressing these areas, compliance implementation may face serious challenges.
Key Obligations of Data Fiduciaries Under DPDPA
Under DPDPA 2023, Data Fiduciaries are required to:
1. Consent Management
Data Fiduciaries must obtain explicit consent from the Data Principal while acquiring personal data and must obtain consent prior to:
2. Data Principal Awareness
Data Fiduciaries must ensure that Data Principals are informed and educated about their digital data rights and the mechanisms available to exercise those rights.
3. Continuous Notification
Data Fiduciaries must regularly update Data Principals and notify them at every stage where their personal information is considered for use or processing.
4. Consent Record Management
Data Fiduciaries must maintain consent records within backend systems, including mechanisms supporting:
Consent information must be stored and retrievable for audit and compliance purposes.
5. Children’s Data Protection
In the case of children’s personal data, Data Fiduciaries must ensure:
Most of the above provisions are widely known and do not present significant conceptual difficulty. However, the real challenges begin at the implementation level, particularly within the mobile application ecosystem.
Compliance Challenges in the Mobile Application Ecosystem
There are several areas where mobile applications may not currently align with DPDPA compliance requirements, including but not limited to the following:
Language Accessibility Challenges
Most mobile applications use English as the primary interface language.
Although smartphone penetration in India is approximately 89%, less than 10% of users are comfortable communicating in English.
This creates a major challenge in ensuring informed consent under DPDPA, as many users may not fully understand consent terms and privacy notices.
The current consent management mechanisms in many mobile applications may not align with DPDPA guidelines.
In many cases:
Many applications request extensive device permissions, including:
These permissions are often justified as prerequisites for application functionality but may exceed what the application legitimately requires.
To support revenue generation, many mobile applications:
These integrations may expose Data Principal information beyond the direct control of the Data Fiduciary.
Sensitivity of Digital Payment Data
India is one of the global leaders in digital payments adoption, which increases the sensitivity of Data Principal information.
Financial and transactional data require stronger data protection controls under DPDPA.
The current state of the mobile application ecosystem indicates significant upcoming compliance challenges, and any negligence may result in non-fulfilment of DPDPA requirements.
Key Questions for the Mobile Application Industry
1. Legacy Data Consent
Mobile applications acting as Data Fiduciaries are already holding billions of Data Principal records.
If Data Principals request deletion of their data, how will mobile applications obtain fresh consent from those Data Principals?
2. Technology Transformation
Do you agree that Data Fiduciaries will be required to make significant modifications to their mobile applications and backend systems to achieve DPDPA compliance?
3. Impact on Mobile Application Business Models
Do you believe that the mobile application sector will face disruption due to the need for DPDPA-compliant consent validation before connecting application servers to advertisement servers for advertisement placement?
4. Right to Forget and MACD Integration
Do you believe that Data Fiduciaries will need to implement new service logic to support:
across application and backend systems?
5. Data Processor Risk
Is it not true that the probability of data leakage may be higher where Data Processors are not directly accountable under the Act, while compliance monitoring remains the responsibility of the Data Fiduciary?
Conclusion
Considering the evolving provisions of the Digital Personal Data Protection Act 2023, it is evident that policymakers aim to:
The changes introduced under DPDPA clearly indicate a shift towards a stronger digital privacy and data protection framework in India.