The Regulatory Blind Spot In India's Digital Personal Data Protection Framework
Uddhav Gupta & R Sathvik
11 March 2026 1:30 PM IST

The Genesis of the Digital Divide
The evolution of India's data privacy regime reached a pivotal milestone with the Digital Personal Data Protection (DPDP) Act, 2023, and the subsequent rollout of the DPDP Rules in 2025. While these instruments successfully modernize the protections first established by the SPDI Rules of 2011, they are built upon a fundamental exclusion of non-digital data. By aligning itself with the spirit of the landmark K.S. Puttaswamy v. Union of India judgment, the framework recognizes privacy as a fundamental right emanating from the right to life. However, by strictly restricting its operational scope to data in digital form, the law creates a "privacy vacuum" for physical records. This leaves a significant portion of the Indian populace, especially those interacting with less digitized sectors like rural healthcare or legacy banking, vulnerable to exploitation in an era where the boundary between physical and digital storage is increasingly porous.
Comparative Jurisprudence and the Global Standard
India's choice to exclude non-digitized data appears to be a deliberate legislative compromise aimed at reducing the administrative and financial burden on a country where digitization levels remain uneven. Under the European Union's GDPR and the UK Data Protection Act of 2018, the law applies to all personal data within a "structured manual filing system," ensuring that sensitive information cannot bypass regulation simply by being stored on paper. Similarly, the Singaporean PDPA protects both electronic and non-electronic forms of data, recognizing that the inherent sensitivity of the information is more critical than the medium of its storage. By failing to adopt a medium-neutral approach, the Indian framework risks the creation of an "unregulated space" where information can be processed without the accountability mechanisms the Act envisages.
The Emergence of the Independent Fiduciary
Perhaps the most critical risk within India's current framework is the advent of what can be termed an Independent Data Fiduciary or a Secondary Digitized Data Derivative Fiduciary. This phenomenon manifests when a legacy entity, such as a hospital, educational trust, or government department holding decades of physical archives, transfers these records to a third-party service provider for digitization. Because the DPDP Act, 2023, primarily targets data collected in digital form or digitized from digital sources, data that originates in a physical format exists in a regulatory "state of nature" until the moment of its conversion.
The core of the problem lies in the Severance of Data Provenance. When a third-party "Digitization Fiduciary" scans a physical document, they are not merely converting a format; they are bringing new digital personal data into existence. Under current interpretations, because the original collection was physical and therefore exempt, the fiduciary may argue that the "Notice" and "Consent" requirements under Section 5 of the Act do not apply retroactively. This creates a "side door" into the regulated domain where personal information enters the digital ecosystem without a clear audit trail of consent, effectively bypassing the Data Principal's right to be informed.
Further, in the commercial sphere, this structural gap facilitates what can be termed "Data Laundering." By moving data from the unregulated physical realm to the regulated digital realm through a third-party intermediary, corporations can effectively "clean" the data of its original consent obligations:
1. The Outsourcing Loophole: A company may outsource its physical archives to a subsidiary or a vendor. Once digitized, the vendor claims "ownership" of the digital dataset as a work product. This severs the legal link between the original human subject and the digital record.
2. The Secondary Market: These Independent Fiduciaries often monetize these "newly born" digital datasets by selling them for market analytics or risk profiling. Since the data was never "collected digitally" from the individual, the Fiduciary operates under the assumption that they owe no duty to the Data Principal, rendering the individual's rights to correction or erasure unenforceable.
The Proportionality Challenge and Constitutional Validity
The classification between digital and non-digital data must be scrutinized through the Doctrine of Proportionality as affirmed in Puttaswamy. While protecting the digital sphere is a legitimate aim and limiting the scope to digital data has a rational nexus to regulatory feasibility, the "Necessity" of the measure remains open to challenge. The harm caused to an individual's privacy through the unauthorized use or breach of physical medical files or educational records is identical to that of a digital breach. Therefore, the total exclusion of high-risk physical data appears disproportionate when weighed against the administrative efficiency gained. Furthermore, this exclusion may inadvertently disincentivize the transition to secure digital means, as fiduciaries might find it "safer" and less regulated to maintain or exploit data in its manual form.
Redefining the Data Principal for a Comprehensive Future
To bridge this regulatory gap and settle the ambiguity surrounding digitized derivatives, the government must provide a clarification that redefines the Data Principal more comprehensively. Rather than defining a principal merely as the person to whom the digital data relates, the definition should explicitly include the "Original Source" of the data. By aligning this definition with the concept of an "affected party", similar to the protections afforded to victims under the Code of Criminal Procedure, the law would ensure that the individual's rights remain attached to the information regardless of its format. Such a purposive interpretation would align the statutory framework with its underlying constitutional purpose: protecting the fundamental right to privacy in its entirety, ensuring that no personal information remains "outside the realm" of the law.
The Author Uddhav Gupta is a Lawyer and R Sathvik is a Law Student. Views are personal.
