Your Rights, Your Superpowers
By Aparna Mitra, 17th Sept 2025
In today’s hyperconnected world, being digitally active is not optional but inevitable. Being digitally active not only exposes our data; with every click and every scroll, it also leaves behind pieces of our identity in the public domain. Here’s the real twist: being digitally active is not equivalent to being digitally literate. Being digitally active means the mere usage of digital platforms and services. Digital literacy goes beyond usage: it is the ability to critically and safely evaluate and create content in the digital environment. To put it simply, being digitally active is driving anywhere without a map, while being digitally literate is knowing the rules of the road and how to reach the destination safely. This difference matters because the same digital doors that open up numerous opportunities also open paths for attackers to misuse your data.
Recognising the urgent need to protect the personal data and identity of citizens, India enacted the Digital Personal Data Protection Act (the DPDP Act) in 2023, a landmark law that reshaped how personal data is collected, stored, and used. It establishes clear obligations for organisations (Data Fiduciaries) handling personal information and grants users (Data Principals) a concrete set of rights over their own data. Yet even the strongest privacy law can only be as effective as the people who use it. To truly safeguard your digital footprint, you must know what protections the Act offers and how to invoke them. In other words, the DPDP Act opens the door to stronger digital privacy, but it is your awareness and action that allow you to walk through it.
Guardians of Your Data: Rights You Hold under DPDP & GDPR
While doing a careful analysis of the DPDP Act, I realised that there is a certain level of similarity of this Act with the Indian Constitution. Just as the Constitution grants citizens certain rights while also imposing duties upon them, the DPDP Act similarly confers both rights and responsibilities upon Data Principals. However, to effectively exercise these rights, it is essential first to understand what they are. Let’s take a closer look at the rights available to us under the Act:
Right to Access Information (Section 11): Data Principals have the right to access information about what categories of personal data are being processed, what processing activities are performed on it, and all the third parties with whom it is being shared.
How to exercise this Right: Data Principals will have the ability to request access to their data in order to examine the personal data that companies store and distribute. To help the company find their data, they will need to present identity and other pertinent information. Businesses will give a summary of the request after they get it, enabling the principal to ask for any additional explanations or changes.
Right to Correction and Erasure of personal data (Section 12): If a data principal's personal information is incorrect, lacking, or out-of-date, they have the right to request that it be corrected. In certain situations, such as when the data is no longer required for the reasons for which it was obtained or when the user withdraws their consent, they may also request that their personal data be erased. This right guarantees the accuracy and timeliness of the data stored by data fiduciaries.
How to exercise this right: Requests for data erasure or rectification can be made by Data Principals via the appropriate channels. In order to assist verification, these requests must explicitly specify the data that needs to be updated or deleted and include identification documentation. Following that, companies will examine these requests, make the required adjustments, and notify the Data Principal of their progress.
Right to Grievance Redressal (Section 13): For any grievances or issues regarding the handling of their personal data, data principals are entitled to grievance redressal channels. This right gives data principals the ability to address concerns about data processing, including possible infringements on their rights under the DPDP Act, and guarantees that data fiduciaries are held accountable.
How to exercise this right: Data Principals will be able to file complaints via certain channels that companies have provided. These complaints should outline the problem in detail and may contain pertinent information and supporting documentation. Businesses will acknowledge receipt of the complaints, investigate, and respond to the Data Principal with the resolution or available options for further action, including escalation to the Data Protection Board if unresolved.
Right to Nominate (Section 14): In the event of death or disability, data principals may designate another person to exercise their data protection rights. Even if the data principal is unable to manage their own personal data, this right guarantees that it is handled in accordance with their desires. It gives them a method to assign a trusted individual to oversee or limit access to their personal information.
How to exercise this right: By submitting a request that includes the nominee's name, contact information, and any special instructions pertaining to their authority, Data Principals will be able to designate a representative. Companies will confirm the nominee's and data principal's identity. The company will confirm the nomination and document the information after it has been validated. Notifications on their tasks and responsibilities will be sent to the nominee and the data principal.
The DPDP Act grants these rights for Data Principals to exercise, but an imperative question arises: are these rights truly enough? To get a clearer picture, let’s explore exactly what rights users enjoy under the General Data Protection Regulation (GDPR). When the topic is digital privacy and data protection, the first legislation everyone thinks of is the GDPR. The GDPR has set a high bar for all existing data privacy laws; below are the rights available to the users whose data is being processed.
The above-mentioned rights under the DPDP Act and the GDPR clearly show that the number of rights available under the GDPR is almost double that under the DPDP. For instance, the Right to be Informed is not explicitly offered as a right to Data Principals under the DPDP; rather, it is imposed as an obligation on fiduciaries. In other words, the GDPR can be seen as more “for the people,” whereas the DPDP appears more “for the country.” This explains why the DPDP Act carves out an exception which denies the Right to Erasure to Data Principals for the purposes mentioned under Section 17(2) read with Section 17(4) of the DPDP Act, which states that:
(2) The provisions of this Act shall not apply in respect of the processing of personal data
(a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.”
(4) In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply.
Hence, the GDPR emerges as a more comprehensive and “rights-heavy” framework, covering almost every aspect of data control. In contrast, the DPDP Act is a lighter, more consent-centric regime that leaves several areas addressed by the GDPR untouched.
With Great Power Comes Great Responsibility
Imagine the internet as a giant library, so to speak, with every service being a counter providing information, services, or goods. The DPDP Act, 2023 stands as the librarian's rulebook: you are free to read, borrow, and even ask questions about your own records, yet you are required to behave responsibly. Just as a member of the library cannot falsify any information on their membership form, pretend to be someone else, or lodge false complaints about missing books, a Data Principal in the digital sphere must provide accurate information, be truthful about their identity, and put forward only genuine grievances.
This two-way arrangement keeps the sprawling digital “library” orderly, safe, and just. The duties are provided under Section 15 of the Act and are discussed below:
Compliance with laws: Adhere to all the applicable laws while exercising the rights provided under the Act.
No impersonation: Do not impersonate any other person while providing personal data.
No suppression of information: Information required must be complete and accurate for purposes like unique identifiers.
No false complaints: File only genuine complaints and not false or frivolous ones.
Provide authentic information: Ensure that the personal data provided to the Data Fiduciary is authentic in nature, particularly when seeking erasure or correction.
The Final Word: Turning Rights into Real Strength
By and large, both the DPDP Act and the GDPR uphold one cardinal truth: data protection is no longer a privilege but a necessity in this digital age. Legislation may construct frameworks, set boundaries, or provide for remedies; however, its real strength emanates from the manner in which people exercise the rights and uphold the duties it confers. When you know your digital rights, act on them, and insist on accountability, you switch from being a passive data subject to someone actively protecting their privacy. Hence, “your rights” now become “your superpowers” with which you can safely, confidently, and in some measure control your destiny through your personal data.