
India’s Digital Personal Data Protection Act, 2023 (DPDPA), marks an important step in protecting personal data and creating a culture of accountability. The law promises to give people more control over their information and hold those who misuse it responsible.
But as the country prepares for its full implementation, one question lingers:
Should the same data protection obligations apply to individuals like lawyers, freelance photographers, makeup artists, tutors, or consultants who collect personal data as part of their day-to-day professional work?
If yes, is this really practical?
Under the DPDPA, a Data Fiduciary is defined as any person who alone or with others decides why and how personal data will be processed. In Indian law, the term “person” includes both natural persons (individuals) and legal entities (like companies or firms). This means that even independent professionals, those who are not registered as formal businesses, can fall within the scope of the Act.
Nothing in the DPDPA or the draft rules currently exempts them. So technically, a freelance photographer who stores client photos, a makeup artist who keeps contact lists and before-after pictures, or a personal fitness trainer who manages client progress charts could all be seen as Data Fiduciaries.
Let’s imagine a few real-world examples:
- A lawyer posts on LinkedIn to hire two juniors. Within a few days, she receives dozens of applications with names, phone numbers, and resumes.
- A freelance photographer stores hundreds of client pictures, often on personal devices, to build a portfolio or share samples.
- A makeup artist keeps client images and contact details to show styling references or send future updates.
- A home tutor maintains a list of students and parents with their personal and academic details.
Under a strict reading of the DPDPA, each one of them becomes a Data Fiduciary and is required to provide privacy notices, manage consent, ensure secure storage, and delete data once the purpose is over.
But are these expectations realistic? Where should these individuals post their privacy notice? On their Instagram profile? WhatsApp? A PDF on Google Drive?
And what happens if a client’s data is misused elsewhere? How would they ever trace the misuse?
A Gap Between Law and Logic:
The DPDPA does not distinguish between a freelancer and a large company when it comes to the definition of a Data Fiduciary. It may look fair in writing but fails in practice. A solo professional managing a handful of clients cannot be expected to maintain the same level of documentation, retention schedules, and legal processes as a fintech company processing millions of records.
The Act exempts “personal or domestic use”, but the moment someone earns from their work, even independently, it becomes a professional activity, leaving millions of Indians in a grey zone.
Are we protecting privacy or encouraging paperwork? When an individual collecting contact details or resumes is treated like a corporate entity, we are not protecting privacy; we are creating confusion. Privacy compliance is important, but it must be proportionate to the scale and risk of data processing. Otherwise, it turns into a box-ticking exercise that discourages genuine compliance. When compliance becomes a burden instead of a safeguard, the spirit of the law gets lost. The DPDPA was built for a structured data ecosystem of companies, startups, and government bodies, but India’s workforce isn’t limited to corporates.
The Act exempts “personal or domestic purposes”, but once an individual earns from that activity, it becomes professional, even if it involves handling just a few personal records. This is where compliance becomes a regulatory riddle.
- How will a professional afford compliance infrastructure?
- How will the Data Protection Board assess such small cases?
- What if individuals unknowingly violate rules because they never knew they were covered?
Without clarity, it could turn into compliance fatigue instead of privacy empowerment. I feel that India’s data protection regime must be refined with an understanding of our professional landscape, where millions of people work as independent service providers without formal business structures.
Here’s how policymakers can make the DPDPA more practical and people-friendly:
- Introduce simplified rules for individuals or small-scale professionals who process less personal data each year.
- Provide clear guidance on “person” through the rules or FAQs, explaining how the term applies differently to individuals versus registered organisations or legal persons.
- Allow freelance professionals to provide notice in practical formats, such as a short note in emails, WhatsApp messages, or social media captions, instead of expecting formal policy pages.
Conclusion:
India’s privacy movement is growing, and the DPDPA is its foundation. The DPDPA’s goal is noble, but for it to truly work, the law must recognise India’s diverse work culture, where professionals often operate solo or informally. Independent professionals such as lawyers, photographers, beauticians, tutors, designers, and consultants form the backbone of the Indian economy. Imposing the same compliance requirements on them as on multinational companies is neither fair nor effective. The law must grow in proportion to the risk it seeks to address, not in complexity for its own sake.
True privacy protection will come not from endless paperwork, but from clear, practical, and proportionate rules that empower individuals instead of overwhelming them. Privacy should be a right, not a regulatory riddle!
