Data Principal

From Justice Definitions Project

Introduction

The term Data Principal refers to the individual to whom the personal data relates. This concept is foundational in contemporary data protection frameworks, emphasized by modern statutes and regulations to acknowledge the rights and responsibilities of individuals regarding their personal data. It signifies empowerment in controlling how personal data is processed, shared, or utilized by data fiduciaries (organizations managing the data).

Official Definition of Data Principal

Data Principal as defined in Legislation(s)

Digital Personal Data Protection Act, 2023

Under the Digital Personal Data Protection Act, 2023[1] (India), Section 2(f)[2] defines Data Principal as: “The individual to whom the personal data relates, and where such individual is a child, includes the parent or lawful guardian of the child.” A data principal is the person to whom the personal data belongs, that is, the individual whose information is being collected or processed. If the individual is a child, the term also includes the child’s parents or lawful guardian, as they are the ones who will exercise the child’s data-related rights. Similarly, if the individual is a person with a disability who cannot independently act on her own behalf, the definition extends to her lawful guardian, who is authorised to make decisions and exercise rights regarding her personal data.

Legal Provisions Relating to Data Principal under DPDPA, 2023

Rights of the Data Principal

Chapter III of the Act deals with the rights of Data Principal, which are highlighted below:

Right to Access Personal Data

Section 11[3] gives the Data Principal the right to access information about her personal data held by a Data Fiduciary to whom she has previously given consent. On request, she can obtain: (a) a summary of the personal data being processed and the processing activities involved; (b) the identities of all Data Fiduciaries and Data Processors with whom her data has been shared, along with a description of the data shared; and (c) any other prescribed information relating to the processing of her data.

However, the duty to disclose details under clauses (b) and (c) does not apply when the Data Fiduciary shares personal data with another Data Fiduciary who is legally authorised to obtain it for purposes such as preventing, detecting, investigating, prosecuting, or punishing offences or responding to cyber incidents.

Right to correction, completion, updating, and erasure of personal data

Section 12[4] grants the Data Principal the right to have her personal data corrected, completed, updated, or erased when such data is being processed based on her consent. When she requests correction, completion, or updating, the Data Fiduciary must promptly fix inaccurate or misleading data, fill in incomplete data, and update existing data. She may also request the erasure of her personal data, and the Data Fiduciary must delete it unless retaining the data is necessary for the specific purpose for which it was collected or required to comply with any existing law.

Right of Grievance Redressal

Section 13[5] gives the Data Principal the right to access an easily available grievance-redressal mechanism offered by a Data Fiduciary or Consent Manager for any act or omission related to the handling of her personal data or the exercise of her rights under the Act. The Data Fiduciary or Consent Manager must respond to such grievances within a prescribed time. Before approaching the Data Protection Board, the Data Principal must first use and exhaust this internal grievance-redressal mechanism.

Right to Nominate

Section 14[6] gives the Data Principal the right to nominate another individual who will exercise her rights under the Act if she dies or becomes incapable of doing so herself. The term “incapacity” here refers to an inability to exercise these rights due to unsoundness of mind or physical infirmity, ensuring that the Data Principal’s data-protection rights continue to be safeguarded even when she cannot act on her own.

Duties of the Data Principal

Under Section 15[7], the Act also recognises certain obligations on the Data Principal, to prevent misuse of rights and ensure the integrity of data-protection processes.

Duty to comply with all applicable laws

The Data Principal must ensure that, while exercising any of her rights under the Act, such as accessing, correcting, or erasing personal data, she does so in accordance with all other laws currently in force. This means she cannot use the rights granted by the Act in a way that violates other legal requirements, obligations, or restrictions.

Duty not to impersonate another person

The Data Principal must not pretend to be someone else or misrepresent her identity when providing personal data for any specific purpose. This duty prevents misuse of the law by ensuring that individuals cannot submit another person’s data, conceal their real identity, or fraudulently obtain services or benefits by impersonation.

Duty not to suppress material information

When providing personal data for official documents or identifiers, the Data Principal must not hide, omit, or intentionally withhold important information. This duty ensures the authenticity and accuracy of government records and prevents individuals from providing incomplete or misleading data to obtain official documents.

Duty not to file false or frivolous grievances

The Data Principal must avoid misusing the grievance-redressal mechanism by submitting complaints that are knowingly false, baseless, or trivial. This protects the system from being overloaded with non-genuine complaints and ensures that Data Fiduciaries and the Board can focus on resolving legitimate issues.

Duty to provide verifiably authentic information for correction or erasure requests

When requesting correction, completion, updating, or erasure of her personal data, the Data Principal must provide supporting information or documents that are accurate and capable of being verified. This duty ensures that corrections or deletions are not based on false claims and that the integrity of the data held by Data Fiduciaries is maintained.

Relationship with Data Fiduciaries
Processing must be based on Consent or Legitimate Use

Under Section 4[8], a Data Fiduciary can process the personal data of a Data Principal only for a lawful purpose and only after obtaining her valid, informed consent, except where processing falls under legitimate uses listed in Section 7[9]. Consent must be freely given, specific, informed, unambiguous, and given through a clear affirmative action. Section 7 provides exceptions where consent is not required, such as for State functions (7(a)), compliance with court orders (7(b)), responding to emergencies (7(c)), or other legitimate uses defined by law.

Notice before Consent

Before asking for consent, Section 5[10] requires the Data Fiduciary to give the Data Principal a detailed notice that clearly explains what personal data is being collected, for what purpose, how she may exercise her rights and how to contact the Data Protection Board if needed. This notice must be available in English or in any language listed in the Eighth Schedule of the Constitution, ensuring accessibility. Only after this notice is provided can the Data Fiduciary obtain consent as per Section 6[11], which mandates that consent must be free, informed, specific, and capable of being withdrawn.

Withdrawal of Consent and Cessation of Processing

According to Section 6(4)[12], the Data Principal has the right to withdraw her consent at any time, either directly or through a Consent Manager. Once consent is withdrawn, the Data Fiduciary, and any Data Processor acting on its behalf, must stop processing the personal data within a reasonable time, unless the continued processing is legally permitted or required under a legitimate use or other law. Complementing this, Section 8[13] imposes a duty on the Data Fiduciary to ensure that processing always complies with the Act’s obligations, which includes halting processing once consent is revoked.

Processing Personal Data of Children or Persons with Disability (special Data Principals)

Section 9[14] deals with the processing of personal data of children or persons with disabilities (when they have a lawful guardian). It requires the Data Fiduciary to obtain verifiable consent of the parent or lawful guardian before processing such personal data.

Exemptions on Rights of Data Principal

Section 17[15] identifies exemptions where Data Principal rights are limited. In essence, whenever public interest, law enforcement, national security, judicial, financial, or corporate restructuring purposes take precedence, the Data Principal’s rights to consent, access, correction, erasure, and grievance do not apply.

Sub-section (1) of Section 17 specifies the situations where Chapter II, Chapter III, and Section 16 do not apply

  • Legal enforcement (17(1)(a))
  • Courts, tribunals, and regulatory bodies (17(1)(b))
  • Crime prevention and prosecution (17(1)(c))
  • Data of individuals outside India (17(1)(d))
  • Company mergers, acquisitions, restructuring (17(1)(e))
  • Financial defaults (17(1)(f))

Sub-section (2) is when the Act does not apply in its entirety, and the personal data of the Data Principal may be processed without consent, notice, or Data Principal rights.

  • State instrumentalities and national security (17(2)(a))
  • Research, archiving, statistical purposes (17(2)(b))

Sub-section (3) allows the Central Government to notify certain Data Fiduciaries, or classes of Data Fiduciaries, including startups, as exempt from specific obligations under the Act. These exemptions may include notice requirements (Section 5), certain data retention or accuracy obligations (Sections 8(3) and 8(7)), and rights related to access and correction (Sections 10 and 11).

Sub-section (4) deals specifically with processing by the State or its instrumentalities. It states that certain Data Principal rights, including the right to withdraw consent (Section 8(7)) and rights to correction or erasure (Section 12(2) and 12(3)), may not apply when the processing does not involve making a decision that affects the Data Principal.

Enforcement and Recourse
Grievance Redressal through Data Protection Board of India

In Section 27[16], highlights some provisions empowering Data Principals to approach the Board for enforcement of their rights.

Under Section 27(1)(b), The Data Principal can file a complaint if there is a personal data breach or if a Data Fiduciary fails to observe its obligations toward her personal data or the exercise of her rights under the Act. The Board can then inquire into the complaint and impose penalties. Similarly, under Section 27(1)(c), the Data Principal can complain about a breach by a Consent Manager regarding the handling of her personal data. Again, the Board has the power to investigate and take remedial action.

False or Frivolous Complaints by Data Principals

Section 28(12) specifically empowers the Data Protection Board to impose a warning or costs on the complainant if the complaint is found to be false or frivolous. If at any stage after receiving a complaint the Board forms the opinion that the complaint is fake, baseless, or filed with no genuine cause, it may either issue a warning to the complainant or impose costs on them.

Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Rules, 2025[17] function as the operational framework for the DPDP Act, 2023. While the Act lays down the broad rights, duties, principles, and regulatory structure, the Rules provide the detailed procedures, prescribed formats, and practical steps needed to implement the Act in real-world scenarios. They clarify how Data Fiduciaries, Consent Managers, and the Data Protection Board must carry out their responsibilities, and how Data Principals can exercise their rights.

Legal Provisions Relating to Data Principal under DPDP Rules, 2025

Notice by Data Fiduciary to Data Principal

Rule 3[18] requires that any notice a Data Fiduciary gives to a Data Principal before collecting or processing personal data must stand alone (not buried in long legalese), be easy to understand, and clearly describe (at minimum) the exact personal data items being collected and the specific purposes for which they will be processed (including a breakdown of goods/services or uses enabled by processing). The notice must also specify how the Data Principal can withdraw consent or exercise her rights under the law, including a link or means to do so.

Reasonable Security Safeguards

Rule 6[19] places on Data Fiduciaries the duty to implement reasonable security safeguards to protect personal data. Although this rule does not address Data Principal rights directly, by imposing security obligations on fiduciaries, it helps protect the data of Data Principals against unauthorised access, misuse or breaches.

Notification in Case of Personal Data Breach

Rule 7[20] requires that in case of a data breach, the Data Fiduciary must notify the affected Data Principals (and the Board) without delay, explaining what happened, what personal data was breached, what risks arise, and what remedial measures are being taken.

Time-based Deletion of Personal Data When Purpose Ends

Rule 8[21] sets out that when the specified purpose for which personal data was collected is no longer served, the Data Fiduciary must erase that personal data. In some cases, like for large platforms, this includes inactive Data Principals. For example, if a Data Principal has not used the service in 3 years, their personal data may be deleted. The Rules also require prior notice to the Data Principal before automatic deletion, giving a chance to re-engage if they wish to retain their data.

Contact Information publication

Rule 9[22] require Data Fiduciaries to publish clear contact information on their platforms for data-related queries or complaints, making it easier for Data Principals to reach out.

Special Consent for Children/Disabled Data Principals

Rule 10[23] requires that for Data Principals who are children or persons with disabilities, verifiable parental or guardian consent before processing their data, ensuring extra protection for vulnerable individuals.

Rights of Data Principals

Rule 13[24] codifies the core rights of Data Principals:

  1. Right to know how to exercise rights: Data Fiduciaries must publish clear instructions on their website/app.
  2. Right to make requests: Data Principals can request access, correction, erasure, or other rights using the prescribed method.
  3. Right to be identified correctly: Data Fiduciaries must specify what identifiers are needed to verify the Data Principal.
  4. Right to grievance redressal: Data Principals can file grievances, and the Fiduciary must resolve them within 90 days.
  5. Right to nominate another person: A Data Principal can nominate someone to exercise her rights after death or incapacity.

Data Principal as defined in International Instruments

General Data Protection Regulation (GDPR), European Union

The General Data Protection Regulation (GDPR)[25], effective since 2018, is one of the most comprehensive data protection laws globally, and it defines the “Data Subject” similarly to the Data Principal under India’s DPDPA. The regulation offers extensive rights to individuals regarding their personal data. These include:

  1. Right to Access: Data subjects can obtain confirmation as to whether personal data concerning them is being processed, and if so, access the data.
  2. Right to Rectification: They can request correction of inaccurate or incomplete data.
  3. Right to Erasure (Right to be Forgotten): Data subjects have the right to request the deletion of personal data under certain circumstances, such as when the data is no longer necessary for processing.
  4. Right to Data Portability: This allows individuals to obtain and reuse their personal data for their own purposes across different services.
  5. Right to Object: Individuals can object to the processing of their personal data for certain purposes, such as direct marketing.

The GDPR places significant responsibility on organizations (Data Controllers and Processors) to ensure that these rights are respected. It also stipulates strict conditions for obtaining valid consent, especially in the context of processing sensitive data. Furthermore, any processing that impacts the rights of data subjects must be justified under one of the lawful grounds established by the regulation, such as necessity for the performance of a contract or compliance with a legal obligation.

European Union Charter

The Charter of Fundamental Rights of the European Union[26] establishes data protection as a fundamental right for EU citizens. It explicitly recognizes privacy and data protection as fundamental rights, providing a robust foundation for the concept of a "data principal." Relevant provisions, such as Articles 7[27] and 8[28], affirm that everyone has the right to the protection of personal data and to access and rectify their data. The Charter stresses that data must be processed fairly and for specified purposes and that compliance with these rights is subject to independent oversight. It highlights the empowerment of individuals to access and control their data, while also recognizing their liability to exercise these rights responsibly, particularly in cases where their actions might impact others' privacy or the public interest.

OECD Guidelines

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) [29]were among the first international efforts to establish a framework for safeguarding personal data while allowing its free flow across borders. These guidelines have formed the basis for privacy laws globally and have been periodically updated to reflect evolving standards. The key principles outlined in the guidelines include the Collection Limitation Principle, which mandates that personal data should be collected only for specified purposes and not in excess; the Data Quality Principle, ensuring that personal data is accurate, complete, and up-to-date; the Purpose Specification Principle, which requires that the purpose of data collection be clearly defined and the data not used for other incompatible purposes; and the Use Limitation Principle, which restricts the use of data for any purpose other than the one for which it was collected, unless consent is given or required by law. The Security Safeguards Principle mandates reasonable security measures to protect personal data from unauthorized access or misuse, while the Openness Principle promotes transparency in data practices, ensuring that individuals can access information about how their data is being handled. The Individual Participation Principle gives individuals the right to access their personal data and request corrections, and the Accountability Principle holds data controllers responsible for adhering to these privacy standards.

APEC (Asia-Pacific Economic Cooperation) & Global CBPR (Cross-Border Privacy Rules) System

The APEC & Global CBPR System is a framework designed to facilitate the free flow of data across borders while ensuring that personal data is protected according to privacy standards. The system is primarily aimed at businesses that operate across multiple jurisdictions, allowing them to demonstrate compliance with privacy laws while streamlining international data transfers. It emphasizes privacy accountability in cross-border data flows, supporting the rights of individuals (data principal) and ensuring compliance among participating organizations. The individuals' rights to transparency, access, and dispute resolution, with protections are ensured through third-party certifications and enforceable commitments by organizations. The system enables individuals to inquire about the use of their data and file complaints regarding misuse or breaches. While the system underscores organizational accountability, it recognizes individuals' role in reporting misuse without imposing direct obligations on them.

UN Compendium on Data Protection and Privacy

The UN Compendium on Data Protection and Privacy [30] is a comprehensive collection of policies, principles, and guidance documents that govern the collection, processing, and management of personal data across the United Nations system. It emphasizes the rights of individuals, or “Data Principals,” as central stakeholders in data governance, ensuring that their personal information is handled with fairness, transparency, and accountability. The Compendium outlines core data-protection principles, including informed consent, purpose limitation, data accuracy, security, and the right to access, correct, or delete personal information. It also highlights the responsibilities of both organizations and individuals, encouraging active participation by Data Principals in safeguarding their own data. By consolidating system-wide standards and human-rights-based norms, the Compendium provides a unified framework to protect individuals’ privacy, promote responsible data practices, and strengthen trust in UN data-handling processes.

Data Principal as defined in Official Documents

Justice BN Srikrishna Committee Report, 2018

A Data Principal is the individual to whom the personal data relates. In a fair and trustworthy digital economy, the data principal is considered the central actor because she exercises autonomy over how her data is used. The relationship between the data principal and any entity processing her data is based on trust, similar to a fiduciary relationship. She expects that her data will be handled fairly, responsibly, and only for purposes that are reasonably foreseeable and in her interest.

Data Principal in Case Law(s)

Right to Privacy

Kharak Singh v State of Uttar Pradesh (1963)

In Kharak Singh v. State of Uttar Pradesh[31] (1963), the Supreme Court of India addressed a challenge to police surveillance under the U.P. Police Regulations. Kharak Singh, previously acquitted of criminal charges, was placed under intensive surveillance, including night visits, constant monitoring, and mandatory reporting of his movements. He argued that this violated his fundamental rights under Articles 19(1)(d) (freedom of movement) and 21 (protection of life and personal liberty). The six-judge bench held that night domiciliary visits were unconstitutional but upheld the rest of the regulations. Crucially, the Court ruled that the right to privacy was not yet recognized as a fundamental right under the Constitution, highlighting early tensions between state security powers and individual freedoms.

KS Puttaswamy v. Union of India (2017)

The Puttaswamy (2017)[32] judgment is the constitutional foundation on which the concept of the Data Principal in the DPDP Act is built. By declaring privacy as a fundamental right under Article 21[33], the Supreme Court affirmed that every individual has autonomy, dignity, and control over her personal information. These values translate directly into the modern idea of a Data Principal, an individual who is the owner of her personal data and whose consent, choices, and control form the core of any data-processing activity. The judgment’s emphasis on informational self-determination directly shapes the DPDP Act’s structure, which grants Data Principals rights such as access, correction, erasure, consent withdrawal, grievance redressal, and nomination.

The proportionality principle laid down in Puttaswamy also heavily influences the DPDP Act. The Court held that any State action limiting privacy must meet the tests of legality, legitimate aim, necessity, and proportionality. These requirements are reflected in the Act’s framework governing when personal data can be processed without consent (legitimate uses), the safeguards applicable to State agencies, and the exemptions granted under Section 17.

Right to be Forgottten

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014)

In the Google Spain case[34], the verdict was described in popular parlance as recognizing a “right to be forgotten,” although the court did not formally establish this right. Instead, it relied on the individual’s rights to privacy and data protection, as outlined in Art 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union. Thus, the ruling emphasized protecting personal data and privacy rather than explicitly introducing a standalone right.

The Court reasoned that search engines play a decisive role in making personal information accessible and therefore must comply with data-protection principles. Even if the original publication is lawful, continued linkage via name-search may unfairly harm privacy. A balancing test is required: privacy interests can outweigh public interest unless the person is of particular public importance. Search engines that index and present personal data are data controllers under EU privacy law, and individuals may request de-indexing of links that violate data-protection principles. The right to erasure applies even when original content remains online, subject to a balancing of privacy and public-interest considerations.

Karthick Theodore v. Registrar General, Madras High Court (2021)

In the case of Karthik Theodore v Registrar General and Ors.[35], the Madras High Court considered whether an individual’s personal details could be redacted from an old judgment available in the public domain. The appellant sought removal of his identifying information from a 2011 judgment, arguing that continued disclosure of intimate and outdated personal details had negatively affected his life, including the rejection of an overseas visa application. He invoked the fundamental right to privacy under Article 21, relying on the Supreme Court’s ruling in Puttaswamy(2017), which recognised privacy as an intrinsic part of the right to life.

The High Court examined the need to balance open justice with privacy rights and noted that privacy includes the concept of the “right to be forgotten.” The Court directed that the 2011 judgment be removed from the public domain and that the appellant’s name be redacted to protect his privacy. It also observed that the objectives of the Digital Personal Data Protection Act, 2023 include regulating and safeguarding personal data, and that in appropriate circumstances, individuals may invoke the right to be forgotten to prevent unnecessary exposure of their personal information.

Zulfiqar Ahman Khan v. M/S Quintillion Business Media Pvt. Ltd. (2019)

The case of Zulfiqar Ahman[36] revolved around the misuse of an individual's personal information and the right to privacy. Zulfiqar Ahman Khan sought the removal of defamatory articles online, citing mental agony and reputational harm. In this case, the Delhi High Court addressed whether two #MeToo-related articles published on Quint.com should be permanently removed and delisted from search engine results. Zulfiquar Khan, against whom allegations had been published, filed a defamation suit seeking a permanent injunction for the articles’ removal, arguing that the allegations were baseless, had caused severe reputational and professional harm, and that the publisher had not contacted him before publication. The Court, recognizing Khan’s rights to reputation and privacy, including the “right to be forgotten” and the “right to be left alone", ordered Quint.com to remove and not republish the articles. It further restrained all other media platforms from republishing the same or modified content and directed search engines to ensure that all related links and search results were removed within 36 hours of receiving the order.

International Experience

The concept of a Data Principal is recognized and incorporated in data protection laws worldwide, often under different terminologies such as "Data Subject" (GDPR) or other region-specific terms. While the term Data Principal specifically appears in India’s Digital Personal Data Protection Act (DPDPA), 2023, its recognition and rights find parallels in international frameworks like the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Privacy Act in Australia.

United Kingdom - Data Protection Act 2018

Despite the UK's departure from the European Union, the country maintains a robust regulatory environment for personal data protection, ensuring continued alignment with global data protection norms. Post-Brexit, the UK’s Data Protection Act 2018 [37] incorporates provisions similar to the GDPR, reflecting its adoption of EU-like standards for data protection. The law defines “Data Subjects” (equivalent to Data Principals).

Scope of Protection

The rights of a data subject apply universally to all personal data, whether digital or non-digital, and regardless of the medium of processing. The DPDP Act is limited to digital personal data, and therefore the protections for Data Principals do not extend as widely as the UK’s full-spectrum data subject protections.

Rights Granted to the Individual

The UK framework provides extensive rights, including access, rectification, erasure, restriction, objection, data portability, and safeguards against automated decision-making or profiling. The DPDP Act provides fewer rights which are limited to access, correction/erasure, grievance redressal, and nomination, and are without rights like portability, objection, restriction, or protections against automated decision-making.

Children’s Data Rights

Under the DPA 2018, children under 13 need parental consent only for online information society services, not across all contexts, and children remain the data subjects with parents merely acting on their behalf. The DPDP Act defines children as under 18, mandates parental consent for all processing, and prohibits tracking/targeted advertising, thereby imposing far stricter obligations while also treating the guardian as the actual Data Principal.

Parents or guardians may exercise rights on behalf of a child, but the child remains the data subject, and rights conceptually belong to them. The representative (guardian) becomes the Data Principal for children or persons with disabilities, meaning the Indian approach embeds guardianship into the very definition of the rights-holder.

Duties of the Individual

The UK law imposes no statutory duties on data subjects; individuals are purely rights-holders, and all obligations fall on data controllers/processors. The DPDP Act uniquely imposes legal duties on Data Principals, such as not providing false information or impersonating others, making individuals accountable in ways not found in UK law.

Identity Verification Requirements

Controllers may require “reasonable identification” before acting on requests, but the statute does not impose explicit compliance obligations on the data subject beyond proving identity. Data Principals must comply with stringent verification or authentication requirements as part of their legal duties, placing a comparatively heavier procedural burden on the individual.

Post-Death Rights

The DPA 2018 protects only the data of living individuals; after death, the person ceases to be a data subject, and there is no statutory provision for nominating someone to exercise rights. The DPDP Act creates a unique right of nomination, allowing Data Principals to appoint someone to exercise rights after their death or incapacity, extending the legal effect beyond life.

Remedies & Enforcement Rights

Data subjects may approach the ICO and also pursue direct judicial remedies, including compensation for damage or distress, making enforcement much stronger. The DPDP Act directs Data Principals primarily to the Data Fiduciary and then the Data Protection Board, with limited recourse to courts and no explicit right to compensation for distress, making enforcement narrower.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) [38], which came into effect in 2020, recognizes the rights of California residents as "consumers" in relation to their personal data, aligning it with the Data Principal concept. The CCPA is notable for granting rights similar to those found in the GDPR, but with certain differences. For instance, the CCPA applies primarily to businesses with specific thresholds (e.g., gross annual revenues exceeding $25 million), and it gives consumers a broader right to opt-out of the sale of their data without needing to assert a specific reason or context for doing so. While not as comprehensive as the GDPR, the CCPA has been instrumental in shaping privacy rights in the U.S., especially influencing privacy law discussions in other states. However, there are challenges related to enforcement, particularly with regard to the complexity of the law's language and its implementation at the state level.

Under the California law, a “consumer” refers to a resident whose personal information is collected by a business, and the statute regulates how businesses must treat that personal information, requiring transparency at or before point of collection about what categories of information will be collected, why, whether it will be sold/shared, and how long it will be retained (or the criteria for retention).

Right to Access and Request Disclosure of Data

Under the CCPA, a consumer has the right to request that a business disclose the categories and specific pieces of personal information collected about them. The DPDP Act provides the Data Principal with a right to access information about their personal data and a summary of how it is processed, but the mechanism is more streamlined, and DPDP does not mandate the same detailed “item-by-item disclosure” regime as in CCPA.

Right to Delete / Erasure

Under CCPA, a consumer has the right to request deletion of personal information collected by a business, and the business must delete the data and notify service providers/third parties to delete it as well, subject to certain limitations. The DPDP Act likewise gives a Data Principal a right to erasure (i.e. correction or deletion), but the overall framework under DPDP is comparatively simpler and doesn’t require the exhaustive third-party deletion regime or complex record-keeping obligations that the CCPA imposes on businesses, especially with regard to “sale/sharing” of data which is a central focus under CCPA but not as heavily regulated under DPDP.

Right to Know, Purpose & Sale/Sharing Disclosure / Opt-Out

CCPA requires that businesses inform consumers, at collection, about categories of data, purposes, and whether information will be sold or shared — and gives consumers rights to know what personal information is sold/shared, to whom, and to opt-out of sale/sharing. The DPDP Act does require consent & purpose limitation before processing personal data but does not establish a dedicated “opt-out of sale or sharing” regime similar to CCPA’s, given that the DPDP focuses primarily on “processing” by data fiduciaries rather than “sale/sharing” by default.

Scope and Types of Data Covered

Under CCPA, “personal information” is broadly defined: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household, covering identifiers, online identifiers, financial data, health/medical information, etc. The DPDP Act covers “digital personal data” of individuals. While its definition of personal data is broad, DPDP’s focus on digital processing only makes its scope narrower compared to CCPA’s broader “all personal information” coverage (including offline or non-digital contexts).

Obligations on Businesses (Controllers) aka Data Fiduciaries

CCPA mandates that businesses implement reasonable security procedures to protect personal information and, if they share or sell data with third parties or service providers, must have agreements ensuring the same level of protection and must impose obligations on these recipients to comply with the CCPA. Under DPDP, data fiduciaries (controllers/processors) are also subject to obligations, including security, purpose limitation, data minimization, consent, etc. But the regime tends to simpler compliance obligations compared to CCPA’s extensive contractual and notification obligations especially when sharing or “selling” data. The Indian law doesn’t emphasise “sale” the way CCPA does; its focus remains on “processing.”

Enforcement Mechanism and Remedies

CCPA allows consumers to request deletion and access, and also imposes obligations on businesses; and in cases of data breaches or non-compliance, statutory provisions enable consumers to bring civil action for damages in certain instances. The DPDP Act envisages a central authority/board for grievances and enforcement, and remedies tend to involve regulatory enforcement against data fiduciaries. DPDP does not currently provide for a widespread private right of action by Data Principals for damages in all cases (particularly not a breach-based statutory damage remedy parallel to CCPA; the enforcement paradigm and remedial framework remain more regulatory than consumer-litigation oriented.

Privacy Act, Australia

Australia’s Privacy Act of 1988 [39] has been a cornerstone of personal data protection in the country and aligns with the rights of Data Principals through its Australian Privacy Principles (APPs). These principles govern how organizations should handle personal information, with specific rights for individuals.

Title Purpose
APP 1: Open and Transparent Management Requires APP entities to manage personal information in an open and transparent way, including maintaining a clearly expressed and up-to-date privacy policy.
APP 2: Anonymity and Pseudonymity Mandates that individuals be given the option of not identifying themselves or using a pseudonym, with limited exceptions.
APP 3: Collection of Solicited Information Specifies when APP entities can collect solicited personal information, with stricter standards for sensitive information.
APP 4: Unsolicited Personal Information Outlines how APP entities must handle unsolicited personal information.
APP 5: Notification of Collection Describes when and under what circumstances APP entities must inform individuals about the collection of their personal information.
APP 6: Use or Disclosure Defines the conditions under which APP entities may use or disclose personal information they hold.
APP 7: Direct Marketing Limits the use or disclosure of personal information for direct marketing purposes, requiring compliance with specific conditions.
APP 8: Cross-Border Disclosure Requires APP entities to take steps to protect personal information before disclosing it overseas.
APP 9: Government-Related Identifiers Specifies the limited conditions under which entities may adopt, use, or disclose government-related identifiers of individuals
APP 10: Quality of Information Obligates APP entities to ensure personal information collected, used, or disclosed is accurate, up-to-date, complete, and relevant to its purpose.
APP 11: Security of Information Requires APP entities to protect personal information from misuse, interference, loss, and unauthorized access, and to destroy or de-identify it when necessary.
APP 12: Access to Information Establishes obligations for APP entities to provide access to personal information upon request unless a specific exception applies.
APP 13: Correction of Information Mandates APP entities to correct inaccurate or incomplete personal information they hold.

The Privacy Act also extends protections around data collection, use, and disclosure, making it essential for businesses to handle personal data in an accountable, transparent, and judicious manner. However, like many other jurisdictions, the law is currently under review to expand its scope and strengthen protections in line with global developments, particularly concerning the increased use of digital platforms and emerging technologies.

Singapore Personal Data Protection Act 2012

The Singaporean Personal Data Protection Act 2012 [40] include rights for the Data Principal, such as the right to access personal data held by organizations, the right to request corrections to inaccurate or incomplete data, and the right to withdraw consent for the collection, use, or disclosure of their personal data. Data principals also have the right to data portability, allowing them to request the transfer of their data to another organization in a machine-readable format, as well as the right to request the deletion of their data when it is no longer necessary. Additionally, they have the right to object to the use of their data for marketing purposes. While the PDPA primarily imposes obligations on organizations to safeguard personal data, data principals also bear certain responsibilities. They are required to ensure the accuracy of the information they provide and notify organizations of any changes to their data. Furthermore, data principals must exercise their rights in good faith and follow the correct procedures when making requests, as organizations may refuse to comply with requests that are manifestly unfounded or excessive.

Under the PDPA 2012, the rights-holder is simply the “individual,” meaning the natural person whose personal data is processed; the PDPA does not expand this definition to include guardians, nominees, or representatives within the meaning of the term itself, although representatives can act on behalf of minors or those lacking capacity.

Scope of Personal Data Covered

PDPA covers any personal data about an individual, whether electronic or non-electronic, so long as it “can be processed” (collected, used, disclosed) and is about an identifiable person, as seen from the statutory definition of “personal data” in the file . DPDP is narrower because it covers only digital personal data, whether collected online or digitized later, meaning the scope of a Data Principal’s data under Indian law is restricted compared to the Singapore law that applies across formats.

Rights Granted to the Individual

Under PDPA, the individual has rights primarily to access and correction of personal data in possession of an organisation, and the organisation must provide access unless specific statutory exceptions apply; but PDPA does not grant a general right to erasure, objection, portability, or to restrict processing. Under DPDP, however, the Data Principal possesses rights to access, correction, erasure, grievance redressal, and nomination, which makes the Indian rights structure slightly broader than PDPA’s, even though it still remains narrower than frameworks like GDPR.

Consent and Withdrawal Rights

PDPA relies heavily on consent as the central lawful basis for collection, use, and disclosure, with individuals having the right to withdraw consent at any time subject to reasonable notice, and organisations being obligated to cease processing thereafter unless exceptions apply (e.g., for legal or public interest reasons). DPDP also treats consent as primary, but it embeds a more formalised and notice-driven system, requiring specific consent notices, purpose limitation, and also providing Data Principals the right to withdraw consent through structured mechanisms, although the Indian Act further imposes duties on individuals which PDPA does not.

Duties/Obligations of the Individual

PDPA does not impose statutory duties on the individual; all obligations fall on the “organisation” (data controller). The individual merely exercises rights and makes requests. DPDP, in contrast, imposes explicit legal duties on the Data Principal, including prohibitions against providing false information, impersonation, or frivolous complaints, meaning the Indian law uniquely burdens individuals with compliance obligations rather than treating them solely as rights-holders.

Treatment of Minors and Representation

PDPA does not specify a rigid statutory age threshold like 18; instead, capacity and reasonableness tests apply, and organisations typically rely on parental consent for minors as a matter of practice, not statutory definition. DPDP, however, rigidly defines a child as under 18 years and therefore automatically substitutes the Data Principal with the parent/guardian in such cases, imposing stricter rules such as parental consent and prohibitions on tracking/targeted advertising, making the Data Principal framework far more prescriptive in India.

Accountability and Redress Mechanisms

Under PDPA, individuals submit access/correction requests directly to organisations, and unresolved matters may go to the PDPC (Personal Data Protection Commission), but the individual’s role is limited to requesting and complaining. Under DPDP, the Data Principal interacts directly with the Data Fiduciary but also has a formalised route to the Data Protection Board, plus obligations to follow grievance redressal procedures as part of their own duties, so the Indian individual is more procedurally embedded in the regulatory system than the PDPA individual.

Brazil General Data Protection Law (LGPD)

Brazil’s LGPD [41], adopted in 2020, shares many similarities with the GDPR, particularly in recognizing the rights of Data Principals in relation to their personal data. These rights include:

  • Right to Access: Individuals can request access to their personal data held by data controllers.
  • Right to Rectification and Deletion: Data Principals have the right to rectify inaccurate data and request the deletion of data that is no longer needed.
  • Right to Data Portability: Brazilian citizens can transfer their data to other service providers, enhancing consumer choice.
  • Right to Consent: Similar to the GDPR, the LGPD requires clear and informed consent for processing personal data, with provisions for withdrawal of consent at any time.

The LGPD also created the National Data Protection Authority (ANPD) to oversee compliance and enforce penalties for non-compliance. This further strengthens the data rights of Data Principals in Brazil, aligning them with global standards set by the GDPR.

ACADEMIC RESEARCH

CCG-UNDP Data Privacy Guide

The CCG-UNDP Data Privacy Guide is a framework created collaboratively by the Centre for Communication Governance (CCG) and the United Nations Development Programme (UNDP) to provide practical guidelines for data privacy and protection. While it does not explicitly use the term "Data Principal," it emphasizes the role of individuals in data governance systems and underscores their rights and associated responsibilities.

The Guide recognizes individuals as the central stakeholders in data privacy systems, similar to the concept of "Data Principals". It underscores the importance of informed consent, ensuring that individuals are provided with clear and accessible information to make informed decisions about their data. The Guide also advocates for active participation in data governance, encouraging mechanisms that allow individuals to have a say in how their data is used, which aligns with broader human rights objectives. Additionally, it stresses the need for transparency, with organizations being required to openly disclose their data processing activities to empower individuals.

Furthermore, the Guide provides a comprehensive framework to safeguard individuals’ rights. It grants individuals the right to access their data and understand its usage, as well as the right to rectify or delete data when it is inaccurate or no longer necessary. It promotes data portability, enabling individuals to transfer their data between service providers. Additionally, it ensures that individuals have the right to challenge decisions, especially those made through automated processes or profiling.

While the Guide primarily focuses on institutional accountability, it also acknowledges the responsibilities of individuals. This includes the expectation that individuals provide accurate information to reduce potential misuse of data and engage with available privacy tools and rights mechanisms to ensure compliance from data controllers.

The Guide highlights the accountability of organizations and institutions in protecting individuals’ data rights, stressing the importance of robust data governance frameworks to safeguard these rights. It also advocates for accessible and fair remedial mechanisms, allowing individuals to lodge complaints and seek remedies for any breaches or misuse.

In addition, the Guide uniquely prioritizes the protection of vulnerable populations, such as marginalized communities, who may be at risk of discrimination due to data collection practices. It also places special emphasis on protecting the privacy of children and individuals with limited capacity to consent. By positioning individuals at the heart of data privacy efforts, the CCG-UNDP Guide ensures that data privacy is not only a human right but also a tool for promoting equitable development.

The ICT-UNDP Personal Data Privacy Policy[42] reflects the principles of the CCG-UNDP Data Privacy Guide, placing individuals, similar to “Data Principals”, at the center of data governance. It emphasizes informed consent, transparency, and accountability, while providing rights to access, correct, delete, or transfer personal data. The Policy also protects vulnerable populations, including children and marginalized groups, and encourages individuals to engage responsibly with privacy mechanisms. Overall, it operationalizes the Guide’s framework by embedding individual rights and responsibilities into UNDP’s data privacy practices.

Challenges

  1. Awareness and Accessibility: Limited public understanding of the rights of the Data Principal.
  2. Operational Barriers: Enforcement of consent withdrawal and data deletion rights faces technological challenges.
  3. Regulatory Complexity: Balancing Data Principal’s rights with the operational needs of Data Fiduciaries.
  4. Exemptions: Broad exemption for state agencies could undermine accountability.

Way Ahead

  1. Awareness Campaigns: Public initiatives to educate citizens about their rights as Data Principals.
  2. Technology Solutions: Adoption of robust systems to facilitate seamless grievance redress and consent management.
  3. Strengthened Oversight: Empowering the Data Protection Board to address Data Principal grievances efficiently.
  1. The Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023.
  2. The Digital Personal Data Protection Act, 2023, § 2(f), No. 22, Acts of Parliament, 2023.
  3. The Digital Personal Data Protection Act, 2023, § 11, No. 22, Acts of Parliament, 2023.
  4. The Digital Personal Data Protection Act, 2023, § 12, No. 22, Acts of Parliament, 2023.
  5. The Digital Personal Data Protection Act, 2023, § 13, No. 22, Acts of Parliament, 2023.
  6. The Digital Personal Data Protection Act, 2023, § 14, No. 22, Acts of Parliament, 2023.
  7. The Digital Personal Data Protection Act, 2023, § 15, No. 22, Acts of Parliament, 2023.
  8. The Digital Personal Data Protection Act, 2023, § 4, No. 22, Acts of Parliament, 2023.
  9. The Digital Personal Data Protection Act, 2023, § 7, No. 22, Acts of Parliament, 2023.
  10. The Digital Personal Data Protection Act, 2023, § 5, No. 22, Acts of Parliament, 2023.
  11. The Digital Personal Data Protection Act, 2023, § 6, No. 22, Acts of Parliament, 2023.
  12. The Digital Personal Data Protection Act, 2023, § 6(4), No. 22, Acts of Parliament, 2023.
  13. The Digital Personal Data Protection Act, 2023, § 8, No. 22, Acts of Parliament, 2023.
  14. The Digital Personal Data Protection Act, 2023, § 9, No. 22, Acts of Parliament, 2023.
  15. The Digital Personal Data Protection Act, 2023, § 17, No. 22, Acts of Parliament, 2023.
  16. The Digital Personal Data Protection Act, 2023, § 27, No. 22, Acts of Parliament, 2023.
  17. Digital Personal Data Protection Rules, 2025.
  18. Digital Personal Data Protection Rules, 2025, Rule 3.
  19. Digital Personal Data Protection Rules, 2025, Rule 6.
  20. Digital Personal Data Protection Rules, 2025, Rule 7.
  21. Digital Personal Data Protection Rules, 2025, Rule 8.
  22. Digital Personal Data Protection Rules, 2025, Rule 9.
  23. Digital Personal Data Protection Rules, 2025, Rule 10.
  24. Digital Personal Data Protection Rules, 2025, Rule 13.
  25. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, available at https://eur-lex.europa.eu.
  26. Charter of Fundamental Rights of the European Union, 2000 O.J. (C 364) 1.
  27. Charter of Fundamental Rights of the European Union, art. 7, 2000 O.J. (C 364) 1.
  28. Charter of Fundamental Rights of the European Union, art. 8, 2000 O.J. (C 364) 1.
  29. OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Sept. 23, 1980).
  30. UNITED NATIONS, Compendium of Data Protection and Privacy Policies and Other Related Guidance Within the United Nations Organization and Other Selected Bodies of the International Community (2021), https://unstats.un.org/legal-identity-agenda/documents/Paper/data_protecton_%20and_privacy.pdf.
  31. Kharak Singh v. State of Uttar Pradesh, 1963 AIR 1295.
  32. Justice K.S. Puttaswamy Vs. Union of India and Ors., (2017) 10 SCC 1.
  33. INDIA CONST. art. 21.
  34. Google Spain SL v. Agencia Española de Protección de Datos, Case C-131/12.
  35. Karthik Theodore v Registrar General and Ors., W.P.(MD) No.12015 of 2021.
  36. Zulfiqar Ahman Khan Vs. Ms. Quintillion Business Media Pvt Ltd and Ors., 2019 (175) DRJ 660.
  37. Data Protection Act 2018, c. 12 (UK).
  38. Cal. Civ. Code §§ 1798.100–1798.199.100 (West 2025).
  39. Privacy Act 1988 (Cth).
  40. Personal Data Protection Act 2012, No. 26 of 2012 (Sing.).
  41. Lei No. 13.709, de 14 de Agosto de 2018 (Braz.).
  42. United Nations Development Programme, Personal Data Protection and Privacy Policy (July 26, 2022), https://popp.undp.org/document/personal-data-protection-and-privacy-policy.
Retrieved from "https://jdc-definitions.wikibase.wiki/w/index.php?title=Data_Principal&oldid=10547"