
The Imperceptible Cost of Gratuitous Digital Applications: Judicial Safeguards in the Bharatiya Data Privacy Regime.

BY: Hina Makhija
Published on: 24 Oct 2025

Introduction  

Every day, millions of people worldwide begin their digital activities by downloading and using mobile applications that appear free at first. However, these seemingly free apps often come with lengthy and complicated Privacy Policies crafted primarily to obtain mandatory user consent, a process many users do not fully understand. This legally required consent is often gained with little awareness of the permissions granted, allowing extensive collection and processing of sensitive personal information without genuine understanding of the connected risks (Zimmeck et al., 2017). Studies show that most Privacy Policies are crafted in ways that make them difficult for average users to comprehend, which leads many to ignore or skim them. Equally concerning, many apps fail to offer clear or easily accessible privacy documents, adding to the lack of transparency in Data handling (Alamri et al., 2022).

Constitutional Foundations and Judicial Milestones  

In the Landmark Judgement of K.S. Puttaswamy (Retd.) v. Union of India (2017), the Supreme Court of India firmly recognized the Right to Privacy as a Fundamental Right under Article 21 of the Indian Constitution. The Court described Privacy as vital to Dignity, Autonomy, and Liberty, and as especially important in the Digital era (Bhandari et al., 2017). The Right is not absolute and is subject to reasonable restrictions applying the principles of legality, necessity, and proportionality. The Puttaswamy judgment marked a major evolution in Indian Constitutional law, defining Privacy as a flexible, fundamental Right responsive to technological and social changes (NUJS Law Review, 2022).

The Digital Personal Data Protection Act, 2023: Framework and Key Stakeholders

India’s legislation addressing modern data privacy concerns is codified in the Digital Personal Data Protection (DPDP) Act, 2023, which establishes a comprehensive, unified legal framework for protecting Digital Personal Data. The Act applies to the processing of Personal Data within India when collected in digital form or digitized post-collection. It also extends to data processed outside India when associated with goods or services offered to individuals residing in India (PRS India, 2025). The Act permits the processing of personal data only for lawful purposes and with free, informed, specific, and unconditional consent from individuals, defined as Data Principals (LexComply, 2024). Entities that determine the purpose and means of processing such data, known as Data Fiduciaries, bear the primary responsibility to ensure lawful and transparent practices (AZB Partners, 2023). They must provide clear and concise notices before collecting any data, specifying what data is gathered, why it is collected, how it is used, and what rights the Data Principal retains.

Under Section 8 of the Act, fiduciaries are mandated to implement reasonable security safeguards, including encryption, restricted access, and risk assessments, to prevent unauthorized use or loss (DLA Piper, 2024). They must also erase personal data upon withdrawal of consent or once its purpose is fulfilled. Certain large entities, categorized as Significant Data Fiduciaries, carry additional obligations: appointing an India-based Data Protection Officer, hiring data auditors, and conducting periodic impact assessments to evaluate and mitigate privacy risks (EY Insights, 2023). The Act also introduces protective provisions for children’s personal data, mandating verifiable parental consent and prohibiting processing that may cause harm or involve tracking and targeted advertising (LexComply, 2024). Moreover, the Data Protection Board of India (DPBI), a quasi-judicial body, has been established to investigate non-compliance, address grievances, and impose financial penalties reaching up to INR 250 crore depending on the severity of the violation (DLA Piper, 2024).

Legal Context for App Users and Developers  

The Digital Personal Data Protection (DPDP) Act, 2023 imposes reciprocal duties on mobile app users, known as Data Principals, and mobile application providers, known as Data Fiduciaries. Users have the right to know what personal data is collected, how it is processed, and for what purposes; they may request correction or deletion of data once the purpose is fulfilled and may withdraw consent at any time, compelling providers to discontinue further use or storage of data (PRS India, 2025). Conversely, app providers must present clear, intelligible Privacy Policies and consent forms at installation and before Data collection, specifying Data categories such as location, contacts, media, and behavior analytics. They must obtain explicit and verifiable consent for sensitive permissions like microphone and camera access and erase user data upon account deletion or consent withdrawal. In the event of a Data Breach, providers are obliged to notify affected users and the Data Protection Board of India. They must prohibit unauthorized Third-party Data sharing and implement robust security measures including encryption and vulnerability testing (DLA Piper, 2024). These provisions ensure users’ Fundamental Privacy Rights are protected while holding app providers accountable within India’s evolving Data protection regime.

Awareness in the Context of Mobile Application Users under the Bharatiya Data Privacy Framework

The Digital Personal Data Protection (DPDP) Act, 2023 marks a transformative shift toward a Rights-based approach to privacy, reinforcing the Right to Privacy as an intrinsic component of the fundamental right to life and liberty under Article 21 of the Indian Constitution (Bhandari et al., 2017). For mobile application users, this right is often undermined by poor user awareness and exploitative consent practices. Most users are driven by convenience and skip the Privacy Policies during app downloads without reading and understanding their terms. This ultimately leads to an imbalance in which app providers (Data Fiduciaries) benefit from users’ (Data Principals’) data, resulting in a form of unjust enrichment that compromises users’ Autonomy and Digital Dignity (EY Insights, 2023).

The DPDP Act, 2023 empowers users on paper, but awareness remains the key enforcement mechanism in practice. Public legal literacy initiatives must emphasize that when users blindly grant app permissions, they risk undermining their own Constitutional protections. The duty thus rests not only on app developers to create user-friendly and transparent privacy policies, but also on users to exercise informed discretion before giving consent to the developer. To illustrate, each permission granted, from access to location to storage or camera use, must be treated as a conscious act of Data sharing rather than a mere installation requirement (Illume, 2025; Legal500, 2025).

Conclusion  

Transparency, empowerment, and robust legal enforcement underpin India’s Data Privacy protections in the era of rapid digital expansion. Simplifying Privacy communications and mandating Data Fiduciaries to use clear, accessible language bridges comprehension gaps, particularly among diverse populations (JISA Softech, 2025). Also, the DPDP Act specifically mandates mobile application providers to transition from blanket consent practices to purpose-driven, transparent, and user-friendly consent mechanisms, while empowering users to seek redress through the Data Protection Board’s jurisdiction. Practices like proactive regulatory enforcement and leveraging technology for continuous monitoring and regular audits shift oversight from a reactive to a preventive approach. Empirical regulatory actions including penalties and mandated operational reforms reinforce Fiduciary Accountability and promote Ethical Data Stewardship (Consent.in, 2024). Collectively, these measures shall cultivate a sustainable ecosystem fostering Trust, protecting user Autonomy, and advancing the objectives enshrined in the DPDP Act amidst the imperceptible costs of free digital services.

References 

  • Alamri, B., et al. (2022). Privacy Policies for Apps Targeted Toward Youth: Descriptive Analysis of Readability. JMIR mHealth and uHealth. Available at: https://pmc.ncbi.nlm.nih.gov/articles/PMC5773816/
  • AZB Partners. (2023). Digital Personal Data Protection Act, 2023 – Key Highlights. Available at: https://www.azbpartners.com/bank/digital-personal-data-protection-act-2023-key-highlights/
  • Bhandari, V., Kak, A., Parsheera, S., & Rahman, F. (2017). An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict. IndraStra Global. Available at: https://www.indrastra.com/2017/11/An-Analysis-of-Puttaswamy-Supreme-Court-s-Privacy-Verdict-003-11-2017-0004.html
  • Consent.in. (2024). Ethical Data Stewardship under India’s DPDP Act. Available at: https://consent.in/ethical-data-governance/
  • DLA Piper. (2024). Data Protection Laws in India. Available at: https://www.dlapiperdataprotection.com/?t=law&c=IN
  • EY Insights. (2023). Decoding India’s Digital Personal Data Protection Act, 2023. Available at: 1) https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023 2) https://lexcomply.com/blog/digital-personal-data-protection-act-2023
  • Illume. (2025). Enhancing User Awareness under India’s DPDP Act. Available at: https://illume.in/blog-details/designing-dpdp-compliant-web-and-mobile-apps
  • JISA Softech. (2025). Bridging Privacy Comprehension Gaps with Simplified Communication. Available at: https://www.jisasoftech.com/dpdp-act-2023/
  • Legal500. (2025). Digital Privacy Compliance in India: User Consent and Transparency. Available at: https://www.legal500.com/guides/india-compliance/
  • LexComply. (2024). Digital Personal Data Protection Act, 2023 Key Features. Available at:
  • NUJS Law Review. (2022). Puttaswamy Judgment: A Constitutional Evolution on Right to Privacy. NUJS Law Review, 15(2).
  • PRS India. (2025). The Digital Personal Data Protection Bill, 2023. Available at: https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
  • The Legal School. (2025). Regulatory Enforcement and Accountability in Data Privacy. Available at: https://thelegalschool.in/data-privacy-law/
  • Zimmeck, S., et al. (2017). Automated Analysis of Privacy Requirements for Mobile Apps. Proceedings of the Network and Distributed System Security Symposium (NDSS). Available at: https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss2017_05A-5_Zimmeck_paper
