The Digital Personal Data Protection Act, 2023 (DPDPA) adopts a broad and comprehensive approach while defining personal data. Personal data refers to any information that can be used to identify an individual, who is referred to under the Act as a Data Principal. This definition is intentionally wide in scope to ensure that various forms of personal information receive adequate legal protection.

Personal data includes traditional identifiers such as names and addresses, as well as modern digital identifiers like IP addresses and browsing history. In addition to these, financial information, opinions, and even biometric data fall within the scope of the Act, provided that such information can be linked to a specific individual. By adopting this wide definition, the Act ensures that a broad range of personal information is covered and protected.

The applicability of the Act is addressed under Section 3 of the DPDPA. This provision specifies the situations in which the Act applies to the processing of personal data.

Firstly, the Act applies to the processing of digital personal data within India. This includes personal data that is collected directly in digital form. It also includes data that is originally collected in non-digital form but is subsequently digitised.

Therefore, physical records that are later scanned, converted into digital format, or stored electronically fall within the scope of the Act. This provision ensures that personal data receives protection regardless of the form in which it was originally collected.

Secondly, the Act provides for extra-territorial jurisdiction. This means that the provisions of the Act may apply even to entities located outside India. If a foreign company, organisation, or entity processes personal data in connection with offering goods or services to individuals in India, it becomes subject to the provisions of the Act. This ensures that individuals in India remain protected even when their personal data is processed by organisations located outside the country.

Despite its broad applicability, the Act also provides certain specific exclusions. The provisions of the Act do not apply to personal data that is used by individuals for domestic purposes. Additionally, personal data that has been made publicly available by the Data Principal themselves, or personal data that has been made public because it was required by law, is also excluded from the scope of the Act.

The Act applies broadly to entities or persons that determine the purpose and means of processing personal data. Such entities are referred to as Data Fiduciaries under the Act. The term Data Fiduciary includes a wide range of entities such as individuals, Hindu Undivided Families, companies, firms, associations of persons, bodies of individuals (whether incorporated or not), the State, and every other artificial juristic person. These entities are responsible for ensuring that the processing of personal data complies with the obligations laid down under the Act.

Furthermore, the Act provides for the designation of certain entities as Significant Data Fiduciaries (SDFs). This designation is based on factors such as the volume and sensitivity of personal data processed, as well as the risk posed to the sovereignty and integrity of India, electoral democracy, or public order. Entities classified as Significant Data Fiduciaries are required to comply with additional obligations under the Act, reflecting the higher level of risk associated with large-scale or sensitive data processing.

Through these provisions, the Digital Personal Data Protection Act, 2023 establishes a framework that determines the entities and circumstances to which the law applies, while also identifying situations where its provisions do not extend.

Recent Posts