Section 3 of the Digital Personal Data Protection Act, 2023
Detailed analysis of Section 3 covering the applicability and territorial jurisdiction of the DPDP Act.
Introduction
The Digital Personal Data Protection Act, 2023 (DPDP Act) represents a significant shift in the regulatory framework of India. The legislation is the first data protection law of India. It prioritizes user autonomy by mandating informed consent and affording individuals control over their personal information.
The DPDP Act once enacted will replace Section 43A of the Information Technology Act, 2011, and the SPDI Rules made thereunder for the protection of the personal and sensitive data of an individual. The aim of this article is to understand the scope and applicability of the DPDP Act.
Application of the DPDP Act within India
Section 3(a) of the DPDP Act provides that the legislation applies to the processing of digital personal data within the territory of India in cases where the personal data has been collected in:
- •Digital form - Data that is originally collected in digital format
- •Collected in non-digital form but has been digitised subsequently - Physical data that is later converted to digital format
Application of the DPDP Act outside India
According to Section 3(b) of the DPDP Act, the DPDP Act applies to the processing of the digital personal data outside the Indian territory in cases of activities which are related to the offering of goods and services to Data Principals within the Indian territory.
📝 Practical Example
OTT Platforms: OTT platforms, with their headquarters in the USA process the personal data of the Data Principals in India for the purpose of creating their user account. Herein, the OTT platform is a Data Fiduciary operating outside the territory of India but providing services within the Indian territory. Therefore, they will be subject to the provisions of the DPDP Act.
Non-applicability of the DPDP Act
Section 3(c) of the DPDP Act carves out specific exemptions wherein the provisions of the legislation are not applicable. These exemptions are designed to balance the stringent requirements of the DPDP Act and are as follows:
The provisions of the DPDP Act will not be applicable to the personal data processed by an individual for any personal or domestic purposes.
📝 Example:
Obtaining the contact information of a friend for the purpose of arranging a dinner engagement is one such instance.
The DPDP Act does not apply to personal data made publicly available by the individuals themselves or by someone else under a legal obligation as per the law in force.
📝 Example:
X, an individual who is a renowned food blogger, posts his personal data on social media making it publicly available for everyone to see. In such cases the DPDP Act is not applicable.
Conclusion
The DPDP Act represents a significant regulatory framework for data privacy in India. It applies to digital personal data processed within India and outside India if related to a Data Subject within the territory of India.
However, it carves out certain instances where the legislation is not applicable. In other words, it excludes data used for personal/domestic purposes and publicly available data. These exemptions aim to balance data protection with practicality and existing legal obligations.
Get Started with Data> Nuance
Stay compliant, stay safe. Reach out to Data> Nuance to ensure compliance with the provisions of the DPDP Act. Ensure your practices meet legal standards while safeguarding your business from regulatory penalties. Let's make compliance effortless—before regulators make it expensive!