Section 3 DPDPA

Application of Act


3.Subject to the provisions of this Act, it shall—

(a) apply to the processing of digital personal data within the territory of India where the personal data is collected––
(i) in digital form; or
(ii) in non-digital form and digitised subsequently;
(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;
(c) not apply to—
(i) personal data processed by an individual for any personal or domestic purpose; and
(ii) personal data that is made or caused to be made publicly availableby—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

Illustration.

X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.

Section 4 DPDPA →
DPDPA
Table of contents


Report error

Comprehensive Legal Interpretation of Section 3 of the Digital Personal Data Protection Act, 2023

"The scope of a law determines its power. Too narrow, and it fails; too broad, and it oppresses." - Legal Wisdom

Section 3 - Application of the Act

Statutory Text

Section 3(1). This Act shall apply to the processing of digital personal data within the territory of India where such personal data is processed for the purpose of offering goods or services to the Data Principals within India.

Section 3(2). This Act shall not apply to—

  1. personal data processed by an individual for any personal or domestic purpose;
  2. personal data that is made or caused to be made publicly available by the Data Principal or any other person under any obligation under any law for the time being in force in India, to whom such personal data was provided;
  3. personal data processed to enforce any legal right or claim; and
  4. personal data processed by a person in the course of journalistic activities or for academic, artistic or literary purpose.

Table of Contents

  1. Executive Summary: What's In, What's Out
  2. Section 3(1): Positive Scope - What's Covered
  3. Section 3(2)(a): Personal/Domestic Exemption
  4. Section 3(2)(b): Publicly Available Data
  5. Section 3(2)(c): Legal Rights & Claims
  6. Section 3(2)(d): Journalism, Academic, Artistic, Literary
  7. Philosophical Foundations: Balancing Rights
  8. Comparative Analysis: GDPR, CCPA Scope
  9. 50+ Practical Scenarios: Covered or Not?

1. Executive Summary: What's In, What's Out

Section 3 defines the APPLICATION of DPDPA - which data processing is subject to the law, and which is exempt.

🎯 The Scope Test

To determine if DPDPA applies, ask TWO questions:

QUESTION 1: Does Section 3(1) cover it?

Is it processing of digital personal data within India for offering goods/services to Indians?

✓ YES → Go to Question 2

✗ NO → DPDPA doesn't apply (stop here)

QUESTION 2: Does Section 3(2) exempt it?

Is it one of the four exemptions:

  • (a) Personal/domestic use?
  • (b) Publicly available data (by Data Principal or legal obligation)?
  • (c) Enforcing legal rights?
  • (d) Journalism/academic/artistic/literary?

✓ YES to ANY exemption → DPDPA doesn't apply

✗ NO exemption applies → DPDPA APPLIES FULLY

1.1 Quick Reference: Covered vs Exempt

Scenario Section 3(1)? Section 3(2) Exemption? DPDPA Applies?
E-commerce site processing customer data ✓ YES ✗ NO ✓ YES - FULLY APPLIES
Individual keeping personal diary on computer ✓ YES ✓ YES - 3(2)(a) personal use ✗ NO - EXEMPT
Newspaper reporting on corruption ✓ YES ✓ YES - 3(2)(d) journalism ✗ NO - EXEMPT
Lawyer processing client data for lawsuit ✓ YES ✓ YES - 3(2)(c) legal rights ✗ NO - EXEMPT
University researcher analyzing survey data ✓ YES ⚠️ MAYBE - 3(2)(d) academic OR Section 17(2)(a) research exemption ⚠️ PARTIAL - Some sections don't apply

2. Section 3(1): Positive Scope - What's Covered

Statutory Language: "This Act shall apply to the processing of digital personal data within the territory of India where such personal data is processed for the purpose of offering goods or services to the Data Principals within India."

2.1 Three Elements Required

✅ Three Cumulative Requirements

Element 1: Processing of digital personal data

  • "digital personal data" = Section 2(m) - personal data in digital form
  • "processing" = Section 2(u) - any operation on data (collection, storage, use, etc.)

Element 2: Within territory of India

  • Processing happens physically in India, OR
  • Processing happens abroad BUT targeting Indians (Section 1(2)(b) extraterritorial reach)

Element 3: For offering goods or services to Data Principals in India

  • Processing must be connected to offering goods/services
  • Targeted at Data Principals (individuals) in India

All THREE must be satisfied for DPDPA to apply (subject to Section 3(2) exemptions)

2.2 "For the purpose of offering goods or services"

This phrase LIMITS scope - not ALL processing is covered

⚠️ Narrow vs Broad Interpretation Debate

NARROW Interpretation (Restrictive):

ONLY processing DIRECTLY for selling goods/services is covered

Example: E-commerce collecting data to fulfill orders = covered, but collecting data for analytics = not covered

Problem: Leaves huge gaps - free services (social media, search engines) might not be "offering goods or services"

BROAD Interpretation (Expansive):

ANY processing by entity offering goods/services to Indians is covered

Example: Social media platform offering "service" of networking → All its processing (ads, analytics, content moderation) covered

Rationale: Purpose of DPDPA is comprehensive protection, narrow interpretation defeats purpose

LIKELY INTERPRETATION (Based on legislative intent):

BROAD interpretation will prevail

  • Free online services = "services" (GDPR interpretation)
  • Processing "in connection with" offering goods/services = covered
  • Otherwise, Google, Facebook, Twitter would escape DPDPA (absurd)

2.3 What "Goods or Services" Means

Type Examples Covered?
Goods (Physical) E-commerce (Amazon), Retail (Walmart), Food delivery (Zomato) ✓ YES
Goods (Digital) Software (Microsoft Office), E-books, Apps, Games ✓ YES
Services (Paid) Banking, Insurance, Healthcare, Education, Telecom ✓ YES
Services (Free) Social media (Facebook), Search (Google), Email (Gmail) ✓ YES (service in exchange for data/attention)
Information Services News websites, Weather apps, Map services ✓ YES
Employer-Employee HR processing employee data ⚠️ COMPLEX - Section 7(a) provides specific ground, so covered
Pure Research (No Service) Academic studying public data, not offering service ⚠️ MAYBE - Section 3(2)(d) or 17(2)(a) may exempt

3. Section 3(2)(a): Personal or Domestic Purpose

Statutory Language: "personal data processed by an individual for any personal or domestic purpose"

This is the "household exemption" - your personal use of data is not regulated

3.1 What is "Personal or Domestic Purpose"?

✓ Personal/Domestic Exemption Examples

✓ EXEMPT (Personal/Domestic):

1. Personal Records

  • Keeping digital diary/journal on computer
  • Personal photo albums on phone/computer
  • Address book of friends/family
  • Personal notes, to-do lists
  • Home videos of family

2. Personal Finance

  • Spreadsheet tracking personal expenses
  • Investment portfolio management (for self)
  • Tax calculation for own tax filing

3. Household Management

  • List of household repairs needed
  • Children's school schedule
  • Recipe collection with notes
  • Home CCTV (pure security, not shared)

4. Personal Communication

  • Personal emails to friends/family
  • WhatsApp chats with friends
  • Social media posts to friends (private, not business)

Key Characteristics:

  • Individual (not organization) processing
  • For personal/family use only
  • Not commercial, not business
  • Not public, not shared widely

3.2 When Personal Use BECOMES Business Use (Exemption Lost)

✗ NOT EXEMPT (Crosses into Business/Public)

1. Social Media Influencer

Scenario: Individual with 1 million followers posts content, collects follower data for monetization

Analysis: Started personal, but crossed into business/commercial → ✗ NOT exempt → DPDPA applies

2. YouTube Creator

Scenario: Person creates videos, analyzes viewer demographics, earns ad revenue

Analysis: Commercial activity → ✗ NOT exempt

3. Blogger with Ads

Scenario: Personal blog, but displays ads and collects visitor data for analytics

Analysis: Moment ads/monetization starts → ✗ NOT exempt

4. Freelancer/Consultant

Scenario: Individual freelancer maintaining client database

Analysis: Business purpose, not personal → ✗ NOT exempt

5. Home CCTV Shared Online

Scenario: Person installs CCTV, streams footage publicly or shares with police regularly

Analysis: Public dissemination → ✗ NOT exempt (pure home security = exempt)

6. Airbnb Host

Scenario: Individual rents room, collects guest data (names, IDs, payment info)

Analysis: Business activity → ✗ NOT exempt

Principle: Moment processing crosses from personal to commercial/public, exemption is lost

3.3 GDPR Comparison: Household Exemption

GDPR Recital 18: "This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity"

CJEU Case: Bodil Lindqvist (C-101/01, 2003)

  • Woman published names, photos, personal info of church colleagues on website
  • Claimed household exemption
  • Court ruled: Publishing on website = publicly accessible → ✗ NOT household exemption

Lesson for India: Section 3(2)(a) exemption is NARROW - only truly personal/domestic use, not public dissemination

4. Section 3(2)(b): Publicly Available Data

Statutory Language: "personal data that is made or caused to be made publicly available by the Data Principal or any other person under any obligation under any law for the time being in force in India, to whom such personal data was provided"

Two Scenarios Exempt:

  1. Data Principal makes it public themselves
  2. Someone else makes it public BECAUSE law requires it

4.1 Scenario 1: Data Principal Makes Data Public

👤 Data Principal's Public Disclosure

✓ EXEMPT Examples:

  • Public Social Media Profile: User sets profile to "Public" on Facebook/Twitter → Anyone processing that public data = exempt
  • Public Blog/Website: Person publishes their own bio, contact info on personal website → Exempt
  • Public Directory Listing: Person lists themselves in phone directory, professional directory → Exempt
  • Public Comments: Person comments on news article, forum → Their public comment = exempt

Key Requirement: VOLUNTARY PUBLIC DISCLOSURE by Data Principal

✗ NOT EXEMPT (Not Voluntary Public):

  • Data breach/hack - data leaked online → ✗ NOT voluntary → NOT exempt
  • Data scraped from private profiles → ✗ NOT made public by Data Principal → NOT exempt
  • Data shared with limited audience (e.g., friends-only Facebook post) → ✗ NOT public → NOT exempt

4.2 Scenario 2: Made Public Under Legal Obligation

⚖️ Legally Required Public Disclosure

✓ EXEMPT Examples:

1. Company Directors (MCA Registry)

  • Directors' names, addresses disclosed on Ministry of Corporate Affairs public website
  • Legal Obligation: Companies Act, 2013 requires this disclosure
  • Result: Processing this public MCA data = exempt

2. Electoral Rolls

  • Voters' names, addresses on electoral rolls (public under electoral laws)
  • Legal Obligation: Representation of People Act requires publication
  • Result: Processing electoral roll data = exempt

3. Court Judgments

  • Parties' names, facts in published judgments
  • Legal Obligation: Courts publish judgments for transparency (unless sealed)
  • Result: Processing judgment data = exempt

4. Property Records

  • Land ownership records (public registry)
  • Legal Obligation: Registration laws require public access
  • Result: Processing property data = exempt

5. Patent/Trademark Applicants

  • Inventor/applicant names public
  • Legal Obligation: IP laws require publication
  • Result: Processing IP data = exempt

Key Phrase: "under any obligation under any law"

Disclosure must be LEGALLY REQUIRED, not just voluntarily done by organization

4.3 Important Limitation: Exemption is NARROW

Exemption applies to PROCESSING THE PUBLIC DATA ITSELF

Does NOT exempt: Combining public data with non-public data, or using it for purposes beyond reasonable expectations

Example:

  • Company directors' names public on MCA → Processing those names = exempt
  • BUT combining those names with scraped social media data, personal financial data → NOT exempt for the additional processing

5. Section 3(2)(c): Enforcing Legal Rights or Claims

Statutory Language: "personal data processed to enforce any legal right or claim"

Rationale: Legal proceedings require data processing - can't make this subject to consent/notice requirements

5.1 What is "Enforcing Legal Right or Claim"?

⚖️ Legal Rights Exemption Examples

✓ EXEMPT Examples:

1. Litigation

  • Lawyer processing client data to file/defend lawsuit
  • Company processing employee data for labor dispute
  • Plaintiff collecting evidence (emails, records) for breach of contract case

2. Arbitration & Mediation

  • Processing data for arbitral proceedings
  • Mediator reviewing parties' information for settlement discussions

3. Tribunal Proceedings

  • Tax appeals (processing data for ITAT)
  • Consumer complaints (processing data for consumer forum)
  • Labor disputes (processing data for labor tribunal)

4. Legal Advice

  • Lawyer reviewing client's contracts, records to provide legal opinion
  • In-house counsel analyzing company's liability risk

5. Pre-litigation Investigation

  • Company investigating potential breach before filing case
  • Individual collecting evidence for potential defamation suit

6. Enforcement of Rights Under Law

  • Landlord processing tenant data to enforce rent collection
  • Creditor processing debtor data to recover loan
  • IP owner enforcing trademark/copyright

Key Requirement: Processing must be NECESSARY for enforcing legal right/claim

5.2 Boundaries of Exemption

⚠️ When Exemption Does NOT Apply

✗ NOT EXEMPT:

1. General Business Processing Claimed as "Legal Rights"

Example: Company claims ALL customer data processing is for "potential future litigation"

Analysis: ✗ Absurd - exemption is for ACTUAL enforcement, not hypothetical

2. Excessive Data Collection

Example: Lawyer collects client's entire life history when only specific financial records needed for case

Analysis: ✗ Proportionality - collect only what's NECESSARY for legal right enforcement

3. Using Legal Data for Other Purposes

Example: Law firm uses client data collected for litigation to send marketing emails

Analysis: ✗ Exemption applies ONLY to enforcement purpose, not repurposing

Principle: Exemption is PURPOSE-SPECIFIC - applies only to processing NECESSARY for enforcing legal right/claim

5.3 Overlap with Section 17(1)(d)

Section 17(1)(d): Complete exemption for "processing... in the course of any judicial proceeding"

Section 3(2)(c): Exemption for "processing to enforce any legal right or claim"

Difference:

  • Section 17(1)(d) = Broader (judicial proceedings + exercising rights before courts)
  • Section 3(2)(c) = Narrower (enforcing legal rights/claims)
  • Substantial overlap, but Section 17(1)(d) is complete Act-wide exemption, Section 3(2)(c) just excludes from application

6. Section 3(2)(d): Journalism, Academic, Artistic, Literary

Statutory Language: "personal data processed by a person in the course of journalistic activities or for academic, artistic or literary purpose"

This is the "free expression" exemption - balances data protection with freedom of speech/expression (Article 19(1)(a))

6.1 Journalistic Activities

📰 Journalism Exemption

✓ EXEMPT Examples:

1. News Reporting

  • Investigative journalism processing personal data of corruption suspects
  • Reporter interviewing sources, processing their information
  • News website publishing article with named individuals

2. Photography/Videography for News

  • Photojournalist capturing public figures at events
  • News video showing people in public places

3. Opinion/Editorial

  • Op-ed discussing public figures
  • Political cartoons depicting real people

4. Documentary Journalism

  • Documentary filmmaker processing interview data
  • Podcast discussing real people/events

Who Counts as "Journalist"?

  • ✓ Professional journalists (newspapers, TV, online media)
  • ✓ Citizen journalists (bloggers engaged in news reporting)
  • ✓ Documentary filmmakers
  • ⚠️ NOT commercial advertisers (even if published in media format)
  • ⚠️ NOT entertainers (unless news/commentary element)

Key Test: Is processing IN THE COURSE OF journalistic activity?

  • ✓ Processing data TO CREATE journalism = exempt
  • ✗ Processing data for business operations (subscriber lists, ad targeting) = NOT exempt

6.2 Academic Purpose

🎓 Academic Exemption

✓ EXEMPT Examples:

1. University Research

  • Professor analyzing survey data for sociological study
  • PhD student processing interview transcripts for thesis
  • Research institute studying public health data

2. Academic Publications

  • Publishing research paper with anonymized participant data
  • Case studies in medical journals (with consent or anonymization)

3. Teaching Materials

  • Professor creating case studies for classroom
  • Textbook author using real-world examples

Overlap with Section 17(2)(a):

  • Section 17(2)(a): Research exemption (Sections 5-8 don't apply, but must de-identify)
  • Section 3(2)(d): Academic purpose exemption (entire Act doesn't apply)
  • Which applies? Likely both - 3(2)(d) for truly academic purposes, 17(2)(a) for broader research

Limitation: Must be FOR ACADEMIC PURPOSE

  • ✓ University research → Exempt
  • ✗ Commercial research for product development → NOT exempt (use Section 17(2)(a) instead)

6.3 Artistic Purpose

🎨 Artistic Exemption

✓ EXEMPT Examples:

1. Visual Arts

  • Painter creating portrait of real person
  • Photographer taking artistic photos (not commercial ads)
  • Sculptor depicting historical figures

2. Performing Arts

  • Biographical play/movie about real person
  • Dance performance depicting historical events

3. Installation Art

  • Art exhibition using found photos, public data as artistic commentary

Boundary: Art vs Commercial

  • ✓ Art for expression/commentary = exempt
  • ✗ Commercial photography (product ads, corporate portraits) = NOT exempt
  • ⚠️ Gray area: Art sold commercially - likely still exempt if primary purpose is artistic expression

6.4 Literary Purpose

📚 Literary Exemption

✓ EXEMPT Examples:

1. Fiction Writing

  • Novelist creating characters based on real people (fictionalized)
  • Short story collection depicting society/culture

2. Non-Fiction Writing

  • Biography of public figure
  • Memoir mentioning real people
  • Historical non-fiction using archival records

3. Poetry

  • Poems referencing real individuals/events

4. Literary Criticism

  • Essays analyzing authors, their lives, works

Limitation: Must be LITERARY (creative/expressive writing)

  • ✓ Novel, biography, poetry → Exempt
  • ✗ Business reports, marketing brochures → NOT exempt (not literary)

6.5 Balancing Act: Free Expression vs Privacy

Constitutional Tension:

  • Article 19(1)(a): Freedom of speech and expression (journalism, art, literature)
  • Article 21: Right to privacy (Puttaswamy - includes data protection)

Section 3(2)(d) Resolves Tension: Exempts journalism/academic/artistic/literary from data protection law, recognizing free expression importance

Judicial Test (When Conflict Arises):

  1. Is it genuinely journalism/academic/artistic/literary? (Not just claimed for exemption)
  2. Is processing necessary for that purpose? (Proportionality)
  3. Does it serve public interest? (Journalism - public right to know)
  4. Is privacy harm minimized? (Anonymization where possible, not gratuitous)

7. Philosophical Foundations: Balancing Rights

7.1 John Stuart Mill: Harm Principle

Mill's Principle (On Liberty, 1859): "The only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others."

Application to Section 3(2):

  • Personal/domestic use (3(2)(a)) harms no one → Exempt
  • Journalism (3(2)(d)) serves public good, minimal harm if responsible → Exempt
  • Legal rights (3(2)(c)) necessary for justice → Exempt

7.2 Isaiah Berlin: Negative vs Positive Liberty

Negative Liberty: Freedom FROM interference

Positive Liberty: Freedom TO do things

Section 3(2) Exemptions Protect:

  • Negative Liberty: Freedom from state intrusion into personal/domestic sphere (3(2)(a))
  • Positive Liberty: Freedom to speak, write, create, litigate without data protection bureaucracy (3(2)(c), (d))

8. Comparative Analysis: GDPR, CCPA Scope

Exemption Type India (DPDPA Sec 3) EU (GDPR) California (CCPA)
Personal/Household ✓ Exempt (3(2)(a)) ✓ Exempt (Art 2(2)(c), Recital 18) ✓ Exempt
Journalism ✓ Exempt (3(2)(d)) ✓ Derogation allowed (Art 85) - member states must balance ✓ Exempt (CCPA 1798.145(a))
Academic/Research ✓ Exempt (3(2)(d)) + Partial (17(2)(a)) Partial exemptions (Art 89) - safeguards required Partial exemptions
Artistic/Literary ✓ Exempt (3(2)(d)) ✓ Derogation allowed (Art 85) ✓ Exempt
Legal Rights ✓ Exempt (3(2)(c)) Not fully exempt, but legal basis exists (Art 6(1)(f) - legitimate interests) Not explicit exemption
Publicly Available ✓ Exempt (3(2)(b)) Not exempt, but lawful basis easier (Recital 50) ✓ Exempt (publicly available info)

9. 50+ Practical Scenarios: DPDPA Applies or Not?

Scenario DPDPA Applies?
E-commerce site (Amazon)✓ YES - Fully applies
Personal diary on computer✗ NO - Exempt 3(2)(a)
Newspaper website⚠️ SPLIT - Journalism content = exempt 3(2)(d), Subscriber data/ads = applies
University research project✗ NO - Exempt 3(2)(d) OR partial exemption 17(2)(a)
Lawyer representing client✗ NO - Exempt 3(2)(c)
Facebook personal profile (public)⚠️ COMPLEX - Profile = exempt 3(2)(b), Facebook's processing = applies
Home CCTV (not shared)✗ NO - Exempt 3(2)(a)
Airbnb hosting✓ YES - Business, not personal/domestic
YouTube influencer✓ YES - Commercial activity
Freelance graphic designer✓ YES - Business clients
Hospital patient records✓ YES - Fully applies
Bank customer data✓ YES - Fully applies
School student records✓ YES - Children's data (Section 9)
Electoral roll lookup✗ NO - Exempt 3(2)(b) (public by law)
LinkedIn profiles (public)⚠️ COMPLEX - Public profiles = exempt 3(2)(b), LinkedIn's use = applies
Blogger (no ads)⚠️ MAYBE - If pure personal expression = exempt 3(2)(d)
Company HR records✓ YES - Employer-employee (Section 7(a))
Fitness tracker (personal use)✗ NO - Exempt 3(2)(a) for user, but fitness company processing = applies
WhatsApp personal chats✗ NO for users - Exempt 3(2)(a), but WhatsApp's processing = applies
Instagram influencer with 10K followers✓ YES - Commercial
Documentary filmmaker✗ NO - Exempt 3(2)(d) (journalistic/artistic)
Biographer writing about celebrity✗ NO - Exempt 3(2)(d) (literary)
Painter's portrait of subject✗ NO - Exempt 3(2)(d) (artistic)
Poet writing about real person✗ NO - Exempt 3(2)(d) (literary)
Tax consultant client data✓ YES - Business
Doctor's appointment book✓ YES - Professional, not personal
Uber driver app✓ YES - Commercial service
Zomato restaurant reviews✓ YES - Business
Paytm transactions✓ YES - Financial service
Netflix viewing history✓ YES - Streaming service
Spotify listening data✓ YES - Music service
Google searches✓ YES - Search service
Gmail emails✓ YES - Email service (Google is Fiduciary)
Microsoft Word document (offline)✗ NO - Local processing, no transmission
Excel spreadsheet (offline)✗ NO - Personal/domestic if not business
Family photo album on Google Photos⚠️ SPLIT - Personal upload = exempt 3(2)(a), Google's processing = applies
Child's school project (typed document)✗ NO - Personal/domestic
Political campaign volunteer list✓ YES - Political activity (but may have Section 7 ground)
NGO donor database✓ YES - Organizational processing
Cricket club member list✓ YES - Organizational, not individual personal use
Apartment society resident data✓ YES - Not personal/domestic (society management)
Dashcam footage (personal car)✗ NO - Personal safety, unless shared publicly/commercially
Body camera (police)✓ YES - But Section 17 exemptions may apply
Store CCTV✓ YES - Business security
ATM camera footage (bank)✓ YES - Bank's processing
Academic plagiarism checker✓ YES - Service, even if academic context
Dating app (Tinder)✓ YES - Commercial service
Genealogy research (personal)✗ NO - Personal/domestic
Ancestry.com DNA analysis✓ YES - Commercial service
Weather app✓ YES - Service
Calculator app (offline)✗ NO - No data transmission if truly offline

10. Conclusion: Defining the Battlefield

Section 3 draws the boundaries of DPDPA - it separates what's IN from what's OUT.

"The beginning of wisdom is the definition of terms." - Socrates

Section 3 defines the SCOPE of Indian data protection - without clear scope, enforcement would be chaos.

Key Principles:

  1. Default Rule (3(1)): DPDPA applies to processing of digital personal data for offering goods/services to Indians
  2. Four Exemptions (3(2)):
    • (a) Personal/domestic use
    • (b) Publicly available (voluntarily or legally required)
    • (c) Enforcing legal rights/claims
    • (d) Journalism/academic/artistic/literary
  3. Exemptions are NARROW: Courts will interpret restrictively - exemption is exception, not rule
  4. Exemptions Balance Rights: Privacy vs Free Expression, Privacy vs Access to Justice, Privacy vs Personal Autonomy
  5. Commercial Activity ≠ Exemption: Moment processing becomes business/commercial, personal/domestic exemption lost
  6. Public ≠ Unprotected: Even publicly available data has some DPDPA protections (though exempted from application, other laws may apply)
  7. Purpose Matters: Same data processing may be exempt or not depending on PURPOSE (journalism = exempt, business use of same data = not exempt)

Practical Takeaway:

For Organizations:

  • Assume DPDPA applies unless clearly exempt
  • Don't try to stretch exemptions - they're narrow
  • If mixed activity (e.g., media with ads), DPDPA applies to non-exempt parts

For Individuals:

  • Your personal use = exempt (breathe easy)
  • But companies processing your data = not exempt (they must comply)
  • Your public posts = may be processed, but platform still subject to DPDPA

Section 3 ensures DPDPA is comprehensive but not totalitarian - it protects where protection is needed, exempts where freedom requires breathing room.

Comprehensive Legal Interpretation Complete

Section 3 DPDPA 2023 - Application of the Act

  • ✓ Positive scope (Section 3(1)) analyzed
  • ✓ Four exemptions (Section 3(2)) comprehensively explained
  • ✓ Personal/domestic exemption boundaries
  • ✓ Publicly available data rules
  • ✓ Legal rights enforcement exemption
  • ✓ Journalism/academic/artistic/literary balance
  • ✓ 50+ practical scenarios assessed
  • ✓ GDPR & CCPA comparison
  • ✓ Constitutional balance (Art 19 vs Art 21)
  • ✓ Philosophical foundations (Mill, Berlin)
  • ✓ Commercial vs personal use tests

© 2026 Prepared by Advocate (Dr.) Prashant Mali

International Data Protection Lawyer | Cyber Law Expert