Section 3 DPDPA

Application of Act


3. Subject to the provisions of this Act, it shall—

(a) apply to the processing of digital personal data within the territory of India where the personal data is collected—
(i) in digital form; or
(ii) in non-digital form and digitised subsequently;
(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;
(c) not apply to—
(i) personal data processed by an individual for any personal or domestic purpose; and
(ii) personal data that is made or caused to be made publicly available by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

Illustration.

X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.

Legal Interpretation of the

Statutory Provision and Purpose

Provision: Section 3 of the Digital Personal Data Protection Act, 2023 states:

"Application of Act."

While the section title is brief, its implications are foundational within the framework of the DPDPA 2023. This provision delineates the scope and extent to which the Act applies, specifying the entities, geographical boundaries, and types of data covered under its jurisdiction. Establishing a clear application framework ensures that the Act effectively safeguards personal data while providing clarity to data fiduciaries and data principals regarding their obligations and rights.

Purpose:
The primary objective of Section 3 is to define the boundaries of the Act's applicability, ensuring that it effectively targets the intended entities and data types. By outlining these parameters, the Act aims to:

  • Clarify Jurisdiction: Specify the geographical and functional scope to avoid ambiguities in enforcement.
  • Define Applicable Entities: Identify which organizations, government bodies, and individuals are subject to the Act.
  • Categorize Data Types: Distinguish between different categories of personal data to apply appropriate protections.
  • Establish Exceptions: Outline scenarios where the Act may not apply, providing flexibility in data processing under certain conditions.

Legal Interpretation

1. Territorial Scope

a. Geographical Boundaries:

Section 3 typically defines the territorial scope of the Act, determining whether it applies solely within national borders or extends to entities outside the country that process data of residents.

  • Domestic Applicability: The Act applies to all data fiduciaries operating within the country, ensuring comprehensive coverage of organizations handling personal data domestically.
  • Extraterritorial Applicability: Extends to entities outside the country if they process personal data of individuals residing within the country, ensuring that international organizations comply with local data protection standards when dealing with local residents' data.

b. Implications:

  • Global Reach: Ensures that personal data of residents is protected regardless of where the data processing occurs, promoting consistent data protection standards globally.
  • Compliance Requirements: International entities must adhere to the Act's provisions when processing data of residents, necessitating robust compliance mechanisms.

2. Applicable Entities

a. Data Fiduciaries:

Section 3 specifies which organizations and entities are considered data fiduciaries under the Act.

  • Private Sector: Includes businesses, corporations, non-profit organizations, and any private entities that process personal data.
  • Public Sector: Government departments, agencies, and public institutions engaged in data processing activities are also subject to the Act.
  • Small and Medium Enterprises (SMEs): Depending on the Act's provisions, even smaller entities may be required to comply, especially if they handle significant amounts of personal data.

b. Exemptions:

  • Sovereign Functions: Data processing activities carried out by the government in the exercise of its sovereign functions may be exempt to preserve state integrity and operations.
  • Statutory Exemptions: Specific sectors or types of data processing may be excluded if mandated by other laws or for national security reasons.

3. Types of Data Covered

a. Personal Data:

Any information that can identify an individual, either directly or indirectly, falls under personal data.

  • Examples: Names, addresses, contact information, identification numbers, and online identifiers.

b. Sensitive Personal Data:

A subset of personal data that is more sensitive in nature and requires higher levels of protection.

  • Examples: Health records, financial information, biometric data, religious beliefs, and political opinions.

c. Special Categories of Data:

Certain data categories may be subject to additional protections or restrictions due to their sensitive nature.

  • Examples: Data revealing racial or ethnic origin, trade union membership, genetic data, and sexual orientation.

4. Exceptions and Limitations

a. Legal Requirements:

Processing personal data may be exempted if it is necessary for:

  • National Security: Activities related to defense and security may require exemptions to facilitate effective operations.
  • Law Enforcement: Data processing necessary for the prevention, investigation, detection, or prosecution of criminal offenses.

b. Consent Withdrawal:

In specific cases, individuals may have the right to withdraw consent, impacting the applicability of the Act for ongoing data processing activities.

c. Anonymized Data:

Data that has been anonymized to the extent that individuals cannot be re-identified is typically excluded from the Act's scope, as it no longer constitutes personal data.

Illustrative Examples

Illustration 1: Domestic E-commerce Platform

Scenario: ShopSmart, an online retail platform based in the country, collects personal data from its customers to facilitate purchases, manage accounts, and send promotional offers.

Application of Section 3:

  1. Territorial Scope:
    • ShopSmart operates within the country and processes personal data of local residents, thus falling under the Act's jurisdiction.
  2. Applicable Entities:
    • As a private sector entity handling personal data, ShopSmart is classified as a data fiduciary and must comply with the Act's provisions.
  3. Types of Data Covered:
    • ShopSmart collects names, addresses, payment information (personal data), and potentially health-related data if selling health products (sensitive personal data).
  4. Compliance Measures:
    • Obtaining explicit consent for data collection.
    • Implementing data security measures to protect sensitive information.
    • Providing options for customers to opt out of promotional communications.

Illustration 2: International Social Media Company

Scenario: GlobalConnect, a social media giant based overseas, processes personal data of individuals residing within the country for user account management, targeted advertising, and content personalization.

Application of Section 3:

  1. Territorial Scope:
    • Although GlobalConnect is based outside the country, it processes data of local residents, thus extending the Act's applicability to its international operations.
  2. Applicable Entities:
    • GlobalConnect is identified as a data fiduciary under the Act due to its role in processing personal data of residents.
  3. Types of Data Covered:
    • GlobalConnect handles a vast array of personal data, including user-generated content, location data, and interaction histories.
  4. Compliance Measures:
    • Adhering to data protection standards equivalent to those within the country.
    • Establishing data transfer agreements to ensure data security.
    • Providing mechanisms for data principals to exercise their rights under the Act.

Illustration 3: Government Health Agency

Scenario: The National Health Agency collects and processes health records of citizens to manage public health initiatives, track disease outbreaks, and coordinate healthcare services.

Application of Section 3:

  1. Territorial Scope:
    • As a government body, the National Health Agency operates within the country's jurisdiction, fully subject to the Act unless exemptions apply.
  2. Applicable Entities:
    • As a public sector entity, it is recognized as a data fiduciary with responsibilities under the Act.
  3. Types of Data Covered:
    • Processes sensitive personal data, including medical histories, treatment records, and genetic information.
  4. Compliance Measures:
    • Implementing stringent data security protocols.
    • Ensuring data minimization by only collecting necessary information.
    • Facilitating access controls to sensitive data within the agency.

Illustration 4: Research Institution Handling Anonymized Data

Scenario: EduResearch, a university-based research institution, conducts studies using anonymized survey data to analyze educational trends and outcomes.

Application of Section 3:

  1. Territorial Scope:
    • EduResearch operates domestically and handles data from local residents, thus within the Act's scope.
  2. Applicable Entities:
    • As a private entity involved in data processing, it is a data fiduciary under the Act.
  3. Types of Data Covered:
    • Since the data is anonymized, it does not fall under personal data, thereby excluding EduResearch from certain Act provisions.
  4. Compliance Measures:
    • Ensuring data anonymization is robust to prevent re-identification.
    • Maintaining documentation to demonstrate compliance and data anonymization standards.

Conclusion

Section 3 of the Digital Personal Data Protection Act, 2023 establishes the foundational framework for the Act's applicability, delineating the geographical scope, identifying applicable entities, categorizing data types, and outlining exceptions. By clearly defining these parameters, the Act ensures that personal data is processed lawfully, safeguarding individuals' privacy rights while enabling legitimate data use by organizations.

Key Highlights:

  • Clear Jurisdiction: Specifies both domestic and extraterritorial applicability, ensuring comprehensive data protection for residents regardless of where data processing occurs.
  • Defined Applicable Entities: Identifies a wide range of data fiduciaries, including private and public sector entities, thereby ensuring broad coverage.
  • Comprehensive Data Categorization: Distinguishes between personal and sensitive personal data, applying appropriate protection measures to each category.
  • Strategic Exceptions: Provides necessary flexibility through exemptions in specific scenarios like national security and law enforcement, balancing data protection with other societal needs.
  • Facilitation of Compliance: Offers clear guidelines for organizations to determine their obligations, reducing ambiguity and promoting adherence to data protection standards.
  • Promotion of Accountability: By outlining who is subject to the Act and under what conditions, it holds organizations accountable for responsible data handling practices.

Through the meticulous application of Section 3, the Digital Personal Data Protection Act, 2023, ensures a robust and balanced approach to data protection, fostering a secure and trustworthy digital environment for individuals and organizations alike.

© 2024 Advocate (Dr.) Prashant Mali

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest