Section 38 DPDPA

Consistency with other laws.


38.1) The provisions of this Act shall be in addition to and not in derogation of any other law for the time being in force.

(2) In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.

Section 39 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 7 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Introduction

Section 38 of the Digital Personal Data Protection Act, 2023 (India) addresses how the Act’s provisions interact with other existing laws. Its purpose is to ensure that the DPDP Act functions harmoniously within India’s broader legal framework. Rather than superseding or contradicting other statutes, the Act’s data protection mandates are designed to complement existing laws, except where a direct conflict arises.

Key Elements of Section 38

1. Non-Derogation from Existing Laws

Section 38 states that the DPDP Act’s provisions are “in addition to, and not in derogation of” other laws that are consistent with it. The Act is not meant to dilute existing protections or obligations. Instead, it layers additional data protection responsibilities on top of what is already required, ensuring enhanced privacy safeguards.

2. Harmonious Coexistence

The DPDP Act is intended to be read alongside other legal frameworks. Courts, regulators, and entities subject to multiple laws should interpret the Act in a way that fits with the broader legal landscape. This encourages a balanced approach, maintaining respect for pre-established rights and duties where no direct inconsistency exists.

3. Handling Conflicts

If a specific provision of another law directly conflicts with the DPDP Act, a question of priority arises. Section 38 does not automatically give the DPDP Act supremacy. Instead, courts may:

  • Try to harmonize both laws, finding an interpretation that gives effect to both.
  • In case of irreconcilable conflict, consider legislative intent, the specificity of the laws, and public policy to determine which provision should prevail.

4. No Blanket Exemptions from Other Obligations

Compliance with the DPDP Act does not excuse non-compliance with other applicable laws. Entities must meet all relevant legal requirements. Where both the DPDP Act and another law impose obligations, the entity must satisfy both sets of rules unless there is a direct and unavoidable conflict.

Illustrations

1. Data Retention Under Financial Regulations

Scenario:
A bank must store certain transactional records for a period mandated by financial regulations. Meanwhile, the DPDP Act encourages data minimization.

Application:
The bank must comply with both. It can retain necessary records to satisfy financial laws while implementing DPDP Act-compliant safeguards. One law’s data retention requirement does not negate the other’s security and privacy duties.

2. Right to Information vs. Personal Data Protection

Scenario:
A citizen requests personal information about a public official under the RTI Act. The DPDP Act restricts unnecessary disclosure of personal data.

Application:
The public authority must balance both Acts. It might disclose relevant job-related details under RTI but withhold sensitive personal data not serving a public interest. Courts may interpret these laws in a manner that upholds both transparency and privacy.

3. Health Regulations and Personal Data

Scenario:
A hospital must share certain patient health data with a public health authority under health regulations, while the DPDP Act sets strict conditions on sharing sensitive personal data.

Application:
The hospital must comply with both laws by providing the required data securely, minimizing unnecessary exposure, and protecting patient privacy as guided by the DPDP Act while fulfilling health law mandates.

Legal Interpretation and Impact

Encouraging Holistic Compliance:
Section 38 promotes an integrated compliance approach. Entities must consider the entire legal ecosystem and cannot selectively rely on the DPDP Act to evade other obligations.

Judicial Role in Reconciliation:
Courts will attempt to read laws together harmoniously. In case of direct conflicts, judicial interpretation, legislative intent, and the nature of each statute’s subject matter will guide the resolution.

Stability and Predictability:
By clarifying that the DPDP Act doesn’t intend to weaken existing protections, Section 38 provides certainty and encourages stakeholders to develop compliance strategies that respect all relevant legal requirements.

Conclusion

Section 38 of the DPDP Act, 2023 ensures that India’s data protection mandates fit coherently within the broader legal landscape. This provision fosters harmonious interpretation, discourages misuse of the DPDP Act as a shield against other obligations, and promotes a stable environment where data protection rights operate in tandem with other important public policies and legal frameworks.

© 2024 Advocate (Dr.) Prashant Mali