14 August 2024

JSA Prism | Data Privacy | August 2024

JSA

Contributor

JSA is a leading national law firm in India with over 400 professionals operating out of 7 offices located in: Ahmedabad, Bengaluru, Chennai, Gurugram, Hyderabad, Mumbai and New Delhi. Our practice is organised along service lines and sector specialisation that provides legal services to top Indian corporates, Fortune 500 companies, multinational banks and financial institutions, governmental and statutory authorities and multilateral and bilateral institutions.

Applicability of the Digital Personal Data Protection Act, 2023 and the roles thereunder

The Digital Personal Data Protection Act, 2023 ("DPDPA") published in the Official Gazette on August 11, 2023 will come into effect on a date to be notified by the Central Government. The administrative rules are expected to be released soon. The DPDPA aims to regulate the processing of non-public personal data in digital form. Its primary purpose is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. In this edition of the Prism, we analyse the material and territorial applicability of the DPDPA and the roles for compliance thereunder. We also compare similar provisions in the data protection legislations across the European Union ("EU"), the State of California and Singapore to see similarities and differences with DPDPA.

Material Scope

The subject matter that the DPDPA regulates is the material scope. The DPDPA applies to the processing of digital personal data.

  1. Personal data, as defined under the DPDPA, means any data about an individual who is: (a) 'identifiable by such data', where the personal data by itself can directly identify an individual, for example, where the data includes a person's name or an email address that can directly reveal their identity; or (b) 'identifiable in relation to such data', where the data relates to an individual but may not directly identify them without additional information, for example, an IP address which, when combined with other data, leads to the identification of an individual.
  2. The DPDPA only applies to 'digital' personal data, i.e., personal data that is collected in a digital form or collected in physical form and digitised subsequently.

The DPDPA does not further categorize 'sensitive' personal data separately.

Territorial Scope

The DPDPA applies to the processing of personal data 'within the territory of India' and 'outside the territory of India' subject to fulfilment of certain conditions.

When is processing of personal data in India covered?

DPDPA applies to the processing of digital personal data happening within the territory of India.

  • If an entity carries out the processing activity in India, then DPDPA will apply to processing of personal data by that entity, irrespective of the residency of that entity or of the data principal.
  • If the processing occurs within the territory of India, it is immaterial whether it is in connection with offering goods or services to the data principals.

When is processing of personal data outside India covered?

When the processing is 'in connection with any activity related to offering of any goods or services offered to data principals in India', the DPDPA is applicable.

Where the processing happens outside India but data principals in India are targeted 'in connection with any activity related to offering of goods or services' which could be advertising, marketing/promotional activities, sales, availability in, handling inquiries etc, the DPDPA applies to such processing.

The General Data Protection Regulation ("GDPR") has a similar provision where the GDPR applies to an entity not established in the EU where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU.

When is the DPDPA not applicable?

[Image: 1505530a.jpg]

  • Similar to the DPDPA, the California Consumer Privacy Act ("CCPA") also excludes 'publicly available information' from the definition of personal information. 'Publicly available information' is defined as data from government records, information publicly shared by the consumer or media, or information shared by the consumer unless restricted to a specific audience but excluding biometric information. Under the GDPR, the general prohibition on processing special categories of data does not apply to personal data manifestly made public by the data subject.
  • Although processing of personal data available publicly is exempted under the DPDPA, the processing of such personal data will have to be in compliance with other applicable laws, for example, the Information Technology Act, 2000 or Intellectual Property laws.

What are the different roles a person processing personal data could play under the DPDPA?

[Image: 1505530b.jpg]

Unlike the GDPR, there is no separate concept of a "joint controller/joint fiduciary" under the DPDPA. Each data fiduciary is responsible for compliance with their obligations under the DPDPA.

Comparison with select data protection laws around the world

| Concept | DPDPA | GDPR | CCPA | Personal Data Protection Act ("PDPA"), Singapore |
|---|---|---|---|---|
| Intra-Territorial Applicability | The DPDPA is applicable to processing of digital personal data in the territory of India. | The GDPR applies to controllers or processors established in the EU, irrespective of whether the data processing takes place in the EU or not. | A for-profit business that carries out business in California and meets one of the following thresholds is subject to CCPA: (a) has annual revenue of over USD25 million, or (b) collects personal information of over 100,000 California residents, or (c) generates at least half of its revenue from selling personal information of California residents. | The PDPA applies to all organisations which are not a public agency that undertake processing of personal data in Singapore, whether or not the organisation has been registered under the laws of Singapore. |
| Extra-Territorial Applicability | The DPDPA applies to processing that happens outside India if it is in connection with offering goods or services to individuals in India. | The controllers and processors outside the EU fall within the ambit of GDPR if they are offering goods or services to individuals who are in the EU or if they monitor the behaviour of residents in the EU. | The CCPA is applicable to businesses outside California if they do business in California (that includes offering goods or services) and satisfy one of the thresholds. | The PDPA is applicable to organisations that collect, use and disclose personal data in Singapore, whether or not formed or recognised under the laws of Singapore. |
| Publicly available personal data | The DPDPA is not applicable to personal data made public by the data principal or by any person under a legal obligation to make such data public. | The GDPR is applicable to personal data made publicly available by the data subjects. | The CCPA has a restricted definition of publicly available information. It means information available from government records, information that has been lawfully made public by the consumer or widely distributed media, or information made available by the consumer unless they have restricted it to a specific audience. | The PDPA provides certain exceptions for publicly available personal data such as collection, use, or disclosure of such personal data can be done without the consent of the individual. |
| Stakeholders | Data Fiduciary, Data Processor, Data Principal. | Data Controller, Data Processor, Data Subjects. | Business, Service Provider, Consumer. | Organisation, Data Intermediary, Individual. |
| Nature of personal data protected | The DPDPA protects only digital personal data. | The GDPR protects personal data in both digital and physical formats. | The CCPA applies to processing of personal data in both digital and physical formats. | The PDPA regulates personal data collected both in digital and non-digital formats. |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
