In part one of this series on the India Digital Personal Data Protection Act, 2023 (the Act), Rachit Bahl, Rohan Bagai, and Shubham Parkhi delve into its scope and application.
Introduction
On August 11, 2023, India enacted the Act, the fifth iteration of the proposed personal data protection legislation. It appears to be based on the draft Bill titled Digital Personal Data Protection Bill, 2022, which the Ministry of Electronics and Information Technology released for public consultation on November 18, 2022. Once the provisions of the Act are brought into force, it will replace Section 43A of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
The Act is proposed to come into force in a phased manner, i.e., as and when the Central Government notifies the provisions of the Act and also issues rules under the Act from time to time.
Scope
The Act has been formulated with the objective of providing a framework for the processing of digital personal data for lawful purposes in a manner that protects the rights of the individuals to whom the data belongs.
The Act introduces a unique concept of a fiduciary relationship between data subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of the processing of personal data) and classifies them as data principals and data fiduciaries, respectively.
The genesis of the DPDP Act can be traced back to the 2017 landmark decision of the Hon’ble Supreme Court of India (SC) in Justice K.S. Puttaswamy & Ors. v. Union of India & Ors,[1] which held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India, making it a fundamental right. The SC in this case also emphasized the need for the Government to come out with a comprehensive personal data protection legislation that preserves the right to privacy of individuals.
Application
No sub-categories of personal data: The Act focuses on digital personal data and does not apply to non-personal data. It applies to the processing of ‘personal data’ collected in digital form, or collected physically and digitized subsequently. Personal data is defined to include all identifiable personal data of an individual, with no sub-categories such as sensitive personal data or critical personal data. This deviates from the outgoing data protection law contained in the IT Act and the SPDI Rules, which distinguish between personal information and sensitive personal data or information and prescribe incremental compliance requirements for the processing of the latter.
Extraterritorial applicability: The Act extends not only to the processing of digital personal data within the territory of India but also to processing undertaken outside India if it is in connection with the offering of goods or services to data principals within the territory of India. Accordingly, compliance with the Act must be ensured even if the data fiduciary is an offshore entity doing business involving data principals in India. Interestingly, the Act also does not require such an offshore data fiduciary’s engagement with data principals in India to be systematic or habitual. Hence, even an ad hoc act of collecting and processing the personal data of data principals in India by an offshore business could trigger compliance with the provisions of the Act.
Exclusions: The Act excludes from its applicability the processing of anonymized data; the processing of personal data by an individual for any personal or domestic purpose; and the processing of any of the personal data made publicly available by either the data principal themselves or by any other person under a legal obligation.
Exemptions for the State and certain data fiduciaries: The Act does not apply to State instrumentalities that the Government may notify, taking into account considerations such as the sovereignty and integrity of India, security, maintenance of public order, etc. The Government is also empowered to exempt certain classes of data fiduciaries, including startups, from the requirements relating to notice, accuracy, and erasure.