The Digital Personal Data Protection (DPDP) Act is a game-changer in India's approach to data privacy. It puts power in the hands of users, emphasising consent and control over personal data. Refer to our primer on the DPDP Act to understand India’s first data protection law in depth.
In this piece we will cover everything about the applicability of the DPDP Act. To whom, what, where and when will the law apply? We will answer each of these questions in simple terms with practical examples. By the end of this article you'll have a clear understanding of how the DPDP Act impacts you, whether you're a business owner, a digital platform operator or an individual user.
To what does the DPDP Act apply?
The law applies to “Digital Personal Data”.
Personal data means any data about an individual who can be identified using that data. If it is collected digitally, or is digitised after physical collection, it counts as digital personal data. Note that the DPDP Act also applies to data collected prior to its enactment.
A person’s name, mobile number, email, bank account, photograph, signature, Aadhaar details, etc. will be classified as personal data as they can be used to identify an individual. Even website cookies may qualify as personal data. If an entity collects or processes the digital personal data of any person, it will have to comply with the DPDP Act.
To whom does the DPDP Act apply?
To individuals and organisations that process data of Indian citizens.
The DPDP Act defines two main stakeholders - Data Principals and Data Fiduciaries.
Data Principals - The individuals to whom the personal data relates. For example, a customer at a bank or a user on a website is a Data Principal. Data Principals are highly empowered under the Act! They have rights over their data, and most obligations under the Act are owed to Data Principals by Data Fiduciaries.
Data Fiduciaries - The entities who decide the means and purpose of processing personal data. Banks, NBFCs, telecom service providers, social media applications, and businesses big and small are all Data Fiduciaries. The burden of proving compliance in data collection and processing is on the Data Fiduciaries.
Apart from these two central players, the DPDP Act also defines a Data Processor as anyone who processes personal data on behalf of a Data Fiduciary. Only the Fiduciaries determine the means and purpose of processing, and only the Fiduciaries are responsible for meeting DPDP compliance obligations.
Where does the DPDP Act apply?
Territorially, the DPDP Act applies to personal data:
- Processed within India and
- Processed outside India if it pertains to business activity related to individuals within India.
Let us consider three cases where personal data is processed:
- Case A: Bharat Life Insurance uses the financial information of a customer residing in India for policy valuation.
- Case B: McDonald’s collects customers’ contact information for sending promotional messages about a new Happy Meal to Indian customers.
- Case C: Google collects the user data of an individual living in England for optimising its ads in the USA.
In all three cases, digital personal data is being processed. However, the DPDP Act will only apply to cases A and B. In case A the processing is within the territory of India. In case B the processing may be outside India but it pertains to business related to customers within the territory of India. In case C, the processing activities are not related to individuals or businesses within Indian territory. Therefore, in case C the DPDP Act will not apply.
When will the DPDP Act apply?
The DPDP Act was notified in the official gazette of India on 12 August 2023, but the law is not in force yet. The Digital Personal Data Protection Act will come into force after the enactment of the DPDP Rules and the establishment of the Data Protection Board (DPB). The DPB will have the authority to enforce this law.
The DPDP Rules were originally scheduled for release last year but have not come out yet. It is likely that the rules will be released for public consultation only after the general elections. Once the rules are notified and the DPB is set up, the government will notify a compliance deadline. This deadline will be shorter for social media companies but may be more relaxed for startups.
Importantly, the government has indicated that companies will not have a long time to bring their practices into compliance. It is best that you start your compliance journey now to avoid penalties as high as ₹250 Crore.
When will the DPDP Act not apply?
The DPDP Act carves out specific exemptions where its provisions do not apply. These exemptions are designed to balance the stringent requirements of the Act with practical necessities in limited contexts.
Domestic/Personal Purpose - This Act will not apply to you if you are an individual using digital personal data for personal or domestic purposes, such as taking a friend's phone number so that you can meet them over dinner.
Publicly Available Personal Data - The Act does not apply if your personal data is made publicly available by you or by someone else under a legal obligation. Therefore, if you tweeted a picture of yourself, then a business can use that picture without fulfilling requirements under the DPDP Act.
Exceptions to Consent - The Act allows processing without consent under certain conditions, such as employment-related processing, compliance with legal obligations, or in response to medical emergencies.
General Exemptions - There are scenarios where the majority of DPDP obligations, not just consent, are waived entirely. For instance, processing done under a Business Process Outsourcing (BPO) contract for foreign entities, or processing for research and statistical purposes, is exempted.
State Exemptions - The DPDP Act also provides exemptions for government bodies, or when processing is required for state functions such as the administration of justice, national security, or public health.
Learn more about these exemptions in our blog post about Exemptions under the DPDP Act.
What can you do to comply with the DPDP Act?
The DPDP Act’s applicability is as wide and far-reaching as its business compliance implications. The industry response is not proportionate to the drastic nature of the looming change. This is the calm before the storm. Indian businesses are poised to suffer the same fate as the many European companies that failed to comply with the GDPR in time. The price of non-compliance is just as high under the DPDP Act, and within the Indian context the stakes have never been higher.
Kickstart your compliance journey by reading our DPDP Compliance Roadmap. Also refer to our DPDP sector explainers on the BFSI and Telemarketing industries. Our detailed guide to the exemptions available under the DPDP Act will further add to your compliance arsenal.