Far and Wide: The Applicability of the DPDP Act

February 19, 2024

Summary

  • The Digital Personal Data Protection Act applies to digital personal data including identifiable information such as names, contact details, and financial information.
  • The Act defines 'Data Principals' (individuals to whom data pertains) and 'Data Fiduciaries' (entities processing data) with specific rights and obligations.
  • The Act is enforceable for data processed within India and in certain cases outside where it pertains to business with individuals within India.
  • There are specific scenarios where the DPDP Act's provisions are not applicable, including certain employment-related processes, legal obligations, and state functions.
  • The DPDP Act has been notified but awaits full enforcement pending the release of DPDP Rules and the establishment of the Data Protection Board.

The Digital Personal Data Protection (DPDP) Act is a game-changer in India's approach to data privacy. It puts power in the hands of users, emphasising consent and control over personal data. Refer to our primer on the DPDP Act to understand India’s first data protection law in depth.

In this piece we will cover everything about the applicability of the DPDP Act. To whom, what, where and when will the law apply? We will answer each of these questions in simple terms with practical examples. By the end of this article you'll have a clear understanding of how the DPDP Act impacts you, whether you're a business owner, a digital platform operator or an individual user.

To what does the DPDP Act apply?

The law applies to “Digital Personal Data”. 

Personal data means any data about an individual who can be identified using that data.  If collected digitally or is digitised after physical collection it will count as digital personal data. Note that the DPDP Act applies to data collected prior to its enactment.

The DPDP Act applies to any digital data that can be used to uniquely identify an individual

A person’s name, mobile number, email, bank account, photograph, signature, aadhar details, etc. will be classified as personal data as they can be used to identify an individual. Even website cookies may qualify as personal data. If an entity collects or processes digital personal data of any person they will have to comply with the DPDP Act.

To whom does the DPDP Act apply?

To  individuals and organisations that process data of Indian citizens.

The DPDP Act defines two main stakeholders - Data Principals and Data Fiduciaries.

Data Principals - The individuals to whom the personal data relates to.  For example, a customer at a bank or a user on a website is a Data Principal. Data principals are highly empowered under the Act! They have rights over their data and most obligations under the Act are owed to Data Principals by Data Fiduciaries.

Data Fiduciaries - The entities who decide the means and purpose of processing personal data. Banks, NBFCs, telecom service providers, social media applications, businesses big and small are all Data Fiduciaries. The burden of proving compliance in data collection and processing is on the Data Fiduciaries. 

Apart from these two central players, the DPDP Act also classifies Data Processors as someone who processes personal data on behalf of a Data Fiduciary. Only the Fiduciaries determine the means and purpose of processing. Only the Fiduciaries are responsible for meeting DPDP compliance obligations.

Where does the DPDP Act apply?

Territorially, the DPDP Act applies to personal data:

  • Processed within India and
  • Processed outside India if it pertains to business activity related to individuals within India.

Let us consider three cases where personal data is processed:  

  1. Bharat Life Insurance uses financial information of a customer residing in India for policy valuation.
  2. McDonald’s collects customer’s contact information for sending promotional messages for a new happy meal to Indian customers.
  3. Google collects user data of an individual living in England for optimising its ads in the USA.

In all three cases, digital personal data is being processed. However, the DPDP Act will only apply to cases A and B. In case A the processing is within the territory of India. In case B the processing may be outside India but it pertains to business related to customers within the territory of India. In case C, the processing activities are not related to individuals or businesses within Indian territory. Therefore, in case C the DPDP Act will not apply.

When will the DPDP Act apply?

The DPDP Act was notified in the official gazette of India on 12 August 2023 but the law is not in force yet. The Digital Personal Data Protection Act will be enforced after the enactment of the DPDP Rules and establishment of the Data Protection Board (DPB). The DPB will have the authority to enforce this law.

The DPDP Rules were originally scheduled for release last year but have not come out yet. It is likely that the rules will be released for public consultation only after the general elections. Once the rules are notified and the DPB is set up, the government will notify a compliance deadline. This deadline will be shorter for social media companies but may be more relaxed for startups.

Importantly, the government has indicated that companies will not have a long time to bring their practices into compliance. It is best that you start your compliance journey now to avoid penalties as high as ₹250 Crore.

When will the DPDP Act not apply?

The DPDP Act carves out specific exemptions where its provisions do not apply. These exemptions are designed to balance the stringent requirements of the Act with practical necessities in limited contexts.

Domestic/Personal Purpose - This Act will not apply to you if you are an individual using digital personal data for personal or domestic, such as taking a friend's phone number so that you can meet them over dinner.

Publicly Available Personal Data - The Act does not apply if your personal data is made publicly available by you or by someone else under a legal obligation. Therefore, if you tweeted a picture of yourself, then a business can use that picture without fulfilling requirements under the DPDP Act.

Exceptions to Consent: The Act allows the processing without consent under certain conditions, such as employment-related processing, compliance with legal obligations, or in response to medical emergencies. 

General Exemptions: There are scenarios where the majority of DPDP obligations and not just consent, are waived entirely. For instance, processing done under a Business Process Outsourcing (BPO) contract for foreign entities or processing for research and statistical purposes are exempted. 

State Exemptions: The DPDP Act also provides exemptions for government bodies or when processing is required for state functions, such as the administration of justice, national security, or public health.

Learn more about these exemptions in our blog post about Exemptions under the DPDP Act.

What can you do to comply with the DPDP Act?

The DPDP Act’s applicability is as wide and far reaching as its business compliance implications. The industry response is not proportionate to the drastic nature of the looming change. This is the calm before the storm. Indian businesses are poised to suffer the same fate as the many European companies that failed to comply with the GDPR in time. The price of non compliance is just as high with the DPDP and within the Indian context the stakes have never been higher.

We are currently in the midst of the 'Calm before the DPDP Storm'

Kickstart your compliance journey by reading our DPDP Compliance Roadmap. Also refer to our DPDP sector explainers on the BFSI and Telemarketing industries. Our detailed guide to the exemptions available under the DPDP Act will further add to your compliance arsenal. 

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.