🇮🇳
India

Material Applicability Factors

The India Digital Personal Data Protection Act (DPDP Act) establishes several material applicability factors that determine the scope of the law. These include:

  1. Automated Means Criterion
  2. Personal and Domestic Use Exemption
  3. Exception for Publicly Available Information, including Public Records

Let's examine each of these factors in detail.

Automated Means Criterion

The DPDP Act incorporates the Automated Means Criterion by focusing on the processing of "digital personal data." This approach aligns with the concept of data processing carried out by automated means, as digital data inherently involves technological processing methods.

DPDP Art.3(a)(i):

"Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data within the territory of India where the personal data is collected–– (i) in digital form; or"

DPDP Art.3(a)(ii):

"Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data within the territory of India where the personal data is collected–– (ii) in non-digital form and digitised subsequently;"

Article 3(a)(i) explicitly states that the Act applies to personal data collected "in digital form." This provision directly addresses the automated means criterion by encompassing data that is originally collected through digital channels or systems.

Article 3(a)(ii) extends the Act's applicability to personal data "collected in non-digital form and digitised subsequently." This provision captures scenarios where traditional, non-automated data collection methods are used initially, but the data is later converted into a digital format for processing.

The Act's focus on "digital personal data" effectively covers a wide range of automated processing activities, including those involving electronic systems, databases, and other technology-driven methods of data handling.

Personal and Domestic Use Exemption

The DPDP Act explicitly includes a Personal and Domestic Use Exemption, which excludes personal data processing by individuals for personal or domestic purposes from the Act's scope.

DPDP Act, Article 3(c)(i):

"(c) not apply to— (i) personal data processed by an individual for any personal or domestic purpose; and"

This provision establishes a broad exemption for personal and domestic data processing activities carried out by individuals. The law does not provide a specific definition or examples of what constitutes "personal or domestic purpose." However, this exemption is commonly included in data protection laws to ensure that everyday personal activities involving data processing are not subject to the same stringent requirements as commercial or organizational data processing.

The rationale behind this exemption is to strike a balance between protecting personal data and allowing individuals to freely use their own information for private purposes without undue regulatory burden. It recognizes that applying the full scope of data protection obligations to personal activities would be impractical and potentially infringe on individual privacy and freedom.

Exception for Publicly Available Information, including Public Records

The DPDP Act carves out an exception for publicly available personal data in two specific scenarios:

DPDP Art.3(c)(ii):

"Subject to the provisions of this Act, it shall— (c) not apply to— (ii) personal data that is made or caused to be made publicly available by— (A) the Data Principal to whom such personal data relates; or (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available. Illustration. X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply."

This exception applies to:

  1. Data made public by the Data Principal: The Act does not apply to "personal data that is made or caused to be made publicly available by the Data Principal to whom such personal data relates." This provision recognizes the individual's autonomy in choosing to make their personal data public.
  2. Data made public due to legal obligations: The exception extends to personal data made public by "any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available." This accounts for situations where disclosure is mandated by other Indian laws.

The illustration provided in the Act clarifies that when an individual makes their personal data publicly available on social media while blogging, the Act's provisions do not apply to that data.

Territorial Applicability Factors

The DPDP Act also establishes territorial applicability factors that determine its jurisdiction. These include:

  1. Processing in jurisdiction
  2. Offering Goods and Services to Data Subjects in Jurisdiction
  3. Physical Location/Residency of Data Subject in Jurisdiction

Let's examine each of these factors in detail.

Processing in jurisdiction

The DPDP adopts a nuanced approach to territorial applicability, focusing on where the data is collected rather than solely where processing occurs.

DPDP Art.3(a):

"Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data within the territory of India where the personal data is collected–– (i) in digital form; or (ii) in non-digital form and digitised subsequently;"

The DPDP's application hinges on where the personal data was collected, specifically emphasizing data collected within India. While Article 3(a) mentions "processing...within the territory of India," it ties this to data collected in India, indicating the collection point as the primary determining factor.

The Act further clarifies that it applies to data collected "in digital form" or initially collected "in non-digital form and digitized subsequently." This suggests that even if data is collected offline in India, subsequent digitization within India would bring it under the DPDP's purview.

Offering Goods and Services to Data Subjects in Jurisdiction

The DPDP Act extends its applicability to the processing of digital personal data outside India when it relates to offering goods or services to data subjects within India.

DPDP Article 3(b):

"(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;"

This provision specifically targets the "processing of digital personal data outside the territory of India" when it is connected to "offering of goods or services to Data Principals within the territory of India". This extraterritorial reach is designed to protect Indian residents' data even when processed by entities located outside the country. It ensures that foreign companies targeting the Indian market are subject to Indian data protection regulations, regardless of where their data processing occurs.

Physical Location/Residency of Data Subject in Jurisdiction

The factor of Physical Location/Residency of the Data Subject in the jurisdiction is indirectly addressed in the DPDP Act.

DPDP Art.3(b):

"Subject to the provisions of this Act, it shall— (b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;"

DPDP Art.3(a):

"Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data within the territory of India where the personal data is collected— (i) in digital form; or (ii) in non-digital form and digitised subsequently;"

DPDP Art.3(b) extends the applicability of the Act to "processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India." This provision highlights that the law is concerned with the location of the data subject, referred to as "Data Principal," at the time of offering goods or services, rather than the physical location of the processing itself.

The interplay between Art.3(a) and 3(b) establishes that the DPDP Act applies to data processing based both on the physical location of the processing activity and the residency or physical presence of the data subject in India.

Conclusion

The India Digital Personal Data Protection Act uses both material and territorial factors in its applicability provisions. The Act focuses on digital personal data, with exemptions for personal and domestic use and publicly available information. Territorially, it applies to data processing within India and extends to foreign entities offering goods or services to Indian residents.



🇮🇳

India

🖥️ Automated Means Criterion🏠 Processing in jurisdiction🗞️ Exception for Publicly Available Information, including Public Records🏡 Personal and Domestic Use Exemption🛍️ Offering Goods and Services to Data Subjects in Jurisdiction Physical Location/Residency of Data Subject in Jurisdiction

globe_book Resources (8)

link InCountry - Indian Data Privacy Lawslink Bharat Privacy Conferencelink Maha Privacy Conferencelink Legislative Department, Ministry of Law and Justicelink Official Gazette of Indialink PRS Legislative Researchlink Ministry of Electronics and Information Technology (MeitY)link Data Protection Board of India (DPBI)

Groups Consultants: (4)

person Mr. Ram Gopal Soni

person Salim Husain

person Mr. Amanulla Goniwada

person Remus Cosmin C.

Consultations

Need consultation on this jurisdiction?
External consultations
1 external consultations
Leave a request and our managers will help you contact external consultants