India: Exception for Publicly Available Information, including Public Records

The India Digital Personal Data Protection Act (DPDP Act) explicitly excludes certain publicly available personal data from its scope of applicability, limiting the Act's reach in specific circumstances.

Text of Relevant Provisions

DPDP Art.3(c)(ii):

"Subject to the provisions of this Act, it shall—(c) not apply to—(ii) personal data that is made or caused to be made publicly available by—(A) the Data Principal to whom such personal data relates; or(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.Illustration.X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply."

Analysis of Provisions

The DPDP Act carves out an exception for publicly available personal data in two specific scenarios:

  1. Data made public by the Data Principal: As per Art.3(c)(ii)(A), the Act does not apply to "personal data that is made or caused to be made publicly available by the Data Principal to whom such personal data relates". This provision recognizes the individual's autonomy in choosing to make their personal data public.
  2. Data made public due to legal obligations: Art.3(c)(ii)(B) extends the exception to personal data made public by "any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available". This accounts for situations where disclosure is mandated by other Indian laws.

The illustration provided in the Act clarifies the application of this exception. It states that when an individual makes their personal data publicly available on social media while blogging, the Act's provisions do not apply to that data.

The rationale behind this exception is likely twofold:

  1. To respect individual autonomy in decisions about personal data disclosure.
  2. To avoid conflicts with other legal requirements for public disclosure of certain information.

Implications

This exception has several implications for businesses and data processors:

  1. Reduced compliance burden: Companies may not need to apply the Act's provisions to personal data that falls under this exception, potentially simplifying data management in some cases.
  2. Careful assessment required: Businesses must carefully evaluate whether personal data truly falls under this exception. The mere fact that data is accessible online does not necessarily mean it's exempt; it must have been intentionally made public by the Data Principal or due to legal requirements.
  3. Context-specific application: The same piece of personal data might be subject to the Act in one context but exempt in another, depending on how it was made public.
  4. Potential for misinterpretation: The broad language of the exception, particularly regarding data made public by the Data Principal, could lead to overly expansive interpretations. Companies should exercise caution and consider the spirit of the law.
  5. Interaction with other laws: While exempt from this Act, publicly available personal data may still be subject to other legal protections or restrictions. Companies should not assume that such data is entirely free from legal constraints.

Jurisdiction Overview