Digital Personal Data Protection Bill
Introduction
On August 11, 2023, India enacted the Act, which is a result of the fifth iteration
of the proposed personal data protection legislation and appears to be based on
the draft Bill released by the Ministry of Electronics and Information Technology
on November 18, 2022, titled Digital Personal Data Protection Bill, 2022, which
was open for public consultations. Once the provisions of the Act are brought
into force, it will replace Section 43A of the Information Technology Act, 2000
(IT Act) and the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data of Information) Rules, 2011 (SPDI Rules).
The Act is proposed to come into force in a phased manner, i.e., as and when the
Central Government notifies the provisions of the Act and also issues rules
under the Act from time to time.
Scope
The Act has been formulated with the objective of providing a framework for
the processing of digital personal data for lawful purposes in a manner that
protects the rights of the individuals to whom the data belongs.
The Act introduces a unique concept of a fiduciary relationship between data
subjects (natural persons to whom the personal data relates) and data controllers
(persons who determine the purpose and means of the processing of personal
data) and classifies them as data principals and data fiduciaries, respectively.
The genesis of the DPDP Act can be traced back to the 2017 landmark decision
of the Hon’ble Supreme Court of India (SC) in Justice K.S. Puttaswamy & Ors. v.
Union of India & Ors,[1] which held that the right to privacy is protected as an
intrinsic part of the right to life and personal liberty under Article 21 of the
Constitution of India, making it a fundamental right. The SC in this case also
emphasized the need for the Government to come out with a comprehensive
personal data protection legislation that preserves the right to privacy of
individuals.
Application
No sub-categories of personal data: The Act focuses on digital personal data
and does not apply to non-personal data. The Act applies to the processing of
‘personal data’ collected in digital form, or physically, but digitized
subsequently. Personal data is defined to include all identifiable personal data of
an individual and does not encompass sub-categories of personal data, such as
sensitive personal data or critical personal data. Contrary to the outgoing data
protection law contained under the IT Act and the SPDI Rules, there are no sub-
categories of personal data, such as sensitive personal data. This approach
deviates from the current approach contained within the SPDI Rules, which
�make a distinction between personal information and sensitive personal data or
information and prescribes incremental compliance requirements for the
processing of sensitive personal data or information.
Extraterritorial applicability: The Act not only extends to the processing of
digital personal data within the territory of India but also processing undertaken
outside India if it is in connection with the offering of goods or services to data
principals within the territory of India. Accordingly, compliance with the Act
must be ensured even if the data fiduciary is an offshore entity engaged in doing
business involving data principals in India. Interestingly, the Act also does not
require that such offshore data fiduciary’s engagement with data principals in
India needs to be systematic or habitual. Hence, even an ad hoc act of collection
and processing of data principals in India by offshore businesses could trigger
compliance with the provisions of the Act.
Exclusions: The Act excludes from its applicability the processing of
anonymized data; the processing of personal data by an individual for any
personal or domestic purpose; and the processing of any of the personal data
made publicly available by either the data principal themselves or by any other
person under a legal obligation.
Exemptions to State and certain data fiduciaries: The Act does not apply to
State instrumentality that the Government may notify, taking into account
considerations such as the sovereignty and integrity of India, security,
maintenance of public order, etc. The Government is also empowered to exempt
certain classes of data fiduciaries including startups, from the requirements
relating to notice, accuracy, and erasure requirements.
