Code: Section 3 – DPDP Act, 2023
Subject to the provisions of this Act, it shall—
(a) apply to the processing of digital personal data within the territory of India
where the personal data is collected––
(i) in digital form; or
(ii) in non-digital form and digitised subsequently;
(b) also apply to processing of digital personal data outside the territory of
India, if such processing is in connection with any activity related to offering of
goods or services to Data Principals within the territory of India;
(c) not apply to—
(i) personal data processed by an individual for any personal or domestic
purpose; and
(ii) personal data that is made or caused to be made publicly available
by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for
the time being in force in India to make such personal data publicly
available.
Illustration.
X, an individual, while blogging her views, has publicly made available her personal
data on social media. In such case, the provisions of this Act shall not apply.
Explanation of Section 3 DPDP Act
Section 3 of the Digital Personal Data Protection Act, 2023 lays out the scope and applicability of the Act. It clarifies when and to whom the law applies, and equally important—when it does not.
Key Takeaways:
-
The Act applies to:
-
All digital personal data collected in India—whether it was originally digital or later digitised.
-
Data processing activities conducted outside India if they relate to goods or services offered to individuals (Data Principals) in India.
-
-
The Act does not apply to:
-
Personal or domestic use (e.g., maintaining personal contact lists).
-
Personal data made public by:
-
The individual themselves (Data Principal), or
-
Any legal obligation (e.g., public records, government disclosures).
-
-
Illustration
Example 1: Applicability to Indian Businesses
A retail app collects user data directly through its website in India. This data, being collected in digital form within Indian territory, falls squarely under the DPDP Act.
Example 2: Foreign Entity Targeting Indian Users
An e-commerce company based in the UK offers services to Indian consumers and collects their personal data during checkout. Though the company operates outside India, its processing of Indian residents’ data makes the Act applicable.
Example 3: Exempted Personal Data
A person publishes their travel stories along with personal photos and location data on their public blog. Since the personal data is made public voluntarily, the Act does not apply in this instance.
Common Questions & Answers on Section 3 DPDP Act
Q1. Does the DPDP Act apply only to data collected in India?
No. It also applies to digital personal data collected outside India if it is connected with offering goods or services to people within India.
Q2. What if someone collects my data and I voluntarily post it online?
If you (the Data Principal) make your own data public, such as via social media, the DPDP Act does not apply to that data.
Q3. Does the Act apply to businesses operating from outside India?
Yes, if those businesses are processing data related to services offered to individuals in India, the Act applies.
Q4. Is non-digital data covered under the Act?
Only if that non-digital data is subsequently digitised. Otherwise, it is not covered under this Act.
Q5. Does the Act apply to personal notes or household management data?
No. Personal or domestic data processing is explicitly excluded from the scope of the Act.
Conclusion
Section 3 of the Digital Personal Data Protection Act, 2023 clearly defines the boundaries of the law’s applicability. It ensures protection for digital personal data in India and even extends this protection to Indian users’ data handled abroad. However, it smartly carves out exceptions for personal/domestic use and data that’s made public, ensuring the law remains focused, relevant, and enforceable.
For more insights on digital laws and rights, visit the experts at ApniLaw.
