August 4, 2023
Section 3 of the Bill elaborates on the extent of applicability (and non-applicability) of the provisions of the Bill. We’ve dealt with each of the aspects separately below:
Scenarios in which the statute will apply:
Section 3 of the Bill provides that it will apply to the following scenarios:
(a) the processing of digital personal data within the territory of India where the personal data is collected –
(i) in digital form; or
(ii) in non-digital form and digitised subsequently;
Since the proposed statute is being conceived within the fold of the Information Technology Act, 2000, the intent of the Government seems to be to restrict the applicability of the proposed statute to personal data which is either collected in digital form or is converted to digital form subsequent to collection in a non-digital form.
(b) processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.
In light of this provision, if an entity is ‘processing’ (and not simply ‘collecting’) personal data outside India relating to offering of any goods/services to Data Principals within India, such entity will be required to comply with the provisions of the proposed statute. Moreover, the usage of the term ‘Data Principals within the territory of India’ would mean that even processing of personal data of non-Indians present in India would be covered under the provisions of the Bill.
Scenarios in which the proposed statute will not apply:
Section 3 of the Bill also provides that it will not apply to the following scenarios:
(i) personal data processed by an individual for any personal or domestic purpose; and
The operative terms to qualify for an exemption under this provision are ‘individual’ and personal/domestic purpose’. However, the Bill hasn’t defined the phrase ‘personal/domestic purpose’. In light of this, questions could be raised on the determination of threshold of what qualifies as personal or domestic purpose.
(ii) personal data that is made or caused to be made publicly available by –
(A) the Data Principal to whom such personal data relates; or
This simply covers the scenario where the data principal has put out her/his personal data in the public domain themselves. An illustration has also been provided under the Bill which reads as – “X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.”
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
The inclusion of this provision seems to be with the intent of providing exemption to individuals and entities which disclose any personal data owing to compliance with any legislative provision, judicial decision, etc.
It has been reported that the Data Security Council of India (DSCI) will be introducing a ‘data protection seal’ (DPS) for organizationsView More
The Reserve Bank of India (“RBI”) on January 15, 2024, released a draft framework (“Framework”) that outlines the broad responsibilities, functions, governance as well as the eligibility criteria for the purpose of setting up a self-regulatory organization in fintech companies (“SRO-FT”)View More
The Enforcement Directorate (“ED”) after registering a case under Prevention of Money Laundering Act, 2002 (“PMLA”) back in February 2022 and duly conducting the primary investigation alleged in July 2023 that INR 62,476 Crore was illegally transferred by VivoView More
Delhi (Head Office)
Plot No. 66, LGF, #TheHub, Okhla Phase III, Okhla Industrial Estate, New Delhi 110020, India.