Digital Personal Data Protection Act 2022/23 of India

CHAPTER I

PRELIMINARY

1. Short Title and Commencement

(1) This Act may be called the Digital Personal Data Protection Act, 2023

(2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.

2: Definitions

In this Act, unless the context otherwise requires,—

(a) “Appellate Tribunal” means the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997;

(b) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

(d) “certain legitimate uses” means the uses referred to in section 7;

(e) “Chairperson” means the Chairperson of the Board;

(f) “child” means an individual who has not completed the age of eighteen years;

(g) “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;

(h) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;

(i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

(j) “Data Principal” means the individual to whom the personal data relates and where such individual is—

(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;

(k) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;

(l) “Data Protection Officer” means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;

(m) “digital office” means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode;

(n) “digital personal data” means personal data in digital form;

(o) “gain” means—

(i) a gain in property or supply of services, whether temporary or permanent; or
(ii) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;

(p) “loss” means—

(i) a loss in property or interruption in supply of services, whether temporary or permanent; or
(ii) a loss of opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;

(q) “Member” means a Member of the Board and includes the Chairperson;

(r) “notification” means a notification published in the Official Gazette and the expressions “notify” and “notified” shall be construed accordingly;

(s) “person” includes—

(i) an individual;
(ii) a Hindu undivided family;
(iii) a company;
(iv) a firm;
(v) an association of persons or a body of individuals, whether incorporated or not;
(vi) the State; and
(vii) every artificial juristic person, not falling within any of the preceding sub-clauses;

(t) “personal data” means any data about an individual who is identifiable by or in relation to such data;

(u) “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;

(v) “prescribed” means prescribed by rules made under this Act;

(w) “proceeding” means any action taken by the Board under the provisions of this Act;

(x) “processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

(y) “she” in relation to an individual includes the reference to such individual irrespective of gender;

(z) “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10;

(za) “specified purpose” means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder; and

(zb) “State” means the State as defined under article 12 of the Constitution.

3. Application of the Act

Subject to the provisions of this Act, it shall—
(a) apply to the processing of digital personal data within the territory of India where the personal data is collected––

(i) in digital form; or

(ii) in non-digital form and digitised subsequently;

(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering ofgoods or services to Data Principals within the territory of India;

(i) personal data processed by an individual for any personal or domestic purpose; and

(ii) personal data that is made or caused to be made publicly available

by—

(A) the Data Principal to whom such personal data relates; or

(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.