1. Short Title and Commencement
(1) This Act may be called the Digital Personal Data Protection Act, 2022.
(2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint.
Different dates may be appointed for different provisions of this Act.
Any reference in any provision of this Act to the
commencement of this
Act shall be construed as a reference to the commencement of that provision
2. Definitions In this Act:–
(1) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
(2) “Board” means the Data Protection Board of India established by the Central Government for the purposes of this Act;
(3) “child” means an individual who has not completed eighteen years of age;
(4) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;
(5) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
(6) “Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;
(7) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
(8) “Data Protection Officer” means an individual appointed as such by a Significant Data Fiduciary under the provisions of this Act;
(9) “gain” means-
(a) a gain in property or a supply of services, whether temporary or permanent; or
(b) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration.
(10) “harm”, in relation to a Data Principal, means -
a. any bodily harm; or
b. distortion or theft of identity; or
c. harassment; or
d. prevention of lawful gain or causation of significant loss;
(11) “loss” means –
a. a loss in property or interruption in supply of services, whether temporary or permanent; or
b. a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration.
(12) “person” includes—
(a) an individual;
(b) a Hindu Undivided Family;
(c) a company;
(d) a firm;
(e) an association of persons or a body of individuals, whether incorporated or not;
(f) the State; and
(g) every artificial juristic person, not falling within any of the preceding sub-clauses;
(13) “personal data” means any data about an individual who is identifiable by or in relation to such data;
(14) "personal data breach" means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
(15) “prescribed” means prescribed by Rules made under the provisions of this Act;
(16) “processing” in relation to personal data means an automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
(17) “proceeding” means any action taken by the Board under the provisions of this Act;
(18) “public interest” means in the interest of any of the following:
(a) sovereignty and integrity of India;
(b) security of the State;
(c) friendly relations with foreign States;
(d) maintenance of public order;
(e) preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and
(f) preventing dissemination of false statements of fact.
3. Interpretation In this Act: -
(1) unless the context otherwise requires, a reference to “provisions of this Act” shall be read as including a reference to Rules made under this Act.
(2) “the option to access … in English or any language specified in the Eighth Schedule to the Constitution of India” shall mean that the Data Principal may select either English or any one of the languages specified in the Eighth Schedule to the Constitution of India;
(3) the pronouns “her” and “she” have been used for an individual, irrespective of gender.
4. Application of the Act
(1) The provisions of this Act shall apply to the processing of digital personal data within the territory of India where:
(a) such personal data is collected from Data Principals online; and
(b) such personal data collected offline, is digitized.
(2) The provisions of this Act shall also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India.
For the purpose of this sub-section, “profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.
(3) The provisions of this Act shall not apply to:
(a) non-automated processing of personal data;
(b) offline personal data;
(c) personal data processed by an individual for any personal or domestic purpose; and
(d) personal data about an individual that is contained in a record that has been in existence for at least 100 years.