One of the first questions any organization asks when a new data protection law is passed is a deceptively simple one: does this apply to us?
With India's Digital Personal Data Protection Act 2023, that question deserves a careful, considered answer rather than a quick assumption in either direction. The Act's applicability provisions are broader than many organizations initially expect, the exemptions are narrower than some hope, and the extraterritorial reach catches a significant number of businesses that assume they are outside its scope because they are not physically located in India.
Getting the applicability question right is not just a legal exercise. It is the foundation of the entire compliance program. An organization that misreads its obligations will either waste resources building compliance infrastructure it does not need or, far more commonly and far more dangerously, will fail to build the infrastructure it does need and carry the resulting regulatory exposure into an enforcement environment that is growing more active by the month.
This guide works through the DPDPA's applicability framework in detail, covering who is covered, what activities trigger obligations, how exemptions work, and what the applicability determination means in practical terms for organizations of different types and sizes.
The DPDPA applies specifically to the processing of digital personal data. Both elements of that phrase matter.
Personal data, as defined in the Act, is data about an individual who is identifiable by or in relation to such data. This is deliberately broad. It covers obvious categories like names, addresses, phone numbers, email addresses, and financial account details. It also covers less obvious categories like device identifiers, IP addresses, location data, behavioral data, and any other information that can be linked to a specific individual, directly or indirectly.
The digital qualifier is equally important. The Act applies to personal data that is collected in digital form, and also to personal data that is collected in non-digital form and subsequently digitized. An organization that collects paper application forms and then scans them into a document management system is processing digital personal data for the purposes of the Act from the point of digitization onward.
Personal data that is collected on paper and never digitized falls outside the Act's scope. In practice, for most modern organizations, this is a narrow exclusion. The overwhelming majority of personal data that organizations collect and use is either collected digitally or converted to digital form as part of standard operational processes.
The Act's definition of processing is expansive. It covers any wholly or partly automated operation or set of operations performed on digital personal data, and the statutory list includes collection, recording, storage, use, sharing, disclosure, erasure, and destruction, among others. An organization does not need to be doing something sophisticated with data to be processing it within the meaning of the Act. Simply storing personal data in a database is processing. Transmitting it to a third party is processing. Generating a report that includes personal data is processing.
This broad definition of processing means that the applicability question is not really about what an organization does with data in a sophisticated sense. It is about whether the organization handles personal data at all in the course of its activities. For most businesses of any meaningful size, the answer is yes.
The Act applies to the processing of digital personal data collected within the territory of India. This covers any organization, regardless of where it is incorporated or headquartered, that collects personal data within India.
Collection within India means the data is gathered from individuals who are in India at the point of collection, through digital interfaces, physical interactions that are subsequently digitized, or any other means. An Indian company operating entirely within India is clearly within scope. A foreign company that operates a website or app through which it collects data from users in India is equally within scope for that collection activity.
This first scenario captures the most straightforward cases. An Indian bank collecting customer data, an Indian e-commerce platform collecting user account information, an Indian hospital maintaining patient records, and an Indian employer maintaining employee data are all processing personal data collected within India and are unambiguously subject to the Act.
The second scenario is where the Act's extraterritorial reach becomes significant. The Act also applies to the processing of digital personal data outside India if such processing is in connection with any activity related to offering goods or services to Data Principals within the territory of India.
This provision brings a substantial category of foreign organizations within the Act's scope. A foreign company that operates an e-commerce platform accessible to Indian consumers and ships goods to India is offering goods or services to Data Principals within India. A foreign streaming service available in India with Indian subscribers is offering services to Data Principals within India. A foreign employer whose employees in India enter their personal data into HR systems hosted outside India is, for that data, caught by the first limb rather than the second: the data is collected within India, and the location of the storage systems does not change that.
Profiling of individuals in India is not a separate trigger in the enacted text. The 2022 draft bill extended extraterritorial application to profiling of Data Principals within India, but that limb was dropped from the 2023 Act. A foreign organization that builds profiles of Indian individuals for advertising targeting, credit assessment, or behavioral analysis is therefore within scope where the profiling is connected to goods or services it offers to them, or where the underlying data was collected within India, not by virtue of the profiling alone.
The extraterritorial provisions mean that the DPDPA's applicability is not determined by where an organization is located. It is determined by where the individuals whose data is being processed are located and by the nature of the relationship between the organization and those individuals.
A US-headquartered SaaS company with Indian enterprise customers, a Singapore-based financial services firm with Indian retail investors, a UK-headquartered consulting firm with Indian employees, and a German manufacturer with Indian distributors whose personal data is processed centrally are all potentially within scope of the DPDPA even though none of them is based in India.
For multinational organizations, this requires a careful assessment of the Indian personal data flows within their global data architecture. The relevant questions are not just whether the organization has Indian operations, but whether any of its data processing activities anywhere in the world relate to individuals in India.
The Act's primary compliance obligations fall on Data Fiduciaries. A Data Fiduciary is any person, including a company, firm, state, or any other body corporate or individual, who alone or in conjunction with others determines the purpose and means of processing personal data.
The key phrase is determines the purpose and means. If an organization decides why personal data is being collected and how it will be processed, it is a Data Fiduciary. This is a functional determination, not a legal one. It does not matter what an organization calls itself or how its contracts are structured. If it is making the substantive decisions about the purpose and means of processing, it is a Data Fiduciary and bears the corresponding obligations.
Most organizations that process personal data in the course of their business are Data Fiduciaries for that processing. A company that collects customer data to provide its services is a Data Fiduciary. An employer that maintains employee records is a Data Fiduciary. A healthcare provider that maintains patient data is a Data Fiduciary.
A Data Processor is any person who processes personal data on behalf of a Data Fiduciary. The Data Processor does not determine the purpose or means of processing. It processes data according to the instructions of the Data Fiduciary.
Cloud service providers, payroll processing companies, marketing analytics platforms, and outsourced customer service operations are common examples of Data Processors. They handle personal data, but they do so in service of the Data Fiduciaries that engage them, not for their own independent purposes.
The Act's primary obligations fall on Data Fiduciaries. The Act does not impose a free-standing set of statutory duties on Data Processors. Instead, it permits a Data Fiduciary to engage a Data Processor only under a valid contract, and the Data Fiduciary remains responsible for compliance in respect of any processing the processor carries out on its behalf. Processing only on the fiduciary's instructions, maintaining reasonable security safeguards, and reporting personal data breaches back to the fiduciary are therefore secured through that contract. The full suite of compliance obligations, including consent management, notice requirements, rights facilitation, breach notification to the Data Protection Board and affected Data Principals, and the additional duties imposed on Significant Data Fiduciaries, sits with the Data Fiduciary.
This distinction has important implications for how organizations structure their compliance programs and their contractual relationships with third parties. Because the fiduciary carries the exposure, it needs to ensure that its Data Processors are contractually bound to meet the Act's requirements and that it has the oversight mechanisms, such as audit rights and breach reporting timelines, to verify compliance.
The Act's definition of Data Fiduciary includes the possibility of joint determination, where multiple entities together determine the purpose and means of processing. In joint Data Fiduciary arrangements, each entity bears compliance obligations, and the allocation of specific responsibilities between them needs to be clearly defined, ideally through a formal written agreement that specifies who is responsible for fulfilling which obligations.
Joint Data Fiduciary arrangements are common in contexts like co-branded financial products, joint marketing initiatives, and shared platform arrangements. Organizations in these arrangements should not assume that compliance obligations flow automatically to the more prominent partner. Each entity that jointly determines the purpose and means of processing is a Data Fiduciary.
The DPDPA creates a special category of Significant Data Fiduciary. The central government has the power to designate any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries based on an assessment of relevant factors.
Those factors include the volume and sensitivity of personal data processed, the potential risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, national security considerations, and the potential impact on public order.
The designation of Significant Data Fiduciaries is not yet finalized in the implementing rules, but the factors listed in the Act signal the categories of organization most likely to be designated. Large consumer technology platforms processing data at scale, organizations handling sensitive categories of personal data such as health or financial information, entities with significant market power whose processing activities affect large numbers of individuals, and organizations operating in sectors with national security implications are all plausibly within the designation criteria.
Significant Data Fiduciaries face a set of additional compliance obligations beyond those applicable to all Data Fiduciaries. These include the appointment of a Data Protection Officer who must be based in India and who serves as the point of contact for grievance redressal and regulatory communication. They also include the engagement of an independent data auditor to conduct periodic audits of compliance with the Act's provisions, and the conduct of periodic Data Protection Impact Assessments to evaluate the impact of data processing activities on the rights of Data Principals.
The DPO requirement is particularly significant for multinational organizations that currently manage their global privacy compliance functions from outside India. If designated as a Significant Data Fiduciary, they will need to establish India-based DPO capability, which has implications for organizational structure, resource allocation, and the expertise available to manage Indian regulatory relationships.
The Act does not apply to the processing of personal data by an individual for personal or domestic purposes. Someone who maintains a personal address book, a family photo album, or a personal journal is not a Data Fiduciary and has no compliance obligations under the Act.
This exemption is relevant at the individual level but has no practical application for businesses. An organization cannot claim the personal or domestic use exemption simply because its data processing activities feel informal or small in scale.
The Act does not apply to personal data that is made, or caused to be made, publicly available by the Data Principal themselves, or by any other person who is under an obligation under a law for the time being in force to make it publicly available. The Act's own illustration is an individual who, while blogging her views, publishes her personal data on social media; processing of that publicly available data is outside the Act's scope.
This exemption requires careful interpretation. Not all data that appears to be publicly available qualifies. The data must have been made public by the Data Principal themselves or by someone under a specific legal obligation to publish it. The route by which an organization obtained the data does not settle the question: data scraped from websites or aggregated from multiple sources qualifies only to the extent the Data Principal chose to publish it, and data that became accessible through a security failure or a third party's unauthorized disclosure does not qualify at all.
Organizations that rely on publicly available data as a data source need to review the provenance of that data carefully before assuming the exemption applies.
The Act contains a significant exemption for the state. The central government may, by notification, exempt instrumentalities of the state from the Act's provisions in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognizable offence relating to these matters. The exemption is not automatic; it attaches to the instrumentalities the government chooses to notify.
This exemption reflects the government's retention of broad data processing authority for national security and law enforcement purposes. It has limited applicability for private sector organizations but is relevant for organizations that process data in partnership with government agencies or in connection with government-mandated functions.
The Act provides for exemptions or modifications of obligations for processing carried out for research, archiving, or statistical purposes, subject to conditions that will be specified in the implementing rules. Academic research institutions, statistical agencies, and organizations conducting legitimate research activities may benefit from this exemption, but the specific parameters have not yet been fully defined.
Organizations intending to rely on this exemption should monitor the implementing rules carefully and should not assume broad applicability until the conditions are clearly specified.
The Act provides the government with authority to exempt certain classes of Data Fiduciaries, including startups, from specific obligations or to modify the manner in which obligations apply to them. This provision is intended to reduce the compliance burden on early-stage organizations and small businesses, but the specific scope of any startup exemption will be defined in the implementing rules.
Organizations that believe they might qualify for startup or small business accommodations should track the development of the implementing rules closely. They should not, however, assume that an exemption will apply and defer compliance preparation on that basis. The core obligations of the Act apply to all Data Fiduciaries unless and until a specific exemption is granted.
Banks, NBFCs, insurance companies, mutual funds, payment service providers, and other financial sector entities are among the most clearly within scope of the DPDPA. They process large volumes of sensitive personal data, including financial account information, transaction histories, credit assessment data, and KYC documentation. They are subject to existing regulatory frameworks from RBI, SEBI, IRDAI, and other sector regulators, and the DPDPA adds a layer of data protection obligation that sits alongside those existing requirements.
Financial services organizations need to assess the interaction between DPDPA obligations and their existing regulatory compliance programs carefully. In many cases, existing data governance practices will provide a foundation for DPDPA compliance, but gaps will need to be identified and addressed. The consent management requirements, in particular, may require changes to existing customer onboarding and relationship management processes.
Hospitals, clinics, diagnostic laboratories, health insurance providers, pharmaceutical companies, and digital health platforms all process personal data that includes some of the most sensitive categories of information about individuals. The DPDPA applies to all of this processing.
Healthcare organizations face particular complexity around consent management, because many healthcare interactions involve data processing that is clinically necessary rather than based on voluntary consent in the commercial sense. The Act's legitimate use provisions, particularly those covering medical emergencies and public health functions, provide some accommodation, but organizations need to map their specific processing activities carefully against both the consent requirements and the legitimate use provisions to understand where each applies.
Consumer technology companies, social media platforms, e-commerce operators, gaming companies, and digital content providers are squarely within scope and, for the larger operators in this category, are among the most likely candidates for Significant Data Fiduciary designation.
These organizations typically process personal data at scale, often including behavioral data, preference data, and in some cases location and device data, in ways that raise precisely the kinds of concerns the Act is designed to address. They also face the most complex implementation challenges, particularly around consent management for large existing user bases, multilingual notice requirements for pan-India operations, and the children's data provisions that apply to platforms accessible to minors.
Every organization that employs people in India processes personal data in the form of employee records. Employment data includes names, addresses, contact details, financial information for payroll purposes, health information for insurance and leave management, performance data, and in many cases sensitive personal information related to background verification.
The DPDPA applies to employee data processing. Employers are Data Fiduciaries for the employee data they process. The Act's legitimate use provisions cover some employment-related processing without requiring individual consent, but the precise scope of this provision needs careful analysis in the context of each organization's specific HR data practices.
Multinational employers with Indian workforces need to review their global HR data management practices against DPDPA requirements, particularly where Indian employee data is processed on global HR platforms operated from outside India.
Schools, colleges, universities, and edtech platforms process significant volumes of personal data about students, including minors. The Act's provisions around children's data, which require verifiable parental consent for processing data of individuals below eighteen, have significant implications for educational institutions.
Higher education institutions and adult-focused edtech platforms face a different compliance picture, but still need to review their data collection and processing practices against the Act's general obligations. The collection of student performance data, financial information for fee processing, and behavioral data through digital learning platforms all fall within the Act's scope.
Determining whether and how the DPDPA applies to a specific organization requires working through a structured set of questions. The first is whether the organization processes digital personal data of individuals in India, either by collecting it within India or by processing data outside India in connection with offering goods or services to or profiling of individuals in India. If the answer is yes, the Act applies.
The second question is whether the organization is acting as a Data Fiduciary, a Data Processor, or both in different contexts. This determines which specific obligations apply and how the organization's compliance program needs to be structured.
The third question is whether the organization processes data at a scale or in a manner that might qualify it for Significant Data Fiduciary designation. While designation has not yet been made, organizations that are plausible candidates should be building toward the additional obligations that designation would entail rather than waiting for formal notification.
The fourth question is whether any exemptions apply to specific processing activities. This requires a careful analysis of each exemption against the organization's specific data processing activities, rather than a general assumption that exemptions do or do not apply.
Organizations should document their applicability assessment and the reasoning behind their conclusions. This documentation serves multiple purposes. It demonstrates that the organization has engaged seriously with its compliance obligations. It provides a basis for updating the assessment as the organization's activities evolve or as the implementing rules provide additional clarity. And it creates a defensible record in the event of a regulatory inquiry about the organization's compliance approach.
If your organization is working through its DPDPA applicability assessment and the compliance program design that follows from it, Redfox Cybersecurity's GRC team provides specialist support that combines regulatory expertise with practical implementation experience across sectors and organization types.
The DPDPA's applicability framework is broad in its reach and carefully constructed to capture the full range of organizations that process personal data in connection with India, regardless of where those organizations are based. The extraterritorial provisions bring a significant category of foreign businesses within scope. The functional definitions of Data Fiduciary and Data Processor focus on what organizations actually do rather than what they call themselves. And the exemptions, while real, are narrower than many organizations hope.
The practical implication is straightforward: if your organization collects, stores, uses, shares, or otherwise handles digital personal data about individuals in India, you are almost certainly within scope of the DPDPA. The compliance program you build needs to reflect that reality, not the more comfortable assumption that the Act applies to someone else.
Getting applicability right is the foundation. Everything else in a DPDPA compliance program, the consent management infrastructure, the rights response processes, the security safeguards, the breach notification procedures, the vendor management framework, builds on that foundation. Organizations that invest in getting it right from the start will find the rest of the compliance journey considerably more manageable than those who revisit the question after building on incorrect assumptions.