BACK TO DPDP ACT
DPDP Act 2023

Section 3

Application of the Act

THE STATUTE

Original Text

(1) This Act applies to the processing of digital personal data within the territory of India where the personal data is collected — (a) in digital form; or (b) in non-digital form and digitised subsequently. (2) This Act also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India. (3) This Act does not apply to — (a) personal data processed by an individual for any personal or domestic purpose; and (b) personal data that is made or caused to be made publicly available by — (i) the Data Principal to whom such personal data relates; or (ii) any other person who is under an obligation under any law for the time being in force to make such personal data publicly available.

Simplified

Section 3 is the precise scope-drawing provision of the DPDP Act — it defines exactly when the Act applies and when it does not. Section 3(1) establishes territorial scope: the Act applies to digital personal data processed within India, whether collected digitally or originally on paper and subsequently digitised. This covers a vast range of scenarios: digital-native businesses that collect data through apps and websites; traditional businesses that scan paper forms into digital systems; hospitals that convert paper patient records into electronic databases; and government departments that digitise citizen records. Section 3(2) is the extra-territorial arm: the Act also applies to processing outside India if it is connected to offering goods or services to Indian Data Principals — the GDPR targeting principle. A US company running an app for Indian users, a European cloud service processing Indian employees' data, or a Singapore-based data broker profiling Indian consumers are all caught. Section 3(3) carves out two categories. The personal/domestic exclusion (3(3)(a)) ensures individuals who process data for entirely personal purposes — a home video archive, a personal address book, a home security camera — are not regulated as Data Fiduciaries. The publicly available data exclusion (3(3)(b)) is more nuanced: if the Data Principal themselves has made data public (a Twitter post, a public LinkedIn profile, an announcement) or if another person is required by law to publish it (a company's directors' names in the MCA registry, a court judgment with named parties), that data is excluded from the Act's requirements. This exclusion has significant implications: platforms that scrape publicly available social media data for training AI models or market research will argue they fall within 3(3)(b). However, the exclusion applies only to the specifically published data — further processing of that data beyond its public scope remains subject to the Act.

Common Queries

Not directly. The Act applies to 'digital personal data' — but if a handwritten or physical record is subsequently digitised (scanned, typed, or converted), the digitised version falls within the Act's scope.
Yes, if they process data in connection with offering goods or services to Data Principals in India. A US company operating an app used by Indian residents must comply with the DPDP Act even if it has no physical presence in India.
No. Processing of personal data by an individual for personal or domestic purposes is excluded under Section 3(3)(a). However, if the footage is shared with or sold to a commercial entity, that entity's processing would be covered.
Section 3(3)(b) excludes data made publicly available by the Data Principal from the Act's scope. However, companies relying on this exclusion should be cautious: further processing of publicly available data for purposes beyond its public context, or combining it with other data, may not be excluded.

Legal Context

The territoriality provisions reflect the evolution of Indian data protection thinking from the IT Act's SPDI Rules 2011, which had an uncertain extra-territorial reach, to the GDPR-influenced targeting principle. The personal/domestic exclusion follows GDPR Article 2(2)(c). The publicly available data exclusion is broader than GDPR's approach and has been criticised as potentially enabling commercial exploitation of publicly posted personal data.

Key Rules & Provisions

Paper records that are digitised subsequently are covered — closing the analogue-to-digital conversion gap.

Extra-territorial targeting principle — applies to foreign entities offering services to Indian data subjects.

Publicly available data exclusion — significant for AI training data, scraped web data, and open government databases.

Related Case Laws

Google LLC v. CNIL (CJEU, 2019)

Case C-507/17
RELEVANCE

The CJEU's ruling that EU data protection law does not require global de-referencing — only EU-territorial application — illustrates the live international debate on extra-territorial reach that Section 3(2)'s targeting principle engages. India's provision, like GDPR Article 3, applies to foreign entities targeting Indian Data Principals.