In this Act: –
(1) unless the context otherwise requires, a reference to “provisions of this
Act” shall be read as including a reference to Rules made under this Act.
The first part of this section is stating that when the Act refers to “provisions of this Act,” it also includes any rules that are made under the Act. This means that any rules created to support the implementation of the Act are considered a part of the Act itself.
(2) “the option to access … in English or any language specified in the
Eighth Schedule to the Constitution of India” shall mean that the Data
Principal may select either English or any one of the languages specified in
the Eighth Schedule to the Constitution of India;
The second part of this section is explaining what is meant by “the option to access…in English or any language specified in the Eighth Schedule to the Constitution of India.” This refers to the fact that individuals whose data is being processed have the right to choose whether they want to access their data in English or in any one of the languages specified in the Eighth Schedule to the Constitution of India.
(3) the pronouns “her” and “she” have been used for an individual,
irrespective of gender.
The final part of this section is discussing the use of pronouns in the Act. It clarifies that even though the pronouns “her” and “she” are used for an individual, regardless of gender. This is to avoid the use of the male pronoun as a default and promote gender inclusivity in the language used in the Act.
4. Application of the Act
(1) The provisions of this Act shall apply to the processing of digital
personal data within the territory of India where:
(a) such personal data is collected from Data Principals online; and
(b) such personal data collected offline, is digitized.
(2) The provisions of this Act shall also apply to processing of digital
personal data outside the territory of India, if such processing is in connection
with any profiling of, or activity of offering goods or services to Data Principals
within the territory of India.
For the purpose of this sub-section, “profiling” means any form of processing
of personal data that analyses or predicts aspects concerning the behaviour,
attributes or interests of a Data Principal.
The Act applies to the processing of digital personal data within the territory of India, where such data is collected from Data Principals online, and also to personal data collected offline but digitized. The Act also applies to the processing of digital personal data outside the territory of India if such processing is related to profiling or offering goods or services to Data Principals within the territory of India. The Act defines “profiling” as any form of processing of personal data that analyses or predicts aspects concerning the behavior, attributes, or interests of a Data Principal.
Some people may argue that the Act should apply to all personal data processing, regardless of whether it is digital or not. Others may argue that the Act’s provisions regarding processing of data outside the territory of India are too broad and could potentially lead to jurisdictional issues.
(3) The provisions of this Act shall not apply to:
(a) non-automated processing of personal data;
(b) offline personal data;
(c) personal data processed by an individual for any personal or
domestic purpose; and
(d) personal data about an individual that is contained in a record
that has been in existence for at least 100 years.
Non-automated processing of personal data: This exception applies to cases where personal data is processed manually or by non-digital means. For example, if an organization keeps records of its employees’ personal data in a paper-based file, this would fall under the exception and would not be subject to the Act.
Offline personal data: This exception applies to personal data that is collected offline and not digitized. For instance, if a doctor keeps records of a patient’s medical history in a physical notebook, this would fall under the exception and would not be subject to the Act.
Personal data processed by an individual for any personal or domestic purpose: This exception applies to personal data that is processed by an individual for their personal or domestic purposes, such as maintaining a contact list or a diary. For instance, if you maintain a list of your friends’ contact details on your personal computer or in a diary, this would fall under the exception and would not be subject to the Act.
Personal data about an individual that is contained in a record that has been in existence for at least 100 years: This exception applies to personal data that is contained in a record that has been in existence for at least 100 years. For example, if a genealogy society keeps records of individuals’ ancestors that go back 100 years or more, this would fall under the exception and would not be subject to the Act.
While the Act provides for exceptions to the application of the Act in certain cases, some may argue that these exceptions leave certain personal data unprotected. For example, personal data that is collected offline but is later digitized may not be covered by the Act, leaving it vulnerable to misuse. Additionally, personal data that is processed by an individual for commercial purposes, even if it is for personal use, is not covered by the Act, potentially leading to privacy violations.