Scope and Applicability
The scope of the Digital Personal Data Protection Act, 2023 (DPDP Act) defines the operational boundaries of India’s statutory data protection regime. It clarifies when the law applies, to whom it applies, and what forms of data fall within regulatory control.
The Act is designed with a digital-first and activity-based applicability model. Its reach is determined not by organizational size or incorporation status, but by the act of processing digital personal data connected to individuals in India.
Material Scope: What Data Is Covered?
The DPDP Act applies exclusively to digital personal data.
This includes:
- Personal data collected in digital form
- Personal data originally collected offline but subsequently digitized
- Data capable of identifying an individual
The Act does not extend to:
- Non-digital personal data that remains offline
- Anonymized data where identification is irreversibly prevented
- Certain categories notified under statutory exemptions
The material scope is intentionally precise — it regulates identifiable digital data, not all information.
Territorial Scope: Where the Law Applies
The applicability of the Digital Personal Data Protection Act, 2023 extends across two principal dimensions:
| Processing Location | Applicability Status |
| Processing within India | Fully applicable |
| Processing outside India offering goods/services to individuals in India | Applicable |
| Processing unrelated to individuals in India | Not applicable |
This extraterritorial reach ensures that offshore entities targeting Indian users fall within the statutory framework.
Personal Scope: Who Is Covered?
The Act applies to entities categorized as:
- Data Fiduciaries – Entities determining the purpose and means of processing
- Significant Data Fiduciaries – Entities notified based on volume, sensitivity, or risk factors
- Data Principals – Individuals to whom personal data relates
The scope is activity-driven. Any entity — domestic or foreign — that processes digital personal data linked to individuals in India falls within regulatory oversight.
Exclusions and Statutory Carve-Outs
The DPDP Act incorporates defined exclusions to preserve administrative flexibility and public interest objectives.
Key Exemptions Include:
- Processing for certain sovereign functions
- Law enforcement and national security purposes
- Research, archiving, or statistical processing (subject to conditions)
- Personal or domestic use
These exemptions are structured and conditional; they do not eliminate accountability where misuse occurs.
Applicability Matrix
The operational reach of the DPDP Act can be summarized as follows:
| Entity Type | Covered? | Remarks |
|---|---|---|
| Indian companies | Yes | Activity-based coverage |
| Foreign companies serving Indian users | Yes | Extraterritorial application |
| Startups | Yes | Size not determinative |
| Sole proprietors | Yes | If processing digital personal data |
| NGOs | Yes | If processing digital personal data |
| Government entities | Yes (subject to exemptions) | Conditional |
| Data Processors | Indirectly | Through fiduciary obligations |
| Significant Data Fiduciaries | Yes (enhanced obligations) | Risk-based classification |
| Individuals for personal/domestic use | No | Explicit exclusion |
This matrix illustrates the activity-based and digital-centric orientation of the statute.
Digital-First Legislative Orientation
Unlike earlier regulatory models under the Information Technology Act, 2000, which relied on limited rule-based privacy provisions, the DPDP Act establishes a dedicated statutory perimeter specifically for digital personal data ecosystems.
Its scope reflects contemporary realities:
- Platform economies
- Cloud-based infrastructure
- Cross-border data flows
- Data-driven service delivery
The Act is intentionally structured to accommodate evolving technological environments while maintaining defined regulatory boundaries.
Strategic Implication of Scope
The breadth of applicability signals three regulatory priorities:
- Jurisdiction over digital activity affecting individuals in India.
- Accountability independent of corporate size or location.
- Regulatory certainty in cross-border data engagement.
The Digital Personal Data Protection Act, 2023 therefore establishes a clear perimeter: if digital personal data of individuals in India is processed, statutory obligations attach.
The scope and applicability provisions of the DPDP Act create a digitally aligned, jurisdictionally expansive, and structurally precise framework. By defining its reach through data type and processing nexus rather than organizational form, the Act ensures regulatory clarity while maintaining operational flexibility.
This defined perimeter forms the foundation upon which all subsequent rights, duties, and enforcement mechanisms operate.