The provisions of this Act
(A) shall apply to
- (a) the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India;
- (b) the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;
- (c) the processing of personal data by
data fiduciaries or
not present within the territory of India, if such processing is—
- (i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
- (ii) in connection with any activity which involves profiling of data principals within the territory of India.
The Personal Data Protection Law extends beyond India. Data protection laws typically have extraterritorial applicability (that is to say, they apply beyond the physical borders of the jurisdiction that enacts the law). The expansive territorial scope is designed to avoid circumvention of the requirements. Circumvention was a major concern, as the goal is to treat data protection is a fundamental right. However, a move towards global computerization means there was no feasible way to limit the purposes for which technology can be used through traditional borders. ^[https://medium.com/golden-data].
The law is not applicable to processing of anonymised data unless Central Government directs to share anonymised data.
For applicability, any one of the condition has to be satisfied
- Personal Data is Processed in India
- Personal Data is processed by Indian Person
- Personal Data is processed in connection with business in India
- Personal Data is processed in connection with profiling of data principals in India
Indian Person - Indian Company, Indian Citizen, Person incorporated/created in India
Also see -- Explanation of Personal Data