Contributed by: Sumit Kochar, Shivam Gera & Jaydeep Saha
Introduction
In today’s digital age, safeguarding personal data has become a top priority, driven by data-driven decision-making and information-sharing. Governments worldwide have enacted legislation to protect the privacy and rights of individuals whose personal information is collected and processed. India is no exception, with the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act). While the DPDP Act aims to comprehensively protect personal data, a key question arises: does the DPDP Act’s definition of “person” extend to entities such as companies and partnership firms? This article aims to interpret and clarify this crucial aspect of the DPDP Act.
Defining “Person” under DPDP Act
The DPDP Act provides definitions for essential terms relevant to its enforcement, including “person” and “personal data.” Section 2(i) of the Act explicitly defines “person” as encompassing various categories:
(i) An individual; (ii) A Hindu undivided family; (iii) A company; (iv) A firm; (v) An association of persons or a body of individuals, whether incorporated or not; (vi) The State; and (vii) Every artificial juristic person, not falling within any of the preceding sub-clauses.
This comprehensive definition appears to include a wide range of entities, from individuals and families to companies and even the State. However, the ambiguity arises when we examine the interpretation of “personal data” in conjunction with the definition of “person.”
Understanding “Personal Data”
The DPDP Act, under Section 2(t), defines “personal data” as follows:
“Personal data” means any data about an individual who is identifiable by or in relation to such data.
This definition underscores the DPDP Act’s primary focus on safeguarding the personal information of individuals, emphasizing the importance of protecting individual privacy and data rights.
Interpreting the Scope
Now comes the critical question: does the inclusion of entities like companies and firms within the definition of “person” mean that personal data protection applies to these entities? A careful analysis of the Act reveals that the DPDP Act primarily revolves around the protection of personal data related to individuals. The definition of “personal data” specifically refers to “an individual who is identifiable by or in relation to such data.” This language unambiguously directs the Act’s scope toward individual data subjects and their privacy concerns.
Entities like companies and partnership firms, while falling under the broad definition of “person” in the Act, are not the primary focus of personal data protection under the DPDP Act. The Act primarily addresses the processing and protection of personal data concerning individuals, with a primary goal of safeguarding the rights and interests of these individuals.
Conclusion
In conclusion, the Digital Personal Data Protection Act, 2023, in its definitions and provisions, clearly intends to prioritize the protection of personal data related to individuals. While the Act’s definition of “person” is comprehensive and includes various entities, it is essential to recognize that the Act predominantly addresses the protection of individual privacy rights. Companies and partnership firms, although considered “persons” under the Act, should primarily concentrate on their data protection responsibilities concerning the personal data of their employees, customers, and other individuals whose data they process. Understanding this distinction is crucial for compliance and ethical data handling in the digital age.