DPDPA Automated Processing: When Human Oversight Becomes Mandatory

Summary: Understanding DPDPA Section 8(4) on automated processing of personal data. Learn when human oversight is required, exemptions for legitimate uses, and implementation strategies for businesses.

The Digital Personal Data Protection Act, 2023 (DPDPA) is primarily concerned with the processing of “digital personal data.” A key definitional component that underpins the Act’s scope and application is the concept of “automated” processing. Understanding what “automated” means in the context of the DPDPA, and how it interacts with other core definitions like “processing” and “digital personal data,” is crucial for businesses to determine the extent of their obligations.

This article explores the DPDPA’s definition of “automated” and discusses its implications for the types of data processing activities that fall under the Act’s purview.

The DPDPA’s Definition of “Automated”

The DPDPA defines “automated” as: “any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data.”

This definition is relatively straightforward but has significant implications when read in conjunction with other definitions in the Act. Key takeaways from this definition include:

  • Digital Process: The automation must relate to a digital process. This aligns with the Act’s primary focus on “digital personal data.”
  • Capable of Operating Automatically: The core characteristic is the ability of the process to function without continuous manual human intervention once initiated.
  • Response to Instructions or Otherwise: It can be triggered by explicit instructions (e.g., a user command, a scheduled task) or operate “otherwise” (e.g., based on predefined rules, algorithms, or sensor inputs) for the purpose of data processing.

Interplay with “Processing” and “Digital Personal Data”

The significance of “automated” becomes clearer when we look at related definitions:

“Processing”

The Act defines “processing” in relation to personal data as: “a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”

The crucial phrase here is “wholly or partly automated.” This means that for an operation on digital personal data to be considered “processing” under the DPDPA, at least some part of it must involve an automated means. Purely manual processing of digital personal data, if such a scenario could even practically exist without any automated component (like using a computer), might arguably fall outside this definition, though this is a very narrow interpretation. In reality, almost all handling of digital data involves some level of automation.

“Digital Personal Data”

The Act defines “digital personal data” as: “personal data in digital form.”

The DPDPA primarily applies to the processing of personal data that is in a digital format. It also applies to personal data collected in non-digital form but subsequently digitised.

Therefore, the DPDPA’s obligations kick in when there is:

  1. Personal Data
  2. In Digital Form (or digitised)
  3. Subjected to Processing that is Wholly or Partly Automated

Scope of Application: What’s Covered?

Given these definitions, the DPDPA generally covers:

Data processed by computers, software, and algorithms

This includes most modern data processing activities, from managing customer databases and sending automated emails to running analytics and deploying AI models.

Automated collection of data

For example, data collected through website cookies, sensors, or IoT devices.

Automated decision-making systems

While the DPDPA doesn’t have a specific “right against automated decision-making” like GDPR, systems that make decisions about Data Principals using automated processing of their digital personal data are subject to its principles (e.g., accuracy, fairness, notice, consent for the underlying data processing).

Digital records management

Even storing digital personal data in an organised (or even unorganised but searchable) way typically involves automated systems (e.g., databases, cloud storage), thus falling under “processing.”

What Might Be Less Directly Covered by “Automated”?

Purely Manual, Non-Digitised Processing

The Act’s focus is on “digital personal data.” If personal data is collected manually (e.g., in a paper notebook) and never digitised, its purely manual processing would not fall under the DPDPA. However, the moment such data is digitised (e.g., scanned into a PDF, entered into a spreadsheet), its subsequent processing via automated means comes under the Act.

Individual’s Personal or Domestic Purpose

The Act exempts personal data processed by an individual for any personal or domestic purpose. This exemption applies regardless of whether the processing is automated or not (e.g., an individual managing their personal contacts on a smartphone).

Specific Regulations or Exemptions Linked to “Automated”

Currently, the DPDPA does not contain extensive, specific regulations or exemptions that are explicitly and solely triggered by the term “automated” beyond its role in defining the scope of “processing” and “digital personal data.”

However, the implications of automated processing are woven throughout the Act:

Reasonable Security Safeguards

The nature of automated systems (scalability, speed, potential for widespread impact) necessitates robust technical and organisational measures to secure them.

Data Breach Notifications

Automated systems can be targets of large-scale breaches, making the notification requirements critical.

Data Protection Impact Assessments (DPIAs) for Significant Data Fiduciaries (SDFs)

Large-scale automated processing, especially involving profiling or sensitive data, is often a trigger for requiring DPIAs in many data protection regimes. For SDFs, this is a direct DPDPA obligation.

Algorithmic Diligence for SDFs

The Draft DPDP Rules require SDFs to observe due diligence regarding algorithmic software to ensure it doesn’t pose a risk to Data Principal rights, which directly relates to automated processing by algorithms.

Implications for Businesses

Broad Applicability

Most businesses today rely heavily on automated systems for processing digital personal data. Therefore, they will almost certainly fall within the DPDPA’s scope.

Review Data Handling Practices

Businesses should review how they collect, store, and use digital personal data to ensure that all “processing” (which is wholly or partly automated) complies with DPDPA principles (notice, consent, purpose limitation, security, etc.).

Focus on Digital Data

While non-digital data converted to digital form is covered, the primary thrust is on data already in digital formats and processed by automated means.

System Design

When designing or implementing new systems, ensure they are built with DPDPA compliance in mind, particularly concerning how automated processing will handle personal data according to the Act’s requirements.

Conclusion: “Automated” as a Foundational Concept

The DPDPA’s definition of “automated” processing is a foundational concept that, in conjunction with “processing” and “digital personal data,” delineates the Act’s primary scope of application. For virtually all modern businesses engaged in handling personal information digitally, their activities will involve “partly automated” processing at a minimum, bringing them under the purview of the DPDPA.

While the Act doesn’t currently link extensive specific rules or exemptions directly to the “automated” characteristic itself (beyond its definitional role), the nature of automated systems inherently magnifies the importance of DPDPA’s core obligations concerning security, breach notification, accuracy, and the responsible governance of data. As technology evolves, particularly in areas like AI and IoT, the interpretation and regulatory focus on “automated” processing will likely continue to develop.


Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023, and the Draft DPDP Rules, which are subject to change. For advice on specific legal issues, please consult a qualified legal professional.
