Can Public Data Be Freely Used? DPDP Act and the Future of AI in India

Section 3(c)(ii) of the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”) creates an important exemption from the scope of the Act in respect of certain categories of publicly available personal data. While the DPDP Act establishes a framework based on notice, consent, accountability, and data principal rights, Section 3(c)(ii) recognises that the application of these obligations may not be appropriate in circumstances where personal data has already been made publicly available either by the Data Principal or pursuant to a legal obligation. Accordingly, the provisions of the DPDP Act do not apply to personal data that has been made publicly available by the Data Principal to whom such personal data relates or by any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available. 

The first limb of the exemption concerns the voluntary actions of the Data Principal. Individuals may choose to make their personal information publicly accessible through various means, such as publishing professional profiles, maintaining public social media accounts, operating personal websites, or otherwise disclosing information in a public forum. In such cases, the personal data falls outside the scope of the DPDP Act, provided that it has been made publicly available by the Data Principal. The rationale appears to be that imposing the Act’s consent and processing requirements on information intentionally placed in the public domain by the individual may be impractical and inconsistent with the purpose of the disclosure. 

The second limb relates to disclosures mandated by law. Various Indian laws require certain personal information to be publicly accessible in the interests of transparency, accountability, public administration, or commercial certainty. Examples may include disclosures made in statutory registers, regulatory filings, court notices, insolvency proceedings, or electoral disclosures. Section 3(c)(ii) ensures that the operation of such statutory disclosure regimes is not inadvertently restricted by the DPDP Act. As a result, information that is required by law to be made publicly available remains outside the Act’s regulatory framework. 

The exemption has attracted significant attention in the context of data analytics, artificial intelligence, and machine learning. Since publicly available personal data falling within Section 3(c)(ii) is excluded from the scope of the DPDP Act, organizations may argue that the collection and processing of such data does not require compliance with the Act’s obligations. This could have implications for activities such as web scraping, data aggregation, and AI model training. However, the precise contours of the exemption remain untested, and it would be premature to conclude that all forms of collection or use of publicly available data are automatically permissible. Other legal frameworks, contractual restrictions, platform terms of use, intellectual property considerations, and evolving judicial interpretations may continue to impose limitations on such activities. 

Importantly, the exemption is not without boundaries. Its applicability depends upon the manner in which the data became publicly available. Personal data that enters the public domain as a result of a data breach, unauthorised disclosure, hacking incident, or other unlawful act would not ordinarily fall within the scope of Section 3(c)(ii), as it was neither made public by the Data Principal nor disclosed pursuant to a legal obligation. Consequently, entities processing such data may not be able to rely on the exemption merely because the information is publicly accessible. This distinction is critical to ensuring that the exemption does not undermine accountability for unauthorised disclosures or the unlawful dissemination of personal information. 

As regulatory guidance and judicial interpretation emerge, Section 3(c)(ii) is likely to become one of the most closely scrutinised provisions of the DPDP Act. Its interpretation will have significant implications for businesses, researchers, technology companies, and public institutions seeking to balance innovation, transparency, and privacy in India’s evolving data protection landscape.