Introduction
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India’s first dedicated data privacy law. The Act applies only to digital personal data, leaving out other categories of data from its ambit. However, even in this limited category, the meaning of personal data is not entirely clear. Section 2(t) of the act defines it as information about an individual who is identifiable “by or in relation to” such data. The first limb of “by such data” is relatively straightforward, and it is clear that it covers information such as names, Aadhaar numbers, and other direct identifiers. However, the second limb, “in relation to,” is not as determinate. It prima facie appears broader than the former and seems to entail even non-direct identifiers. This prompts the broader question of whether data that does not directly identify a person but still reveals aspects of their identity or influences their life should fall within the Act’s scope.
The answer to this question matters because much of the digital economy today relies on data that appears anonymous in isolation but, when viewed together, reveals personal information about individuals. For example, energy use records may not contain a person’s name, but when analysed, they can reveal patterns about daily routines and lifestyle. Such insights can then be used to make decisions about pricing or eligibility, directly affecting the individual. This is known as the “mosaic effect” in the scholarship on data protection. A narrow reading of the second limb “in relation to” by the Data Protection Board (“DPB”) would exclude such supposedly anonymous data from the ambit of the act. This would consequently leave a substantial amount of data that could expose individuals to privacy risks unregulated.
To counteract such a possibility, the present article advocates for a broad reading of “in relation to” under Section 2(t). It argues for an interpretation that treats data as personal whenever it is functionally connected to individuals. To operationalise this, it proposes two standards that the DPB must consider when interpreting the section: the Linkability criterion and the Purpose-or-Effect criterion. Together, these offer a structured, clear, and rights-oriented framework for determining when a datum comes within the Act’s scope.
The Expansive Mandate of the DPDP Act and International Precedents
The DPDP Act, inter alia, seeks to align India’s data protection law with global standards while adapting it to the unique features and scale of its digital economy. Any interpretation of the phrase “in relation to” in Section 2(t) must also reflect this objective.
To start an analysis of what this phrase can and should entail, it helps to look at the report of the Justice B.N. Srikrishna Committee. It was formed to draft a data protection law for India, following the decision in Justice K.S. Puttaswamy. Even though the committee would scoff at the current version of the DPDP Act, their insights into the text of the law remains relevant. The committee had recognised that modern data systems make linkage and re-identification of even anonymous data increasingly easy. Such data can, once combined with other datasets or analysed through advanced tools, reveal individual identities just as directly identifiable data would.
To pre-empt the problem of misuse of data through re-identification or linkages, the Committee recommended a broad, technology-neutral definition of personal data that anticipates future methods of processing rather than being confined to existing technical forms. In doing so, they seem to have been inspired by the European General Data Protection Regulation (“the GDPR”). This was one of the foremost and most consequential data protection laws in the world, and served as the classic case of the Brussels effect by inspiring similar laws worldwide. Interestingly, the definition of personal data under the GDPR is very similar to the DPDP Act. Under Article 4, the former defines personal data as information “relating to an identified or identifiable natural person”. Read with Recital 26 to the GDPR, it also requires controllers to consider all means reasonably likely to enable identification when determining whether a datum is personal or not. The Article 29 Working Party that drafted the GDPR had clarified this definition by stating that data can “relate” to an individual based on its content, its purpose, or its effect. This tripartite test focuses on how data is used, rather than on formal or semantic categories.
The Court of Justice of the European Union (“CJEU”) has given a concrete shape to this. In Patrick Breyer v. Bundesrepublik Deutschland (C-582/14), the Court held that dynamic IP addresses could amount to personal data. Even though website operators could not identify users directly using these addresses, linking them with other data through Internet Service Providers made identification reasonably possible. The Court rejected the idea that data must contain identifiers on its face to be personal, and instead emphasised the importance of considering contextual linkability for the same. This reasoning is particularly relevant for India, where public databases such as Aadhaar and widespread data-sharing arrangements make indirect identification routine place.
This logic was extended in the decision in Peter Nowak v. Data Protection Commissioner (C-434/16). The Court found that an examination script with examiner comments constituted personal data. This was because the script related to the examinee through its content, served the purpose of evaluating their performance, and carried effects regarding future opportunities for the examinee (the Working Party’s tripartite test). The court emphasised that data may be personal not only because of what it contains but also because of how it is used and the consequences it can produce.
Thus, Breyer emphasises the importance of contextual linkability, while Nowak focuses on purpose and effect. Together, these decisions support a practical understanding of “in relation to” that focuses on the real-world consequences of the data rather than merely its superficial form.
Given the similarity in definition and the very well-developed jurisprudence under the GDPR, India can draw valuable lessons from it (while keeping in mind its unique realities). To that end, this article proposes two standards for interpreting what “in relation to” personal data entails in the following section.
The Criteria for Interpreting “In Relation To” in the DPDP Act
This article proposes two criteria for interpreting what “in relation to” means under Section 2(t). These are inspired by the comparative analysis done with the GDPR in the previous section. Under these criteria, Data should be treated as identifiable “in relation to an individual” (and thus personal) if it meets either the Linkability Criterion or the Purpose or Effect Criterion.
The Linkability Criterion classifies data as personal when it can reasonably be connected to an individual, directly or indirectly, using information available to the data fiduciary or which is obtainable through lawful means. This approach resonates with the ruling in Breyer and recognises that a dataset need not itself contain identifiers; identifiability is enough if it is realistically possible in context. What is “reasonably available” must be judged against technological feasibility, cost, and effort. In India, this standard would have particular relevance given that Aadhaar and other extensive digital infrastructure make linkage between data sets routine.
The Purpose or Effect Criterion shifts the focus from the form of the data to its function. Under this, data is personal if it is processed, or intended to be processed, to evaluate, profile, predict, or make decisions about an individual, or if it has tangible effects on them. This is drawn from Nowak and ensures that data which is used to set credit scores, insurance premiums, or regulate access to welfare benefits is recognised as personal.
Together, these criteria recognise that the personal character of data lies not only in what it contains but also in how it is used and what it produces. In India’s growing digital ecosystem, where data is (and is bound to be) increasingly recombined and repurposed, a narrow definition of personal data would exclude entire categories of impactful information from the DPDP Act’s protection.
To illustrate how these criteria apply in practice, consider a lending application that collects device metadata, app usage, and GPS location without recording a name. If this information is combined with telecom records or Aadhaar-based KYC data to assess creditworthiness, the Linkability Criterion applies and labels such data as personal. Even without such linkage, if the app uses behavioural or location patterns to assign a risk score that determines loan eligibility, the Purpose or Effect Criterion applies. This is because the data materially influences the individual’s opportunities. In both cases, the information is considered ‘in relation to’ the person and must be treated as personal under the DPDP Act.
Conclusion
The success of the DPDP Act depends on whether the DPB would be willing to interpret “personal data” to include more than information that directly names an individual. To truly safeguard data privacy, data that drives profiling, shapes decisions, or influences outcomes for identifiable persons must fall within the Act’s scope. A narrow reading of Section 2(t)’s phrase “in relation to” would leave large categories of impactful data outside regulation and frustrate the Act’s objective.
This article has supported a broad reading and anchored it in two criteria which could be used by the DPB when reading this phrase. The Linkability Criterion captures data that can reasonably be tied to an individual, while the Purpose or Effect Criterion covers data that affects individuals through its use. Together, they reflect the realities of India’s digital ecosystem, align with the Srikrishna Committee’s intent, and adapt insights from comparative law in a way suited to local conditions. Without such an approach, the law risks becoming a hollow guarantee in the very domain it was meant to regulate.
(This post has been authored by Shubham Thakare and Arpanjot Kaur, 3rd-year students at NLSIU, Bangalore)
CITE AS: Shubham Thakare and Arpanjot Kaur, ‘Interpreting “In Relation To”: Towards a Functional Test for Personal Data under India’s DPDP Act’ (The Contemporary Law Forum, 26 December 2025) <https://tclf.in/2025/12/26/interpreting-in-relation-to-towards-a-functional-test-for-personal-data-under-indias-dpdp-act/> date of access.