THE PERSONAL DATA PROTECTION BILL, 2018

CHAPTER I

PRELIMINARY

  1. Short title, extent and commencement.— …… 1
  2. Application of the Act to processing of personal data.— …… 1
  3. Definitions.— In this Act, unless the context otherwise requires, — …… 2

CHAPTER II

DATA PROTECTION OBLIGATIONS

  4. Fair and reasonable processing.— …… 6
  5. Purpose limitation.— …… 6
  6. Collection limitation.— …… 7
  7. Lawful processing.— …… 7
  8. Notice.— …… 7
  9. Data quality.— …… 8
  10. Data storage limitation.— …… 8
  11. Accountability.— …… 9

CHAPTER III

GROUNDS FOR PROCESSING OF PERSONAL DATA

  12. Processing of personal data on the basis of consent.— …… 9
  13. Processing of personal data for functions of the State.— …… 10
  14. Processing of personal data in compliance with law or any order of any court or tribunal.— …… 10
  15. Processing of personal data necessary for prompt action.— …… 10
  16. Processing of personal data necessary for purposes related to employment.— …… 10
  17. Processing of data for reasonable purposes.— …… 11

CHAPTER IV

GROUNDS FOR PROCESSING OF SENSITIVE PERSONAL DATA

  18. Processing of sensitive personal data based on explicit consent.— …… 11
  19. Processing of sensitive personal data for certain functions of the State.— …… 12
  20. Processing of sensitive personal data in compliance with law or any order of any court or tribunal.— …… 12
  21. Processing of certain categories of sensitive personal data for prompt action.— …… 12
  22. Further categories of sensitive personal data.— …… 13

CHAPTER V

PERSONAL AND SENSITIVE PERSONAL DATA OF CHILDREN

  23. Processing of personal data and sensitive personal data of children.— …… 13

CHAPTER VI

DATA PRINCIPAL RIGHTS

  24. Right to confirmation and access.— …… 14
  25. Right to correction, etc.— …… 14
  26. Right to Data Portability.— …… 15
  27. Right to Be Forgotten.— …… 16
  28. General conditions for the exercise of rights in this Chapter.— …… 16

CHAPTER VII

TRANSPARENCY AND ACCOUNTABILITY MEASURES

  29. Privacy by Design.— …… 17
  30. Transparency.— …… 18
  31. Security Safeguards.— …… 18
  32. Personal Data Breach.— …… 18
  33. Data Protection Impact Assessment.— …… 19
  34. Record-Keeping.— …… 20
  35. Data Audits.— …… 20
  36. Data Protection Officer.— …… 21
  37. Processing by entities other than data fiduciaries.— …… 22
  38. Classification of data fiduciaries as significant data fiduciaries.— …… 22
  39. Grievance Redressal.— …… 23

CHAPTER VIII

TRANSFER OF PERSONAL DATA OUTSIDE INDIA

  40. Restrictions on Cross-Border Transfer of Personal Data.— …… 23
  41. Conditions for Cross-Border Transfer of Personal Data.— …… 24

CHAPTER IX

EXEMPTIONS

  42. Security of the State.— …… 25
  43. Prevention, detection, investigation and prosecution of contraventions of law.— …… 25
  44. Processing for the purpose of legal proceedings.— …… 26
  45. Research, archiving or statistical purposes.— …… 27
  46. Personal or domestic purposes.— …… 27
  47. Journalistic purposes.— …… 28
  48. Manual processing by small entities.— …… 28

CHAPTER X

DATA PROTECTION AUTHORITY OF INDIA

  49. Establishment and incorporation of Authority.— …… 29
  50. Composition and qualifications for appointment of members.— …… 29
  51. Terms and conditions of appointment.— …… 30
  52. Removal of members.— …… 30
  53. Powers of the chairperson.— …… 31
  54. Meetings of the Authority.— …… 31
  55. Vacancies, etc. not to invalidate proceedings of the Authority.— …… 31
  56. Officers and Employees of the Authority.— …… 31
  57. Grants by Central Government.— …… 32
  58. Accounts and Audit.— …… 32
  59. Furnishing of returns, etc. to Central Government.— …… 32
  60. Powers and Functions of the Authority.— …… 33
  61. Codes of Practice.— …… 35
  62. Power of Authority to issue directions.— …… 36
  63. Power of Authority to call for information.— …… 37
  64. Power of Authority to conduct inquiry.— …… 37
  65. Action to be taken by Authority pursuant to an inquiry.— …… 38
  66. Search and Seizure.— …… 39
  67. Coordination between the Authority and other regulators or authorities.— …… 40
  68. Appointment of Adjudicating Officer.— …… 41

CHAPTER XI

PENALTIES AND REMEDIES

  69. Penalties.— …… 41
  70. Penalty for failure to comply with data principal requests under Chapter VI.— …… 42
  71. Penalty for failure to furnish report, returns, information, etc.— …… 42
  72. Penalty for failure to comply with direction or order issued by the Authority.— …… 43
  73. Penalty for contravention where no separate penalty has been provided.— …… 43
  74. Adjudication by Adjudicating Officer.— …… 43
  75. Compensation.— …… 44
  76. Compensation or penalties not to interfere with other punishment.— …… 45
  77. Data Protection Funds.— …… 45
  78. Recovery of Amounts.— …… 46

CHAPTER XII

APPELLATE TRIBUNAL

  79. Establishment of Appellate Tribunal.— …… 47
  80. Qualifications, appointment, term, conditions of service of members.— …… 48
  81. Vacancies.— …… 48
  82. Staff of Appellate Tribunal.— …… 48
  83. Distribution of business amongst benches.— …… 48
  84. Appeals to Appellate Tribunal.— …… 49
  85. Procedure and powers of Appellate Tribunal.— …… 49
  86. Orders passed by Appellate Tribunal to be executable as a decree.— …… 50
  87. Appeal to Supreme Court of India.— …… 50
  88. Right to legal representation.— …… 50
  89. Civil court not to have jurisdiction.— …… 51

CHAPTER XIII

OFFENCES

  90. Obtaining, transferring or selling of personal data contrary to the Act.— …… 51
  91. Obtaining, transferring or selling of sensitive personal data contrary to the Act.— …… 51
  92. Re-identification and processing of de-identified personal data.— …… 52
  93. Offences to be cognizable and non-bailable.— …… 52
  94. Power to investigate offences.— …… 52
  95. Offences by companies.— …… 52
  96. Offences by Central or State Government departments.— …… 53

CHAPTER XIV

TRANSITIONAL PROVISIONS

  97. Transitional provisions and commencement.— …… 54

CHAPTER XV

MISCELLANEOUS

  98. Power of Central Government to issue directions in certain circumstances.— …… 55
  99. Members, etc., to be public servants.— …… 55
  100. Protection of action taken in good faith.— …… 55
  101. Exemption from tax on income.— …… 55
  102. Delegation.— …… 55
  103. Power to remove difficulties.— …… 56
  104. Power to exempt certain data processors.— …… 56
  105. No application to non-personal data.— …… 56
  106. Bar on processing certain forms of biometric data.— …… 56
  107. Power to make rules.— …… 56
  108. Power to make regulations.— …… 58
  109. Rules and Regulations to be laid before Parliament.— …… 59
  110. Overriding effect of this Act.— …… 60
  111. Amendment of Act 21 of 2000.— …… 60
  112. Amendment of Act 22 of 2005.— …… 60

THE FIRST SCHEDULE …… 61

THE SECOND SCHEDULE …… 62


THE PERSONAL DATA PROTECTION BILL, 2018

 

WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy;

 

WHEREAS the growth of the digital economy has meant the use of data as a critical means of communication between persons;

 

WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation;

 

AND WHEREAS it is expedient to make provision: to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities;

 

BE IT ENACTED by Parliament in the Sixty-Ninth Year of the Republic of India as follows:

 

 

 

CHAPTER I

PRELIMINARY

 

 

  1. Short title, extent and commencement.—

(1)     This Act may be called the Personal Data Protection Act, 2018.

(2)     It extends to the whole of India.

(3)     The provisions of Chapter XIV of this Act shall come into force on such date, as the Central Government may by notification appoint, and the remaining provisions of the Act shall come into force in accordance with the provisions in that Chapter.

 

 

  2. Application of the Act to processing of personal data.—

 

(1)     This Act applies to the following—

 

(a)     processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and

 

(b)     processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.

 

 

(2)     Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —

 

(a)     in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or

 

(b)     in connection with any activity which involves profiling of data principals within the territory of India.

 

(3)     Notwithstanding anything contained in sub-sections (1) and (2), the Act shall not apply to processing of anonymised data.

 

 

  3. Definitions.— In this Act, unless the context otherwise requires, —

(1)     “Aadhaar number” shall have the meaning assigned to it under clause (a) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016);

(2)     “Adjudicating Officer” means an officer of the adjudication wing under section 68;

(3)     “Anonymisation” in relation to personal data, means the irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, meeting the standards specified by the Authority;

(4)     “Anonymised data” means data which has undergone the process of anonymisation under sub-clause (3) of this section;

(5)     “Appellate Tribunal” means the tribunal notified under Chapter XII of this Act;

(6)     “Authority” means the Data Protection Authority of India established under Chapter X of this Act;

(7)     “Automated means” means any equipment capable of operating automatically in response to instructions given for the purpose of processing data;

(8)     “Biometric data” means facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;

(9)     “Child” means a data principal below the age of eighteen years;

(10)   “Code of Practice” means a code of practice issued by the Authority under section 61;

(11)   “Consent” means consent under section 12;

 

(12)   “Data” means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means;

(13)   “Data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;

(14)   “Data principal” means the natural person to whom the personal data referred to in sub-clause (28) relates;

(15)   “Data processor” means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary;

(16)   “De-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;

(17)   “Disaster” shall have the same meaning assigned to it under clause (d) of section 2 of the Disaster Management Act, 2005 (53 of 2005);

(18)   “Explicit consent” means consent under section 18;

(19)   “Financial data” means any number or other personal data used to identify an account opened by, or card or payment instrument issued by a financial institution to a data principal or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history;

(20)   “Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(21)   “Harm” includes—

 

(i)      bodily or mental injury;

(ii)     loss, distortion or theft of identity;

(iii)    financial loss or loss of property;

(iv)     loss of reputation, or humiliation;

(v)      loss of employment;

(vi)     any discriminatory treatment;

(vii)    any subjection to blackmail or extortion;

(viii)   any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;

(ix)     any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or

(x)      any observation or surveillance that is not reasonably expected by the data principal.

 

(22)   “Health data” means data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services;

(23)   “Intersex status” means the condition of a data principal who is—

 

(i)      a combination of female or male;

 

(ii)     neither wholly female nor wholly male; or

 

(iii)    neither female nor male.

 

(24)   “Intra-group schemes” means schemes approved by the Authority under section 41;

 

(25)   “Journalistic purpose” means any activity intended towards the dissemination through print, electronic or any other media of factual reports, analysis, opinions, views or documentaries regarding—

 

(i)      news, recent or current events; or

 

(ii)     any other information which the data fiduciary believes the public, or any significantly discernible class of the public, to have an interest in;

(26)   “Notification” means a notification published in the Official Gazette and the term “notify” shall be construed accordingly;

(27)   “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal;

(28)   “Person” means—

 

(i)      an individual,

(ii)     a Hindu undivided family,

(iii)    a company,

(iv)     a firm,

(v)      an association of persons or a body of individuals, whether incorporated or not,

(vi)     the State, and

(vii)    every artificial juridical person, not falling within any of the preceding sub-clauses;

 

 

(29)   “Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information;

(30)   “Personal data breach” means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, loss of access to, of personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;

(31)   “Prescribed” means prescribed by rules made by the Central Government under this Act;

(32)   “Processing” in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

(33)   “Profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interest of a data principal;

(34)   “Re-identification” means the process by which a data fiduciary or data processor may reverse a process of de-identification;

(35)   “Sensitive Personal Data” means personal data revealing, related to, or constituting, as may be applicable—

 

(i)      passwords;

(ii)     financial data;

(iii)    health data;

(iv)     official identifier;

(v)      sex life;

(vi)     sexual orientation;

(vii)    biometric data;

(viii)   genetic data;

(ix)     transgender status;

(x)      intersex status;

(xi)     caste or tribe;

(xii)    religious or political belief or affiliation; or

(xiii)   any other category of data specified by the Authority under section 22.

 

 

(36)   “Significant data fiduciary” means a data fiduciary notified by the Authority under section 38;

(37)   “Significant harm” means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm;

(38)   “Specified” means specified by regulations made by the Authority under this Act and the term “specify” shall be construed accordingly;

(39)   “State” shall, unless the context otherwise requires, have the same meaning assigned to it under Article 12 of the Constitution;

(40)   “Systematic activity” means any structured or organised activity that involves an element of planning, method, continuity or persistence;

(41)   “Transgender status” means the condition of a data principal whose sense of gender does not match with the gender assigned to that data principal at birth, whether or not they have undergone sex reassignment surgery, hormone therapy, laser therapy, or any other similar medical procedure.

 

 

 

CHAPTER II

DATA PROTECTION OBLIGATIONS

 

 

  4. Fair and reasonable processing.— Any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.

  5. Purpose limitation.—

(1)     Personal data shall be processed only for purposes that are clear, specific and lawful.

(2)     Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.

  6. Collection limitation.— Collection of personal data shall be limited to such data that is necessary for the purposes of processing.

 

 

  7. Lawful processing.—

 

(1)     Personal data shall be processed only on the basis of one or a combination of grounds of processing in Chapter III.

 

(2)     Sensitive personal data shall be processed only on the basis of one or a combination of grounds of processing in Chapter IV.

 

 

  8. Notice.—

(1)     The data fiduciary shall provide the data principal with the following information, no later than at the time of collection of the personal data or, if the data is not collected from the data principal, as soon as is reasonably practicable

(a)     the purposes for which the personal data is to be processed;

(b)     the categories of personal data being collected;

(c)     the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;

(d)     the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;

(e)     the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds in section 12 to section 17, and section 18 to section 22;

(f)     the source of such collection, if the personal data is not collected from the data principal;

(g)     the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;

(h)     information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;

(i)     the period for which the personal data will be retained in terms of section 10 or where such period is not known, the criteria for determining such period;

(j)     the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI and any related contact details for the same;

(k)     the procedure for grievance redressal under section 39;

(l)     the existence of a right to file complaints to the Authority;

(m)     where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under section 35; and

(n)     any other information as may be specified by the Authority.

(2)     The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.

(3)     Sub-section (1) shall not apply where the provision of notice under this section would substantially prejudice the purpose of processing of personal data under sections 15 or 21 of this Act.

 

 

  9. Data quality.—

(1)     The data fiduciary shall take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated, having regard to the purposes for which it is processed.

(2)     In considering whether any reasonable step is necessary under sub-section (1), the data fiduciary shall have regard to whether the personal data—

(a)     is likely to be used to make a decision about the data principal;

(b)     is likely to be disclosed to other individuals or entities including other data fiduciaries or processors; or

(c)     is kept in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments.

(3)     Where personal data is disclosed to other individuals or entities, including other data fiduciaries or processors, and the data fiduciary subsequently finds that such data does not comply with sub-section (1), the data fiduciary shall take reasonable steps to notify such individuals or entities of this fact.

 

 

  10. Data storage limitation.—

(1)     The data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed.

(2)     Notwithstanding sub-section (1), personal data may be retained for a longer period of time if such retention is explicitly mandated, or necessary to comply with any obligation, under a law.

(3)     The data fiduciary must undertake periodic review in order to determine whether it is necessary to retain the personal data in its possession.

(4)     Where it is not necessary for personal data to be retained by the data fiduciary under sub-sections (1) and (2), then such personal data must be deleted in a manner as may be specified.

 

  11. Accountability.—

(1)     The data fiduciary shall be responsible for complying with all obligations set out in this Act in respect of any processing undertaken by it or on its behalf.

 

(2)     The data fiduciary should be able to demonstrate that any processing undertaken by it or on its behalf is in accordance with the provisions of this Act.

 

 

 

CHAPTER III

GROUNDS FOR PROCESSING OF PERSONAL DATA

 

 

  12. Processing of personal data on the basis of consent.—

 

(1)     Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.

 

(2)     For the consent of the data principal to be valid, it must be

 

(a)     free, having regard to whether it meets the standard under section 14 of the Indian

Contract Act, 1872 (9 of 1872);

(b)     informed, having regard to whether the data principal has been provided with the information required under section 8;

(c)     specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing;

(d)     clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and

(e)     capable of being withdrawn, having regard to whether the ease of such withdrawal

is comparable to the ease with which consent may be given.

 

 

(3)     The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose.

 

(4)     The data fiduciaryshall bear the burden of proof to establish that consent has been given by the data principal for processing of personal data in accordance with sub-section (2).

 

(5)    Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.

 

  13. Processing of personal data for functions of the State. —

(1)     Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.

(2)     Personal data may be processed if such processing is necessary for the exercise of any function of the State authorised by law for:

 

(a)     the provision of any service or benefit to the data principal from the State; or

(b)     the issuance of any certification, license or permit for any action or activity of the data principal by the State.

 

 

  14. Processing of personal data in compliance with law or any order of any court or tribunal. —

 

Personal data may be processed if such processing is

 

(a)     explicitly mandated under any law made by Parliament or any State Legislature; or

(b)     for compliance with any order or judgment of any Court or Tribunal in India.

 

 

  15. Processing of personal data necessary for prompt action. —

 

Personal data may be processed if such processing is necessary

 

(a)     to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual;

(b)     to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or

(c)     to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.

 

 

  16. Processing of personal data necessary for purposes related to employment. —

(1)     Personal data may be processed if such processing is necessary for

(a)     recruitment or termination of employment of a data principal by the data fiduciary;

(b)     provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;

(c)     verifying the attendance of the data principal who is an employee of the data fiduciary; or

(d)     any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.

(2)     Sub-section (1) shall apply only where processing on the basis of consent of the data principal is not appropriate having regard to the employment relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities under this section.

 

 

17. Processing of data for reasonable purposes. —

(1)     In addition to the grounds for processing contained in section 12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration

(a)     the interest of the data fiduciary in processing for that purpose;

(b)     whether the data fiduciary can reasonably be expected to obtain the consent of the data principal;

(c)     any public interest in processing for that purpose;

(d)     the effect of the processing activity on the rights of the data principal; and

(e)     the reasonable expectations of the data principal having regard to the context of the processing.

(2)     For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including

(a)     prevention and detection of any unlawful activity including fraud;

(b)     whistle blowing;

(c)     mergers and acquisitions;

(d)     network and information security;

(e)     credit scoring;

(f)     recovery of debt;

(g)     processing of publicly available personal data.

(3)     Where the Authority specifies a reasonable purpose under sub-section (1), it shall:

(a)     lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and

(b)     determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose.

CHAPTER IV

GROUNDS FOR PROCESSING OF SENSITIVE PERSONAL DATA

18. Processing of sensitive personal data based on explicit consent. —

(1)     Sensitive personal data may be processed on the basis of explicit consent.

(2)     For the purposes of sub-section (1), consent shall be considered explicit only if it is valid as per section 12 and is additionally:

(a)     informed, having regard to whether the attention of the data principal has been drawn to purposes of or operations in processing that may have significant consequences for the data principal;

(b)     clear, having regard to whether it is meaningful without recourse to inference from conduct in a context; and

(c)     specific, having regard to whether the data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.

19. Processing of sensitive personal data for certain functions of the State. —

Sensitive personal data may be processed if such processing is strictly necessary for:

(a)     any function of Parliament or any State Legislature; or

(b)     the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal.

20. Processing of sensitive personal data in compliance with law or any order of any court or tribunal. —

Sensitive personal data may be processed if such processing is

(a)     explicitly mandated under any law made by Parliament or any State Legislature; or

(b)     necessary for compliance with any order or judgment of any Court or Tribunal in India.

21. Processing of certain categories of sensitive personal data for prompt action. —

Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary

(a)     to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal;

(b)     to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or

(c)     to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.

22. Further categories of sensitive personal data. —

(1)     Such further categories of personal data as may be specified by the Authority shall be sensitive personal data and, where such categories of personal data have been specified, the Authority may also specify any further grounds on which such specified categories of personal data may be processed.

(2)     The Authority shall specify categories of personal data under sub-section (1) having regard to

(a)     the risk of significant harm that may be caused to the data principal by the processing of such category of personal data;

(b)     the expectation of confidentiality attached to such category of personal data;

(c)     whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of personal data; and

(d)     the adequacy of protection afforded by ordinary provisions applicable to personal data.

(3)     The Authority may also specify categories of personal data which require additional safeguards or restrictions where repeated, continuous or systematic collection for the purposes of profiling takes place and, where such categories of personal data have been specified, the Authority may also specify such additional safeguards or restrictions applicable to such processing.

CHAPTER V

PERSONAL AND SENSITIVE PERSONAL DATA OF CHILDREN

23. Processing of personal data and sensitive personal data of children. —

(1)     Every data fiduciary shall process personal data of children in a manner that protects and advances the rights and best interests of the child.

(2)     Appropriate mechanisms for age verification and parental consent shall be incorporated by data fiduciaries in order to process personal data of children.

(3)     Appropriateness of an age verification mechanism incorporated by a data fiduciary shall be determined on the basis of—

(a)     volume of personal data processed;

(b)     proportion of such personal data likely to be that of children;

(c)     possibility of harm to children arising out of processing of personal data; and

(d)     such other factors as may be specified by the Authority.

(4)     The Authority shall notify the following as guardian data fiduciaries—

(a)     data fiduciaries who operate commercial websites or online services directed at children; or

(b)     data fiduciaries who process large volumes of personal data of children.

(5)     Guardian data fiduciaries shall be barred from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.

(6)     Sub-section (5) may apply in such modified form, to data fiduciaries offering counseling or child protection services to a child, as the Authority may specify.

(7)     Where a guardian data fiduciary notified under sub-section (4) exclusively provides counseling or child protection services to a child, as under sub-section (6), then such guardian data fiduciary will not be required to obtain parental consent as set out under sub-section (2).

CHAPTER VI

DATA PRINCIPAL RIGHTS

24. Right to confirmation and access. —

(1)     The data principal shall have the right to obtain from the data fiduciary

(a)     confirmation whether the data fiduciary is processing or has processed personal data of the data principal;

(b)     a brief summary of the personal data of the data principal being processed or that has been processed by the data fiduciary; and

(c)     a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal, including any information provided in the notice under section 8 in relation to such processing activities.

(2)     The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

25. Right to correction, etc. —

(1)     Where necessary, having regard to the purposes for which personal data is being processed, the data principal shall have the right to obtain from the data fiduciary processing personal data of the data principal

(a)     the correction of inaccurate or misleading personal data;

(b)     the completion of incomplete personal data; and

(c)     the updating of personal data that is out of date.

(2)     Where the data fiduciary receives a request under sub-section (1), and the data fiduciary does not agree with the need for such correction, completion or updating having regard to the purposes of processing, the data fiduciary shall provide the data principal with adequate justification in writing for rejecting the application.

(3)     Where the data principal is not satisfied with the justification provided by the data fiduciary under sub-section (2), the data principal may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal.

(4)     Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

26. Right to Data Portability. —

(1)     The data principal shall have the right to—

(a)     receive the following personal data related to the data principal in a structured, commonly used and machine-readable format—

(i)     which such data principal has provided to the data fiduciary;

(ii)    which has been generated in the course of provision of services or use of goods by the data fiduciary; or

(iii)   which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained.

(b)     have the personal data referred to in clause (a) transferred to any other data fiduciary in the format referred to in that clause.

(2)     Sub-section (1) shall only apply where the processing has been carried out through automated means, and shall not apply where—

(a)     processing is necessary for functions of the State under section 13;

(b)     processing is in compliance of law as referred to in section 14; or

(c)     compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

27. Right to Be Forgotten. —

(1)     The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure

(a)     has served the purpose for which it was made or is no longer necessary;

(b)     was made on the basis of consent under section 12 and such consent has since been withdrawn; or

(c)     was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.

(2)     Sub-section (1) shall only apply where the Adjudicating Officer under section 68 determines the applicability of clause (a), (b) or (c) of sub-section (1) and that the rights and interests of the data principal in preventing or restricting the continued disclosure of personal data override the right to freedom of speech and expression and the right to information of any citizen.

(3)     In determining whether the condition in sub-section (2) is satisfied, the Adjudicating Officer shall have regard to

(a)     the sensitivity of the personal data;

(b)     the scale of disclosure and the degree of accessibility sought to be restricted or prevented;

(c)     the role of the data principal in public life;

(d)     the relevance of the personal data to the public; and

(e)     the nature of the disclosure and of the activities of the data fiduciary, particularly whether the data fiduciary systematically facilitates access to personal data and whether the activities would be significantly impeded if disclosures of the relevant nature were to be restricted or prevented.

(4)     The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

(5)     Where any person finds that personal data, the disclosure of which has been restricted or prevented by an order of the Adjudicating Officer under sub-section (2), does not satisfy the conditions referred to in that sub-section any longer, they may apply for the review of that order to the Adjudicating Officer in such manner as may be prescribed, and such Adjudicating Officer shall review her order on the basis of the considerations referred to in sub-section (3).

28. General conditions for the exercise of rights in this Chapter. —

(1)     The exercise of any right under this Chapter, except the right under section 27, shall only be on the basis of a request made in writing to the data fiduciary with reasonable information to satisfy the data fiduciary of the identity of the data principal making the request, and the data fiduciary shall acknowledge receipt of such request within such period of time as may be specified.

(2)     The data fiduciary may charge a reasonable fee to be paid for complying with requests made under this Chapter, except for requests made under clauses (a) and (b) of sub-section (1) of section 24 and section 25, which shall be complied with by the data fiduciary without charging any fee.

(3)     The Authority may specify a reasonable time period within which the data fiduciary shall comply with the requests under this Chapter, and such time period shall be communicated to the data principal along with the acknowledgement referred to in sub-section (1).

(4)     Where any request made under this Chapter is refused by the data fiduciary, it shall provide the data principal making such request with adequate reasons for such refusal as per the provisions of this Chapter in writing, and shall inform the data principal regarding the right to file a complaint with the Authority against the refusal within such period and in such manner as may be specified.

(5)     The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

(6)     The manner of exercise of rights under this Chapter shall be in such form as may be provided by law or, in the absence of such law, in a reasonable format to be followed by each data fiduciary.

CHAPTER VII

TRANSPARENCY AND ACCOUNTABILITY MEASURES

29. Privacy by Design. —

Every data fiduciary shall implement policies and measures to ensure that—

(a)     managerial, organisational, business practices and technical systems are designed in a manner to anticipate, identify and avoid harm to the data principal;

(b)     the obligations mentioned in Chapter II are embedded in organisational and business practices;

(c)     technology used in the processing of personal data is in accordance with commercially accepted or certified standards;

(d)     legitimate interests of businesses including any innovation is achieved without compromising privacy interests;

(e)     privacy is protected throughout processing from the point of collection to deletion of personal data;

(f)     processing of personal data is carried out in a transparent manner; and

(g)     the interest of the data principal is accounted for at every stage of processing of personal data.

30. Transparency. —

(1)     The data fiduciary shall take reasonable steps to maintain transparency regarding its general practices related to processing personal data and shall make the following information available in an easily accessible form as may be specified—

(a)     the categories of personal data generally collected and the manner of such collection;

(b)     the purposes for which personal data is generally processed;

(c)     any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm;

(d)     the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI, and any related contact details for the same;

(e)     the existence of a right to file complaints to the Authority;

(f)     where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under section 35;

(g)     where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and

(h)     any other information as may be specified by the Authority.

(2)     The data fiduciary shall notify the data principal of important operations in the processing of personal data related to the data principal through periodic notifications in such manner as may be specified.

31. Security Safeguards. —

(1)     Having regard to the nature, scope and purpose of processing personal data undertaken, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, the data fiduciary and the data processor shall implement appropriate security safeguards including—

(a)     use of methods such as de-identification and encryption;

(b)     steps necessary to protect the integrity of personal data; and

(c)     steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.

(2)     Every data fiduciary and data processor shall undertake a review of its security safeguards periodically as may be specified and may take appropriate measures accordingly.

32. Personal Data Breach. —

(1)     The data fiduciary shall notify the Authority of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.

(2)     The notification referred to in sub-section (1) shall include the following particulars

(a)     nature of personal data which is the subject matter of the breach;

(b)     number of data principals affected by the breach;

(c)     possible consequences of the breach; and

(d)     measures being taken by the data fiduciary to remedy the breach.

(3)     The notification referred to in sub-section (1) shall be made by the data fiduciary to the Authority as soon as possible and not later than the time period specified by the Authority, following the breach after accounting for any time that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm.

(4)     Where it is not possible to provide all the information as set out in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without undue delay.

(5)     Upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.

(6)     The Authority may, in addition to requiring the data fiduciary to report the personal data breach to the data principal under sub-section (5), direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website.

(7)     The Authority may, in addition, also post the details of the personal data breach on its own website.

33. Data Protection Impact Assessment. —

(1)     Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section.

(2)     The Authority may, in addition, specify those circumstances, or classes of data fiduciaries, or processing operations where such data protection impact assessment shall be mandatory, and may also specify those instances where a data auditor under this Act shall be engaged by the data fiduciary to undertake a data protection impact assessment.

(3)     A data protection impact assessment shall contain, at a minimum

(a)     detailed description of the proposed processing operation, the purpose of processing and the nature of personal data being processed;

(b)     assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and

(c)     measures for managing, minimising, mitigating or removing such risk of harm.

(4)     Upon completion of the data protection impact assessment, the data protection officer shall review the assessment prepared and shall submit the same to the Authority in such manner as may be specified.

(5)     On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

34. Record-Keeping. —

(1)     The data fiduciary shall maintain accurate and up-to-date records of the following

(a)     important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

(b)     periodic review of security safeguards under section 31;

(c)     data protection impact assessments under section 33; and

(d)     any other aspect of processing as may be specified by the Authority.

(2)     The records in sub-section (1) shall be maintained in such form as specified by the Authority.

(3)     Notwithstanding anything contained in this Act, this section shall apply to the Central or State Government, departments of the Central and State Government, and any agency, instrumentality or authority which is "the State" under Article 12 of the Constitution.

35. Data Audits. —

(1)     The data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.

(2)     The data auditor will evaluate the compliance of the data fiduciary with the provisions of this Act, including

(a)     clarity and effectiveness of notices under section 8;

(b)     effectiveness of measures adopted under section 29;

(c)     transparency in relation to processing activities under section 30;

(d)     security safeguards adopted pursuant to section 31;

(e)     instances of personal data breach and response of the data fiduciary, including the promptness of notification to the Authority under section 32; and

(f)     any other matter as may be specified.

(3)     The Authority shall specify the form, manner and procedure for conducting audits under this section including any civil penalties on data auditors for negligence.

(4)     The Authority shall register persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, with such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as it may specify, as data auditors under this Act.

(5)     A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.

(6)     The Authority shall specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2).

(7)     Notwithstanding sub-section (1), where the Authority is of the view that the data fiduciary is processing personal data in a manner that is likely to cause harm to a data principal, the Authority may order the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.

36. Data Protection Officer. —

(1)     The data fiduciary shall appoint a data protection officer for carrying out the following functions

(a)     providing information and advice to the data fiduciary on matters relating to fulfilling its obligations under this Act;

(b)     monitoring personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of this Act;

(c)     providing advice to the data fiduciary where required on the manner in which data protection impact assessments must be carried out, and carrying out the review of such assessment as under sub-section (4) of section 33;

(d)     providing advice to the data fiduciary, where required, on the manner in which internal mechanisms may be developed in order to satisfy the principles set out under section 29;

(e)     providing assistance to and cooperating with the Authority on matters of compliance of the data fiduciary with provisions under this Act;

(f)     acting as the point of contact for the data principal for the purpose of raising grievances to the data fiduciary pursuant to section 39 of this Act; and

(g)     maintaining an inventory of all records maintained by the data fiduciary pursuant to section 34.

(2)     Nothing shall prevent the data fiduciary from assigning any other function to the data protection officer, which it may consider necessary, in addition to the functions provided in sub-section (1) above.

(3)     The data protection officer shall meet the eligibility and qualification requirements to carry out its functions under sub-section (1) as may be specified.

(4)     Where any data fiduciary not present within the territory of India carries on processing to which the Act applies under section 2(2), and the data fiduciary is required to appoint a data protection officer under this Act, the data fiduciary shall appoint such officer who shall be based in India and shall represent the data fiduciary in compliance of obligations under this Act.

37. Processing by entities other than data fiduciaries. —

(1)     The data fiduciary shall only engage, appoint, use or involve a data processor to process personal data on its behalf through a valid contract.

(2)     The data processor referred to in sub-section (1) shall not further engage, appoint, use, or involve another data processor in the relevant processing on its behalf except with the authorisation of the data fiduciary, unless permitted through the contract referred to in sub-section (1).

(3)     The data processor, and any employee of the data fiduciary or the data processor, shall only process personal data in accordance with the instructions of the data fiduciary unless they are required to do otherwise under law, and shall treat any personal data that comes within their knowledge as confidential.

38. Classification of data fiduciaries as significant data fiduciaries. —

(1)     The Authority shall, having regard to the following factors, notify certain data fiduciaries or classes of data fiduciaries as significant data fiduciaries

(a)     volume of personal data processed;

(b)     sensitivity of personal data processed;

(c)     turnover of the data fiduciary;

(d)     risk of harm resulting from any processing or any kind of processing undertaken by the fiduciary;

(e)     use of new technologies for processing; and

(f)     any other factor relevant in causing harm to any data principal as a consequence of such processing.

(2)     The notification of a data fiduciary or classes of data fiduciaries as significant data fiduciaries by the Authority under sub-section (1) shall require such data fiduciary or class of data fiduciaries to register with the Authority in such manner as may be specified.

(3)     All or any of the following obligations in this Chapter, as determined by the Authority, shall apply only to significant data fiduciaries—

(a)     data protection impact assessments under section 33;

(b)     record-keeping under section 34;

(c)     data audits under section 35; and

(d)     data protection officer under section 36.

(4)     Notwithstanding sub-section (3), the Authority may notify the application of all or any of the obligations in sub-section (3) to such data fiduciary or class of data fiduciaries, not being a significant data fiduciary, if it is of the view that any processing activity undertaken by such data fiduciary or class of data fiduciaries carries a risk of significant harm to data principals.

39. Grievance Redressal. —

(1)     Every data fiduciary shall have in place proper procedures and effective mechanisms to address grievances of data principals efficiently and in a speedy manner.

(2)     A data principal may raise a grievance in case of a violation of any of the provisions of this Act, or rules prescribed, or regulations specified thereunder, which has caused or is likely to cause harm to such data principal, to

(a)     the data protection officer, in case of a significant data fiduciary; or

(b)     an officer designated for this purpose, in case of any other data fiduciary.

(3)     A grievance raised under sub-section (2) shall be resolved by the data fiduciary in an expeditious manner and no later than thirty days from the date of receipt of grievance by such data fiduciary.

(4)     Where a grievance under sub-section (2) is not resolved within the time period mentioned under sub-section (3), or where the data principal is not satisfied with the manner in which the grievance is resolved, or the data fiduciary has rejected the grievance raised, the data principal shall have the right to file a complaint with the adjudication wing under section 68 of the Act in the manner prescribed.

(5)     Any person aggrieved by an order made under this section by an Adjudicating Officer in accordance with the procedure prescribed in this regard may prefer an appeal to the Appellate Tribunal.

CHAPTER VIII

TRANSFER OF PERSONAL DATA OUTSIDE INDIA

40. Restrictions on Cross-Border Transfer of Personal Data. —

(1)     Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2)     The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3)     Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub-section (1) on the grounds of necessity or strategic interests of the State.

(4)     Nothing contained in sub-section (3) shall apply to sensitive personal data.

  1. Conditions for Cross-Border Transfer of Personal Data. —

 

(1)     Personal data other than those categories of sensitive personal data notified under sub- section (2) of section 40 may be transferred outside the territory of Indiawhere

 

(a)     the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Authority; or

(b)     the Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, or to a sector within a country or to a particular international organisation is permissible; or

(c)     the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity; or

(d)     in addition to clause (a) or (b) being satisfied, the data principal has consented to such transfer of personal data; or

(e)     in addition to clause (a) or (b) being satisfied, the data principal has explicitly consented to such transfer of sensitive personal data, which does not include the categories of sensitive personal data notified under sub-section (2) of section 40.

 

(2)     The Central Government may only prescribe the permissibility of transfers under clause (b) of sub-section (1) where it finds that the relevant personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements, and the effectiveness of the enforcement by authorities with appropriate jurisdiction, and shall monitor the circumstances applicable to such data in order to review decisions made under this sub-section.

 

(3)     Notwithstanding sub-section (2) of Section 40, sensitive personal data notified by the Central Government may be transferred outside the territory of India

 

(a)    to a particular person or entity engaged in the provision of health services or emergency services where such transfer is strictly necessary for prompt action under section 16; and

(b)    to a particular country, a prescribed sector within a country or to a particular international organisation that has been prescribed under clause (b) of sub-section (1), where the Central Government is satisfied that such transfer or class of transfers is necessary for any class of data fiduciaries or data principals and does not hamper the effective enforcement of this Act.

 

(4)     Any transfer under clause (a) of sub-section (3) shall be notified to the Authority within such time period as may be prescribed.

 

(5)     The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this sub-section to any other person or entity.

 

(6)     Where a data fiduciary seeks to transfer personal data subject to standard contractual clauses or intra-group schemes under clause (a) of sub-section (1), it shall certify and periodically report to the Authority as may be specified, that the transfer is made under a contract that adheres to such standard contractual clauses or intra-group schemes and that it shall bear any liability for the harm caused due to any non-compliance with the standard contractual clauses or intra-group schemes by the transferee.

 

 

 

CHAPTER IX

EXEMPTIONS

 

 

  42. Security of the State.—

(1)     Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.

 

(2)     Any processing authorised by a law referred to in sub-section (1) shall be exempted from the following provisions of the Act

(a)     Chapter II, except section 4;

(b)     Chapter III;

(c)     Chapter IV;

(d)     Chapter V;

(e)     Chapter VI;

(f)      Chapter VII, except section 31; and

(g)     Chapter VIII.

 

 

  43. Prevention, detection, investigation and prosecution of contraventions of law.—

(1)    Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

 

(2)     Any processing authorised by law referred to in sub-section (1) shall be exempted from the following provisions of the Act

(a)     Chapter II, except section 4;

(b)     Chapter III;

(c)     Chapter IV;

(d)     Chapter V;

(e)     Chapter VI;

(f)      Chapter VII except section 31; and

(g)     Chapter VIII.

 

 

(3)     Sub-section (1) shall apply in relation to processing of personal data of a data principal who is a victim, witness, or any person with information about the relevant offence or contravention only if processing in compliance with the provisions of this law would be prejudicial to the prevention, detection, investigation or prosecution of any offence or other contravention of law.

(4)     Personal data processed under sub-section (1) shall not be retained once the purpose of prevention, detection, investigation or prosecution of any offence or other contravention of law is complete except where such personal data is necessary for the maintenance of any record or database which constitutes a proportionate measure to prevent, detect or investigate or prosecute any offence or class of offences in future.

 

 

  44. Processing for the purpose of legal proceedings.—

(1)    Where disclosure of personal data is necessary for enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding such processing shall be exempted from the following provisions of this Act—

 

(a)     Chapter II, except section 4;

(b)     Chapter III;

(c)     Chapter IV;

(d)     Chapter V;

(e)     Chapter VI; and

(f)      Chapter VII, except section 31.

 

 

(2)     Where processing of personal data by any Court or Tribunal in India is necessary for the exercise of any judicial function, such processing shall be exempted from the following provisions of this Act—

 

(a)     Chapter II, except section 4;

(b)     Chapter III;

(c)     Chapter IV;

(d)     Chapter V;

(e)     Chapter VI; and

(f)      Chapter VII, except section 31.

 

 

  45. Research, archiving or statistical purposes. —

 

(1)    Where processing of personal data is necessary for research, archiving, or statistical purposes, such processing may be exempted from such provisions of this Act as the Authority may specify except section 4, section 31 and section 33.

 

(2)    For the purpose of sub-section (1), the Authority may exempt different categories of research, archiving, or statistical purposes from different provisions of the Act.

 

(3)     Sub-section (1) shall apply only where

 

(a)     compliance with the provisions of this Act will disproportionately divert resources from the purpose referred to in sub-section (1);

(b)     the purposes of processing cannot be achieved if the personal data is anonymised;

(c)     the data fiduciary has carried out de-identification meeting the standard contained in any code of practice under section 61, where the purpose of processing can be achieved if the personal data is in a de-identified form;

(d)     personal data will not be used to take any decision specific to or action directed specifically towards the data principal; and

(e)     personal data will not be processed in a manner that gives rise to a risk of significant harm to the data principal.

 

 

 

  46. Personal or domestic purposes. —

 

(1)     Personal data processed by a natural person in the course of a purely personal or domestic purpose, shall be exempted from the following provisions of this Act

 

(a)     Chapter II, except section 4;

(b)     Chapter III;

(c)     Chapter IV;

(d)     Chapter V;

(e)     Chapter VI;

(f)      Chapter VII; and

(g)     Chapter VIII.

 

(2)     Sub-section (1) shall not apply where the relevant processing

 

(a)     involves disclosure to the public; or

(b)     is undertaken in connection with any professional or commercial activity.

 

 

  47. Journalistic purposes.—

 

(1)     Where the processing of personal data is necessary for or relevant to a journalistic purpose, the following provisions of the Act shall not apply

 

(a)     Chapter II, except section 4;

(b)     Chapter III;

(c)     Chapter IV;

(d)     Chapter V;

(e)     Chapter VI;

(f)      Chapter VII except section 31; and

(g)     Chapter VIII.

 

 

(2)     Sub-section (1) shall apply only where it can be demonstrated that the processing is in compliance with any code of ethics issued by

 

(a)     the Press Council of India, or

(b)     any media self-regulatory organisation

 

 

  48. Manual processing by small entities.—

 

(1)     Subject to any law for the time being in force, where personal data is processed through means other than automated means by a small entity, the following provisions of the Act shall not apply

 

(a)     Sections 8, 9 and 10 in Chapter II;

(b)     Clause (c) of sub-section (1) of section 24, and sections 26 and 27 in Chapter VI; and

(c)     Section 29 to section 36, and sections 38 and 39 in Chapter VII.

 

(2)     For the purposes of sub-section (1), a small entity shall be any data fiduciary which

 

(a)     did not have a turnover of more than twenty lakh rupees or such other lower amount as may be prescribed by the Central Government in the preceding financial year;

(b)     does not collect personal data for the purpose of disclosure to any other individuals or entities, including other data fiduciaries or processors; and

(c)     did not process personal data of more than one hundred data principals in any one day in the preceding twelve calendar months.

 

Explanation: For the purpose of sub-section (2), “turnover” means the gross amount of revenue recognised in the profit and loss account or any other equivalent statement, as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, by the data fiduciary in the preceding financial year.

 

 

 

CHAPTER X

DATA PROTECTION AUTHORITY OF INDIA

 

 

  49. Establishment and incorporation of Authority.—

 

(1)     The Central Government shall, by notification, establish for the purposes of this Act, an Authority to be called the Data Protection Authority of India.

 

(2)     The Authority shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.

 

(3)     The head office of the Authority shall be at such place as may be prescribed.

 

(4)     The Authority may, with the prior approval of the Central Government, establish its offices at other places in India.

 

 

  50. Composition and qualifications for appointment of members.—

 

(1)     The Authority shall consist of a chairperson and six whole-time members.

 

(2)     The chairperson and the members of the Authority shall be appointed by the Central Government on the recommendation made by a selection committee consisting of

(a)     the Chief Justice of India or a judge of the Supreme Court of India nominated by the Chief Justice of India, who shall be the chairperson of the selection committee;

(b)     the Cabinet Secretary; and

(c)     one expert of repute as mentioned in sub-section (6), to be nominated by the Chief Justice of India or a judge of the Supreme Court of India nominated by the Chief Justice of India, in consultation with the Cabinet Secretary.

 

(3)     The procedure to be followed by the selection committee for recommending the names under sub-section (2) shall be such as may be prescribed.

 

(4)     The chairperson and the members of the Authority shall be persons of ability, integrity and standing, and must have specialised knowledge of, and not less than ten years professional experience in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, and related subjects.

 

(5)     A vacancy caused to the office of the chairperson or any other member shall be filled
