The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) marks a significant legislative development in India’s data protection landscape. Enacted to safeguard individuals’ digital personal data while allowing lawful processing, this Act introduces essential definitions, consent requirements, and obligations for data fiduciaries.
Section 1 – Short Title and Commencement: This point establishes the Act’s official title as the “Digital Personal Data Protection Act, 2023.” It also outlines the Act’s commencement, stating that it comes into force on a date determined by the Central Government through a notification in the Official Gazette. This is a common practice in legislative documents, setting the effective date for the Act’s enforcement. Additionally, the point mentions that different dates can be appointed for different provisions of the Act. This flexibility allows for a phased implementation of various provisions.
Section 2 – Definitions: Point 2 introduces crucial definitions that form the basis for understanding the Act. It includes definitions of terms like “Appellate Tribunal,” “automated,” “Board,” “Data Fiduciary,” “Data Principal,” “Data Processor,” “personal data,” and many others. These definitions provide clarity and eliminate ambiguity in the interpretation of terms used throughout the Act. For example, “Data Fiduciary” is defined as a person who determines the purpose and means of processing personal data, while “Data Principal” refers to the individual to whom the personal data relates.
Section 3 – Application of the Act: This point outlines the scope of the Act’s application. It specifies that the Act applies to the processing of digital personal data within India’s territory, whether collected in digital or non-digital form and digitized subsequently. It also extends to the processing of digital personal data outside India if it’s related to offering goods or services to Data Principals within India. The point defines scenarios where the Act does not apply, such as personal data processed for personal or domestic purposes or data made publicly available by the Data Principal or under legal obligations. An illustration clarifies the application of this point.
Section 4 – Grounds for Processing Personal Data: Point 4 establishes the legal grounds for processing personal data. It emphasizes that personal data may only be processed based on the provisions of this Act and for lawful purposes. These lawful purposes include obtaining consent from the Data Principal or for certain legitimate uses, which are elaborated in Section 7 of the Act. The point reinforces that the term “lawful purpose” encompasses purposes that are not expressly prohibited by law.
Section 5 – Notice: Point 5 introduces the concept of providing notice to Data Principals when requesting consent for data processing. It mandates that every request for consent must be accompanied or preceded by a notice from the Data Fiduciary. The notice should include details about the personal data being processed, the purpose of processing, how Data Principals can exercise their rights, and how they can file complaints to the Data Protection Board. This requirement ensures transparency and informed decision-making by Data Principals. The point also addresses scenarios where consent was given before the Act’s commencement, emphasizing the need for retrospective notices.
Section 6 – Consent: Point 6 elaborates on the critical concept of consent in data processing. It defines the characteristics of valid consent, including being free, specific, informed, unconditional, and unambiguous. Clear affirmative action is required to signify agreement to process personal data for a specified purpose. The point also highlights that any part of consent that violates the Act, rules, or other laws will be invalid. It ensures that consent requests are presented in plain language and offers the option to access requests in languages specified in the Constitution’s Eighth Schedule. The right to withdraw consent is established, and the obligations of Data Fiduciaries and Consent Managers are outlined in the case of withdrawal.
Section 7 – Certain Legitimate Uses: This section outlines specific legitimate uses for which a Data Fiduciary can process personal data without seeking explicit consent. These include using data for purposes like those specified by the Data Principal, for government-provided subsidies or benefits, for state functions, compliance with laws, responding to emergencies, ensuring public health, ensuring safety during disasters, or for employment-related purposes. The point provides illustrative examples to clarify these legitimate uses.
Section 8 – General Obligations of Data Fiduciary: This section outlines the general obligations of a Data Fiduciary, including the responsibility to comply with the Act’s provisions and rules, appointing Data Processors under valid contracts, ensuring data accuracy and completeness, implementing technical and organizational measures for compliance, protecting personal data from breaches, notifying the Board and affected Data Principals of breaches, erasing personal data as required, publishing contact information for a Data Protection Officer, and establishing mechanisms to redress Data Principals’ grievances.
Section 9 – Processing of Personal Data of Children: This section pertains to the processing of personal data of children or persons with disabilities. It mandates obtaining verifiable consent from the parent or lawful guardian before processing such data. It prohibits processing that could harm a child’s well-being, tracking or behavioral monitoring, and targeted advertising directed at children. Certain exceptions are provided, and the Central Government can notify an age above which certain obligations don’t apply.
Section 10 – Additional Obligations of Significant Data Fiduciary: This section allows the Central Government to classify certain Data Fiduciaries as “Significant Data Fiduciaries” based on specified factors. Significant Data Fiduciaries are required to appoint a Data Protection Officer, undergo data audits, conduct Data Protection Impact Assessments, periodic audits, and adhere to additional measures as prescribed.
Section 11 – Right to Access Information About Personal Data: This section establishes the Data Principal’s right to access information about the processing of their personal data by the Data Fiduciary. This includes obtaining a summary of personal data being processed, identities of other entities with which data is shared, and other relevant information. Certain exemptions are provided for sharing data for legal purposes.
Section 12 – Right to Correction and Erasure of Personal Data: This section grants Data Principals the right to correct, complete, update, or erase their personal data. Data Fiduciaries are obliged to comply with such requests, correcting inaccurate or incomplete data and erasing data when requested unless retention is legally required.
Section 13 – Right of Grievance Redressal: This section establishes the right of Data Principals to have access to grievance redressal mechanisms provided by Data Fiduciaries or Consent Managers. The Data Fiduciary or Consent Manager is required to respond to grievances within a prescribed period.
Section 14 – Right to Nominate: Data Principals have the right to nominate individuals to exercise their rights under the Act in case of death or incapacity.
Section 15 – Duties of Data Principal: Data Principals are required to comply with applicable laws while exercising their rights, provide accurate information, not impersonate others, and not submit false grievances.
Section 16: Processing of personal data outside India
1. The Central Government has the authority to restrict the transfer of personal data by a Data Fiduciary to a country or territory outside India through a notification.
2. This restriction doesn’t affect any existing laws in India that might provide even higher levels of protection or restrictions on the transfer of personal data outside the country.
Section 17: Exemptions
1. Chapter II provisions don’t apply (except sub-sections (1) and (5) of section 8) along with Chapter III and section 16 in certain cases:
- Processing personal data is necessary for enforcing legal rights or claims.
- Processing personal data by a court, tribunal, or other authorized body for judicial, quasi-judicial, regulatory, or supervisory functions.
- Processing personal data in the interest of preventing, detecting, investigating, or prosecuting offenses.
- Processing personal data of Data Principals not in India based on a contract with a foreign entity.
- Processing personal data for court-approved schemes of company arrangements, mergers, amalgamations, etc.
- Processing personal data to ascertain financial information of loan defaulters.
2. The provisions of the Act do not apply to:
- Processing by government entities for national security, public order, etc.
- Processing necessary for research, archiving, or statistical purposes without specific decisions affecting Data Principals.
3. The Central Government can exclude certain Data Fiduciaries, including startups, from the application of specific sections like 5, sub-sections (3) and (7) of section 8, and sections 10 and 11 based on the volume and nature of data processed.
Section 18: Establishment of Board
- The Data Protection Board of India is established by the Central Government.
- The Board is a body corporate with perpetual succession, a common seal, and powers to acquire, hold, dispose of property, contract, sue, and be sued.
- The headquarters of the Board is determined by the Central Government.
Section 19: Composition and qualifications for appointment of Chairperson and Members
- The Board consists of a Chairperson and other Members as determined by the Central Government.
- Chairperson and Members are appointed as per prescribed procedures.
- They must possess ability, integrity, and expertise in various fields related to data governance, law, technology, etc., as determined by the Central Government.
Section 20: Salary, allowances payable to and term of office
- The salary, allowances, and other terms of service for Chairperson and Members are prescribed, and these terms can’t be changed to their disadvantage after appointment.
- The term of office for Chairperson and Members is two years, with eligibility for reappointment.
Section 21: Disqualifications for appointment and continuation
- Disqualifications for Chairperson or Members include insolvency, conviction of certain offenses, incapacity, financial conflicts of interest, or abuse of position.
- Removal from office requires an opportunity for the individual to be heard.
Section 22: Resignation by Members and filling of vacancy
- Chairperson or Members can resign with notice, and resignation takes effect on the specified date or after three months.
- Vacancies due to resignation, removal, or death are filled through fresh appointments.
- Post-service limitations on accepting employment are imposed, and acceptance of employment must be disclosed to the Central Government.
Section 23: Proceedings of Board
- Procedures for Board meetings and transactions are observed, including digital means.
- Irregularities or vacancies in the Board don’t necessarily invalidate its actions if they don’t affect the merits of the case.
- If Chairperson is absent, the senior-most Member temporarily assumes duties.
Section 24: Officers and employees of Board
The Board can appoint officers and employees, as necessary, with the Central Government’s approval, on terms and conditions prescribed.
Section 25: Members and officers to be public servants
Chairperson, Members, officers, and employees of the Board are considered public servants while acting in line with the Act.
Section 26: Powers of Chairperson
Chairperson has powers including overseeing administrative matters, authorizing scrutiny of communications, and allocating proceedings among Members.
Section 27: Powers and functions of Board
1. Board’s powers include addressing personal data breaches, conducting inquiries, imposing penalties for breaches, breaches by Consent Managers, breaches of registration conditions, and intermediary breaches.
2. Board can issue directions to ensure compliance and can modify, suspend, withdraw, or cancel directions based on representation or reference.
Section 28: Procedure to be followed by Board
- Board functions independently and digitally, using technological and legal measures.
- Board takes action based on intimation, complaint, reference, or directions.
- Board determines whether grounds for inquiry exist and can close proceedings if not sufficient grounds.
- If grounds for inquiry exist, Board inquires into compliance with Act provisions.
- Board follows natural justice principles during the inquiry.
- Board has powers similar to civil court under the Code of Civil Procedure.
- Access to premises is not blocked, and police or government officer assistance can be requisitioned.
- Interim orders can be issued during inquiry if necessary.
- On completion of inquiry, Board may close proceedings or proceed based on section 33.
- If a complaint is false or frivolous, Board can issue warnings or impose costs on complainant.
Section 29: Appeal to Appellate Tribunal
- Appeal to Appellate Tribunal: Individuals dissatisfied with an order or direction issued by the Board can file an appeal before the Appellate Tribunal.
- Timeframe and Formalities: The appeal must be filed within sixty days from receiving the order, accompanied by a prescribed fee and in the specified form.
- Extension of Time: If sufficient cause is established, the Appellate Tribunal can entertain an appeal even after the sixty-day period.
- Hearing and Orders: The Appellate Tribunal, after providing an opportunity for the parties to be heard, can pass orders confirming, modifying, or overturning the original order.
- Notification and Timeframe: The Appellate Tribunal must communicate its orders to the Board and the parties involved.
- Timely Disposal: The Appellate Tribunal should strive to finalize appeals within six months of their submission.
- Reasons for Delay: If the appeal isn’t concluded within six months, the Appellate Tribunal must provide written reasons for the delay.
- Procedural Framework: The Appellate Tribunal must follow the prescribed procedure for handling appeals, similar to the Telecom Regulatory Authority of India Act, 1997.
- Applicability of TRAI Act: Appeals against Appellate Tribunal orders under this Act are subject to the provisions of Section 18 of the Telecom Regulatory Authority of India Act, 1997.
- Digital Processing: The Appellate Tribunal should ideally function as a digital office, with digital processes for filing, hearings, and decision pronouncement.
Section 30: Orders passed by Appellate Tribunal to be executable as decree
1. Decree-like Executability: Orders issued by the Appellate Tribunal can be executed as if they were decrees from a civil court.
Transmittal to Civil Court: The Appellate Tribunal can transmit its orders to a civil court with local jurisdiction, which will then execute the order as a civil decree.
Section 31: Alternate dispute resolution
1. Mediation by Board: If the Board believes that a complaint can be resolved through mediation, it can direct the parties involved to seek dispute resolution via mediation.
2. Mediator Selection: The parties can mutually agree on a mediator, or a mediator can be chosen according to existing laws in India.
Section 32: Voluntary undertaking
1. Acceptance of Voluntary Undertaking: The Board has the authority to accept a voluntary undertaking from any person regarding compliance with this Act’s provisions, even during a proceeding under Section 28.
2. Scope of Undertaking: The voluntary undertaking can involve actions to be taken or refrained from, within specified timelines, and even publicizing the undertaking.
3. Variation of Terms: After acceptance, the Board, with the person’s consent, can modify the terms of the voluntary undertaking.
4. Legal Bar: The acceptance of a voluntary undertaking prevents legal proceedings related to its contents, except for specific cases mentioned.
5. Non-Adherence Consequences: Failure to adhere to the voluntary undertaking’s terms is considered a breach of this Act, and the Board can take action as per Section 33.
Section 33: Penalties
1. Monetary Penalties: The Board can impose monetary penalties on individuals or entities found to have significantly breached the Act’s provisions, following an inquiry.
2. Considerations for Penalties: Factors influencing the penalty amount include breach nature, personal data type affected, repetitiveness, gains or losses, mitigation efforts, proportionality, and impact.
Section 34: Crediting sums realized by way of penalties to Consolidated Fund of India
Funds from Penalties: All sums collected through penalties imposed by the Board are credited to the Consolidated Fund of India.
Section 35: Protection of action taken in good faith
Legal Protection: No legal action can be taken against the Central Government, the Board, its members, officers, or employees for actions carried out in good faith under this Act.
Section 36: Power to call for information
Information Request: The Central Government can require the Board, Data Fiduciaries, or intermediaries to provide information for the Act’s purposes.
Section 37: Power of Central Government to issue directions
The Central Government or authorized officers, acting on a Board reference, can direct public access blocking if a Data Fiduciary has received penalties in multiple instances, affecting public interests.
Section 38: Consistency with other laws
Supplementing Existing Laws: The Act’s provisions are complementary to other existing laws, not overriding them.
Section 39: Bar of jurisdiction
Exclusive Jurisdiction: Civil courts have no jurisdiction over matters within the Board’s authority, and no injunctions can be granted against actions taken under this Act.
Section 40: Power to make rules
Rule-making Authority: The Central Government can create rules for implementing the Act’s provisions, covering various matters listed in this section.
Section 41: Laying of rules and certain notifications
Parliamentary Oversight: Rules and notifications under Section 16 and Section 42 must be laid before both Houses of Parliament for a stipulated period before taking effect.
Section 42: Power to amend Schedule
Amendment Authority: The Central Government can amend the Schedule by notification, with limitations on increasing penalties beyond double the original amount.
Section 43: Power to remove difficulties
Addressing Challenges: The Central Government can issue orders to resolve difficulties in implementing the Act, subject to a three-year time limit.
Section 44: Amendments to certain Acts
Amendments in Other Acts: This section outlines amendments in the Telecom Regulatory Authority of India Act, 1997, the Information Technology Act, 2000, and the Right to Information Act, 2005, to accommodate this Act’s provisions.
*****
MINISTRY OF LAW AND JUSTICE
(Legislative Department)
New Delhi, the 11th August, 2023/ Sravana 20, 1945 (Saka)
The following Act of Parliament received the assent of the President on the 11th August, 2023 and is hereby published for general information:—
THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
(NO. 22 OF 2023)
[11th August, 2023.]
An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
BE it enacted by Parliament in the Seventy-fourth Year of the Republic of India as follows:––
CHAPTER I
PRELIMINARY
1. Short title and commencement.
(1) This Act may be called the Digital Personal Data Protection Act, 2023.
(2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.
2. Definitions.
(a) “Appellate Tribunal” means the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997;
(b) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
(c) “Board” means the Data Protection Board of India established by the Central Government under section 18;
(d) “certain legitimate uses” means the uses referred to in section 7;
(e) “Chairperson” means the Chairperson of the Board;
(f) “child” means an individual who has not completed the age of eighteen years;
(g) “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
(h) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
(i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
(j) “Data Principal” means the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
(k) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
(l) “Data Protection Officer” means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;
(m) “digital office” means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode;
(n) “digital personal data” means personal data in digital form;
(o) “gain” means—
(i) a gain in property or supply of services, whether temporary or permanent; or
(ii) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
(p) “loss” means—
(i) a loss in property or interruption in supply of services, whether temporary or permanent; or
(ii) a loss of opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
(q) “Member” means a Member of the Board and includes the Chairperson;
(r) “notification” means a notification published in the Official Gazette and the expressions “notify” and “notified” shall be construed accordingly;
(s) “person” includes—
(i) an individual;
(ii) a Hindu undivided family;
(iii) a company;
(iv) a firm;
(v) an association of persons or a body of individuals, whether incorporated or not;
(vi) the State; and
(vii) every artificial juristic person, not falling within any of the preceding sub-clauses;
(t) “personal data” means any data about an individual who is identifiable by or in relation to such data;
(u) “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;
(v) “prescribed” means prescribed by rules made under this Act;
(w) “proceeding” means any action taken by the Board under the provisions of this Act;
(x) “processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
(y) “she” in relation to an individual includes the reference to such individual irrespective of gender;
(z) “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10;
(za) “specified purpose” means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder; and
(zb) “State” means the State as defined under article 12 of the Constitution. 3. Subject to the provisions of this Act, it shall—
(a) apply to the processing of digital personal data within the territory of India where the personal data is collected––
(i) in digital form; or
(ii) in non-digital form and digitised subsequently;
(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;
(c) not apply to—
(i) personal data processed by an individual for any personal or domestic purpose; and
(ii) personal data that is made or caused to be made publicly available by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
Illustration.
X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.
CHAPTER II
OBLIGATIONS OF DATA FIDUCIARY
4. Grounds for processing personal data.
(1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.
(2) For the purposes of this section, the expression “lawful purpose” means any purpose which is not expressly forbidden by law.
5. Notice.
(1) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,—
(i) the personal data and the purpose for which the same is proposed to be processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the Board,
in such manner and as may be prescribed.
Illustration.
X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.
(2) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,—
(a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,––
(i) the personal data and the purpose for which the same has been processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.
(b) the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.
Illustration.
X, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an e-commerce service provider, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method information to X, describing the personal data and the purpose of its processing.
(3) The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution.
6. Consent.
(1) The consent given by the Data Principal shall be free, specific, informed, Consent. unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Illustration.
X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
(2) Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.
Illustration.
X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.
(4) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
(5) Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
(6) The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.
Illustration.
X, an individual, is the user of an online shopping app or website operated by Y, an e-commerce service provider. X consents to the processing of her personal data by Y for the purpose of fulfilling her supply order and places an order for supply of a good while making payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or website for placing orders, but may not stop the processing for supply of the goods already ordered and paid for by X.
(6) If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
Illustration.
X, a telecom service provider, enters into a contract with Y, a Data Processor, for emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her consent to X for the processing of her personal data for emailing of bills, downloads the mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall cause Y to cease, the processing of the personal data of Z for emailing bills.
(7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
(8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
(9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
(10) Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.
7. Certain legitimate uses.
A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:—
(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.
Illustrations.
(I) X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt.
(II) X, an individual, electronically messages Y, a real estate broker, requesting Y to help identify a suitable rented accommodation for her and shares her personal data for this purpose. Y may process her personal data to identify and intimate to her the details of accommodation available on rent. Subsequently, X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X;
(b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where––
(i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or
(ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government,
subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.
Illustration.
X. a pregnant woman, enrols herself on an app or website to avail of government’s maternity benefits programme, while consenting to provide her personal data for the purpose of availing of such benefits. Government may process the personal data of X processing to determine her eligibility to receive any other prescribed benefit from the government;
(c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;
(d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force;
(e) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;
(f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;
(g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
(h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.
Explanation.—For the purposes of this clause, the expression “disaster” shall have the same meaning as assigned to it in clause (d) of section 2 of the Disaster Management Act, 2005; or
(i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.
8. General obligations of Data Fiduciary.
(1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.
(3) Where personal data processed by a Data Fiduciary is likely to be—
(a) used to make a decision that affects the Data Principal; or
(b) disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
(4) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.
(5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.
Illustrations.
(I) X, an individual, registers herself on an online marketplace operated by Y, an e-commerce service provider. X gives her consent to Y for the processing of her personal data for selling her used car. The online marketplace helps conclude the sale. Y shall no longer retain her personal data.
(II) X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X’s personal data for the said period.
(8) The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not––
(a) approach the Data Fiduciary for the performance of the specified purpose; and
(b) exercise any of her rights in relation to such processing, for such time period as may be prescribed, and different time periods may be prescribed for different classes of Data Fiduciaries and for different purposes.
(9) A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.
(10) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.
(11) For the purposes of this section, it is hereby clarified that a Data Principal shall be considered as not having approached the Data Fiduciary for the performance of the specified purpose, in any period during which she has not initiated contact with the Data Fiduciary for such performance, in person or by way of communication in electronic or physical form.
9. Processing of personal data of children.
(1) The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.
Explanation.—For the purpose of this sub-section, the expression “consent of the parent” includes the consent of lawful guardian, wherever applicable.
(2) A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
(4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed.
(5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations under sub-sections (1) and (3) in respect of processing by that Data Fiduciary as the notification may specify.
10. Additional obligations of Significant Data Fiduciary.
(1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including—
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of Data Principal;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
(2) The Significant Data Fiduciary shall—
(a) appoint a Data Protection Officer who shall—
(i) represent the Significant Data Fiduciary under the provisions of this Act;
(ii) be based in India;
(iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
(iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act;
(b) appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and
(c) undertake the following other measures, namely:—
(i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;
(ii) periodic audit; and
(iii) such other measures, consistent with the provisions of this Act, as may be prescribed.
CHAPTER III
RIGHTS AND DUTIES OF DATA PRINCIPAL
11. Right to access information about personal data.
(1) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,—
(a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
(b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
(c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed.
(2) Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
12. Right to correction and erasure of personal data.
(1) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force.
(2) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,—
(a) correct the inaccurate or misleading personal data;
(b) complete the incomplete personal data; and
(c) update the personal data.
(3) A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.
13. Right of grievance redressal.
(1) A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
(2) The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries.
(3) The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.
14. Right to nominate.
(1) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
(2) For the purposes of this section, the expression “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act or the rules made thereunder due to unsoundness of mind or infirmity of body.
15. Duties of Data Principal.
A Data Principal shall perform the following duties, namely:—
(a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;
(b) to ensure not to impersonate another person while providing her personal data for a specified purpose;
(c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
(d) to ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
(e) to furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
CHAPTER IV
SPECIAL PROVISIONS
16. Processing of personal data outside India.
(1) The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.
(2) Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.
17. Exemptions.
(1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where—
(a) the processing of personal data is necessary for enforcing any legal right or claim;
(b) the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function;
(c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India;
(d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India;
(e) the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and
(f) the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force.
Explanation.—For the purposes of this clause, the expressions “default” and “financial institution” shall have the meanings respectively assigned to them in sub-sections (12) and (14) of section 3 of the Insolvency and Bankruptcy Code, 2016.
Illustration.
X, an individual, takes a loan from Y, a bank. X defaults in paying her monthly loan repayment instalment on the date on which it falls due. Y may process the personal data of X for ascertaining her financial information and assets and liabilities.
(2) The provisions of this Act shall not apply in respect of the processing of personal data—
(a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.
(3) The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7) of section 8 and sections 10 and 11 shall not apply.
Explanation.—For the purposes of this sub-section, the term “startup” means a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government.
(4) In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply.
(5) The Central Government may, before expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification.
CHAPTER V
DATA PROTECTION BOARD OF INDIA
18. Establishment of Board.
(1) With effect from such date as the Central Government may, by notification, appoint, there shall be established, for the purposes of this Act, a Board to be called the Data Protection Board of India.
(2) The Board shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.
(3) The headquarters of the Board shall be at such place as the Central Government may notify.
19. Composition and qualifications for appointment of Chairperson and Members.
(1) The Board shall consist of a Chairperson and such number of other Members as the Central Government may notify.
(2) The Chairperson and other Members shall be appointed by the Central Government in such manner as may be prescribed.
(3) The Chairperson and other Members shall be a person of ability, integrity and standing who possesses special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board, and at least one among them shall be an expert in the field of law.
20. Salary, allowances payable to and term of office.
(1) The salary, allowances and other terms and conditions of service of the Chairperson and other Members shall be such as may be prescribed, and shall not be varied to their disadvantage after their appointment.
(2) The Chairperson and other Members shall hold office for a term of two years and shall be eligible for re-appointment.
21. Disqualifications for appointment and continuation as Chairperson and Members of Board.
(1) A person shall be disqualified for being appointed and continued as the Chairperson or a Member, if she—
(a) has been adjudged as an insolvent;
(b) has been convicted of an offence, which in the opinion of the Central Government, involves moral turpitude;
(c) has become physically or mentally incapable of acting as a Member;
(d) has acquired such financial or other interest, as is likely to affect prejudicially her functions as a Member; or
(e) has so abused her position as to render her continuance in office prejudicial to the public interest.
(2) The Chairperson or Member shall not be removed from her office by the Central Government unless she has been given an opportunity of being heard in the matter.
22. Resignation by Members and filling of vacancy.
(1) The Chairperson or any other Member may give notice in writing to the Central Government of resigning from her office, and such resignation shall be effective from the date on which the Central Government permits her to relinquish office, or upon expiry of a period of three months from the date of receipt of such notice, or upon a duly appointed successor entering upon her office, or upon the expiry of the term of her office, whichever is earliest.
(2) A vacancy caused by the resignation or removal or death of the Chairperson or any other Member, or otherwise, shall be filled by fresh appointment in accordance with the provisions of this Act.
(3) The Chairperson and any other Member shall not, for a period of one year from the date on which they cease to hold such office, except with the previous approval of the Central Government, accept any employment, and shall also disclose to the Central Government any subsequent acceptance of employment with any Data Fiduciary against whom proceedings were initiated by or before such Chairperson or other Member.
23. Proceedings of Board.
(1) The Board shall observe such procedure in regard to the holding of and transaction of business at its meetings, including by digital means, and authenticate its orders, directions and instruments in such manner as may be prescribed.
(2) No act or proceeding of the Board shall be invalid merely by reason of—
(a) any vacancy in or any defect in the constitution of the Board;
(b) any defect in the appointment of a person acting as the Chairperson or other Member of the Board; or
(c) any irregularity in the procedure of the Board, which does not affect the merits of the case.
(3) When the Chairperson is unable to discharge her functions owing to absence, illness or any other cause, the senior-most Member shall discharge the functions of the Chairperson until the date on which the Chairperson resumes her duties.
24. Officers and employees of Board.
The Board may, with previous approval of the Central Government, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of this Act, on such terms and conditions of appointment and service as may be prescribed.
25. Members and officers to be public servants.
The Chairperson, Members, officers and employees of the Board shall be deemed, when acting or purporting to act in pursuance of provisions of this Act, to be public servants within the meaning of section 21 of the Indian Penal Code.
26. Powers of Chairperson.
The Chairperson shall exercise the following powers, namely:—
(a) general superintendence and giving direction in respect of all administrative matters of the Board;
(b) authorise any officer of the Board to scrutinise any intimation, complaint, reference or correspondence addressed to the Board; and
(c) authorise performance of any of the functions of the Board and conduct any of its proceedings, by an individual Member or groups of Members and to allocate proceedings among them.
CHAPTER VI
POWERS, FUNCTIONS AND PROCEDURE TO BE FOLLOWED BY BOARD
27. Powers and functions of Board.
(1) The Board shall exercise and perform the following powers and functions, namely:—
(a) on receipt of an intimation of personal data breach under sub-section (6) of section 8, to direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act;
(b) on a complaint made by a Data Principal in respect of a personal data breach or a breach in observance by a Data Fiduciary of its obligations in relation to her personal data or the exercise of her rights under the provisions of this Act, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court, to inquire into such breach and impose penalty as provided in this Act;
(c) on a complaint made by a Data Principal in respect of a breach in observance by a Consent Manager of its obligations in relation to her personal data, to inquire into such breach and impose penalty as provided in this Act;
(d) on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act; and
(e) on a reference made by the Central Government in respect of the breach in observance of the provisions of sub-section (2) of section 37 by an intermediary, to inquire into such breach and impose penalty as provided in this Act.
(2) The Board may, for the effective discharge of its functions under the provisions of this Act, after giving the person concerned an opportunity of being heard and after recording reasons in writing, issue such directions as it may consider necessary to such person, who shall be bound to comply with the same.
(3) The Board may, on a representation made to it by a person affected by a direction issued under sub-section (1) or sub-section (2), or on a reference made by the Central Government, modify, suspend, withdraw or cancel such direction and, while doing so, impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.
28. Procedure to be followed by Board.
(1) The Board shall function as an independent body and shall, as far as practicable, function as a digital office, with the receipt of complaints and the allocation, hearing and pronouncement of decisions in respect of the same being digital by design, and adopt such techno-legal measures as may be prescribed.
(2) The Board may, on receipt of an intimation or complaint or reference or directions as referred to in sub-section (1) of section 27, take action in accordance with the provisions of this Act and the rules made thereunder.
(3) The Board shall determine whether there are sufficient grounds to proceed with an inquiry.
(4) In case the Board determines that there are insufficient grounds, it may, for reasons to be recorded in writing, close the proceedings.
(5) In case the Board determines that there are sufficient grounds to proceed with inquiry, it may, for reasons to be recorded in writing, inquire into the affairs of any person for ascertaining whether such person is complying with or has complied with the provisions of this Act.
(6) The Board shall conduct such inquiry following the principles of natural justice and shall record reasons for its actions during the course of such inquiry.
(7) For the purposes of discharging its functions under this Act, the Board shall have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, in respect of matters relating to—
(a) summoning and enforcing the attendance of any person and examining her on oath;
(b) receiving evidence of affidavit requiring the discovery and production of documents;
(c) inspecting any data, book, document, register, books of account or any other document; and
(d) such other matters as may be prescribed.
(8) The Board or its officers shall not prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person.
(9) The Board may require the services of any police officer or any officer of the Central Government or a State Government to assist it for the purposes of this section and it shall be the duty of every such officer to comply with such requisition.
(10) During the course of the inquiry, if the Board considers it necessary, it may for reasons to be recorded in writing, issue interim orders after giving the person concerned an opportunity of being heard.
(11) On completion of the inquiry and after giving the person concerned an opportunity of being heard, the Board may for reasons to be recorded in writing, either close the proceedings or proceed in accordance with section 33.
(12) At any stage after receipt of a complaint, if the Board is of the opinion that the complaint is false or frivolous, it may issue a warning or impose costs on the complainant.
CHAPTER VII
APPEAL AND ALTERNATE DISPUTE RESOLUTION
29. Appeal to Appellate Tribunal.
(1) Any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal.
(2) Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed.
(3) The Appellate Tribunal may entertain an appeal after the expiry of the period specified in sub-section (2), if it is satisfied that there was sufficient cause for not preferring the appeal within that period.
(4) On receipt of an appeal under sub-section (1), the Appellate Tribunal may, after giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.
(5) The Appellate Tribunal shall send a copy of every order made by it to the Board and to the parties to the appeal.
(6) The appeal filed before the Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible and endeavour shall be made by it to dispose of the appeal finally within six months from the date on which the appeal is presented to it.
(7) Where any appeal under sub-section (6) could not be disposed of within the period of six months, the Appellate Tribunal shall record its reasons in writing for not disposing of the appeal within that period.
(8) Without prejudice to the provisions of section 14A and section 16 of the Telecom Regulatory Authority of India Act, 1997, the Appellate Tribunal shall deal with an appeal under this section in accordance with such procedure as may be prescribed.
(9) Where an appeal is filed against the orders of the Appellate Tribunal under this Act, the provisions of section 18 of the Telecom Regulatory Authority of India Act, 1997 shall apply.
(10) In respect of appeals filed under the provisions of this Act, the Appellate Tribunal shall, as far as practicable, function as a digital office, with the receipt of appeal, hearing and pronouncement of decisions in respect of the same being digital by design.
30. Orders passed by Appellate Tribunal to be executable as decree.
(1) An order passed by the Appellate Tribunal under this Act shall be executable by it as a decree of civil court, and for this purpose, the Appellate Tribunal shall have all the powers of a civil court.
(2) Notwithstanding anything contained in sub-section (1), the Appellate Tribunal may transmit any order made by it to a civil court having local jurisdiction and such civil court shall execute the order as if it were a decree made by that court.
31. Alternate dispute resolution.
If the Board is of the opinion that any complaint may be resolved by mediation, it may direct the parties concerned to attempt resolution of the dispute through such mediation by such mediator as the parties may mutually agree upon, or as provided for under any law for the time being in force in India.
32. Voluntary undertaking.
(1) The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under section 28.
(2) The voluntary undertaking referred to in sub-section (1) may include an undertaking to take such action within such time as may be determined by the Board, or refrain from taking such action, and or publicising such undertaking.
(3) The Board may, after accepting the voluntary undertaking and with the consent of the person who gave the voluntary undertaking vary the terms included in the voluntary undertaking.
(4) The acceptance of the voluntary undertaking by the Board shall constitute a bar on proceedings under the provisions of this Act as regards the contents of the voluntary undertaking, except in cases covered by sub-section (5).
(5) Where a person fails to adhere to any term of the voluntary undertaking accepted by the Board, such breach shall be deemed to be breach of the provisions of this Act and the Board may, after giving such person an opportunity of being heard, proceed in accordance with the provisions of section 33.
CHAPTER VIII
PENALTIES AND ADJUDICATION
33. Penalties.
(1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.
(2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:—
(a) the nature, gravity and duration of the breach;
(b) the type and nature of the personal data affected by the breach;
(c) repetitive nature of the breach;
(d) whether the person, as a result of the breach, has realised a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
(f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
(g) the likely impact of the imposition of the monetary penalty on the person.
34. Crediting sums realised by way of penalties to Consolidated Fund of India.
All sums realised by way of penalties imposed by the Board under this Act, shall be credited to the Consolidated Fund of India.
CHAPTER IX
MISCELLANEOUS
35. Protection of action taken in good faith.
No suit, prosecution or other legal proceedings shall lie against the Central Government, the Board, its Chairperson and any Member, officer or employee thereof for anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder.
36. Power to call for information.
The Central Government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for.
37. Power of Central Government to issue directions.
(1) The Central Government or any of its officers specially authorised by it in this behalf may, upon receipt of a reference in writing from the Board that—
(a) intimates the imposition of monetary penalty by the Board on a Data Fiduciary in two or more instances; and
(b) advises, in the interests of the general public, the blocking for access by the public to any information generated, transmitted, received, stored or hosted, in any computer resource that enables such Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within the territory of India,
after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it is necessary or expedient so to do, in the interests of the general public, for reasons to be recorded in writing, by order, direct any agency of the Central Government or any intermediary to block for access by the public or cause to be blocked for access by the public any such information.
(2) Every intermediary who receives a direction issued under sub-section (1) shall be bound to comply with the same.
(3) For the purposes of this section, the expressions “computer resource”, “information” and “intermediary” shall have the meanings respectively assigned to them in the Information Technology Act, 2000.
38. Consistency with other laws.
(1) The provisions of this Act shall be in addition to and not in derogation of any other law for the time being in force.
(2) In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.
39. Bar of jurisdiction.
No civil court shall have the jurisdiction to entertain any suit or proceeding in respect of any matter for which the Board is empowered under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power under the provisions of this Act.
40. Power to make rules.
(1) The Central Government may, by notification, and subject to the condition of previous publication, make rules not inconsistent with the provisions of this Act, to carry out the purposes of this Act.
(2) In particular and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:—
(a) the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (1) of section 5;
(b) the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (2) of section 5;
(c) the manner of accountability and the obligations of Consent Manager under sub-section (8) of section 6;
(d) the manner of registration of Consent Manager and the conditions relating thereto, under sub-section (9) of section 6;
(e) the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which, personal data may be processed under clause (b) of section 7;
(f) the form and manner of intimation of personal data breach to the Board under sub-section (6) of section 8;
(g) the time period for the specified purpose to be deemed as no longer being served, under sub-section (8) of section 8;
(h) the manner of publishing the business contact information of a Data Protection Officer under sub-section (9) of section 8;
(i) the manner of obtaining verifiable consent under sub-section (1) of section 9;
(j) the classes of Data Fiduciaries, the purposes of processing of personal data of a child and the conditions relating thereto, under sub-section (4) of section 9;
(k) the other matters comprising the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10;
(l) the other measures that the Significant Data Fiduciary shall undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10;
(m) the manner in which a Data Principal shall make a request to the Data Fiduciary to obtain information and any other information related to the personal data of such Data Principal and its processing, under sub-section (1) of section 11;
(n) the manner in which a Data Principal shall make a request to the Data Fiduciary for erasure of her personal data under sub-section (3) of section 12;
(o) the period within which the Data Fiduciary shall respond to any grievances under sub-section (2) of section 13;
(p) the manner of nomination of any other individual by the Data Principal under sub-section (1) of section 14;
(q) the standards for processing the personal data for exemption under clause (b) of sub-section (2) of section 17;
(r) the manner of appointment of the Chairperson and other Members of the Board under sub-section (2) of section 19;
(s) the salary, allowances and other terms and conditions of services of the Chairperson and other Members of the Board under sub-section (1) of section 20;
(t) the manner of authentication of orders, directions and instruments under sub-section (1) of section 23;
(u) the terms and conditions of appointment and service of officers and employees of the Board under section 24;
(v) the techno-legal measures to be adopted by the Board under sub-section (1) of section 28;
(w) the other matters under clause (d) of sub-section (7) of section 28;
(x) the form, manner and fee for filing an appeal under sub-section (2) of section 29;
(y) the procedure for dealing an appeal under sub-section (8) of section 29;
(z) any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules.
41. Laying of rules and certain notifications.
Every rule made and every notification issued under section 16 and section 42 of this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or notification or both Houses agree that the rule or notification should not be made or issued, the rule or notification shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule or notification.
42. Power to amend Schedule.
(1) The Central Government may, by notification, amend the Schedule, subject to the restriction that no such notification shall have the effect of increasing any penalty specified therein to more than twice of what was specified in it when this Act was originally enacted.
(2) Any amendment notified under sub-section (1) shall have effect as if enacted in this Act and shall come into force on the date of the notification.
43. Power to remove difficulties
(1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order published in the Official Gazette, make such provisions not inconsistent with the provisions of this Act as may appear to it to be necessary or expedient for removing the difficulty.
(2) No order as referred to in sub-section (1) shall be made after the expiry of three years from the date of commencement of this Act.
(3) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.
44. Amendments to certain Acts.
(1) In section 14 of the Telecom Regulatory Authority of India Act, 1997, in clause (c), for sub-clauses (i) and (ii), the following sub-clauses shall be substituted, namely:—
“(i) the Appellate Tribunal under the Information Technology Act, 2000;
(ii) the Appellate Tribunal under the Airports Economic Regulatory Authority of India Act, 2008; and
(iv) he Appellate Tribunal under the Digital Personal Data Protection Act, 2023.”.
(2) The Information Technology Act, 2000 shall be amended in the following manner, namely:—
(a) section 43A shall be omitted;
(b) in section 81, in the proviso, after the words and figures “the Patents Act, 1970”, the words and figures “or the Digital Personal Data Protection Act, 2023” shall be inserted; and
(c) in section 87, in sub-section (2), clause (ob) shall be omitted.
(3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), the following clause shall be substituted, namely:—
“(j) information which relates to personal information;”.
THE SCHEDULE
[See section 33 (1)]
|
Sl. No. |
Breach of provisions of this Act or rules made thereunder | Penalty |
| (1) | (2) | (3) |
| 1. | Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8. | May extend to two hundred and fifty crore rupees. |
| 2. | Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. | May extend to two hundred crore rupees. |
| 3. | Breach in observance of additional obligations in relation to children under section 9. | May extend to two hundred crore rupees. |
| 4. | Breach in observance of additional obligations of Significant Data Fiduciary under section 10. | May extend to one hundred and fifty crore rupees. |
| 5. | Breach in observance of the duties under section 15. | May extend to ten thousand rupees. |
| 6. | Breach of any term of voluntary undertaking accepted by the Board under section 32. | Breach of any term of voluntary undertaking accepted by the Board under section 32. |
| 7. | Breach of any other provision of this Act or the rules made thereunder. | May extend to fifty crore rupees. |
REETA VASISHTA,
Secretary to the Govt. of India.
