Chapter I II III IV V VI VII VIII IX X
Sections 1-3 4-11 12-17 18-22 23 24-28 29-39 40-41 42-48 49-68
Title Preliminary Data Protection Obligations Grounds for Processing Personal Data Grounds for processing Sensitive personal Data Personal and Sensitive Personal Data of Children Data Principal Rights Transparency and Accountability Measures Transfer of Personal data outside India Exemptions Data Protection Authority of India
Chapter XI XII XIII XIV XV   Schedule 1 Schedule 2    
Sections 69-78 79-89 90-96 97 98-112          
Title Penalties and Remedies Appellate Tribunal Offences Transitional Provisions Miscellaneous Preamble Amendment to ITA 2000 Amendment to RTI Act 2005 PDF Copy of the Proposed Act Srikrishna Committee Report

CHAPTER XV

MISCELLANEOUS

98. Power of Central Government to issue directions in certain circumstances.

(1) The Central Government may, from time to time, issue to the Authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order.

(2) Without prejudice to the foregoing provisions of this Act, the Authority shall, in exercise of its powers or the performance of its functions under this Act, be bound by such directions on questions of policy as the Central Government may give in writing to it from time to time:

(3) Any direction issued by the Central Government shall, as far as practicable, be given, after providing an opportunity to the Authority to express its views in this regard.

(4) The decision of the Central Government on whether a question is one of policy or not, shall be final.


99. Members, etc., to be public servants.

The chairperson, members, officers and employees of the Authority and the Appellate Tribunal shall be deemed, when acting or purporting to act in pursuance of any of the provisions of this Act, to be public servants within the meaning of section 21 of the Indian Penal Code, 1860 (45 of 1860).


100. Protection of action taken in good faith.

No suit, prosecution or other legal proceedings shall lie against the Authority or its chairperson, member, employee or officer for anything which is done in good faith or intended to be done under this Act, or the rules prescribed, or the regulations specified there under.


101. Exemption from tax on income.

Notwithstanding anything contained in the Income Tax Act, 1961 (43 of 1961) or any other enactment for the time being in force relating to tax on income, profits or gains, as the case may be, the Authority shall not be liable to pay income tax or any other tax in respect of its income, profits or gains derived.


102. Delegation.

The chairperson of the Authority may, by general or special order in writing delegate to any member or officer of the Authority subject to such conditions, if any, as may be specified in the order, such of its powers and functions under this Act except the powers under section 108 as it may deem necessary.


103. Power to remove difficulties.

(1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order, published in the Official Gazette, make such provisions not inconsistent with the provisions of this Act as may appear to be necessary or expedient for removing the difficulty.

(2) No such order shall be made under this section after the expiry of five years from the commencement of this Act.

(3) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.


104. Power to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act or any provisions of this Act, processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.


105. No application to non-personal data

Nothing contained in this Act shall affect the power of the Central Government to formulate appropriate policies for the digital economy, including measures for its growth, security, integrity, prevention of misuse, in sofar as such policies do not govern personal data.


106. Bar on processing certain forms of biometric data

No data fiduciary shall process such biometric data as may be notified by the Central Government, unless such processing is permitted by law.


107. Power to make rules.

(1) The Central Government may, by notification, make rules to carry out the purposes of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely

(a) the form and manner in which an application to exercise the right under sub-section (4) of Section 27;

(b) the manner of review of the order passed by the Adjudicating Officer under sub- section (5) of section 27;

(c) the manner in which a complaint with the adjudication wing may be filed under sub-section (4) of section 39;

(d) the countries, sectors within a country, or international organisations to which transfers may be permitted under clause (b) of sub-section (1) of section 41;

(e) the time period of notification to the Authority under sub-section (4) of section 41 of the transfer of personal data to a particular country as permitted under clause (b) of sub-section (3) of section 41;

(f) the amount of turnover for a data fiduciary to qualify as a small entity under clause (a) of sub-section (2) of section 48;

(g) the place of establishment and incorporation of the head office of the Authority as under sub-section (3) of section 49;

(h) procedure to be followed by the selection committeeunder sub-section (3) of section 50;

(i) the salaries and allowances payable to, and other terms and conditions of service of the chairperson and the members of the Authority under sub-section (2) of section 51;

(j) the times and places for, and the rules and procedures in regard to, transaction of business at the meetings of the Authority under sub-section (1) of section 54;

(k) the form of accounts, other relevant records and annual statement of accounts under sub-section (1) of section 58;

(l) the intervals at which the accounts of the Authority will be audited under sub- section (2) of section 58;

(m) the time in which, and the form and manner in whichthe returns, statements, and particulars are to be furnished to the Central Government under sub-section (1) of
section 59;

(n) the time in which, and the form in which an annual report is to be prepared by the Authority and forwarded to the Central Government under sub-section (2) of section 59;

(o) other functions of the Authority under clause (x) of sub-section (2) of section 60;

(p) other matters under clause (e) of sub-section (3) of section 60 in respect of which the Authority shall have powers under the Code of Civil Procedure, 1908 (5 of
1908) that are vested in a civil court while trying a suit;

(q) the procedure of issuance of a code of practice under sub-section (4) of section 61; (r) the manner in which the Authority may review, modify or revoke a code of practice
under sub-section (9) of section 61;

(s) the manner in which the Authority shall maintain a register containing details of the codes of practice under sub-section (10) of section 61;

(t) the process for search and seizure under sub-section (11) of section 66;

(u) the number of Adjudicating Officers that the adjudication wing will consist of under sub-section (2) of section 68;

(v) the qualification, manner and terms of appointment, and jurisdiction of
Adjudicating Officers to ensure their independence, and the procedure for carrying out adjudication under this Act and other such requirements as deemed fit by the Central Government under sub-section (2) of section 68;

(w) the manner in which the Adjudicating Officer will conduct an inquiry under sub- section (1) of section 74;

(x) the form and manner of instituting a complaint under sub-section (2) of section 75;

(y) the procedure for hearing of a complaint and the limit on the amount of compensation under sub-section (8) of section 75;

(z) the qualifications, appointment, term of office, salaries and allowances, resignation, removal and the other terms and conditions of service of the chairperson and any member of the Appellate Tribunal under sub-section (1) of section 80;

(aa) the procedure of filling of vacancies in the Appellate Tribunal under section 81;

(bb) the salaries and allowances and other conditions of service of the officers and employees of the Appellate Tribunal under sub-section (3) of section 82;

(cc) the form, manner and fee for filing an appeal or application, as the case may be,with the Appellate Tribunal under sub-section (1) of section 84; and

(dd) other matters under clause (i) of sub-section (2) of section 85 in respect of which the Appellate Tribunal shall have powers under the Code of Civil Procedure, 1908
(5 of 1908) that are vested in a civil court while trying a suit.


108. Power to make regulations.

(1) The Authority may, by notification, make regulations consistent with this Act and the rules prescribed thereunder to carry out the purposes of this Act.

(2) In particular and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:

(a) information required to be provided by the data fiduciary to the data principal in its notice under clause (n) of sub-section (1) of section 8;

(b) manner in which the personal data retained by the data fiduciary must be deleted under sub-section (4) of section 10;

(c) reasonable purposes for which personal data may be processed in accordance with sub-section (2) of section17;

(d) safeguards as may be appropriate for protecting the rights of data principals under sub-section (3) of section17;

(e) any further categories of sensitive personal data and further grounds on which such data may be processed under sub-section (1) of section 22;
(f) such additional safeguards or restrictions applicable to processing of sensitive personal data and any further categories of personal data where there is repeated, continuous, systematic collection for the purposes of profiling and such additional safeguards required under sub-section (3) of section 22;

(g) the additional factors necessary for determining the appropriateness of age verification mechanisms to be incorporated by a data fiduciary processing the personal data and sensitive personal data of children under sub-section (3) of section 23;

(h) practices that may be undertaken by data fiduciaries offering counseling or child protection services under sub-section (6) of section 23;

(i) the time period within which a data fiduciary must comply with a request made under sub-section (3) of section 28;

(j) the time period within which a data principal may file a complaint under sub- section (4) of section 28;

(k) the form in which the data fiduciary is required to make available to the data principal information under sub-section (1) of section 30;

(l) the manner by which a data fiduciary shall notify the data principal regarding important operations in the processing of personal data under sub-section (2) of section 30;

(m) the manner of periodic review of security safeguards to be undertaken by the data fiduciary and the data processor under sub-section (2) of section 31;

(n) the circumstances or classes of data fiduciaries or processing operations where it is mandatory to carry out data protection impact assessments under sub-section (2) of section 33;
(o) the instances where a data auditor under this Act shall be engaged by the data fiduciary to undertake a data protection impact assessment under sub-section (2) of section 33;

(p) the manner in which the data fiduciary shall submit the data protection impact assessment to the Authority under sub-section (4) of section 33;

(q) any aspect of processing for which records shall be maintained under clause (d) of sub-section (1) of section 34;

(r) the form in which records shall be maintained under sub-section (2) of section 34;

(s) the factors to be taken into consideration while evaluating the compliance of data fiduciaries with the provisions of this Act under sub-section (2) of section 35;

(t) the form, manner and procedure by which data audits shall be conducted under sub-section (3) of section 35;

(u) criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 35;

(v) theeligibility, qualifications and functions to be performed by data auditors under sub-section (4) of section 35;

(w) the eligibility and qualification of a data protection officer under sub-section (3) of section 36;

(x) the registration requirements of significant data fiduciaries under sub-section (2) of section 38;

(y) the manner of certification and time period within which transfer of personal data shall be notified to the Authority under sub-section (6) of section 41;

(z) the provisions of the Act which may be exempted for different categories of research, archival or statistical purposes under sub-section (1) of section 45;

(aa) the remuneration, salary or allowances and other terms and conditions of service of such officers, employees, consultants and experts under sub-section (2) of section
56;

(bb) any other fees and charges for carrying out purposes of this Act under clause (t) of sub-section (2) of Section 60;

(cc) the manner in which information shall be provided to the authority by the data fiduciary under sub-section (3) of Section 63; and

(dd) any other matter which is required to be, or may be specified,or in respect of which provision is to be or may be made by regulations.


109. Rules and Regulations to be laid before Parliament.

Every rule and regulation made under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or regulation or, both Houses agree that the rule or regulation should not be made, the rule or regulation shall thereafter have effect only in such modified form or be of no effect, as the case may be;so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule or regulation.


110. Overriding effect of this Act.

Save as otherwise expressly provided under this Act, the provisions of this Act shall have an overriding effect to the extent that such provisions are inconsistent with any other law for the time being in force or any instrument having effect by virtue of any such law.


111. Amendment of Act 21 of 2000.

The Information Technology Act, 2000 (21 of 2000) shall be amended in the manner set out in the First Schedule to this Act.


112. Amendment of Act 22 of 2005.

The Right to Information Act, 2005 (22 of 2005) shall be in the manner set out in the Second Schedule to this Act.


 

Chapter I II III IV V VI VII VIII IX X
Sections 1-3 4-11 12-17 18-22 23 24-28 29-39 40-41 42-48 49-68
Title Preliminary Data Protection Obligations Grounds for Processing Personal Data Grounds for processing Sensitive personal Data Personal and Sensitive Personal Data of Children Data Principal Rights Transparency and Accountability Measures Transfer of Personal data outside India Exemptions Data Protection Authority of India
Chapter XI XII XIII XIV XV   Schedule 1 Schedule 2    
Sections 69-78 79-89 90-96 97 98-112          
Title Penalties and Remedies Appellate Tribunal Offences Transitional Provisions Miscellaneous Preamble Amendment to ITA 2000 Amendment to RTI Act 2005 PDF Copy of the Proposed Act Srikrishna Committee Report