|
|
The Data Protection Bill 2021
(This Bill has since been withdrawn and a new Version is expected to
be presented ) |
|
Section |
CHAPTER XIV
MISCELLANEOUS |
| 87 |
Power of Central Government to issue directions.
(1) The Central Government may, from time to time, issue to the
Authority such directions as it may think necessary in the interest
of the sovereignty and integrity of India, the security of the
State, friendly relations with foreign States or public order.
(2) Without prejudice to the foregoing provisions of this Act, the
Authority shall, in exercise of its powers or the performance of its
functions under this Act, be bound by such directions (***) as the
Central Government may give in writing to it from time to time:
Provided that the Authority shall, as far as practicable, be given
an opportunity to express its views before any direction is given
under this sub-section.
(3) (***)
|
| 88 |
Members, etc., to be public servants.
The Chairperson, Members, officers and employees of the Authority and the
Appellate Tribunal shall be deemed, when acting or purporting to act
in pursuance of any of the provisions of this Act, to be public
servants within the meaning of section 21 of the Indian Penal
Code.(45 of 1860.)
|
| 89 |
Protection of action taken in good faith.
.No suit, prosecution or other legal proceedings shall lie against
the Authority or its Chairperson, Member, employee or officer for
anything which is (***) in good faith doneor intended to be done
under this Act, or the rules (***) or (***) regulations (***) made
thereunder.
|
| 90 |
Exemption from tax on income.
Notwithstanding anything contained in the Income Tax Act, 1961(43
of 1961.) or any other enactment for the time being in force
relating to tax on income, profits or gains, as the case may be, the
Authority shall not be liable to pay income tax or any other tax in
respect of its income, profits or gains derived.
|
| 91 |
Delegation.
The Authority may, by general or special order in writing
delegate to any Member or officer of the Authority subject to such
conditions, if any, as may be specified in the order, such of its
powers and functions under this Act, except the powers to make
regulations under section 95, as it may deem necessary.
|
| 92 |
Act to promote framing of policies for digital economy, etc..
(1) Nothing in this Act shall prevent the Central Government from
framing (***) any policy for the digital economy, including measures
for its growth, security, integrity, prevention of misuse,(***) and
handling of non personal data including anonymised personal data.
(2) The Central Government may, in consultation with the Authority,
direct any data fiduciary or data processor to provide any personal
data anonymised or other non-personal data to enable better
targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be
prescribed.
Explanation.-(***)
(3) The Central Government shall disclose annually the directions,
made by it under sub-section (2), in such form as may be prescribed
and such disclosure shall be included in its Annual Report which
shall be laid before each House of Parliament.
|
| 93 |
Bar on processing certain forms of biometric data.
(***) Any data fiduciary shall not process such biometric data as
may be (***) prescribed, unless such processing is permitted by law.
|
| 94 |
Power to make rules.
(1)The Central Government may, by notification and subject to the
condition of previous publication, make rules, not inconsistent with
the provisions of this Act, to carry out the (***) purposes of this
Act.
(2) In particular, and without prejudice to the generality of the
foregoing power, such rules may provide for all or any of the
following matters, namely:—
(a) (***) any other harm under sub-clause (xii) of clause (23) of
section 2;
(b) the manner in which a data fiduciary can share, transfer or
transmit the personal data to any person as part of any business
transaction under sub-section (4) of section 8;
(c) the other factors to be taken into consideration under clause
(d) of sub-section (3) of section 16;
(d) the form and manner in which an application may be made to
exercise the right under sub-section (2), and the manner of review
of the order passed by the Adjudicating Officer under sub-section
(4) of section 20;
(e) the steps to be taken by the Authority in case of breach of
non-personal data under sub-section (6) of section 25;
(f) the threshold with respect to users of social media platform
under sub-clause (i) of clause (f) of sub-section (1) and different
thresholds for different classes of social media platforms under the
proviso to clause (f) of sub-section (1) of section 26;
(g) the (***) manner of voluntary (***) verification of the accounts
of the users of social media platform under sub-section (3) and the
identifying mark of verification of a voluntarily verified user
under sub-section (4) of section 28;
(h) (***) the manner of registration of data auditors under
sub-section (4) of section 29;
(i) the qualifications and experience of data protection officer and
other personnel to be included under the expression “key managerial
personnel” under sub-section (1) of section 30;
(j) the entity or class of (***) entities in a country, or
international organisations to which transfers may be permitted
under clause (b) of sub-section (1) of section 34;
(k) the place of head office of the Authority under sub-section (3)
of section 41;
(l) the procedure to be followed by the selection committee under
sub-section (3) of section 42;
(m) the salaries and allowances payable to, and other terms and
conditions of service of the Chairperson and the Members of the
Authority under sub-section (2) of section 43;
(n) the time and place for, and the rules and procedures in regard
to transaction of business at the meetings (including quorum) of the
Authority under sub-section (1) of section 46;
(o) other functions of the Authority under clause (p) of sub-section
(2) of section 49;
(p) the procedure of issuance of a code of practice under
sub-section (4), the manner in which the Authority may review,
modify or revoke a code of practice under sub-section (7), of
section 50;
(q) other matters under clause (e) of sub-section (8) of section 53
in respect of which the Authority shall have powers;
(r) the penalties for contravening of certain provisions of this Act
by data fiduciaries including by State under sub-sections (1), (2)
and (3) of section 57;
(s) the form, manner and the period for filing an application for
compensation under sub-section (2) of section 62;
(t) the number of Adjudicating Officers, manner and terms of their
appointment, their jurisdiction and other requirements under
sub-section (2) and the qualifications and the experience of such
Adjudicating Officers under sub-section (3)of section 63;
(u) the manner in which the Adjudicating Officer shall conduct an
inquiry under sub-section (1) of section 64;
(v) the form and manner of making an application(***) and the
procedure for hearing of (***) an application under sub-section (7)
of section 65;
(w) the manner of appointment, term of office, salaries and
allowances, resignation, removal and the other terms and conditions
of service of the Chairperson and any Member of the Appellate
Tribunal under sub-section (2) of section 69;
(x)the procedure of filling of vacancies in the Appellate Tribunal
under section 70;
(y) the salaries and allowances and other conditions of service of
the officers and employees of the Appellate Tribunal under
sub-section (3) of section 71;
(z) the form, manner and fee for filing an appeal (***) with the
Appellate Tribunal under sub-section (1) of section 73;
(za) other matters under clause (i) of sub-section (2) of section 74
in respect of powers of the Appellate Tribunal;
(zb) the form of accounts, other relevant records and annual
statement of accounts under sub-section (1), the intervals at which
the accounts of the Authority shall be audited under sub-section (2)
of section 81;
(zc) the time, (***) the form and manner in which the returns,
statements, and particulars are to be furnished to the
Central Government under sub-section (1), and annual report under
sub-section (2) of section 82;
(zd) the manner in which the Central Government may issue a
direction, including the specific purposes for which data is sought
under sub-section (2) and the form of disclosure of such directions
under sub-section (3) of section 92;
(ze) the details of biometric data not to be processed under section
93;
(zf) any other matter which is required to be, or may be prescribed,
or in respect of which provision is to be made, by rules.
|
| 95 |
Power to make regulations.
(1) The Authority may, by notification and subject to the
condition of previous publication, make regulations, not
inconsistent with the provisions of this Act and the rules made
thereunder, to carry out the (***) purposes of this Act.
(2) In particular and without prejudice to the generality of the
foregoing power, such regulations may provide for all or any of the
following matters, namely:—
(a) any other information required to be provided by the data
fiduciary to the data principal in its notice under clause (n) of
sub-section (1) of section 7;
(b) the manner in which the personal data retained by the data
fiduciary must be deleted under sub-section (4) of section 9;
(c) the reasonable purposes under sub-section (1) and the safeguards
for protecting the rights of data principals under sub-section (3)
of section 14;
(d) the additional safeguards or restrictions under sub-section (2)
of section 15;
(e) the manner of obtaining consent of the parent or guardian of a
child (***) and the manner of verification of age of a child under
sub-section (2), application of provision in modified form to data
fiduciaries offering counselling or child protection services under
sub-section (5) of section 16;
(f) the manner in which the data principal shall have the right to
access in one place the identities of the data fiduciaries with whom
his personal data has been shared by any data fiduciary together
with the categories of
239
personal data shared with them under sub-section (3) of section 17;
(g) the conditions and the manner in which the data principal shall
have the right to correction and erasure of the personal data under
section 18;
(h) the manner for determining the compliance which would not be
technically feasible for non-application of the provisions of
sub-section (1) under clause (b) of sub-section (2) of section 19;
(i) the period within which a data fiduciary must acknowledge the
receipt of request under sub-section (1), the fee to be charged
under sub-section (2),the period within which request is to be
complied with under sub-section (3), and the manner and the period
within which a data principal may file a complaint under sub-section
(4) of section 21;
(j) the conditions under which the data fiduciary shall oblige to
comply with the request made by the data principal under sub-section
(5) of section 21;
(k) the manner and the period for submission of privacy by design
policy under sub-section (2) of section 22;
(l) the form and manner for making the information available, any
other information to be maintained by the data fiduciary under
sub-section (1) and the manner of notifying the important operations
in the processing of personal data related to data principal under
sub-section (2) of section 23;
(m) the manner and the technical, operational, financial and other
conditions for registration of the Consent Manager (***) under
sub-section (5) of section 23;
(n) the manner of review of security safeguards periodically by data
fiduciary or data processor under sub-section (2) of section 24;
(o) the form of notice under sub-section (2) of section 25;
(p) the manner of registration of significant data fiduciaries under
sub-section (2) of section 26;
(q) the circumstances or class(***) of data fiduciaries or
processing operations where data protection impact
assessments shall be mandatory and instances where data auditor
shall be (***) engaged under sub-section (2), (***) the manner in
which data protection officer shall review the data protection
impact assessment and submit to the Authority under sub-section (4)
of section 27(***)and the conditions for processing under
sub-section (5) of section 27;
(r) the form and manner for maintaining the records, and any other
aspect of processing for which records shall be maintained under
sub-section (1) of section 28;
(s) the other factors to be taken into consideration under clause
(g) of sub-section (2); the form and procedure for conducting audits
under sub-section (3); (***) criteria on the basis of which rating
in the form of a data trust score may be assigned to a data
fiduciary under sub-section (6) of section 29;
(t) the period within which transfer of personal data shall be
notified to the Authority under sub-section (3) of section 34;
(u) the provisions of the Act and the class of research, archiving
or statistical purposes which may be exempted under section 38;
(v) the manner of inclusion by the data fiduciary for inclusion in
the Sandbox under sub-section (2) and any other information required
to be included in the Sandbox by the data fiduciary under clause (d)
of sub-section (3) of section 40;
(w) the remuneration, salary or allowances and other terms and
conditions of service of such officers, employees, consultants and
experts under sub-section (2) of section 48;
(x) the code of practice under sub-section (1) of section 50;
(y) the manner, period and form(***) for providing information to
the Authority by the data fiduciary or data processor under
sub-section (3) of section 52;
(z) the place and time for discovery and production of books of
account, data and other documents to the Authority or Inquiry
Officer under clause (a) of sub-section (8) of section 53;
(za) the period and the manner of filing a complaint by the data
principal before the Authority under sub-section (1) of section 62;
(zb) any other matter which is required to be, or may be specified,
or in respect of which provision is to be or may be made by
regulations.
|
| 96 |
Rules (***), regulations and notification to be laid before
Parliament.
Every rule and regulation made under this Act and notification
issued under sub-section (4) of section 68 shall be laid, as soon as
may be after it is made, before each House of Parliament, while it
is in session, for a total period of thirty days which may be
comprised in one session or in two or more successive sessions, and
if, before the expiry of the session immediately following the
session or the successive sessions aforesaid, both Houses agree in
making any modification in the rule or regulation or notification or
both Houses agree that the rule or regulation or notification should
not be made, the rule or regulation or notification shall thereafter
have effect only in such modified form or be of no effect, as the
case may be; so, however, that any such modification or annulment
shall be without prejudice to the validity of anything previously
done under that rule or regulation or notification.
|
| 97 |
Overriding effect of this Act.
Save as otherwise provided in this Act, the provisions of this
Act shall have effect notwithstanding anything inconsistent
therewith contained in any other law for the time being in force or
any instrument having effect by virtue of any such law (***).
|
| 98 |
Power to remove difficulties.
(1)If any difficulty arises in giving effect to the provisions of
this Act, the Central Government may, by order, published in the
Official Gazette, make such provisions not inconsistent with the
provisions of this Act as may appear to it to be necessary or
expedient for removing the difficulty:
Provided that no such order shall be made under this section after
the expiry of five years from the date of commencement of this Act.
(2)Every order made under this section shall be laid, as soon as may
be after it is made, before each House of Parliament.
|
| 99 |
Amendment of Act 21 of 2000.
The Information Technology Act, 2000 shall be amended in the
manner specified in the Schedule to this Act.
|