The Data Protection Bill 2021
(This Bill has since been withdrawn and a new version is expected to
be presented.)

CHAPTER IX
DATA PROTECTION AUTHORITY OF INDIA
Section 41
Establishment of Authority.
(1) The Central Government shall, by notification, establish, for the
purposes of this Act, an Authority to be called the Data Protection
Authority of India.
(2) The Authority referred to in sub-section (1) shall be a body
corporate by the name aforesaid, having perpetual succession and a
common seal, with power, subject to the provisions of this Act, to
acquire, hold and dispose of property, both movable and immovable, and
to contract and shall, by the said name, sue or be sued.
(3) The head office of the Authority shall be at such place as may be
prescribed.
(4) The Authority may, with the prior approval of the Central
Government, establish its offices at other places in India.

Section 42
Composition and qualifications for appointment of Chairperson and
Members.
(1) The Authority shall consist of a Chairperson and not
more than six whole-time Members, of which one shall be (***) an expert
in the area of law having such qualifications and experience (***) as
may be prescribed.
(2) The Chairperson and the Members of the Authority shall be appointed
by the Central Government on the recommendation made by a Selection
Committee consisting of—
(i) the Cabinet Secretary, who shall be Chairperson of the Selection
Committee;
(ii) the Attorney General of India - Member;
(iii) the Secretary to the Government of India in the Ministry or
Department dealing with the Legal Affairs - Member; (***)
(iv) the Secretary to the Government of India in the Ministry or
Department dealing with (***) Electronics and Information Technology -
Member;
(v) an independent expert to be nominated by the Central Government from
the fields of data protection, information technology, data management,
data science, data security, cyber and internet laws, public
administration or related subjects - Member;
(vi) a Director of any of the Indian Institutes of Technology to be
nominated by the Central Government – Member; and
(vii) a Director of any of the Indian Institutes of Management to be
nominated by the Central Government – Member.
(3) The procedure to be followed by the Selection Committee for
recommending the names under sub-section (2) shall be such as may be
prescribed.
(4) The Chairperson and the Members of the Authority shall be persons of
ability, integrity and standing, and shall have qualifications and
specialised knowledge and experience of (***) not less than ten years in
the field of data protection, information technology, data management,
data science, data security, cyber and internet laws, public
administration, national security or related subjects.
(5) A vacancy caused to the office of the Chairperson or any other
Member of the Authority shall be filled up within a period of three
months from the date on which such vacancy occurs.

Section 43
Terms and conditions of appointment.
(1) The Chairperson
and the Members of the Authority shall be appointed for a term of five
years or till they attain the age of sixty-five years, whichever is
earlier, and they shall not be eligible for re-appointment.
(2) The salaries and allowances payable to, and other terms and
conditions of service of the Chairperson and the Members of the
Authority shall be such as may be prescribed.
(3) The Chairperson and the Members shall not, during their term and for
a period of two years from the date on which they cease to hold office,
accept—
(a) any employment either under the Central Government or under any
State Government; or
(b) any appointment, in any capacity whatsoever, with a significant data
fiduciary.
(4) Notwithstanding anything contained in sub-section (1), the
Chairperson or a Member of the Authority may—
(a) relinquish his office by giving in writing to the Central Government
a notice of not less than three months; or
(b) be removed from his office in accordance with the provisions of this
Act.

Section 44
Removal of Chairperson or other Members.
(1) The Central
Government may remove from office, the Chairperson or any Member of the
Authority who—
(a) has been adjudged as an insolvent;
(b) has become physically or mentally incapable of acting as a
Chairperson or Member;
(c) has been convicted of an offence, which in the opinion of the
Central Government, involves moral turpitude;
(d) has so abused their position as to render their continuation in
office detrimental to the public interest; or
(e) has acquired such financial or other interest as is likely to affect
prejudicially (***) his functions as a Chairperson or a Member.
(2) No Chairperson or any Member of the Authority shall be removed under
clause (d) or (e) of sub-section (1) unless he has been given an (***)
opportunity of being heard.

Section 45
Powers of Chairperson.
The Chairperson of the Authority shall (***) have powers of general
superintendence and direction in the conduct of the affairs of the
Authority and he shall, (***) in addition to presiding over the meetings
of the Authority, exercise all powers and do all such acts and things
which may be exercised or done by the Authority under this Act.

Section 46
Meetings of Authority.
(1) The Chairperson and Members of the Authority shall meet at such
times and places and shall observe such rules and procedures in regard
to transaction of business at its meetings including quorum at such
meetings, as may be prescribed.
(2) If, for any reason, the Chairperson is unable to attend any meeting
of the Authority, any other Member chosen by the Members present at the
meeting, shall preside over the meeting.
(3) All questions which come up before any meeting of the Authority
shall be decided by a majority of votes of the Members present and
voting, and in the event of an equality of votes, the Chairperson or in
his absence, the Member presiding, shall have the right to exercise a
second or casting vote.
(4) Any Member who has any direct or indirect pecuniary interest in any
matter coming up for consideration at a meeting of the Authority shall
disclose the nature of his interest at such meeting, which shall be
recorded in the proceedings of the Authority and such Member shall not
take part in any deliberation or decision of the Authority with respect
to that matter.

Section 47
Vacancies, etc., not to invalidate proceedings of Authority.
No act or proceeding of the Authority shall be invalid merely by
reason of—
(a) any vacancy or defect in the constitution of the Authority;
(b) any defect in the appointment of a person as a Chairperson or
Member; or
(c) any irregularity in the procedure of the Authority not affecting the
merits of the case.

Section 48
Officers and other employees of Authority.
(1) The Authority may appoint such officers, other employees,
consultants and experts as it may consider necessary for effectively
discharging (***) its functions under this Act.
(2) Any remuneration, salary or allowances, and other terms and
conditions of service of such officers, employees, consultants and
experts shall be such as may be specified by regulations.

Section 49
Powers and functions of Authority.
(1) It shall be the duty of the Authority to protect the interests of
data principals, prevent any misuse of personal data, ensure compliance
with the provisions of this Act, and promote awareness about data
protection.
(2) Without prejudice to the generality of the foregoing and other
functions under this Act, the functions of the Authority shall include—
(a) monitoring and enforcing application of the provisions of this Act
and the rules and regulations made thereunder;
(b) taking prompt and appropriate action in response to (***) data
breach in accordance with the provisions of this Act;
(c) maintaining a database on its website containing names of
significant data fiduciaries along with a rating in the form of a data
trust score indicating compliance with the obligations of this Act by
such fiduciaries;
(d) examination of any data audit reports and taking any action pursuant
thereto;
(e) issuance of a certificate of registration to data auditors and
renewal, withdrawal, suspension or cancellation thereof and maintaining
a database of registered data auditors and specifying the
qualifications, code of conduct, practical training and functions to be
performed by such data auditors;
(f) classification of data fiduciaries;
(g) monitoring cross-border transfer of personal data;
(h) specifying codes of practice;
(i) promoting awareness and understanding of the risks, rules,
safeguards and rights in respect of protection of personal data amongst
data fiduciaries and data principals;
(j) monitoring technological developments and commercial practices that
may affect protection of personal data;
(k) promoting measures and undertaking research for innovation in the
field of protection of personal data;
(l) advising Central Government, State Government and any other
authority on measures required to be taken to promote protection of
personal data and ensuring consistency of application and enforcement of
this Act;
(m) specifying fees and other charges for carrying out the purposes of
this Act;
(n) receiving and inquiring complaints under this Act; (***)
(o) monitoring, testing and certification by an appropriate agency
authorized by the Central Government for this purpose to ensure
integrity and trustworthiness of hardware and software on computing
devices to prevent any malicious insertion that may cause data breach;
and
(p) performing such other functions as may be prescribed.
(3) Where, pursuant to the provisions of this Act, the Authority
processes any personal data, it shall be construed as the data fiduciary
or the data processor in relation to such personal data as applicable,
and where the Authority comes into possession of any information that is
treated as confidential by (***) such data fiduciary or data processor,
it shall not disclose such information unless required under any law for
the time being in force to do so, or where it is required to carry out
its functions under this section.

Section 50
Codes of practice.
(1) The Authority shall, by regulations, specify codes of
practice to promote good practices of data protection and facilitate
compliance with the obligations under this Act.
(2) Notwithstanding anything contained in sub-section (1), the
Authority may approve any code of practice submitted by-
(i) the associations representing-
(a) technical services organizations;
(b) (***) industry or trade (***)
(c) (***) the interest of data principals
(ii) any sectoral regulator or statutory Authority; or
(iii) any Departments or Ministries of the Central Government or
State Government.
(3) The Authority shall ensure transparency and compliance with
the obligations of data fiduciary and the rights of the data
principal under this Act while specifying or approving any code of
practice under this section.
(4) A code of practice under sub-section (1) or sub-section (2),
shall not be issued unless the Authority has made consultation with
the sectoral regulators and other stakeholders including the public
and has followed such procedure as may be prescribed.
(5) A code of practice issued under this section shall not derogate
from the provisions of this Act or any other law for the time being
in force.
(6) The code of practice under this Act may include the following
matters, namely:—
(a) requirements for notice under section 7 including any model
forms or guidance relating to notice;
(b) measures for ensuring quality of personal data processed under
section 8;
(c) measures pertaining to the retention of personal data under
section 9;
(d) manner for obtaining valid consent under section 11;
(e) processing of personal data under section 12;
(f) activities where processing of personal data may be undertaken
under section 14;
(g) processing of sensitive personal data under Chapter III;
(h) processing of personal data under any other ground for
processing, including processing of personal data of children and
age-verification under this Act;
(i) exercise of any right by data principals under Chapter V;
(j) the standards and means by which a data principal may avail the
right to data portability under section 19;
(k) transparency and accountability measures including the standards
thereof to be maintained by data fiduciaries and data processors
under Chapter VI;
(l) standards for security safeguards to be maintained by data
fiduciaries and data processors under section 24;
(m) methods of de-identification and anonymisation;
(n) methods of destruction, deletion, or erasure of personal data
where required under this Act;
(o) appropriate action to be taken by the data fiduciary or data
processor in response to a (***) data breach under section 25;
(p) manner in which data protection impact assessments may be
carried out by the data fiduciary or a class thereof under section
27;
(q) transfer of personal data outside India pursuant to section 34;
(r) processing of any personal data or sensitive personal data to
carry out any activity necessary for research, archiving or
statistical purposes under section 38; and
(s) any other matter which, in (***) view of the Authority, may be
necessary or relevant to be provided in the code of practice.
(7) The Authority may review, modify or revoke a code of practice
issued under this section in such manner as may be prescribed.

Section 51
Power of Authority to issue directions.
(1) The Authority may, for the discharge of its functions under
this Act, issue such directions from time to time as it may consider
necessary to any data fiduciary or data processor who shall be bound
to comply with such directions.
(2) No direction shall be issued under sub-section (1) unless the
Authority has given an (***) opportunity of being heard to the data
fiduciary (***) or the data processor concerned.
(3) The Authority may, on a representation made to it or on its own
motion, modify, suspend, withdraw or cancel any direction issued
under sub-section (1) and in doing so, may impose such conditions as
it deems fit, subject to which the modification, suspension,
withdrawal or cancellation shall have effect.

Section 52
Power of Authority to call for information.
(1) Without prejudice to the other provisions of this Act, the
Authority may require a data fiduciary or data processor to provide
such information as may be reasonably required by it for discharging
its functions under this Act.
(2) If the Authority requires a data fiduciary or a data processor
to provide any information under sub-section (1), it shall provide a
notice in writing to the data fiduciary or the data processor
stating the reasons for such requisition.
(3) The Authority shall, by regulations, specify the manner in which
the data fiduciary or data processor shall provide the information
sought in sub-section (1), including the designation of the officer
or employee of the Authority who may seek such information, the
period within which such information is to be furnished and the form
in which such information may be provided.

Section 53
Power of Authority to conduct inquiry.
(1) The Authority may, on its own or on a complaint received by
it, inquire or cause to be inquired, if it has reasonable grounds to
believe that—
(a) the activities of the data fiduciary or data processor
are being conducted in a manner which is detrimental to the
interests of data principals; or
(b) any data fiduciary or data processor has contravened any of
the provisions of this Act or the rules or regulations made
thereunder, or any direction of the Authority.
(2) For the purposes of sub-section (1), the Authority shall, by
an order in writing, appoint one of its officers as an Inquiry
Officer to inquire into the affairs of such data fiduciary or data
processor and to report to the Authority on any inquiry made.
(3) For the purpose of any inquiry under this section, the Inquiry
Officer may, wherever necessary, seek the assistance of any other
person.
(4) The order referred to in sub-section (2) shall specify the
reasons for the inquiry and the scope of the inquiry and may be
modified from time to time.
(5) Every officer, employee or other person acting under the direct
authority of the data fiduciary or the data processor, or a service
provider, or a contractor, where services are being obtained by or
provided to the data fiduciary or data processor, as the case may
be, shall be bound to produce before the Inquiry Officer, all such
books, registers, documents, records and any data in their custody
or power and to furnish to the Inquiry Officer any statement and
information relating to the affairs of the data fiduciary or data
processor as the Inquiry Officer may require within such time as the
said Inquiry Officer may specify.
(6) The Inquiry Officer shall provide a notice in writing to the
persons referred to in sub-section (5) stating the reasons thereof
and the relationship between the data fiduciary and the scope of
inquiry (***).
(7) The Inquiry Officer may keep in its custody any books,
registers, documents, records and other data produced under
sub-section (5) for six months and thereafter shall return the same
to the person by whom or on whose behalf such books, registers,
documents, records and data are produced, unless an approval to
retain such books, registers, documents, record and data for an
additional period not exceeding three months has been obtained from
the Authority.
(8) Notwithstanding anything contained in any other law for the time
being in force, while exercising the powers under this section, the
Authority or the Inquiry Officer, as the case may be, shall have the
same powers as are vested in a civil court under the Code of Civil
Procedure, 1908 (5 of 1908) while trying a suit, in respect of the
following matters, namely—
(a) the discovery and production of books of account, data
and other documents, at such place and at such time as may be
specified by regulations;
(b) summoning and enforcing the attendance of persons and
examining them on oath;
(c) inspection of any book, document, register, record or data of
any data fiduciary;
(d) issuing commissions for the examination of witnesses or
documents; and
(e) any other matter which may be prescribed.

Section 54
Action to be taken by Authority pursuant to (***) inquiry.
(1) On receipt of a report under sub-section (2) of section 53,
the Authority may, after giving such opportunity to the data
fiduciary or data processor to make a representation in connection
with the report as the Authority deems reasonable, by an order in
writing—
(a) issue a warning to the data fiduciary or data processor where
the business or activity is likely to violate the provisions of this
Act;
(b) issue a reprimand to the data fiduciary or data processor where
the business or activity has violated the provisions of this Act;
(c) (***) direct the data fiduciary or data processor to cease and
desist from committing or causing any violation of the provisions of
this Act;
(d) (***) direct the data fiduciary or data processor to modify its
business or activity to bring it in compliance with the provisions
of this Act;
(e) temporarily suspend or discontinue business or activity of the
data fiduciary or data processor which is in contravention of the
provisions of this Act;
(f) vary, suspend or cancel any registration granted by the
Authority in case of a significant data fiduciary;
(g) suspend or discontinue any cross-border (***) transfer of
personal data; or
(h) (***) direct the data fiduciary or data processor to take any
such action in respect of any matter arising out of the report as
the Authority may deem(***) fit.
(2) A data fiduciary or data processor aggrieved by an order made
under this section may prefer an appeal to the Appellate Tribunal
under section 73.

Section 55
Search and seizure.
(1) Where in the course of inquiry under section 53, the Inquiry
Officer has reasonable ground to believe that any books, registers,
documents, records or data belonging to any person as mentioned
therein, are likely to be tampered with, altered, mutilated,
manufactured, falsified or destroyed, the Inquiry Officer
(***) shall, with the prior approval of the Authority, make an
application to such designated court, as may be notified by the
Central Government, for an order for the seizure of such books,
registers, documents,(***) records or data.
(2) The Inquiry Officer may require the services of any police
officer or any officer of the Central Government or State
Government, or of (***) all, to assist him for the purposes (***)
provided in sub-section (1) and it shall be the duty of every such
officer to comply with such requisition.
(3) After considering the application and hearing the Inquiry
Officer, if necessary, the designated court may, by order, authorise
the Inquiry Officer—
(a) to enter, with such assistance, as may be required, the
place or places where such books, registers, documents, (***)
records or data are kept;
(b) to search that place or those places in the manner specified
in the order; and
(c) to seize books, registers, documents, (***) records or data
it considers necessary for the purposes of the inquiry.
(4) The Inquiry Officer shall keep in (***) his custody the
books, registers, documents, (***) records or data seized under this
section for such period not later than the conclusion of the inquiry
as (***) he considers necessary and thereafter shall return the same
to the person, from whose custody or power they were seized and
inform the designated court of such return.
(5) Save as otherwise provided in this section, every search or
seizure made under this section shall be carried out in accordance
with the provisions of the Code of Criminal Procedure, 1973 (2 of
1974) relating to searches or seizures made under that Code.

Section 56
Co-ordination between Authority and other regulators or
authorities.
Where any action proposed to be taken by the Authority under this
Act is such that any other regulator or authority constituted under
a law made by Parliament or the State legislature may also have
concurrent jurisdiction, the Authority shall consult such other
regulator or authority before taking such action and may also enter
into a memorandum of understanding with such other regulator or
authority governing the coordination of such actions including
economic activities.