PDPB 2019

Chapter I: Preliminary
Sec 1-3

Chapter II: Obligations of the Data Fiduciary
Sec 4-11

Chapter III: Grounds for Processing Personal Data without consent
Sec 12-15

Chapter IV: Personal data and Sensitive data of children
Sec 16

Chapter V: Rights of Data Principal
Sec 17-21

Chapter VI: Transparency and Accountability Measures
Sec 22-32

Chapter VII: Restriction on transfer of personal data outside India
Sec 33-34

Chapter VIII: Exemptions
Sec 35-40

Chapter IX: Data Protection Authority of India
Sec 41-56

Chapter X: Penalties and Compensation
Sec 57-66

Chapter XI: Appellate Tribunal
Sec 67-77

Chapter XII: Finance, Accounts and Audit
Sec 78-81

Chapter XIII: Offences
Sec 82-85

Chapter XIV: Miscellaneous
Sec 86-98

Schedule I Amendments to ITA 2000

Preamble
Statement of Objectives and Reasons
Notes on Clauses
Memorandum on Delegated Legislation
Financial Memorandum

©Naavi

CHAPTER I

PRELIMINARY

1. Short title and commencement

(1) This Act may be called the Personal Data Protection Act, 2019.

(2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint; and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.

2. Application of Act to processing of personal data.

The provisions of this Act,—

(A) shall apply to—

(a) the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India;

(b) the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;

(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—

(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or

(ii) in connection with any activity which involves profiling of data principals within the territory of India.

(B) shall not apply to the processing of anonymised data, other than the anonymised data referred to in section 91.


3. Definitions.

In this Act, unless the context otherwise requires,—

(1) "Adjudicating Officer" means the Adjudicating Officer appointed as such under sub-section (1) of section 62;

(2) "anonymisation" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;

(3) "anonymised data" means data which has undergone the process of anonymisation;

(4) "Appellate Tribunal" means the Tribunal established under sub-section (1) or notified under sub-section (4) of section 67;

(5) "Authority" means the Data Protection Authority of India established under sub-section (1) of section 41;

(6) "automated means" means any equipment capable of operating automatically in response to instructions given for the purpose of processing data;

(7) "biometric data" means facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations which allow or confirm the unique identification of that natural person;

(8) "child" means a person who has not completed eighteen years of age;

(9) "code of practice" means a code of practice issued by the Authority under section 50;

(10) "consent" means the consent referred to in section 11;

(11) "data" includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;

(12) "data auditor" means an independent data auditor referred to in section 29;

(13) "data fiduciary" means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;

(14) "data principal" means the natural person to whom the personal data relates;

(15) "data processor" means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary;

(16) "de-identification" means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;

(17) "disaster" shall have the same meaning as assigned to it in clause (d) of section 2 of the Disaster Management Act, 2005;

(18) "financial data" means any number or other personal data used to identify an account opened by, or card or payment instrument issued by a financial institution to a data principal or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history;

(19) "genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(20) "harm" includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property;
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or
(x) any observation or surveillance that is not reasonably expected by the data principal;

(21) "health data" means the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services;

(22) "intra-group schemes" means the schemes approved by the Authority under clause (a) of sub-section (1) of section 34;

(23) "in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000;

(24) "journalistic purpose" means any activity intended towards the dissemination through print, electronic or any other media of factual reports, analysis, opinions, views or documentaries regarding—

(i) news, recent or current events; or
(ii) any other information which the data fiduciary believes the public, or any significantly discernible class of the public, to have an interest in;

(25) "notification" means a notification published in the Official Gazette and the expression "notify" shall be construed accordingly;

(26) "official identifier" means any number, code, or other identifier, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal;

(27) "person" includes—

(i) an individual,
(ii) a Hindu undivided family,
(iii) a company,
(iv) a firm,
(v) an association of persons or a body of individuals, whether incorporated or not,
(vi) the State, and
(vii) every artificial juridical person, not falling within any of the preceding sub-clauses;

(28) "personal data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;

(29) "personal data breach" means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;

(30) "prescribed" means prescribed by rules made under this Act;

(31) "processing" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

(32) "profiling" means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal;

(33) "regulations" means the regulations made by the Authority under this Act;

(34) "re-identification" means the process by which a data fiduciary or data processor may reverse a process of de-identification;

(35) "Schedule" means the Schedule appended to this Act;
(36) "sensitive personal data" means such personal data, which may reveal, be related to, or constitute—

(i) financial data;
(ii) health data;
(iii) official identifier;
(iv) sex life;
(v) sexual orientation;
(vi) biometric data;
(vii) genetic data;
(viii) transgender status;
(ix) intersex status;
(x) caste or tribe;
(xi) religious or political belief or affiliation; or
(xii) any other data categorised as sensitive personal data under section 15.

Explanation.— For the purposes of this clause, the expressions,—

(a) "intersex status" means the condition of a data principal who is—

(i) a combination of female or male;
(ii) neither wholly female nor wholly male; or
(iii) neither female nor male;

(b) "transgender status" means the condition of a data principal whose sense of gender does not match with the gender assigned to that data principal at birth, whether or not they have undergone sex reassignment surgery, hormone therapy, laser therapy, or any other similar medical procedure;

(37) "significant data fiduciary" means a data fiduciary classified as such under sub-section (1) of section 26;

(38) "significant harm" means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm;

(39) "State" means the State as defined under article 12 of the Constitution;

(40) "systematic activity" means any structured or organised activity that involves an element of planning, method, continuity or persistence.

PDPB 2021

Chapter I: Preliminary
Sec 1-3

Chapter II: Obligations of the Data Fiduciary
Sec 4-11

Chapter III: Grounds for Processing Personal Data without consent
Sec 12-15

Chapter IV: Personal data and Sensitive data of children
Sec 16

Chapter V: Rights of Data Principal
Sec 17-21

Chapter VI: Transparency and Accountability Measures
Sec 22-32

Chapter VII: Restriction on transfer of personal data outside India
Sec 33-34

Chapter VIII: Exemptions
Sec 35-40

Chapter IX: Data Protection Authority of India
Sec 41-56

Chapter X: Penalties and Compensation
Sec 57-67

Chapter XI: Appellate Tribunal
Sec 68-78

Chapter XII: Finance, Accounts and Audit
Sec 79-82

Chapter XIII: Offences
Sec 83-86

Chapter XIV: Miscellaneous
Sec 87-99

Schedule Amendments to ITA 2000

The Data Protection Bill 2021

CHAPTER I

PRELIMINARY

1 Short title and commencement.
(1) This Act may be called the (***) Data Protection Act, 2021.

(2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint; and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.

2 Application of Act to processing of personal data and non-personal data
The provisions of this Act shall apply to,—

(A) (***)

(a) the processing of personal data where such data has been collected, stored, disclosed, shared or otherwise processed within the territory of India;
(b) the processing of personal data by (***) any person (***) under Indian law;
(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—

(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India; and

(d) the processing of non-personal data including anonymised personal data.

(B) (***)

3 Definitions.
In this Act, unless the context otherwise requires,—

(1) “Adjudicating Officer” means the Adjudicating Officer appointed as such under sub-section (1) of section 63;
(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;
(3) “anonymised data” means data which has undergone the process of anonymisation;
(4) “Appellate Tribunal” means the Tribunal established under sub-section (1) or notified under sub-section (4) of section 68;
(5) “Authority” means the Data Protection Authority of India established under sub-section (1) of section 41;
(6) “automated means” means any equipment capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
(7) “biometric data” means facial images, fingerprints, iris scans or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological or behavioral characteristics of a data principal, which allow or confirm the unique identification of that natural person;
(8) “child” means a person who has not completed eighteen years of age;
(9) “code of practice” means a code of practice issued by the Authority under section 50;
(10) “consent” means the consent referred to in section 11;
(11) “Consent Manager” means a data fiduciary which enables a data principal to give, withdraw, review and manage his consent through an accessible, transparent and interoperable platform;
(12) “data” includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;
(13) “data auditor” means a (***) data auditor referred to in section 29;
(14) “data breach” includes personal data breach and non-personal data breach;
(15) “data fiduciary” means any person, including a State, a company, a non-government organisation, (***) juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;
(16) “data principal” means the natural person to whom the personal data relates;
(17) “data processor” means any person, including a State, a company, a non-government organisation, (***) juristic entity or any individual, who processes personal data on behalf of a data fiduciary;
(18) “data protection officer” means an officer who shall be appointed by the significant data fiduciary under section 30;
(19) “de-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;
(20) “disaster” shall have the same meaning as assigned to it in clause (d) of section 2 of the Disaster Management Act, 2005 (53 of 2005);
(21) “financial data” means any number or other personal data used to identify an account opened by, or card or payment instrument issued by a financial institution to a data principal or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history;
(22) “genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the behavioral characteristics, physiology or the health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question;
(23) “harm” includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property;
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or goods resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; (***)
(x) any observation or surveillance that is not reasonably expected by the data principal;
(xi) psychological manipulation which impairs the autonomy of the individual; or
(xii) such other harm as may be prescribed;

(24) “health data” means the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services;
(25) “intra-group schemes” means the schemes approved by the Authority under clause (a) of sub-section (1) of section 34;
(26) “in writing” includes any communication or information in electronic form (***) generated, sent, received or stored in media, magnetic, optical, (***) computer memory, micro film, computer generated micro fiche or similar device (***);
(27) “journalistic purpose” means any activity intended towards the dissemination through print, electronic or any other media of factual reports, analysis, opinions, views or documentaries regarding—

(i) news, recent or current events; or
(ii) any other information which the data fiduciary believes the public, or any significantly discernible class of the public, to have an interest in;

(28) “non-personal data” means the data other than personal data;
(29) “non-personal data breach” means any unauthorized including accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to non-personal data that compromises the confidentiality, integrity or availability of such data;
(30) “notification” means a notification published in the Official Gazette and the expressions “notify” and “notified” shall be construed accordingly;
(31) “official identifier” means any number, code, or other identifier, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal;
(32) “person” includes—

(i) an individual;
(ii) a Hindu undivided family;
(iii) a company;
(iv) a firm;
(v) an association of persons or a body of individuals, whether incorporated or not;
(vi) the State; and
(vii) every artificial juridical person, not falling within any of the preceding sub-clauses;

(33) “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;
(34) “personal data breach” means any unauthorised (***) including accidental disclosure, acquisition, sharing, use, alteration, destruction (***) or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;
(35) “prescribed” means prescribed by rules made under this Act;
(36) “processing” in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
(37) “profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal;
(38) “regulations” means the regulations made by the Authority under this Act;
(39) “re-identification” means the process by which a data fiduciary or data processor may reverse a process of de-identification;
(40) “Schedule” means the Schedule appended to this Act;
(41) “sensitive personal data” means such personal data, which may reveal, be related to, or constitute—

(i) financial data;
(ii) health data;
(iii) official identifier;
(iv) sex life;
(v) sexual orientation;
(vi) biometric data;
(vii) genetic data;
(viii) transgender status;
(ix) intersex status;
(x) caste or tribe;
(xi) religious or political belief or affiliation; or
(xii) any other data categorised as sensitive personal data under section 15;

Explanation.— For the purposes of this clause, the expressions,—

(a) “intersex status” means the condition of a data principal who is—

(i) a combination of female or male;
(ii) neither wholly female nor wholly male; or
(iii) neither female nor male;

(b) “transgender status” means the condition of a data principal whose sense of gender does not match with the gender assigned to that data principal at birth, whether or not they have undergone sex reassignment surgery, hormone therapy, laser therapy, or any other similar medical procedure;

(42) “significant data fiduciary” means a data fiduciary classified as such under sub-section (1) of section 26;
(43) “significant harm” means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm;
(44) “social media platform” means a platform which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services;
(45) “State” means the State as defined under article 12 of the Constitution;
(46) “systematic activity” means any structured or organised activity that involves an element of planning, method, continuity or persistence.