CHAPTER X

DATA PROTECTION AUTHORITY OF INDIA

49. Establishment and incorporation of Authority.—

(1) The Central Government shall, by notification, establish for the purposes of this Act, an Authority to be called the Data Protection Authority of India.

(2) The Authority shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.

(3) The head office of the Authority shall be at such place as may be prescribed.

(4) The Authority may, with the prior approval of the Central Government, establish its offices at other places in India.


50. Composition and qualifications for appointment of members.—

(1) The Authority shall consist of a chairperson and six whole-time members.

(2) The chairperson and the members of the Authority shall be appointed by the Central Government on the recommendation made by a selection committee consisting of—

(a) the Chief Justice of India or a judge of the Supreme Court of India nominated by the Chief Justice of India, who shall be the chairperson of the selection committee;

(b) the Cabinet Secretary; and

(c) one expert of repute as mentioned in sub-section (6), to be nominated by the Chief Justice of India or a judge of the Supreme Court of India nominated by the Chief Justice of India, in consultation with the Cabinet Secretary.

(3) The procedure to be followed by the selection committee for recommending the names under sub-section (2) shall be such as may be prescribed.

(4) The chairperson and the members of the Authority shall be persons of ability, integrity and standing, and must have specialised knowledge of, and not less than ten years professional experience in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, and related subjects.

(5) A vacancy caused to the office of the chairperson or any other member shall be filled up within a period of three months from the date on which such vacancy occurs.

(6) The Central Government shall maintain a list of at least five experts who have specialised knowledge of, and professional experience in the field of data protection, information technology, data management, data science, cyber and internet laws, and related subjects.


51. Terms and conditions of appointment.—

(1) The chairperson and the members shall be appointed for a term of five years or till they attain the age of sixty-five years, whichever is earlier, and they shall not be eligible for re-appointment.

(2) The salaries and allowances payable to, and other terms and conditions of service of the chairperson and the members shall be such as may be prescribed and shall not be varied to their disadvantage during their term.

(3) The chairperson and the members shall not, during their term and for a period of two years from the date on which they cease to hold office, accept—

(a) any employment either under the Central Government or under any State Government; or

(b) any appointment, in any capacity whatsoever, with a significant data fiduciary.

(4) Notwithstanding anything contained in sub-section (1), the chairperson or a member may—

(a) relinquish his office by giving in writing to the Central Government a notice of not less than three months; or

(b) be removed from his office in accordance with the provisions of this Act.


52. Removal of members.—

(1) The Central Government may remove from office, the chairperson or any member who—

(a) has been adjudged an insolvent;

(b) has become physically or mentally incapable of acting as a chairperson or member;

(c) has been convicted of an offence, which in the opinion of the Central Government, involves moral turpitude;

(d) has so abused her position as to render her continuation in office detrimental to the public interest; or

(e) has acquired such financial or other interest as is likely to affect prejudicially her functions as a chairperson or a member.

(2) No chairperson or any member shall be removed under clause (d) or (e) of sub-section (1) unless she has been given a reasonable opportunity of being heard.


53. Powers of the chairperson.—

The chairperson shall have powers of general superintendence and direction of the affairs of the Authority and shall also exercise all powers and do all such acts and things which may be exercised or done by the Authority under the Act.


54. Meetings of the Authority.—

(1) The chairperson and members of the Authority shall meet at such times and places and shall observe such rules and procedures in regard to transaction of business at its meetings including quorum at such meetings, as may be prescribed.

(2) If, for any reason, the chairperson is unable to attend any meeting of the Authority, any other member chosen by the members present at the meeting, shall preside at the meeting.

(3) All questions which come up before any meeting of the Authority shall be decided by a majority of votes of the members present and voting, and in the event of an equality of votes, the chairperson or in her absence, the member presiding, shall have a casting or a second vote.

(4) Any member who has any direct or indirect pecuniary interest in any matter coming up for consideration at a meeting of the Authority shall disclose the nature of her interest at such meeting, which shall be recorded in the proceedings of the Authority and such member shall not take part in any deliberation or decision of the Authority with respect to that matter.


55. Vacancies, etc. not to invalidate proceedings of the Authority.—

No act or proceeding of the Authority shall be invalid merely by reason of—

(a) any vacancy or defect in the constitution of the Authority;

(b) any defect in the appointment of a person as a chairperson or member; or,

(c) any irregularity in the procedure of the Authority not affecting the merits of the case.


56. Officers and Employees of the Authority.—

(1) The Authority may appoint such officers, employees, consultants and experts as it may consider necessary for effectively discharging its functions under this Act.

(2) Any remuneration, salary or allowances, and other terms and conditions of service of such officers, employees, consultants and experts shall be such as may be specified.


57. Grants by Central Government.—

The Central Government may, after due appropriation made by Parliament by law in this behalf, make to the Authority grants of such sums of money as it may think fit for the purposes of this Act.


58. Accounts and Audit.—

(1) The Authority shall maintain proper accounts and other relevant records and prepare an annual statement of accounts in such form as may be prescribed by the Central Government in consultation with the Comptroller and Auditor-General of India.

(2) The accounts of the Authority shall be audited by the Comptroller and Auditor-General of India at such intervals as may be prescribed and any expenditure incurred by her in connection with such audit shall be reimbursed to her by the Authority.

(3) The Comptroller and Auditor-General of India and any other person appointed by her in connection with the audit of the accounts of the Authority shall have the same rights and privileges and authority in connection with such audit as the Comptroller and Auditor-General of India generally has in connection with the audit of the Government accounts and, in particular, shall have the right to demand the production of books, accounts, connected vouchers and other documents and papers, and to inspect any of the offices of the Authority.

(4) The accounts of the Authority as certified by the Comptroller and Auditor-General of India or any other person appointed by the Comptroller and Auditor-General of India in this behalf together with the audit report thereon shall be forwarded annually to the Central Government and the Central Government shall cause the same to be laid before each House of the Parliament.


59. Furnishing of returns, etc. to Central Government.—

(1) The Authority shall furnish to the Central Government at such time and in such form and manner as may be prescribed or as the Central Government may direct, such returns and statements and such particulars in regard to any proposed or existing programme for the promotion and development of protection of personal data, as the Central Government from time to time, require.

(2) The Authority shall prepare once every year in such form and at such time as may be prescribed, an annual report giving a summary of its activities during the previous year and copies of the report shall be forwarded to the Central Government.

(3) A copy of the report received under sub-section (2) shall be laid, as soon as may be after it is received, before each House of the Parliament.


60. Powers and Functions of the Authority.—

(1) It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness of data protection.

(2) Without prejudice to the generality of the foregoing and other functions set out under this Act, the functions of the Authority shall include—

(a) monitoring and enforcing application of the provisions of this Act;

(b) specifying reasonable purposes for which personal data may be processed under section 17 of this Act;

(c) specifying residuary categories of sensitive personal data under section 22 of this Act;

(d) taking prompt and appropriate action in response to a data security breach in accordance with the provisions of this Act;

(e) specifying the circumstances where a data protection impact assessment may be required to be undertaken in accordance with section 33 of this Act;

(f) maintaining a database on its website containing names of significant data fiduciaries along with a rating in the form of a data trust score indicating compliance with the obligations of this Act by such fiduciaries;

(g) specifying the criteria for assigning a rating in the form of a data trust score by a data auditor having regard to the factors mentioned in sub-section (2) of section 35;

(h) examination of any data audit reports submitted under section 35 of this Act and taking any action pursuant thereto in accordance with the provisions of this Act;

(i) issuance of a certificate of registration to data auditors and renewal, modification, withdrawal, suspension or cancellation thereof and maintaining a database on its website of such registered data auditors and specifying the requisite qualifications, code of conduct, practical training and functions to be performed by such data auditors;

(j) categorisation and issuance of certificate of registration to significant data fiduciaries and renewal, modification, withdrawal, suspension or cancellation thereof under section 38;

(k) monitoring cross-border transfer of personal data under section 41 of this Act;

(l) issuing codes of practice in accordance with section 61 of this Act and publishing such codes on its website;

(m) promoting public awareness and understanding of the risks, rules, safeguards and rights in respect of protection of personal data, including issuance of any public statement setting out trends in, or specific instances of, contravention of the provisions of this Act by a data fiduciary or a class of data fiduciaries, as the case may be;

(n) promoting awareness among data fiduciaries of their obligations and duties under this Act;

(o) monitoring technological developments and commercial practices that may affect protection of personal data;

(p) promoting measures and undertaking research for innovation in the field of protection of personal data;

(q) advising Parliament, Central Government, State Government and any regulatory or statutory authority on measures that must be undertaken to promote protection of personal data and ensuring consistency of application and enforcement of this Act;

(r) issuing guidance on any provision under this Act either on its own or in response to any query received from a data fiduciary where the Authority considers it necessary, subject always to the provisions of this Act;

(s) advising the Central Government on the acceptance of any relevant international instrument relating to protection of personal data;

(t) specifying fees and other charges for carrying out the purposes of this Act;

(u) receiving and handling complaints under the provisions of this Act;

(v) calling for information from, conducting inspections and inquiries into the affairs of data fiduciaries in accordance with the provisions of this Act;

(w) preparation and publication of reports setting out the result of any inspection or inquiry and any other comments that the Authority deems to be in public interest; and

(x) performing such other functions, including maintaining, updating and submitting any records, documents, books, registers or any other data, as may be prescribed.

(3) Notwithstanding anything contained in any other law for the time being in force, while exercising the powers under clause (v) of sub-section (2), the Authority shall have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908 (5 of 1908) while trying a suit, in respect of the following matters, namely—

(a) the discovery and production of books of account and other documents, at such place and at such time as may be specified;

(b) summoning and enforcing the attendance of persons and examining them on oath;

(c) inspection of any book, document, register or record of any data fiduciary;

(d) issuing commissions for the examination of witnesses or documents;

(e) any other matter which may be prescribed.

(4) Where, pursuant to the provisions of this Act, the Authority processes personal data, it shall be construed as the data fiduciary or the data processor in relation to such personal data as applicable, and where the Authority comes into possession of any information that is treated as confidential by the data fiduciary or data processor, it shall not disclose such information unless required as per law, or where it is required to carry out its function under clause (w) of sub-section (2).


61. Codes of Practice.—

(1) The Authority shall issue codes of practice in accordance with this section to promote good practices of data protection and facilitate compliance with the obligations under this Act.

(2) Notwithstanding sub-section (1), the Authority may also approve, and issue codes of practice submitted by an industry or trade association, an association representing the interest of data principals, any sectoral regulator or statutory authority, or any departments or ministries of the Central or State Government.

(3) The Authority shall ensure transparency while approving or issuing any code of practice under this section in accordance with sub-section (4).

(4) A code of practice, whether under sub-section (1) or sub-section (2), shall not be issued unless the Authority has undertaken a requisite consultation process with relevant sectoral regulators and stakeholders including the public and has followed the procedure for issuance of such code of practice, as may be prescribed.

(5) A code of practice issued under this section shall not derogate from the provisions of this Act or any applicable law.

(6) Without prejudice to sub-sections (1) or (2), or any other provision of this Act, the Authority may issue codes of practice in respect of the following matters—

(a) requirements for notice under section 8 of this Act including any model forms or guidance relating to notice;

(b) measures for ensuring quality of personal data processed under section 9 of this Act;

(c) measures pertaining to the retention of personal data under section 10 of this Act;

(d) conditions for valid consent under section 12 of this Act;

(e) processing of personal data under section 15 of this Act;

(f) activities where processing of personal data may be undertaken under section 17;

(g) processing of sensitive personal data under Chapter IV of this Act;

(h) processing of personal data under any other ground for processing, including processing of personal data of children and development of appropriate age-verification mechanisms under section 23 and mechanisms for processing personal data on the basis of consent of users incapable of providing valid consent under this Act;

(i) exercise of any right by data principals under Chapter VI of this Act;

(j) the standards and means by which a data principal may avail the right to data portability under section 26 of this Act;

(k) transparency and accountability measures including the standards thereof to be maintained by data fiduciaries and data processors under Chapter VII of this Act;

(l) standards for security safeguards to be maintained by data fiduciaries and data processors under section 31 of this Act;

(m) methods of de-identification and anonymisation;

(n) methods of destruction, deletion, or erasure of personal data where required under this Act;

(o) appropriate action to be taken by the data fiduciary or data processor in response to a personal data breach under section 32 of this Act;

(p) manner in which data protection impact assessments may be carried out by the data fiduciary or a class thereof under section 33 of this Act;

(q) cross-border transfer of personal data pursuant to section 41 of this Act;

(r) processing of any personal data or sensitive personal data to carry out any activity necessary for research, archiving or statistical purposes under section 45 of this Act; and

(s) any other matter which, in the view of the Authority, may require issuance of a code of practice.
 

(7) Non-compliance by the data fiduciary or data processor with any code of practice issued under this section and applicable to it may be considered by the Authority, or any court, tribunal or statutory body, while determining whether such data fiduciary or data processor has violated the provisions of this Act.

(8) Nothing contained in sub-section (7) shall prevent a data fiduciary or data processor from demonstrating before the Authority, or any court, tribunal or statutory body, that it has adopted an equivalent or a higher standard than that stipulated under the relevant code of practice.

(9) The Authority may review, modify or revoke a code of practice issued under this section in the manner prescribed.

(10) The Authority shall maintain a register in the manner prescribed containing details of the codes of practice, which are currently in force and shall make such codes of practice publicly available on its website.


62. Power of Authority to issue directions.—

(1) The Authority may, for the discharge of its functions under this Act, issue such directions from time to time as it may consider necessary to data fiduciaries or data processors generally, or to any data fiduciary or data processor in particular, and such data fiduciaries or data processors, as the case may be, shall be bound to comply with such directions.

(2) No such direction shall be issued under sub-section (1) unless the Authority has given a reasonable opportunity of being heard to the data fiduciaries or data processors concerned.

(3) The Authority may, on a representation made to it or on its own motion, modify, suspend, withdraw or cancel any direction issued under sub-section (1) and in doing so, may impose such conditions as it thinks fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.


63. Power of Authority to call for information.—

(1) Without prejudice to the other provisions of this Act, the Authority may require a data fiduciary or data processor to provide such information as may be reasonably required by it for discharging its functions under this Act.

(2) If the Authority requires a data fiduciary or a data processor to provide information as per sub-section (1), it must provide a written notice to the data fiduciary or the data processor stating the reasons for such requisition.

(3) The Authority shall specify the manner in which the data fiduciary or data processor shall provide the information sought in sub-section (1), including the designation of the officer or employee of the Authority who may seek such information, time frame within which such information is required to be furnished and the form in which such information may be provided.


64. Power of Authority to conduct inquiry.—

(1) The Authority may conduct an inquiry where it has reasonable grounds to believe that—

(a) the activities of the data fiduciary or data processor are being conducted in a manner which is detrimental to the interest of data principals; or

(b) any data fiduciary or data processor has violated any of the provisions of this Act or the rules prescribed, or the regulations specified, or directions issued by the Authority thereunder.

(2) For the purpose of sub-section (1), the Authority shall, by an order in writing, appoint one of its officers as an Inquiry Officer to inquire into the affairs of such data fiduciary or data processor and to report to the Authority on any inquiry made.

(3) An Inquiry Officer, may wherever necessary, appoint any other person for the purpose of assisting in any inquiry under this section.

(4) The order referred to in sub-section (2) shall also set out the reasons for commencing the inquiry and the scope of the inquiry and may be modified from time to time.

(5) Every officer, employee or other person acting under the direct authority of the data fiduciary or the data processor, or a service provider, or a contractor, where services are being obtained by or provided to the data fiduciary or data processor, as the case may be, shall be bound to produce before the Inquiry Officer directed to make the inquiry, all such books, registers, documents, records and any data in their custody or power and to furnish to the Inquiry Officer any statement and information relating to the affairs of the data fiduciary or data processor as the Inquiry Officer may require within such time as the said Inquiry Officer may specify.

(6) The Inquiry Officer shall undertake the inquiry only after providing a written notice to the persons referred to in sub-section (5) stating the reasons for the inquiry and the relationship between the data fiduciary and the scope of the inquiry.

(7) The Inquiry Officer may keep in its custody any books, registers, documents, records and other data produced under sub-section (5) for six months and thereafter shall return the same to the person by whom or on whose behalf such books, registers, documents, record and data are produced, unless an approval to retain such books, registers, documents, record and data for an additional period not exceeding three months has been obtained from the Authority.

(8) Without prejudice to any other power set out in this Act or under any other law, any Inquiry Officer directed to make an inquiry may examine on oath, any officer, employee or other person acting under the direct authority of the data fiduciary or the data processor, or a service provider, or a contractor where services are being obtained by or provided to the data fiduciary or data processor, as the case may be, in relation to the business or activity of the data fiduciary or data processor.


65. Action to be taken by Authority pursuant to an inquiry.—

(1) On receipt of a report under sub-section (2) of section 64, the Authority may, after giving such opportunity to the data fiduciary or data processor to make a representation in connection with the report as the Authority deems reasonable, by an order in writing—

(a) issue a warning to the data fiduciary or data processor where the business or activity is likely to violate the provisions of this Act;

(b) issue a reprimand to the data fiduciary or data processor where the business or activity has violated the provisions of this Act;

(c) require the data fiduciary or data processor to cease and desist from committing or causing any violation of the provisions of this Act;

(d) require the data fiduciary or data processor to modify its business or activity to bring it in compliance with the provisions of this Act;

(e) temporarily suspend or discontinue business or activity of the data fiduciary or data processor which is in contravention of the provisions of this Act;

(f) vary, suspend or cancel any registration granted by the Authority in case of a significant data fiduciary;

(g) suspend or discontinue any cross-border flow of personal data; or

(h) require the data fiduciary or data processor to take any such action in respect of any matter arising out of the report as the Authority may think fit.

(2) A data fiduciary or data processor aggrieved by an order made under this section by the Authority may prefer an appeal to the Appellate Tribunal.


66. Search and Seizure.—

(1) Where the Authority has reasonable grounds to believe that—

(a) any person who has been required under sub-section (5) of section 64 to produce, or cause to be produced, any books, registers, documents, records or data in her custody or power is likely to omit or fail, or has omitted or failed, to do so; or

(b) any books, registers, documents, records or data belonging to any person as mentioned in clause (a) of sub-section (1) are likely to be tampered with, altered, mutilated, manufactured, falsified or destroyed; or

(c) a contravention of any provision of this Act has been committed or is likely to be committed by a data fiduciary,

it may authorise any officer of the Authority not below the rank equivalent to that of a Gazetted Officer of the Central Government (hereinafter referred to as “Authorised Officer”) to—

(i) enter and search any building or place where she has reason to suspect that such books, registers, documents, records or data are kept;

(ii) break open the lock of any box, locker, safe, almirah or other receptacle for exercising the powers conferred by clause (i) where the keys thereof are not available;

(iii) access any computer, computer resource, or any other device containing or suspected to be containing data;

(iv) seize all or any such books, registers, documents, records or data found as a result of such search;

(v) place marks of identification on such books, registers, documents, records or databases or make extracts or copies of the same.

(2) The Authorised Officer may requisition the services of any police officer or of any officer of the Central Government, or of both, as the case may be, for assistance related to any of the purposes specified in sub-section (1) and it shall be the duty of every such police officer or officer to comply with such requisition.

(3) The Authorised Officer may, where it is not practicable to seize any such book, register, document, record or data specified in sub-section (1), serve an order on the person who is in immediate possession or control thereof that such person shall not remove, part with or otherwise deal with it except with the previous permission of such officer and such officer may take such steps as may be necessary for ensuring compliance with this sub-section.

(4) The Authorised Officer may, during the course of the search or seizure, examine on oath any person who is found to be in possession or control of any books, registers, documents, records or data, and any statement made by such person during such examination may thereafter be used in evidence in any proceeding under this Act.

(5) The books, registers, documents, records or data seized under sub-section (1) shall not be retained by the Authorised Officer for a period exceeding six months from the date of the seizure unless the reasons for retaining the same are recorded by her in writing and the approval of the Authority for such retention is obtained.

(6) The Authority shall not authorise the retention of the books, registers, documents, records or data for a period exceeding thirty days after all the proceedings under this Act, for which the said books, registers, documents, records or data are relevant, are completed.

(7) The person from whose custody the books, registers, documents, records or data are seized under sub-section (1) may make copies thereof, or take extracts therefrom, in the presence of the Authorised Officer or any other person appointed by her in this behalf at such place and time as the Authorised Officer may designate in this behalf.

(8) If a person legally entitled to the books, registers, documents, records or data seized under sub-section (1) objects for any reason to the approval given by the Authority under sub-section (5) such person may make an application to the Appellate Tribunal stating therein the reason for such objection and requesting for the return of the books, registers, documents, records or data.

(9) On receipt of the application under sub-section (8), the Appellate Tribunal may, after giving the parties an opportunity of being heard, pass such order as it thinks fit including any order prohibiting the destruction or alteration of such books, registers, documents, records or data.

(10) The provisions of the Code of Criminal Procedure, 1973 (2 of 1974) relating to searches and seizures shall apply, so far as may be, to every search and seizure made under sub-section (1).

(11) Without prejudice to the generality of the foregoing, rules may be prescribed in relation to the process for search and seizure under this section and in particular may provide for—

(a) obtaining ingress into such building or place to be searched where free ingress thereto is not available;

(b) obtaining access to a computer, computer resource, or any other device containing or suspected to be containing data, where such access is not available;

(c) ensuring safe custody of any books, registers, documents, records or data seized under this section.


67. Coordination between Authority and other regulators or authorities.—

Where any action proposed to be taken by the Authority under this Act is such that any other regulator or authority constituted under a law made by Parliament or the State legislature may also have concurrent jurisdiction, the Authority shall consult such other regulator or authority before taking such action and may also enter into a memorandum of understanding with such other regulator or authority governing the coordination of such actions.


68. Appointment of Adjudicating Officer.—

(1) Without prejudice to any other provision of this Act and for the purpose of imposing of penalties under section 69 to section 73 or awarding compensation under section 75, the Authority shall have a separate adjudication wing.

(2) The Central Government shall, having regard to the need to ensure the operational segregation, independence, and neutrality of the adjudication wing, prescribe—

(a) number of Adjudicating Officers;

(b) qualification of Adjudicating Officers;

(c) manner and terms of appointment of Adjudicating Officers ensuring independence of such officers;

(d) jurisdiction of Adjudicating Officers;

(e) procedure for carrying out an adjudication under this Act; and

(f) other such requirements as the Central Government may deem fit.

(3) The Adjudicating Officers shall be persons of ability, integrity and standing, and must have specialized knowledge of, and not less than seven years professional experience in the fields of constitutional law, cyber and internet laws, information technology law and policy, data protection and related subjects.