CHAPTER IX
DATA PROTECTION AUTHORITY OF INDIA
41. Establishment of Authority.
(1) The Central Government shall, by
notification, establish, for the purposes of this Act, an Authority to
be called the Data Protection Authority of India.
(2) The Authority referred to in sub-section (1) shall be a body
corporate by the name aforesaid, having perpetual succession and a
common seal, with power, subject to the provisions of this Act, to
acquire, hold and dispose of property, both movable and immovable, and
to contract and shall, by the said name, sue or be sued.
(3) The head office of the Authority shall be at such place as may be
prescribed.
(4) The Authority may, with the prior approval of the Central
Government, establish its offices at other places in India.
42. Composition and qualifications for appointment of Members.
(1) The Authority shall consist of a Chairperson and not more than six
whole-time Members, of which one shall be a person having qualification
and experience in law.
(2) The Chairperson and the Members of the Authority shall be appointed
by the Central Government on the recommendation made by a selection
committee consisting of—
(a) the Cabinet Secretary, who shall be Chairperson of the selection committee;
(b) the Secretary to the Government of India in the Ministry or
Department dealing with the Legal Affairs; and
(c) the Secretary to the Government of India in the Ministry or
Department dealing with the Electronics and Information Technology.
(3) The procedure to be followed by the Selection Committee for
recommending the names under sub-section (2) shall be such as may be
prescribed.
(4) The Chairperson and the Members of the Authority shall be persons of
ability, integrity and standing, and shall have qualification and
specialised knowledge and experience of, and not less than ten years in,
the field of data protection, information technology, data management,
data science, data security, cyber and internet laws, public
administration, national security or related subjects.
(5) A vacancy caused to the office of the Chairperson or any other
member of the Authority shall be filled up within a period of three
months from the date on which such vacancy occurs.
43. Terms and conditions of appointment.
(1) The Chairperson and the Members of the Authority shall be appointed
for a term of five years or till they attain the age of sixty-five
years, whichever is earlier, and they
shall not be eligible for re-appointment.
(2) The salaries and allowances payable to, and other terms and
conditions of service of the Chairperson and the Members of the
Authority shall be such as may be prescribed.
(3) The Chairperson and the Members shall not, during their term and for
a period of two years from the date on which they cease to hold office,
accept—
(a) any employment either under the Central Government or under any
State Government; or
(b) any appointment, in any capacity whatsoever, with a significant data
fiduciary.
(4) Notwithstanding anything contained in sub-section (1), the
Chairperson or a Member of the Authority may—
(a) relinquish his office by giving in writing to the Central Government
a notice of not less than three months; or
(b) be removed from his office in accordance with the provisions of this
Act.
44. Removal of Chairperson or other Members.
(1) The Central Government may remove from office, the Chairperson or any Member of the Authority who—
(a) has been adjudged as an insolvent;
(b) has become physically or mentally incapable of acting as a
Chairperson or member;
(c) has been convicted of an offence, which in the opinion of the
Central Government, involves moral turpitude;
(d) has so abused their position as to render their continuation in
office detrimental to the public interest; or
(e) has acquired such financial or other interest as is likely to affect
prejudicially their functions as a Chairperson or a member.
(2) No Chairperson or any member of the Authority shall be removed under clause (d) or (e) of sub-section (1) unless he has been given a reasonable opportunity of being heard.
45. Powers of Chairperson.
The Chairperson of the Authority shall have powers of general
superintendence and direction of the affairs of the Authority and shall
also exercise all powers and do all such acts and things which may be
exercised or done by the Authority under this Act.
46. Meetings of Authority.
(1) The Chairperson and Members of the Authority shall meet at such
times and places and shall observe such rules and procedures in regard
to transaction of business at its meetings including quorum at such
meetings, as may be prescribed.
(2) If, for any reason, the Chairperson is unable to attend any meeting
of the Authority, any other member chosen by the Members present at the
meeting shall preside over the meeting.
(3) All questions which come up before any meeting of the Authority
shall be decided by a majority of votes of the Members present and
voting, and in the event of an equality of votes, the Chairperson or in
his absence, the member presiding, shall have the right to exercise a
second or casting vote.
(4) Any Member who has any direct or indirect pecuniary interest in any
matter coming up for consideration at a meeting of the Authority shall
disclose the nature of his interest at such meeting, which shall be
recorded in the proceedings of the Authority and such member shall not
take part in any deliberation or decision of the Authority with respect
to that matter.
47. Vacancies, etc., not to invalidate proceedings of Authority.
No act or proceeding of the Authority shall be invalid merely by reason
of—
(a) any vacancy or defect in the constitution of the Authority;
(b) any defect in the appointment of a person as a Chairperson or
member; or
(c) any irregularity in the procedure of the Authority not affecting the
merits of the case.
48. Officers and other employees of Authority.
(1) The Authority may appoint such officers, other employees,
consultants and experts as it may consider necessary for the effective
discharge of its functions under this Act.
(2) Any remuneration, salary or allowances, and other terms and
conditions of service of such officers, employees, consultants and
experts shall be such as may be specified by regulations.
49. Powers and functions of Authority.
(1) It shall be the duty of the Authority to protect the interests of
data principals, prevent any misuse of personal data, ensure compliance
with the provisions of this Act, and promote awareness about data protection.
(2) Without prejudice to the generality of the foregoing and other
functions under this Act, the functions of the Authority shall include—
(a) monitoring and enforcing application of the provisions of this Act;
(b) taking prompt and appropriate action in response to personal data
breach in accordance with the provisions of this Act;
(c) maintaining a database on its website containing names of
significant data fiduciaries along with a rating in the form of a data
trust score indicating compliance with the obligations of this Act by such fiduciaries;
(d) examination of any data audit reports and taking any action pursuant
thereto;
(e) issuance of a certificate of registration to data auditors and
renewal, withdrawal, suspension or cancellation thereof, and maintaining
a database of registered data auditors and specifying the
qualifications, code of conduct, practical training and functions to be
performed by such data auditors;
(f) classification of data fiduciaries;
(g) monitoring cross-border transfer of personal data;
(h) specifying codes of practice;
(i) promoting awareness and understanding of the risks, rules,
safeguards and rights in respect of protection of personal data amongst
data fiduciaries and data principals;
(j) monitoring technological developments and commercial practices that
may affect protection of personal data;
(k) promoting measures and undertaking research for innovation in the
field of protection of personal data;
(l) advising the Central Government, State Governments and any other
authority on measures required to be taken to promote protection of
personal data and ensuring consistency of application and enforcement of
this Act;
(m) specifying fees and other charges for carrying out the purposes of
this Act;
(n) receiving and inquiring into complaints under this Act; and
(o) performing such other functions as may be prescribed.
(3) Where, pursuant to the provisions of this Act, the Authority processes any personal data, it shall be construed as the data fiduciary or the data processor in relation to such personal data as applicable, and where the Authority comes into possession of any information that is treated as confidential by the data fiduciary or data processor, it shall not disclose such information unless required under any law to do so, or where it is required to carry out its function under this section.
50. Codes of practice.
(1) The Authority shall, by regulations, specify codes of practice to
promote good practices of data protection and facilitate compliance with the
obligations under this Act.
(2) Notwithstanding anything contained in sub-section (1), the Authority
may approve any code of practice submitted by an industry or trade
association, an association representing the interest of data
principals, any sectoral regulator or statutory authority, or any
department or ministry of the Central or a State Government.
(3) The Authority shall ensure transparency and compliance with the
obligations of data fiduciary and the rights of the data principal under
this Act while specifying or approving any code of practice under this
section.
(4) A code of practice under sub-section (1) or sub-section (2) shall
not be issued unless the Authority has consulted the sectoral regulators
and other stakeholders, including the public, and has followed such
procedure as may be prescribed.
(5) A code of practice issued under this section shall not derogate from
the provisions of this Act or any other law for the time being in force.
(6) The code of practice under this Act may include the following
matters, namely:—
(a) requirements for notice under section 7 including any model forms or
guidance relating to notice;
(b) measures for ensuring quality of personal data processed under
section 8;
(c) measures pertaining to the retention of personal data under section 9;
(d) manner for obtaining valid consent under section 11;
(e) processing of personal data under section 12;
(f) activities where processing of personal data may be undertaken under
section 14;
(g) processing of sensitive personal data under Chapter III;
(h) processing of personal data under any other ground for processing,
including processing of personal data of children and age-verification
under this Act;
(i) exercise of any right by data principals under Chapter V;
(j) the standards and means by which a data principal may avail the
right to data portability under section 19;
(k) transparency and accountability measures, including the standards
thereof, to be maintained by data fiduciaries and data processors under
Chapter VI;
(l) standards for security safeguards to be maintained by data
fiduciaries and data processors under section 24;
(m) methods of de-identification and anonymisation;
(n) methods of destruction, deletion, or erasure of personal data where
required under this Act;
(o) appropriate action to be taken by the data fiduciary or data
processor in response to a personal data breach under section 25;
(p) manner in which data protection impact assessments may be carried
out by the data fiduciary or a class thereof under section 27;
(q) transfer of personal data outside India pursuant to section 34;
(r) processing of any personal data or sensitive personal data to carry
out any activity necessary for research, archiving or statistical
purposes under section 38; and
(s) any other matter which, in the view of the Authority, may be
necessary to be provided in the code of practice.
(7) The Authority may review, modify or revoke a code of practice issued under this section in such manner as may be prescribed.
51. Power of Authority to issue directions.
(1) The Authority may, for the discharge of its functions under this
Act, issue such directions from time to time as it may consider
necessary to any data fiduciary or data processor, who shall be bound to
comply with such directions.
(2) No direction shall be issued under sub-section (1) unless the
Authority has given a reasonable opportunity of being heard to the data
fiduciary or data processor concerned.
(3) The Authority may, on a representation made to it or on its own
motion, modify, suspend, withdraw or cancel any direction issued under
sub-section (1) and, in doing so, may impose such conditions as it deems
fit, subject to which the modification, suspension, withdrawal or
cancellation shall have effect.
52. Power of Authority to call for information.
(1) Without prejudice to the other provisions of this Act, the Authority may require a data fiduciary or data processor to provide such information as may be reasonably required by it for discharging its functions under this Act.
(2) If the Authority requires a data fiduciary or a data processor to provide any information under sub-section (1), it shall provide a notice in writing to the data fiduciary or the data processor stating the reasons for such requisition.
(3) The Authority shall, by regulations, specify the manner in which the data fiduciary or data processor shall provide the information sought in sub-section (1), including the designation of the officer or employee of the Authority who may seek such information, the period within which such information is to be furnished and the form in which such information may be provided.
53. Power of Authority to conduct inquiry.
(1) The Authority may, on its own or on a complaint received by it,
inquire or cause to be inquired, if it has reasonable grounds to believe
that—
(a) the activities of the data fiduciary or data processor are being
conducted in a manner which is detrimental to the interest of data
principals; or
(b) any data fiduciary or data processor has contravened any of the
provisions of this Act or the rules or regulations made thereunder, or
any direction of the Authority.
(2) For the purposes of sub-section (1), the Authority shall, by an
order in writing, appoint one of its officers as an Inquiry Officer to
inquire into the affairs of such data fiduciary or data processor and to
report to the Authority on any inquiry made.
(3) For the purpose of any inquiry under this section, the Inquiry
Officer may, wherever necessary, seek the assistance of any other
person.
(4) The order referred to in sub-section (2) shall specify the reasons
for the inquiry and the scope of the inquiry and may be modified from
time to time.
(5) Every officer, employee or other person acting under the direct
authority of the data fiduciary or the data processor, or a service
provider, or a contractor, where services are being obtained by or
provided to the data fiduciary or data processor, as the case may be,
shall be bound to produce before the Inquiry Officer, all such books,
registers, documents, records and any data in their custody or power and
to furnish to the Inquiry Officer any statement and information relating
to the affairs of the data fiduciary or data processor as the Inquiry
Officer may require within such time as the said Inquiry Officer may
specify.
(6) The Inquiry Officer shall provide a notice in writing to the persons
referred to in sub-section (5) stating the reasons thereof and the
relationship between the data fiduciary and the Inquiry Officer.
(7) The Inquiry Officer may keep in its custody any books, registers,
documents, records and other data produced under sub-section (5) for six
months and thereafter shall return the same to the person by whom or on
whose behalf such books, registers, documents, record and data are
produced, unless an approval to retain such books, registers, documents,
record and data for an additional period not exceeding three months has
been obtained from the Authority.
(8) Notwithstanding anything contained in any other law for the time
being in force, while exercising the powers under this section, the
Authority or the Inquiry Officer, as the case may be, shall have the
same powers as are vested in a civil court under the Code of Civil
Procedure, 1908 while trying a suit, in respect of the following
matters, namely—
(a) the discovery and production of books of account and other
documents, at such place and at such time as may be specified;
(b) summoning and enforcing the attendance of persons and examining them
on oath;
(c) inspection of any book, document, register or record of any data
fiduciary;
(d) issuing commissions for the examination of witnesses or documents;
and
(e) any other matter which may be prescribed.
54. Action to be taken by Authority pursuant to an inquiry.
(1) On receipt of a report under sub-section (2) of section 53, the
Authority may, after giving such opportunity to the data fiduciary or
data processor to make a representation in connection with the report as
the Authority deems reasonable, by an order in writing—
(a) issue a warning to the data fiduciary or data processor where the
business or activity is likely to violate the provisions of this Act;
(b) issue a reprimand to the data fiduciary or data processor where the
business or activity has violated the provisions of this Act;
(c) require the data fiduciary or data processor to cease and desist
from committing or causing any violation of the provisions of this Act;
(d) require the data fiduciary or data processor to modify its business or activity to bring it in compliance with the provisions of this Act;
(e) temporarily suspend or discontinue business or activity of the data
fiduciary or data processor which is in contravention of the provisions
of this Act;
(f) vary, suspend or cancel any registration granted by the Authority in
case of a significant data fiduciary;
(g) suspend or discontinue any cross-border flow of personal data; or
(h) require the data fiduciary or data processor to take any such action
in respect of any matter arising out of the report as the Authority may
deem fit.
(2) A data fiduciary or data processor aggrieved by an order made under this section may prefer an appeal to the Appellate Tribunal.
55. Search and seizure.
(1) Where in the course of inquiry under section 53, the Inquiry Officer has reasonable ground to believe that any books, registers, documents, records or data belonging to any person as mentioned therein, are likely to be tampered with, altered, mutilated, manufactured, falsified or destroyed, the Inquiry Officer may make an application to such designated court, as may be notified by the Central Government, for an order for the seizure of such books, registers, documents and records.
(2) The Inquiry Officer may require the services of any police officer or any officer of the Central Government, or of both, to assist him for the purposes specified in sub-section (1) and it shall be the duty of every such officer to comply with such requisition.
(3) After considering the application and hearing the Inquiry Officer, if necessary, the designated court may, by order, authorise the Inquiry Officer—
(a) to enter, with such assistance, as may be required, the place or
places where such books, registers, documents and records are kept;
(b) to search that place or those places in the manner specified in the
order; and
(c) to seize books, registers, documents and records it considers
necessary for the purposes of the inquiry.
(4) The Inquiry Officer shall keep in his custody the books, registers,
documents and records seized under this section for such period, not
later than the conclusion of the inquiry, as he considers necessary and
thereafter shall return the same to the person from whose custody or
power they were seized and inform the designated court of such return.
(5) Save as otherwise provided in this section, every search or seizure
made under this section shall be carried out in accordance with the
provisions of the Code of Criminal Procedure, 1973 relating to searches
or seizures made under that Code.
56. Co-ordination between Authority and other regulators or authorities.
Where any action proposed to be taken by the Authority under this Act is
such that any other regulator or authority constituted under a law made
by Parliament or the State legislature may also have concurrent
jurisdiction, the Authority shall consult such other regulator or
authority before taking such action and may also enter into a memorandum
of understanding with such other regulator or authority governing the
coordination of such actions.