Personal Data Protection Act 2018 of India

Memorandum Regarding Delegated Legislation

1. Clause 93 of the Personal Data Protection Bill 2019 seeks to empower the Central Government to make rules for—

(a) categorization of sensitive personal data under section 15;
(b) verification of the age of child under sub-section (3) of section (3);
(c) the form and manner in which an application to enforce the right to be forgotten can be exercised under sub-section (2) of section 20 and the manner of review of order passed by the Adjudicating Officer under sub-section (4) of section 20;
(d) the methods of voluntary identification to identify users of social media under sub-section (3) and the identifying mark of verification of a voluntarily verified user under sub-section (4) of section 28;
(e) the manner in which a complaint regarding grievance redressal may be filed under sub-section (4) of section 32 ;
(f) the entity or class of entity in a country, or international organisations to which transfers may be permitted under clause (b) of sub-section (1) of section 34;
g) the place of head office of the Authority under sub-section (3) of section 41;
(h) procedure to be followed by the Selection Committee under sub-section (3) of section 42;
(i) the salaries and allowances payable to, and other terms and conditions of service of the Chairperson and the Members of the Authority under sub-section (2) of section 43;
(j) the procedure for conducting any inquiry under sub-section (2) of section 44;
(k) the time and place for, and the rules and procedures in regard to, transaction of business at the meetings of the Authority under sub-section (1) of section 46;
(l) other functions of the Authority under clause (o) of sub-section (2) of section 49;
(m) the procedure of issuance of a code of practice under sub-section (4), the manner in which the Authority may review, modify or revoke a code of practice under sub-section (7), of section 50;
(n) other matters under clause (e) of sub-section (8) of section 53 in respect of which the Authority shall have powers;
(o) the number of Adjudicating Officers, manner and terms of their appointment, their jurisdiction and other requirements under sub-section (2) of section 62;
(p) the manner in which the Adjudicating Officer shall conduct an inquiry under sub-section (1) of section 63;
(q) the form and manner of making a complaint under sub-section (2), and the procedure for hearing of a complaint under sub-section (8) of section 64;
(r) the manner of appointment, term of office, salaries and allowances, resignation, removal and the other terms and conditions of service of the Chairperson and any member of the Appellate Tribunal under sub-section (2) of section 68;
(s) the procedure of filling of vacancies in the Appellate Tribunal under section 69;
(t) the salaries and allowances and other conditions of service of the officers and employees of the Appellate Tribunal under sub-section (3) of section 70;
(u) the form, manner and fee for filing an appeal or application, as the case may be, with the Appellate Tribunal under sub-section (1) of section 72;
(v) other matters under clause (i) of sub-section (2) of section 73 in respect of powers of the Appellate Tribunal;
(w) the form of accounts, other relevant records and annual statement of accounts under sub-section (1), the intervals at which the accounts of the Authority shall be audited under sub-section (2) of section 80;
(x) the time in which and the form and manner in which the returns, statements, and particulars are to be furnished to the Central Government under sub-section (1) and annual report under sub-section (2) of section 81;
(y) the manner in which the Central Government may issue a direction, including the specific purposes for which data is sought under sub-section (2) and the form of disclosure of such directions under sub-section (3) of section 91;
(z) any other matter which is required to be, or may be, prescribed, or in respect of which provision is to be made, by rules.

2. Clause 94 of the Bill empowers the Authority, with the previous approval of the Central Government, by notification, to make regulations consistent with the provisions of the Act and the rules made thereunder to provide for—

(a) information required to be provided by the data fiduciary to the data principal in its notice under clause (n) of sub-section (1) of section 7;
(b) manner in which the personal data retained by the data fiduciary must be deleted under sub-section (4) of section 9;
(c) the safeguards for protecting the rights of data
principals under sub-section (3) of section 14;
(d) the additional safeguards or restrictions under sub-section (2) of section 15;
(e) the manner of obtaining consent of the parent or guardian of a child under sub-section (2), the manner of verification of age of a child under sub-section (3), application of provision in modified form to data fiduciaries offering counselling or child protection services under sub-section (6) of section 16;
(f) the period within which a data fiduciary must acknowledge the receipt of request under sub-section (1), the fee to be charged under sub-section (2), the period within which request is to be complied with under sub-section (3), and the manner and the period within which a data principal may file a complaint under sub-section (4) of section 21;
(g) the manner for submission of privacy by design policy under sub-section (2) of section 22;
(h) the manner and the technical, operation, financial and other conditions for registration of the consent manager and its compliance under sub-section (5) of section 23;
(i) the manner of registration of significant data fiduciaries under sub-section (2) of section 26;
(j) the circumstances or classes of data fiduciaries or processing operations where data protection impact assessments shall be mandatory and instances where data auditor shall be appointed under sub-section (2), and the manner in which data protection officer shall review the data protection impact assessment and submit to the Authority under sub-section (4) of section 27;
(k) the form and manner for maintaining the records, and any other aspect of processing for which records shall be maintained under sub-section (1) of section 28;
(l) the other factors to be taken into consideration under clause (g) of sub-section (2); the form and procedure for conducting audits under sub-section (3); the manner of registration of auditors under sub-section (4); criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 29;
(m) the qualification and experience of a data protection officer under sub-section (1) of section 30;
(n) the period within which transfer of personal data shall be notified to the Authority under sub-section (3) of section 34; (o) the provisions of the Act and the class of research, archival or statistical purposes which may be exempted under section 38; (p) the remuneration, salary or allowances and other terms and conditions of service of such officers, employees, consultants and experts under sub-section (2) of section 48;
(q) the code of practice under sub-section (1) of section 50;
(r) the form and manner for providing information to the Authority by the data fiduciary under sub-section (3) of section 52; and
(s) any other matter which is required to be, or may be specified, or in respect of which provision is to be or may be made by regulations.

3. The matters in respect of which the aforementioned rules and regulations may be made are matters of procedure and administrative detail, and as such, it is not practicable to provide for them in the proposed Bill itself. The delegation of legislative power is, therefore, of a normal character.