Notes on Clauses
Clause 1.—This clause seeks to provide for
short title and commencement of the Act.
Clause 2.—This clause seeks to clarify the application of the Act with
regard to personal data of Indians and save for clause 91 would not be
applicable to processing of anonymised data.
Clause 3.- This clause seeks to define certain expressions occurring in the
Act.
Clause 4.—This clause seeks to prohibit processing of personal data
without any
specific, clear and lawful purpose.
Clause 5.—This clause seeks to limit the processing of personal data to the
purpose consented to by the data principal or which is incidental or
connected thereto.
Clause 6.—This clause seeks to lay down limitation on collection of personal
data specifying that it should be only to the extent that is necessary.
Clause 7.—This clause seeks to lay down the requirement of notice for
collection or processing of personal data and lists the various types of
information that should be contained in the notice given to the data
principal.
Clause 8.—This clause seeks to lay down that the data fiduciary should
ensure the quality of the personal data processed.
Clause 9.—This clause seeks to lay down restriction on retention of personal
data beyond what is necessary.
Clause 10.—This clause seeks to lay down the responsibility for complying
with the provisions of this Act on the data fiduciary.
Clause 11.—This clause seeks to expound the various aspects of consent which
are necessary for processing of personal data.
Clause 12.—This clause seeks to list out certain cases which provide for
processing of personal data without consent.
Clause 13.—This clause seeks to provide for processing of personal data
necessary for purposes related to employment.
Clause 14.—This clause seeks to provide for other reasonable purposes for
which personal data may be processed.
Clause 15.—This clause seeks to provide for categorisation of personal data
as sensitive personal data and lists out criteria for such categorisation.
Clause 16.—This clause seeks to provide for obligations on data fiduciaries
who processed personal data of children.
Clause 17.—This clause seeks to provide the data principal with the right to
confirmation and access to his personal data.
Clause 18.—This clause seeks to provide the data principal with a right to
correct and erase his personal data.
Clause 19.—This clause seeks to provide the data principal the right to port
personal data to any data fiduciary.
Clause 20.—This clause seeks to provide the data principal the right to be
forgotten.
Clause 21.—This clause seeks to lay down the general conditions for the
exercise of the rights in clauses 17 to 20.
Clause 22.—This clause seeks to list out the constituents of privacy by
design policy.
Clause 23.—This clause seeks to require transparency in processing of
personal data by requiring the fiduciary to inform the data principal and
making information available.
Clause 24.—This clause seeks to require the data fiduciary to implement
necessary security safeguards.
Clause 25.—This clause seeks to require the data fiduciary to report to the
Authority about breach of any personal data.
Clause 26.—This clause seeks to provide for classification of certain data
fiduciaries as significant data fiduciaries including certain social media
intermediaries.
Clause 27.—This clause seeks to require significant data fiduciaries to
undertake data protection impact assessment.
Clause 28.—This clause seeks to require significant data fiduciaries to
maintain accurate and up-to-date records, including requiring significant
social media intermediaries to provide for voluntary verification mechanism.
Clause 29.—This clause seeks to require significant data fiduciaries to have
their policies and conduct audited by data auditors.
Clause 30.—This clause seeks to require significant data fiduciaries to
appoint a Data
Protection Officer.
Clause 31.—This clause seeks to require data fiduciaries to ensure a
contract for processing by other data processors.
Clause 32.—This clause seeks to require every data fiduciary to have a
grievance redressal mechanism.
Clause 33.—This clause seeks to prohibit processing of sensitive personal
data and critical personal data outside India.
Clause 34.—This clause seeks to list out conditions under which sensitive
personal data and critical personal data could be transferred outside India.
Clause 35.—This clause seeks to empower the Central Government to exempt any
agency of the Government from application of the Act.
Clause 36.—This clause seeks to provide for exemption of certain provisions
of the
Act for certain processing of personal data.
Clause 37.—This clause seeks to clarify that the Government could exempt
certain data processors who are processing data of foreigners, from the
application of this Act.
Clause 38.—This clause seeks to provide for exemption when personal data is
processed for research, archival or statistical purposes.
Clause 39.—This clause seeks to provide for exemption for small entities who
are engaged in manual processing of personal data.
Clause 40.—This clause seeks to provide for a Sandbox which can facilitate
new ideas and approaches without any regulatory violations.
Clause 41.—This clause seeks to establish a regulator namely the Data
Protection
Authority of India (the Authority).
Clause 42—This clause seeks to lift the compositions and qualifications for
appointment of Chairperson and Members of the Authority and their method of
selection.
Clause 43.—This clause seeks to list the terms and conditions of appointment
for the
Chairperson and Members of the Authority.
Clause 44.—This clause seeks to list the conditions under which a
Chairperson or other Members of the Authority can be removed.
Clause 45.—This clause seeks to lay down that the powers of the Authority
rests with the Chairperson
Clause 46.—This clause seeks to provide for the matters relating to meetings
of the
Authority.
Clause 47.—This clause seeks to provide that the proceedings of the
Authority would not be invalidated due to vacancy, procedural irregularity,
etc.
Clause 48.—This clause seeks to empower the Authority to appoint officers
and other employees.
Clause 49.—This clause seeks to list the powers and functions of the
Authority.
Clause 50.—This clause seeks to require the Authority to specify codes of
practice to promote good practices of data protection.
Clause 51.—This clause seeks to empower the Authority to issue directions to
any data fiduciary for the discharge of its functions.
Clause 52.—This clause seeks to empower the Authority to call for
information from any data fiduciary
Clause 53.—This clause seeks to empower the Authority to conduct an inquiry
into the affairs of a data fiduciary.
Clause 54.- This clause seeks to list out various actions that can be taken
by the
Authority pursuant to an inquiry
Clause 55.—This clause seeks to empower the Inquiry Officer of the Authority
to order for search and seizure of documents, records, etc.
Clause 56.—This clause seeks to provide for coordination between the
Authority and other regulators.
Clause 57.—This clause seeks to list out penalties for contravening certain
provisions of the Act.
Clause 58.—This clause seeks to list out penalties for failure to comply
with request made by data principal.
Clause 59.—This clause seeks to list out penalty for failure of the data
fiduciary to furnish report, return, information to the Authority.
Clause 60.—This clause seeks to list out penalty for failure of the data
fiduciary to comply with direction or order issued by the Authority.
Clause 61.—This clause seeks to list out penalty for contravention of any
provision of this Act or rules or regulations made thereunder for which no
separate penalty has been provided.
Clause 62.—This clause seeks to provide for appointment of Adjudicating
Officer for adjudging penalties.
Clause 63.—This clause seeks to lay down the procedure for adjudication by
Adjudicating Officer.
Clause 64—This clause seeks to provide for data principal's right to seek
compensation from the data fiduciary in case of suffering harm.
Clause 65.—This clause seeks to ensure that compensation or penalties under
this
Act would not interfere with any other penalty or punishment.
Clause 66.—This clause seeks to lay down that penalties or compensation
awarded under this Act may be recovered as arrear of land revenue.
Clause 67.—This clause seeks to lay down provisions relating to
establishment of
Appellate Tribunal.
Clause 68.—This clause seeks to list out qualifications, appointment, term,
conditions of service of Chairperson and Members of Appellate Tribunal.
Clause 69.—This clause seeks to provide for filling up vacancies in the
office of
Chairperson and Members of Appellate Tribunal.
Clause 70.—This clause seeks to provide for staffing of Appellate Tribunal.
Clause 71.—This clause seeks to provide for distribution of business to
different benches of the Appellate Tribunal.
Clause 72.—This clause seeks to provide for appeal to the Appellate Tribunal
against any decision of the Authority.
Clause 73.—This clause seeks to lay down the procedure and powers of the
Appellate
Tribunal.
Clause 74.—This clause seeks to provide that the Appellate Tribunal shall
have all the powers of a civil court.
Clause 75.—This clause seeks to provide for an appeal to the Supreme Court
against any order of the Appellate Tribunal.
Clause 76.—This clause seeks to provide for the applicant or appellant to
appear in person or authorise legal representative.
Clause 77.—This clause seeks to lay down that no civil court would have
jurisdiction to entertain any suit on any matter which falls within the
ambit of Appellate Tribunal.
Clause 78.—This clause seeks to provide for the Central Government to make
grants to the Authority.
Clause 79. —This clause seeks to provide for constitution of the Data
Protection
Authority Fund.
Clause 80.—This clause seeks to require the Authority to maintain proper
accounts which are to be audited by the Comptroller and Auditor-General of
India.
Clause 81.—This clause seeks to require the Authority to furnish returns,
statements, etc., to the Central Government.
Clause 82.—This clause seeks to list out punishment for the offence of
reidentifying of deidentified personal data.
Clause 83.—This clause seeks to lays out that offence in Clause 82 to be
cognizable and non-bailable.
Clause 84.—This clause seeks to list out provisions relating to commission
of offence by companies.
Clause 85.—This clause seeks to list out provisions relating to commission
of offence by any State Government or Central Government Department or
agency.
Clause 86.—This clause seeks to empower the Central Government to issue
directions to the Authority.
Clause 87.—This clause seeks to deem Members, officers etc. of the Authority
to be public servants when acting pursuant to any provisions of the Act.
Clause 88.—This clause seeks to protect the Authority, Member, employee in
case of action done under this Act in good faith.
Clause 89.—This clause seeks to exempts Authority from tax on income in
respect of its income, profits.
Clause 90.—This clause seeks to empower the Authority to delegate its powers
or functions to any Member or officer.
Clause 91.—This clause seeks to empower the Central Government to frame
policies for digital economy in respect of non-personal data.
Clause 92.—This clause seeks to ban processing of certain forms of biometric
data unless permitted by law.
Clause 93.—This clause seeks to empowers the Central Government to make
rules to carry out the provisions of the Act.
Clause 94.—This clause seeks to empowers the Authority to make regulations
consistent with the Act and rules made there under.
Clause 95.—This clause seeks to require that rules and regulations made
under this
Act are to be laid before the Parliament.
Clause 96.—This clause seeks to provide for the overriding effect of this
Act notwithstanding anything inconsistent with any other law.
Clause 97.—This clause seeks to provide for power of Central Government to
remove difficulties.
Clause 98.—This clause seeks to provide for related amendments to the
Informations
Technology Act, 2000.