The Data Protection Bill 2021

Section

CHAPTER XIV
MISCELLANEOUS

87
Power of Central Government to issue directions.


(1) The Central Government may, from time to time, issue to the Authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order.

(2) Without prejudice to the foregoing provisions of this Act, the Authority shall, in exercise of its powers or the performance of its functions under this Act, be bound by such directions (***) as the Central Government may give in writing to it from time to time:
Provided that the Authority shall, as far as practicable, be given an opportunity to express its views before any direction is given under this sub-section.
(3) (***)
 

88

Members, etc., to be public servants.


 The Chairperson, Members, officers and employees of the Authority and the Appellate Tribunal shall be deemed, when acting or purporting to act in pursuance of any of the provisions of this Act, to be public servants within the meaning of section 21 of the Indian Penal Code.(45 of 1860.)
 

89 Protection of action taken in good faith.


.No suit, prosecution or other legal proceedings shall lie against the Authority or its Chairperson, Member, employee or officer for anything which is (***) in good faith doneor intended to be done under this Act, or the rules (***) or (***) regulations (***) made thereunder.
 

90 Exemption from tax on income.

Notwithstanding anything contained in the Income Tax Act, 1961(43 of 1961.) or any other enactment for the time being in force relating to tax on income, profits or gains, as the case may be, the Authority shall not be liable to pay income tax or any other tax in respect of its income, profits or gains derived.

 

91 Delegation.

The Authority may, by general or special order in writing delegate to any Member or officer of the Authority subject to such conditions, if any, as may be specified in the order, such of its powers and functions under this Act, except the powers to make regulations under section 95, as it may deem necessary.
 

92 Act to promote framing of policies for digital economy, etc..

(1) Nothing in this Act shall prevent the Central Government from framing (***) any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse,(***) and handling of non personal data including anonymised personal data.

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.
Explanation.-(***)
(3) The Central Government shall disclose annually the directions, made by it under sub-section (2), in such form as may be prescribed and such disclosure shall be included in its Annual Report which shall be laid before each House of Parliament.

93 Bar on processing certain forms of biometric data.

(***) Any data fiduciary shall not process such biometric data as may be (***) prescribed, unless such processing is permitted by law.
 

94 Power to make rules.

(1)The Central Government may, by notification and subject to the condition of previous publication, make rules, not inconsistent with the provisions of this Act, to carry out the (***) purposes of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:—
 

(a) (***) any other harm under sub-clause (xii) of clause (23) of section 2;
(b) the manner in which a data fiduciary can share, transfer or transmit the personal data to any person as part of any business transaction under sub-section (4) of section 8;
(c) the other factors to be taken into consideration under clause (d) of sub-section (3) of section 16;
(d) the form and manner in which an application may be made to exercise the right under sub-section (2), and the manner of review of the order passed by the Adjudicating Officer under sub-section (4) of section 20;
(e) the steps to be taken by the Authority in case of breach of non-personal data under sub-section (6) of section 25;
(f) the threshold with respect to users of social media platform under sub-clause (i) of clause (f) of sub-section (1) and different thresholds for different classes of social media platforms under the proviso to clause (f) of sub-section (1) of section 26;
(g) the (***) manner of voluntary (***) verification of the accounts of the users of social media platform under sub-section (3) and the identifying mark of verification of a voluntarily verified user under sub-section (4) of section 28;
(h) (***) the manner of registration of data auditors under sub-section (4) of section 29;
(i) the qualifications and experience of data protection officer and other personnel to be included under the expression “key managerial personnel” under sub-section (1) of section 30;
(j) the entity or class of (***) entities in a country, or international organisations to which transfers may be permitted under clause (b) of sub-section (1) of section 34;
(k) the place of head office of the Authority under sub-section (3) of section 41;
(l) the procedure to be followed by the selection committee under sub-section (3) of section 42;
(m) the salaries and allowances payable to, and other terms and conditions of service of the Chairperson and the Members of the Authority under sub-section (2) of section 43;
(n) the time and place for, and the rules and procedures in regard to transaction of business at the meetings (including quorum) of the Authority under sub-section (1) of section 46;
(o) other functions of the Authority under clause (p) of sub-section (2) of section 49;
(p) the procedure of issuance of a code of practice under sub-section (4), the manner in which the Authority may review, modify or revoke a code of practice under sub-section (7), of section 50;
(q) other matters under clause (e) of sub-section (8) of section 53 in respect of which the Authority shall have powers;
(r) the penalties for contravening of certain provisions of this Act by data fiduciaries including by State under sub-sections (1), (2) and (3) of section 57;
(s) the form, manner and the period for filing an application for compensation under sub-section (2) of section 62;
(t) the number of Adjudicating Officers, manner and terms of their appointment, their jurisdiction and other requirements under sub-section (2) and the qualifications and the experience of such Adjudicating Officers under sub-section (3)of section 63;
(u) the manner in which the Adjudicating Officer shall conduct an inquiry under sub-section (1) of section 64;
(v) the form and manner of making an application(***) and the procedure for hearing of (***) an application under sub-section (7) of section 65;
(w) the manner of appointment, term of office, salaries and allowances, resignation, removal and the other terms and conditions of service of the Chairperson and any Member of the Appellate Tribunal under sub-section (2) of section 69;
(x)the procedure of filling of vacancies in the Appellate Tribunal under section 70;
(y) the salaries and allowances and other conditions of service of the officers and employees of the Appellate Tribunal under sub-section (3) of section 71;
(z) the form, manner and fee for filing an appeal (***) with the Appellate Tribunal under sub-section (1) of section 73;
(za) other matters under clause (i) of sub-section (2) of section 74 in respect of powers of the Appellate Tribunal;
(zb) the form of accounts, other relevant records and annual statement of accounts under sub-section (1), the intervals at which the accounts of the Authority shall be audited under sub-section (2) of section 81;
(zc) the time, (***) the form and manner in which the returns, statements, and particulars are to be furnished to the
Central Government under sub-section (1), and annual report under sub-section (2) of section 82;
(zd) the manner in which the Central Government may issue a direction, including the specific purposes for which data is sought under sub-section (2) and the form of disclosure of such directions under sub-section (3) of section 92;
(ze) the details of biometric data not to be processed under section 93;
(zf) any other matter which is required to be, or may be prescribed, or in respect of which provision is to be made, by rules.

95 Power to make regulations.

(1) The Authority may, by notification and subject to the condition of previous publication, make regulations, not inconsistent with the provisions of this Act and the rules made thereunder, to carry out the (***) purposes of this Act.

(2) In particular and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:—
 

(a) any other information required to be provided by the data fiduciary to the data principal in its notice under clause (n) of sub-section (1) of section 7;
(b) the manner in which the personal data retained by the data fiduciary must be deleted under sub-section (4) of section 9;
(c) the reasonable purposes under sub-section (1) and the safeguards for protecting the rights of data principals under sub-section (3) of section 14;
(d) the additional safeguards or restrictions under sub-section (2) of section 15;
(e) the manner of obtaining consent of the parent or guardian of a child (***) and the manner of verification of age of a child under sub-section (2), application of provision in modified form to data fiduciaries offering counselling or child protection services under sub-section (5) of section 16;
(f) the manner in which the data principal shall have the right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of
239
personal data shared with them under sub-section (3) of section 17;
(g) the conditions and the manner in which the data principal shall have the right to correction and erasure of the personal data under section 18;
(h) the manner for determining the compliance which would not be technically feasible for non-application of the provisions of sub-section (1) under clause (b) of sub-section (2) of section 19;
(i) the period within which a data fiduciary must acknowledge the receipt of request under sub-section (1), the fee to be charged under sub-section (2),the period within which request is to be complied with under sub-section (3), and the manner and the period within which a data principal may file a complaint under sub-section (4) of section 21;
(j) the conditions under which the data fiduciary shall oblige to comply with the request made by the data principal under sub-section (5) of section 21;
(k) the manner and the period for submission of privacy by design policy under sub-section (2) of section 22;
(l) the form and manner for making the information available, any other information to be maintained by the data fiduciary under sub-section (1) and the manner of notifying the important operations in the processing of personal data related to data principal under sub-section (2) of section 23;
(m) the manner and the technical, operational, financial and other conditions for registration of the Consent Manager (***) under sub-section (5) of section 23;
(n) the manner of review of security safeguards periodically by data fiduciary or data processor under sub-section (2) of section 24;
(o) the form of notice under sub-section (2) of section 25;
(p) the manner of registration of significant data fiduciaries under sub-section (2) of section 26;
(q) the circumstances or class(***) of data fiduciaries or processing operations where data protection impact
assessments shall be mandatory and instances where data auditor shall be (***) engaged under sub-section (2), (***) the manner in which data protection officer shall review the data protection impact assessment and submit to the Authority under sub-section (4) of section 27(***)and the conditions for processing under sub-section (5) of section 27;
(r) the form and manner for maintaining the records, and any other aspect of processing for which records shall be maintained under sub-section (1) of section 28;
(s) the other factors to be taken into consideration under clause (g) of sub-section (2); the form and procedure for conducting audits under sub-section (3); (***) criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 29;
(t) the period within which transfer of personal data shall be notified to the Authority under sub-section (3) of section 34;
(u) the provisions of the Act and the class of research, archiving or statistical purposes which may be exempted under section 38;
(v) the manner of inclusion by the data fiduciary for inclusion in the Sandbox under sub-section (2) and any other information required to be included in the Sandbox by the data fiduciary under clause (d) of sub-section (3) of section 40;
(w) the remuneration, salary or allowances and other terms and conditions of service of such officers, employees, consultants and experts under sub-section (2) of section 48;
(x) the code of practice under sub-section (1) of section 50;
(y) the manner, period and form(***) for providing information to the Authority by the data fiduciary or data processor under sub-section (3) of section 52;
(z) the place and time for discovery and production of books of account, data and other documents to the Authority or Inquiry Officer under clause (a) of sub-section (8) of section 53;
(za) the period and the manner of filing a complaint by the data principal before the Authority under sub-section (1) of section 62;
(zb) any other matter which is required to be, or may be specified, or in respect of which provision is to be or may be made by regulations.

96 Rules (***), regulations and notification to be laid before Parliament.

Every rule and regulation made under this Act and notification issued under sub-section (4) of section 68 shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or regulation or notification or both Houses agree that the rule or regulation or notification should not be made, the rule or regulation or notification shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule or regulation or notification.

97 Overriding effect of this Act.

Save as otherwise provided in this Act, the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force or any instrument having effect by virtue of any such law (***).

98 Power to remove difficulties.

(1)If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order, published in the Official Gazette, make such provisions not inconsistent with the provisions of this Act as may appear to it to be necessary or expedient for removing the difficulty:

Provided that no such order shall be made under this section after the expiry of five years from the date of commencement of this Act.
(2)Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.

 

99

Amendment of Act 21 of 2000.

The Information Technology Act, 2000 shall be amended in the manner specified in the Schedule to this Act.