The Data Protection Bill 2021

Section

CHAPTER VIII
EXEMPTIONS

35 Power of Central Government to exempt any agency of Government from application of (***) Act.
 

Notwithstanding anything contained in any law for the time being in force, where the Central Government is satisfied that it is necessary or expedient,—

(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,
it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.
Explanation. —For the purposes of this section, —

(i)the term “cognizable offence” means the offence as defined in clause (c) of section 2 of the Code of Criminal Procedure, 1973;(2 of 1974.)
(ii) the expression “processing of such personal data” includes sharing by or sharing with such agency of the Government by any data fiduciary, data processor or data principal; and
(iii) the expression “such procedure” refers to just, fair, reasonable and proportionate procedure.


 

36 Exemption of certain provisions for certain processing of personal data.

 

The provisions of Chapter II (***) to VII, except section 24, shall not apply where—

(a) thepersonal data is processed in the interests of prevention, detection, investigation and prosecution of any offence or (***) contravention of any law for the time being in force;
(b) the disclosure of personal data is necessary for enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding;
(c) theprocessing of personal data by any court or tribunal in India is necessary for the exercise of any judicial function;
(d) the personal data is processed by a natural person for any personal or domestic purpose, except where such processing involves disclosure to the public, or is undertaken in connection with any professional or commercial activity; or
(e) the processing of personal data is necessary for or relevant to a journalistic purpose, by any person and is in compliance withthe rules and regulations made under this Act, (***) code of ethics issued by the Press Council of India, or by any statutory media (***) regulatory organisation.

37 Power of Central Government to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.
 

38 Exemption for research,

Where the processing of personal data is necessary for research, archiving, or statistical purposes, and the Authority is satisfied that—
archiving or statistical purposes.


(a) the compliance with the provisions of this Act shall disproportionately divert resources from such purpose;
(b) the purposes of processing cannot be achieved if the personal data is anonymised;
(c) the data fiduciary has carried out de-identification in accordance with the code of practice specified under section 50 and the purpose of processing can be achieved if the personal data is in de-identified form;
(d) the personal data shall not be used to take any decision specific to or action directed to the data principal; and
(e) the personal data shall not be processed in the manner that gives rise to a risk of significant harm to the data principal,
it may, by notification, exempt such class of research, archiving, or statistical purposes from the application of any of the provisions of this Act as may be specified by regulations.

39 Exemption for (***) non automated processing by small entities.

(1) The provisions of sections 7, 8, 9, clause (c) of sub-section (1) of section 17 and sections 19 to 32 shall not apply where the processing of personal data by a small entity is not automated.

(2) For the purposes of sub-section (1), a “small entity” means such data fiduciary as may be classified, by regulations, by Authority, having regard to—
 

(a) the turnover of data fiduciary in the preceding financial year;
(b) the purpose of collection of personal data for disclosure to any other individuals or entities; and
(c) the volume of personal data processed by such data fiduciary in any one day in the preceding twelve calendar months.

40

Sandbox for encouraging innovation, etc.

(1) The Authority (***) may, for the purposes of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest, create a Sandbox.

(2) Any data fiduciary as well as start-ups whose privacy by design policy is certified by the Authority under sub-section (3) of section 22 shall be eligible to apply, in such manner as may be specified by regulations, for inclusion in the Sandbox created under sub-section (1).
(3) Any data fiduciary applying for inclusion in the Sandbox under sub-section (2) shall furnish the following information, namely:—
 

(a) the term for which it seeks to utilise the benefits of Sandbox, provided that such term shall not exceed twelve months;
(b) the innovative use of technology and its beneficial uses;
(c) the data principals or categories of data principals participating under the proposed processing; and
(d) any other information as may be specified by regulations.
 

(4) The Authority shall, while including any data fiduciary in the Sandbox, specify—
 

(a) the term of the inclusion in the Sandbox, which may be renewed not more than twice, subject to a total period of thirty-six months;
(b)the safeguards including terms and conditions in view of the obligations under clause (c) including the requirement of consent of data principals participating under any licensed activity, compensation to such data principals and penalties in relation to such safeguards; and
(c) that the following obligations shall not apply or apply with modified form to such data fiduciary, namely:—
(i) the obligation to (***) comply with the provisions under sections 4 and 5;
(ii) limitation on collection of personal data under section 6; and
(iii) any other obligation to the extent, it is directly depending on (***) sections 5 and 6; and
(iv) the restriction on retention of personal data under section 9.
Explanation.- For the purposes of this Act, the expression “Sandbox” means such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a specified period of time for the limited purpose of the testing.