The Personal Data Protection Bill, 2019 is a bill to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto. This document is Draft Bill No. 373 of 2019. The Bill includes:
- Identifying Categories of Sensitive Data
- Consent Manager
- Social Media Intermediaries
- Data Localization
- Transferring Sensitive Personal Data
- Requirement to Share Anonymized Data with the Indian Government
CHAPTER I: PRELIMINARY
1. Short title and commencement.
2. Application of Act to processing of personal data.
CHAPTER II: OBLIGATIONS OF DATA FIDUCIARY
4. Prohibition of processing of personal data.
5. Limitation on purpose of processing of personal data.
6. Limitation on collection of personal data.
7. Requirement of notice for collection or processing of personal data.
8. Quality of personal data processed.
9. Restriction on retention of personal data.
10. Accountability of data fiduciary.
11. Consent necessary for processing of personal data.
CHAPTER III: GROUNDS FOR PROCESSING OF PERSONAL DATA WITHOUT CONSENT
12. Grounds for processing of personal data without consent in certain cases.
13. Processing of personal data necessary for purposes related to employment, etc.
14. Processing of personal data for other reasonable purposes.
15. Categorisation of personal data as sensitive personal data.
CHAPTER IV: PERSONAL DATA AND SENSITIVE PERSONAL DATA OF CHILDREN
16. Processing of personal data and sensitive personal data of children.
CHAPTER V: RIGHTS OF DATA PRINCIPAL
17. Right to confirmation and access.
18. Right to correction and erasure.
19. Right to data portability.
20. Right to be forgotten.
21. General conditions for the exercise of rights in this Chapter.
CHAPTER VI: TRANSPARENCY AND ACCOUNTABILITY MEASURES
22. Privacy by design policy.
23. Transparency in processing of personal data.
24. Security safeguards.
25. Reporting of personal data breach.
26. Classification of data fiduciaries as significant data fiduciaries.
27. Data protection impact assessment.
28. Maintenance of records.
29. Audit of policies and conduct of processing, etc.
30. Data protection officer.
31. Processing by entities other than data fiduciaries.
32. Grievance redressal by data fiduciary.
CHAPTER VII: RESTRICTION ON TRANSFER OF PERSONAL DATA OUTSIDE INDIA
33. Prohibition of processing of sensitive personal data and critical personal data outside
34. Conditions for transfer of sensitive personal data and critical personal data.
CHAPTER VIII: EXEMPTIONS
35. Power of Central Government to exempt any agency of Government from application
of the Act.
36. Exemption of certain provisions for certain processing of personal data.
37. Power of Central Government to exempt certain data processors.
38. Exemption for research, archiving or statistical purposes.
39. Exemption for manual processing by small entities.
40. Sandbox for encouraging innovation, etc.
CHAPTER IX: DATA PROTECTION AUTHORITY OF INDIA
41. Establishment of Authority.
42. Composition and qualifications for appointment of Members.
43. Terms and conditions of appointment.
44. Removal of Chairperson or other Members.
45. Powers of Chairperson.
46. Meetings of Authority.
47. Vacancies, etc., not to invalidate proceedings of Authority.
48. Officers and other employees of Authority.
49. Powers and functions of Authority.
50. Codes of practice.
51. Power of Authority to issue directions.
52. Power of Authority to call for information.
53. Power of Authority to conduct inquiry.
54. Action to be taken by Authority pursuant to an inquiry.
55. Search and seizure.
56. Co-ordination between Authority and other regulators or authorities.
CHAPTER X: PENALTIES AND COMPENSATION
57. Penalties for contravening certain provisions of the Act.
58. Penalty for failure to comply with data principal requests under Chapter V.
59. Penalty for failure to furnish report, returns, information, etc.
60. Penalty for failure to comply with direction or order issued by Authority.
61. Penalty for contravention where no separate penalty has been provided.
62. Appointment of Adjudicating Officer.
63. Procedure for adjudication by Adjudicating Officer.
65. Compensation or penalties not to interfere with other punishment.
66. Recovery of amounts.
CHAPTER XI: APPELLATE TRIBUNAL
67. Establishment of Appellate Tribunal.
68. Qualifications, appointment, term, conditions of service of Members.
70. Staff of Appellate Tribunal.
71. Distribution of business amongst Benches.
72. Appeals to Appellate Tribunal.
73. Procedure and powers of Appellate Tribunal.
74. Orders passed by Appellate Tribunal to be executable as a decree.
75. Appeal to Supreme Court.
76. Right to legal representation.
77. Civil court not to have jurisdiction.
CHAPTER XII: FINANCE, ACCOUNTS AND AUDIT
78. Grants by Central Government.
79. Data Protection Authority of India Funds.
80. Accounts and Audit.
81. Furnishing of returns, etc., to Central Government.
CHAPTER XIII: OFFENCES
82. Re-identification and processing of de-identified personal data.
83. Offences to be cognizable and non-bailable
84. Offences by companies.
85. Offences by State.
CHAPTER XIV: MISCELLANEOUS
86. Power of Central Government to issue directions.
87. Members, etc., to be public servants.
88. Protection of action taken in good faith.
89. Exemption from tax on income.
91. Act to promote framing of policies for digital economy, etc.
92. Bar on processing certain forms of biometric data.
93. Power to make rules.
94. Power to make regulations.
95. Rules and regulations to be laid before Parliament.
96. Overriding effect of this Act.
97. Power to remove difficulties.
98. Amendment of Act 21 of 2000.