THE DATA PRIVACY AND PROTECTION BILL, 2017
28/July/2017


A

BILL

 

to establish an effective regime to protect the right to privacy of all natural persons and personal data concerning them, to set out conditions upon which surveillance of natural persons and interception of communications may be carried out, to constitute a Privacy Commission, and for matters connected therewith and incidental thereto.

 

WHEREAS the right to privacy is an inalienable right of all persons;

 

AND WHEREAS the need to protect privacy has only increased in the digital age, with the emergence of big data analytics;

 

AND WHEREAS the delivery of goods and provision of services requires the collection, storage, processing and disclosure, including international transfers, of personal data;

 

AND WHEREAS good governance requires that all interceptions of communications and surveillance must be conducted in a systematic and transparent manner subservient to the rule of law;

 

AND WHEREAS it is necessary to harmonise any conflicting interests and competing legislation;

 

NOW, THEREFORE, it is expedient to provide for an enforceable means to protect the privacy of persons.

 

BE IT ENACTED by Parliament in the Sixty-Eighth Year of the Republic of India as follows –


CHAPTER I

 

Preliminary

 

1. Short title, extent and commencement. –

 

(1) This Act may be called the Data Privacy And Protection Act, 2017.

 

(2) It extends to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention hereunder committed outside India by any person.

 

(3) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint.

 

2. Definitions. –

 

(1) In this Act and in any rules made thereunder, unless the context otherwise requires, –

 

(a) “anonymise” means, in relation to personal data, the encryption or removal of all data that may, whether directly or indirectly in conjunction with any other data, be used to identify a natural person or data subject;

 

(b) “appropriate government” means, in relation to the Central Government or a Union Territory Administration, the Central Government; in relation to a State Government, that State Government; and, in relation to a public authority which is established, constituted, owned, controlled or substantially financed by funds provided directly or indirectly:

 

(i) by the Central Government or a Union Territory Administration, the Central Government;

(ii) by a State Government, that State Government;

 

(c) “armed force” means any body raised or constituted pursuant to or in connection with, or presently governed by, the Army Act, 1950 (46 of 1950), the Indian Reserve Forces Act, 1888 (4 of 1888), the Territorial Army Act, 1948 (6 of 1948), the Navy Act, 1957 (62 of 1957), the Air Force Act, 1950 (45 of 1950), the Reserve and Auxiliary Air Forces Act, 1952 (62 of 1952), the Coast Guard Act, 1978 (30 of 1978) or the Assam Rifles Act, 2006 (47 of 2006);

 

(d) “authorised officer” means an officer, not below the rank of a Gazetted Officer, of an All India Service or a Central Civil Service, as the case may be, who is empowered by the Central Government, by notification in the Official Gazette, to intercept a communication of another person or carry out surveillance of another person under this Act;

 

(e) “biometric data” means any data relating to the physical, physiological or behavioural characteristics of a natural person which allow their unique identification including, but not restricted to, facial images, fingerprints, hand prints, foot prints, iris recognition, handwriting, typing dynamics, gait analysis and speech recognition;

 

(f) “Chief Privacy Commissioner” and “Privacy Commissioner” mean the Chief Privacy Commissioner and Privacy Commissioner appointed under section 33;

 

(g) “collect”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or activity that results in a data controller, police force, armed force, intelligence organisation, public authority, company, person, State or other entity (natural or otherwise) obtaining, or coming into the knowledge or possession of, any personal data of another person;

 

(h) “communication” means any word, sign or gesture, spoken, written or indicated, in any form, manner or language, encrypted or unencrypted, meaningful or otherwise, and includes visual representations of words, ideas, symbols and images, and the metadata in relation thereto, whether transmitted or not transmitted and, if transmitted, irrespective of the medium of transmission;

 

(i) “competent organisation” means an organisation or public authority listed in the Schedule to this Act;

 

(j) “consent” means an unambiguous indication of a data subject’s agreement to the collection, processing, use or dissemination of personal data relating to him or her;

 

(k) “data controller” means a person who, either alone, or jointly, or in concert with other persons, determines the purposes for which and the manner in which any personal data is processed;

 

(l) “data processor” means a person who processes any personal data on behalf of a data controller;

 

(m) “data subject” means a natural person who is the subject of personal data;

 

(n) “deoxyribonucleic acid data” means all data, of whatever type, concerning the characteristics of a natural person that are inherited or acquired during early prenatal development;

 

(o) “destroy”, with its grammatical variations and cognate expressions, means, in relation to personal data, to cease the existence of, by deletion, erasure or otherwise, any personal data;

 

(p) “disclose”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or activity that results in a person coming into the knowledge or possession of any personal data of another person;

 

(q) “intelligence organisation” means an intelligence organisation under the Intelligence Organisations (Restriction of Rights) Act, 1985 (58 of 1985) and includes the National Investigation Agency constituted under sub-section (1) of section 3 of the National Investigation Agency Act, 2008 (34 of 2008) and the Central Bureau of Investigation constituted under the Delhi Special Police Establishment Act, 1946;

 

(r) “interception” or “intercept” means any activity intended to capture, read, listen to or understand the communication of a person;

 

(s) “officer-in-charge of a police station” shall have the meaning ascribed to it under clause (o) of section 2 of the Code of Criminal Procedure, 1973 (2 of 1974);

(t) “person” means and includes a natural person, a company, a firm, an association of persons or a body of individuals, whether incorporated or not;

(u) “personal data” means any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data;

Provided that the term “personal data” shall not include data which is a matter of public record except details of victims in cases of sexual assault, kidnapping or abduction.

 

(v) “police force” means –

(i) any body raised or constituted by the appropriate government for the preservation of law and order and enforcement of laws related to customs, revenue, foreign exchange, excise, income tax and narcotics;

(ii) the bodies raised or constituted pursuant to or in connection with, or presently governed by, the Police Act, 1861 (5 of 1861), the Central Reserve Police Force Act, 1949 (66 of 1949), the Border Security Force Act, 1968 (47 of 1968), the Indo-Tibetan Border Police Force Act, 1992 (35 of 1992), the Sashastra Seema Bal Act, 2007 (53 of 2007), the Central Industrial Security Force Act, 1968 (50 of 1968), the Railway Protection Force Act, 1957 (23 of 1957) and the National Security Guard Act, 1986 (47 of 1986);

(iii) the bodies raised or constituted pursuant to or in connection with, or presently governed by, the Delhi Special Police Establishment Act, 1946 (25 of 1946), the Income Tax Act, 1961 (43 of 1961), the National Investigation Agency Act, 2008 (34 of 2008) and the Central Vigilance Commission Act, 2003 (45 of 2003);

(iv) any police forces raised or constituted by the States, armed or otherwise;

 

(w) “prescribed” means prescribed by rules made under this Act;

 

(x) “Privacy Commission” means the Privacy Commission constituted under sub-section (1) of section 33;

 

(y) “Privacy Officer” means the Privacy Officer designated under sub-section (3) of section 22 and sub-sections (3) and (4) of section 30;

 

(z) “process”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or operation which is performed upon personal data of another person, whether or not by automated means including, but not restricted to, organisation, structuring, adaptation, modification, retrieval, consultation, use, alignment or destruction;

 

(aa) “public authority” shall have the meaning ascribed to it under clause (h) of section 2 of the Right to Information Act, 2005 (22 of 2005);

 

(bb) “receive”, with its grammatical variations and cognate expressions, means, in relation to personal data, to come into the knowledge or possession of any personal data of another person;

 

(cc) “sensitive personal data” means personal data or metadata as to a person's –

(i) biometric data;

(ii) deoxyribonucleic acid data;

(iii) sexual preferences and practices;

(iv) medical history and health;

(v) political affiliation;

(vi) ethnicity, religion, race or caste; and

(vii) financial and credit information, including financial history and transactions.

 

(dd) “store”, with its grammatical variations and cognate expressions, means, in relation to personal data, to retain, in any form or manner and for any purpose or reason, any personal data of another person;

 

(ee) “surveillance” means any activity, directly or indirectly intended to watch, monitor, record or collect, or to enhance the ability to watch, record or collect, any information, images, signals, data, movement, behaviour or actions, of a person, a group of persons, a place or an object, for the purpose of obtaining information of a person, but does not include collection of personal data under Sections 7 and 8 of this Act;

 

(2) All other expressions used herein shall have the meanings ascribed to them under the General Clauses Act, 1897 (10 of 1897) or the Code of Criminal Procedure, 1973 (2 of 1974), as the case may be.

 

3. Principles applicable to protecting privacy. – In exercising the powers conferred by this Act, regard shall be had to the following considerations, namely –

 

(a) that personal data with its attributes belongs solely to the person to whom it pertains;

 

(b) that personal data is required by governments and commercial service providers and others to enable good governance and the delivery of goods and provision of services without undue delay which may be provided by a meaningful, revocable notice and consent framework;

 

(c) that the right to privacy is recognised as a fundamental human right by various international treaties to which India is a party;

 

(d) that intrusions into privacy need always be measured by principles of necessity and proportionality;

 

(e) that the right to privacy is a fundamental right essential to the maintenance of a democratic society;

 

(f) that privacy must be upheld by a competent authority that is independent, impartial, well resourced and free from unwarranted influence.

 

CHAPTER II

Right to Privacy

 

4. Right to privacy. –

 

(1) Without prejudice to the generality of the provisions contained herein, all natural persons shall have a right to privacy which shall be implemented as per Section 3 of this Act.

 

(2) For the purpose of sub-section (1) no person shall collect, store, process, disclose or otherwise handle any personal data of a natural person, intercept any communication of another person, or carry out surveillance of another person except in accordance with the provisions of this Act.

 

5. Exemptions. – Nothing in this Act shall apply to –

 

(a) the collection, storage or processing by a person of their own personal data for personal or family use; or

 

(b) surveillance by a resident of their own residential property.

CHAPTER III

Protection of Personal Data

 

6. Effecting consent from a data subject. –

 

A data subject may be said to have given effective consent only when –

 

(1) it is free, in the terms of section 14 of the Indian Contract Act, 1872;

 

(2) it is obtained prior to all data collection, except in the cases expressly excluded by section 8;

 

(3) it is voluntarily given through an express and affirmative act and is recorded in writing;

 

Provided that effective consent can only be said to have been obtained where:

(i) a conspicuous means for its withdrawal is made available to the data subject, and

(ii) the means for its withdrawal can be employed with the same ease as the means by which it was obtained.

 

(4) it is obtained after the data subject has been duly informed, in language that a reasonable person can comprehend, of the matters enumerated in sub-section (3) of section 7 or sub-section (3) of section 13, as the case may be; and

 

Provided that, in case of any dispute, ambiguities in the terms of the notice and of any privacy policies that apply will be resolved in favour of the data subject.

 

(5) it is specific and limited as to purpose and duration.

 

Explanation 1: Consent will be deemed to be limited only if it is obtained in respect of the purposes and duration strictly necessary to provide the product or service in relation to which personal data is sought to be collected, processed or disclosed.

 

Explanation 2: When the purposes for which personal data was collected are materially altered or expanded subsequent to its collection, consent will be deemed to be specific only if it is obtained afresh in respect of that alteration or expansion –

(i) after duly informing the data subject of the alteration or expansion in purpose, and

(ii) prior to any use of that data for the expanded purposes.

 

7. Collection of personal data. –

 

(1) No person, including a data controller and data processor, shall collect any personal data without obtaining the effective consent of the data subject to whom it pertains.

 

(2) Subject to sub-section (1), no person shall collect any personal data that is not necessary for the achievement of a purpose that is connected to a stated function of the person seeking its collection.

 

(3) A person seeking to collect any personal data shall, prior to its collection and as notified by the Privacy Commission, inform the data subject to whom it pertains, free of any charges, direct or indirect, of the following details in respect of their personal data, namely –

 

(a) when it will be collected;

 

(b) its content and nature;

 

(c) the purpose of its collection;

 

(d) the purpose and manner in which it will be used;

 

(e) the persons to whom it will be made available;

 

(f) the duration for which it will be stored;

(g) the manner in which it may be accessed, checked and modified;

(h) the security practices and other safeguards, if any, to which it will be subject;

(i) the privacy policies and other policies, if any, that will protect it;

(j) whether, and the conditions and procedure upon which, it may be disclosed to others;

(k) the time and manner in which it will be destroyed, or the criteria used to determine that time period;

(l) the procedure for recourse in case of any grievance in relation to it; and

(m) the identity and contact details of the data collector and data processor.

 

(4) Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith:

Provided that the person who collected the personal data in respect of which consent is subsequently withdrawn may, only if the personal data is necessary for the delivery of any good, the provision of any service or the fulfilment of a lawful contract, decline to deliver that good, deny that service or not fulfil that contract to the data subject who withdrew the grant of consent, such withdrawal being possible easily and at any point during the duration of a service.

 

8. Collection of personal data without prior consent. –

 

Personal data may be collected without the prior consent of the data subject if it is –

 

(a) necessary for the provision of an emergency medical service to the data subject;

 

(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard; or

(c) necessary to prevent, investigate or prosecute a cognisable offence.

 

9. Storage and destruction of personal data. –

 

(1) No person, including a data controller and a data processor, shall store any personal data for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose is achieved or ceases to exist for any reason, for any period following such achievement or cessation.

 

(2) Save as provided in sub-section (3), any personal data collected or received in relation to the achievement of a purpose shall, if that purpose is achieved or ceases to exist for any reason, be destroyed forthwith.

 

(3) Notwithstanding anything contained in this section, any personal data may be stored for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation, if –

 

(a) the data subject to whom it pertains grants their effective consent to such storage prior to the purpose for which it was collected or received being achieved or ceasing to exist;

 

(b) it is adduced for an evidentiary purpose in a legal proceeding; or

 

(c) it is required to be stored for historical, statistical or research purposes under the provisions of an Act of Parliament:

 

Provided that only such amount of personal data that is necessary to achieve the purpose of storage under this sub-section shall be stored and any personal data that is not required to be stored for such purpose shall be destroyed forthwith:

 

Provided further that any personal data stored under this sub-section shall, to the extent possible, be anonymised.

 

10. Processing of personal data. –

 

(1) No person shall process any personal data that is not necessary for the achievement of the purpose for which it was collected or received.

 

(2) Save as provided in sub-section (3), no personal data shall be processed for any purpose other than the purpose for which it was collected or received.

 

(3) Notwithstanding anything contained in this section, any personal data may be processed for a purpose other than the purpose for which it was collected or received if the data subject grants their effective consent to such processing and only that amount of personal data that is necessary to achieve the other purpose is processed.

 

(4) Notwithstanding anything contained in this section, any personal data may be processed for a purpose other than the purpose for which it was collected or received if –

 

(a) the data subject grants his/her effective consent to the processing and only that amount of personal data that is necessary to achieve the other purpose is processed;

 

(b) it is necessary to perform a contractual duty to the data subject;

 

(c) it is necessary to prevent a reasonable threat to security of the State or public order; or

(d) it is necessary to prevent, investigate or prosecute a cognisable offence.

11. Security of personal data and duty of confidentiality. –

 

(1) No person shall collect, receive, store, process or otherwise handle any personal data without implementing measures, including, but not restricted to, technological, physical and administrative measures, adequate to secure its confidentiality, secrecy, integrity and safety, including from theft, loss, damage or destruction.

 

(2) Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.

 

(3) Data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control.

 

(4) Without prejudice to the provisions of this section, any person who collects, receives, stores, processes or otherwise handles any personal data shall, if its confidentiality, secrecy, integrity or safety is violated by theft, loss, negligence, damage or destruction, or as a result of any collection, processing or disclosure contrary to the provisions of this Act, or for any other reason whatsoever, as soon as he or she becomes aware of such violation, notify the person to whom it pertains, the Privacy Commission and any other agencies whom the Central Government notifies for this purpose, in such form and manner as may be prescribed, forthwith. Further, any person who collects, receives, stores, processes or otherwise handles any personal data shall report to the Privacy Commission all breaches of the provisions of this Chapter III that are brought to his or her notice or are reasonably expected to be known to such person.

 

12. Transfer of personal data for processing. –

 

(1) Subject to the provisions of this section, personal data that has been collected in conformity with this Act may be transferred by a data controller to a data processor, whether located in India or otherwise, if the transfer is pursuant to an agreement that explicitly binds the data processor to same or stronger measures in respect of the storage, processing, destruction, disclosure and other handling of the personal data as are contained in this Act.

 

(2) No data processor shall process any personal data transferred under this section except to achieve the purpose for which it was collected.

 

(3) A data controller that transfers personal data under this section shall remain liable to the data subject for the actions of the data processor.

 

13. Disclosure of personal data. –

 

(1) Save as provided in this section, no person shall disclose, or otherwise cause any other person to receive, the content or nature of any personal data, including any other details in respect thereof, except to the person to whom it pertains.

 

(2) No person shall disclose any personal data without obtaining the prior effective consent of the data subject and such effective consent may be obtained in any manner, and through any medium, but shall not be obtained as a result of a threat, duress, denial of service or coercion.

 

(3) For the purpose of sub-section (2), a person seeking to disclose any personal data shall, prior to its disclosure, inform the data subject of the following details in respect of their personal data, namely: –

 

(a) when it will be disclosed;

 

(b) the purpose of its disclosure;

 

(c) the security practices and other safeguards, if any, to which it will be subject;

 

(d) the privacy policies and other policies, if any, that will protect it; and

 

(e) the procedure for recourse in case of any grievance in relation to it.

 

(4) Notwithstanding anything contained in this section, any person who collects, receives, stores, processes or otherwise handles any personal data may disclose it to a person other than the data subject, whether located in India or otherwise, for the purpose only of processing it to achieve the purpose for which it was collected if such a disclosure is pursuant to an agreement that explicitly binds the person receiving it to same or stronger measures in respect of its storage, processing, destruction, disclosure or other handling as are contained in this Act.

14. Quality and accuracy of personal data. –

 

(1) Any person who collects, receives, stores, processes or otherwise handles any personal data shall, to the extent possible, ensure that it is accurate and, where necessary, is kept up to date.

 

(2) No person who collects, receives, stores, processes or otherwise handles any personal data shall deny, to the data subject, the opportunity to review and obtain a copy of such data and, where necessary, rectify anything that is inaccurate or not up to date.

 

(3) Any person to whom any personal data collected, received, stored, processed or otherwise handled under this Act pertains may, if it is not necessary to achieve the purpose of its collection, reception, storage, processing or other handling, demand its destruction, and the person so collecting, receiving, storing, processing or otherwise handling that personal data shall destroy it forthwith.

 

15. Special provisions for sensitive personal data. –

 

Notwithstanding anything contained in this Act and the provisions of any other law for the time being in force –

 

(a) no person shall collect sensitive personal data without explicit effective consent from the data subject;

 

(b) no person shall store sensitive personal data for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation;

(c) no person shall process sensitive personal data for a purpose other than the purpose for which it was collected or received;

(d) no person shall disclose sensitive personal data to another person, or otherwise cause any other person to come into the knowledge or possession of, the content or nature of any sensitive personal data, including any other details in respect thereof, except the data subject.

 

16. Special provisions for intelligence organisations. –

 

(1) Notwithstanding anything contained in this Act, the provisions of section 6, section 7, section 8, sub-section (4) of section 10 and section 11 shall not apply in respect of an intelligence organisation.

(2) Any intelligence organisation seeking to collect any personal data shall prefer an application, in such form and manner as may be prescribed, to the Chief Privacy Commissioner or any other person authorised by him in this behalf.

 

(3) The Chief Privacy Commissioner, or any other person authorised by him in this behalf, may, if he is satisfied that the collection of the personal data is necessary to prevent a reasonable threat to security of the state or public order, or prevent, investigate or prosecute a cognisable offence, order the collection of the personal data by recording reasons in writing within a period of 14 days from the receipt of an application under sub-section (2).

 

(4) Notwithstanding anything contained in sub-section (2) and sub-section (3), if the Central Government is satisfied that a grave threat to the security of the State or public order exists, it may, for reasons to be recorded in writing, which shall include the reason for not getting an order under sub-section (3), order the collection of any personal data.

 

(5) Before the expiry of a period of seven days from the date of an order for collection of personal data made under sub-section (4), the intelligence organisation that collected the personal data shall notify the Chief Privacy Commissioner of the fact of such collection, the name and address of the person to whom the personal data pertains and shall furnish a copy of the order of the Central Government authorising the collection of the personal data.

 

(6) No intelligence organisation shall process or store any personal data without implementing measures to secure that the number of persons within that intelligence organisation to whom it is made available, and the extent to which it is copied, is limited to the minimum that is necessary to fulfill the purpose for which it is processed or stored, as the case may be.

 

(7) Any intelligence organisation that processes or stores personal data shall, before the expiry of a period of seven days from the date of the processing or storage, as the case may be, notify the Chief Privacy Commissioner of the fact of such processing or storage and the name and address of the person to whom the personal data pertains.

 

(8) Any intelligence organisation that processes or stores personal data shall have to comply with the provisions of Section 10 with respect to such data.

 

CHAPTER IV

Interception of Communications

 

17. Bar against interception of communications. –

 

(1) Notwithstanding anything contained in any other law for the time being in force, but save as provided in this chapter, no person shall intercept, or cause to be intercepted, any communication of another person save in pursuance of an order by the Chief Privacy Commissioner or any other person authorised by him in this behalf.

 

(2) No interception of any communication shall be ordered or carried out that is not necessary to achieve the purpose for which the interception is sought.

 

18. Prior authorisation by the Chief Privacy Commissioner. –

 

(1) Any authorised officer seeking to intercept any communication of another person shall prefer an application, in such form and manner as may be prescribed, to the Chief Privacy Commissioner or any other person authorised by him in this behalf.

 

(2) The Chief Privacy Commissioner, or any other person authorised by him in this behalf, may, if he is satisfied that the interception is necessary to prevent a reasonable threat to security of the state or public order, or prevent, investigate or prosecute a cognisable offence, order the interception of communications by recording reasons in writing within a period of 14 days from the receipt of an application under sub-section (1).

 

(3) Prior to issuing an order for interception of any communication, the Chief Privacy Commissioner, or any other person authorised by him in this behalf, shall satisfy himself that all other lawful means to acquire the information sought to be intercepted have been exhausted and that the proposed interception is reasonable, proportionate and not excessive.

 

(4) Any interception of any communication ordered, authorised or carried out prior to the commencement of this Act shall, immediately upon the constitution of the Privacy Commission, be reported to the Chief Privacy Commissioner.

 

19. Authorisation by Home Secretary in emergent circumstances. –

 

(1) Notwithstanding anything contained in Section 17, if the Home Secretary of the appropriate government is satisfied that an imminent grave threat to the security of the state or public order exists, he may, for reasons to be recorded in writing, order the interception of any communication.

 

(2) No order for interception of any communication made under this section shall be valid upon the expiry of a period of seven days from the date of the order.

 

(3) Before the expiry of a period of seven days from the date of an order for interception made under this section, the person who carried out the interception of communication shall notify the Chief Privacy Commissioner of the fact of such interception, the name and address of the person whose communication is being intercepted, and the duration of the interception and, furthermore, shall furnish a copy of the order of the Home Secretary authorising the interception.

 

  1. Duration of interception. –

 

(1) An order for interception of any communication shall specify the period of its validity and, upon the expiry of the validity of the order, all interception carried out in relation to that order shall cease forthwith:

 

Provided that no order for interception of any communication shall be valid upon the expiry of a period of sixty days from the date of the order.

 

(2) The Chief Privacy Commissioner, or any other person authorised by him in this behalf, may, upon receipt of an application from an authorised officer in such form and manner as may be prescribed, renew any order for interception of any communication if he is satisfied that the conditions upon which the original order was issued continue to exist.

 

 

  1. Duty to inform the person concerned. –

 

(1) Subject to sub-section (2), before the expiry of a period of sixty days from the conclusion of any interception of communication ordered or carried out under this Act, the authorised officer who carried out the interception of communication shall, in writing in such form and manner as may be prescribed, notify, with reference to the relevant order of the Chief Privacy Commissioner, each person whose communication was intercepted of the fact of such interception and duration thereof.

 

(2) The Chief Privacy Commissioner may, on an application made by an authorised officer in such form and manner as may be prescribed, if he is satisfied that the notification under sub-section (1) would present a reasonable threat to the security of the state or public order, or adversely affect the prevention, investigation or prosecution of a cognisable offence, for reasons to be recorded in writing addressed to the authorised officer, order that the person whose communication was intercepted not be notified of the fact of such interception or the duration thereof:

 

Provided that any order passed under sub-section (2) preventing disclosure of interception shall not operate in perpetuity, and shall record in writing the reasons and the period up to which the reasonable threat is anticipated to extend, upon the cessation of which the duty to inform under sub-section (1) shall operate.

 

  1. Security and duty of confidentiality and secrecy. –

 

(1) No person shall intercept any communication of another person without implementing measures, including, but not restricted to, technological, physical and administrative measures, to secure the confidentiality and secrecy of all information obtained as a result of an interception of communication, including from theft, negligence, loss or unauthorised disclosure.

 

(2) Any person who carries out any interception of any communication, or who obtains any information, including personal data, as a result of an interception of communication, shall be subject to a duty of confidentiality and secrecy in respect of it.

 

(3) Every competent organisation shall, before the expiry of a period of one hundred days from the enactment of this Act, designate as many officers as it deems fit as Privacy Officers who shall be administratively responsible for all interceptions of communications carried out by that competent organisation.

  1. Disclosure of intercepted communications. –

 

(1) Save as provided in this section, no person shall disclose to any other person, or otherwise cause any other person to come into the knowledge or possession of, the content or nature of any information, including personal data, obtained as a result of an interception of any communication including the fact that the interception of communication was carried out.

 

(2) Notwithstanding anything contained in this section, if the disclosure of any information, including personal data, obtained as a result of an interception of any communication is necessary to prevent a reasonable threat to the security of the state or public order, or prevent, investigate or prosecute a cognisable offence, an authorised officer may disclose the information, including personal data, obtained as a result of the interception of any communication to any authorised officer of any other competent organisation.

 

Provided that no authorised officer shall disclose any information, including personal data, obtained as a result of the interception of any communication that is not necessary to achieve the purpose for which the disclosure is sought.

 

  1. Storage of intercepted communications. –

 

(1) Subject to sub-section (2), no person shall store any information, including personal data, obtained as a result of an interception of any communication for a period longer than one hundred and eighty days from the date on which the last order for interception of the communication to which the obtained information pertains expired.

 

(2) The Chief Privacy Commissioner may, on an application made in such form and manner as may be prescribed, if he is satisfied that it is necessary to prevent a reasonable threat to the security of the state or public order, or to prevent, investigate or prosecute a cognisable offence, for reasons to be recorded in writing, order that any information, including personal data, obtained as a result of an interception of any communication may be stored for a period longer than one hundred and eighty days from the date on which the last order for interception of the communication to which the obtained information pertains expired.

 

(3) Any data obtained as a result of interception of any communication shall be stored in a manner that complies with the provisions of Section 9 with respect to such data.

 

CHAPTER V

Surveillance

 

  1. Bar against surveillance. –

 

Notwithstanding anything contained in any other law for the time being in force, but save as provided in this chapter, no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person.

 

Provided that there shall be an absolute bar to the subjection of persons to indiscriminate monitoring through any method of mass or bulk surveillance, given that it is neither necessary nor proportionate to any stated purpose, including but not limited to the security of the state, the interests of public order, or the prevention, investigation or prosecution of the commission of a cognisable offence.

 

  1. Surveillance by the State. –

 

(1) No member of a police force, armed force, intelligence organisation, public authority or the State shall order or carry out, or cause to be ordered or carried out, any surveillance of another person save in pursuance of an order by the Chief Privacy Commissioner or any other person authorised by him in this behalf.

 

(2) No surveillance shall be ordered or carried out that is not necessary to achieve the purpose for which the surveillance is sought.

 

(3) Any authorised officer seeking to carry out any surveillance of another person shall prefer an application, in such form and manner as may be prescribed, to the Chief Privacy Commissioner or any other person authorised by him in this behalf.

 

(4) The Chief Privacy Commissioner, or any other person authorised by him in this behalf, may, if he is satisfied that the surveillance is necessary to prevent a reasonable threat to the security of the state or public order, or to prevent, investigate or prosecute a cognisable offence, for reasons to be recorded in writing addressed to the authorised officer, order the surveillance.

 

(5) Prior to issuing an order for surveillance, the Chief Privacy Commissioner, or any other person authorised by him in this behalf, shall satisfy himself that all other lawful means to acquire the information sought to be obtained as a result of the proposed surveillance have been exhausted and that the proposed surveillance is reasonable, proportionate and not excessive.

 

  1. Surveillance by private persons or entities. –

 

(1) Notwithstanding anything contained in any other law for the time being in force, and without prejudice to the provisions of section 25 of this Act, no person who is not a member of a police force, armed force, intelligence organisation, public authority or the State shall carry out, or cause to be carried out, any surveillance in any public place or in any property or premises that is not in his possession.

 

(2) Without prejudice to sub-section (1), any person who carries out any surveillance under this section shall be subject to a duty to inform, in such manner as may be prescribed, members of the public of such surveillance.

 

  1. Duration of surveillance. –

 

(1) An order for surveillance shall specify the period of its validity and, upon the expiry of the validity of the order, all surveillance carried out in relation to that order shall cease forthwith:

 

Provided that no order for surveillance shall be valid upon the expiry of a period of sixty days from the date of the order.

 

(2) The Chief Privacy Commissioner, or any other person authorised by him in this behalf, may, upon receipt of an application from an authorised officer in such form and manner as may be prescribed, renew any order for surveillance if he is satisfied that the conditions upon which the original order was issued continue to exist.

 

  1. Duty to inform the person concerned. –

 

(1) Subject to sub-section (2), before the expiry of a period of sixty days from the conclusion of any surveillance ordered or carried out under this Act, the authorised officer who carried out the surveillance shall, in writing in such form and manner as may be prescribed, notify, with reference to the relevant order of the Chief Privacy Commissioner, each person in respect of whom surveillance was carried out of the fact of such surveillance and duration thereof.

 

(2) The Chief Privacy Commissioner may, on an application made by an authorised officer in such form and manner as may be prescribed, if he is satisfied that the notification under sub-section (1) would present a reasonable threat to the security of the state or public order, or adversely affect the prevention, investigation or prosecution of a cognisable offence, for reasons to be recorded in writing addressed to the authorised officer, order that the person not be notified of the fact of such surveillance or the duration thereof:

 

Provided that any order passed under sub-section (2) preventing disclosure of surveillance shall not operate in perpetuity, and shall record in writing the reasons and the period up to which the reasonable threat is anticipated to extend, upon the cessation of which the duty to inform under sub-section (1) shall operate.

 

  1. Security and duty of confidentiality and secrecy. –

 

(1) No person shall carry out any surveillance of another person without implementing measures, including, but not restricted to, technological, physical and administrative measures, to secure the confidentiality and secrecy of all information obtained as a result of surveillance, including from theft, loss or unauthorised disclosure.

 

(2) Any person who carries out any surveillance, or who obtains any information, including personal data, as a result of surveillance, shall be subject to a duty of confidentiality and secrecy in respect of it.

 

(3) Every police force, armed force, intelligence organisation, public authority or State shall, before the expiry of a period of one hundred days from the enactment of this Act, designate as many officers as it deems fit as Privacy Officers who shall be administratively responsible for all surveillance carried out:

 

Provided that a public authority that does not order or carry out surveillance shall not be required to designate any Privacy Officers under this sub-section.

 

(4) Every person who is not a member of a police force, armed force, intelligence organisation, public authority or State and who seeks to carry out any surveillance shall, at least seven days before the surveillance is first carried out, designate or appoint as many persons as it deems fit as Privacy Officers who shall be responsible for all surveillance carried out:

 

Provided that where surveillance is carried out by a single person, that person shall be deemed to be a Privacy Officer.

 

  1. Disclosure of surveillance. –

 

(1) Save as provided in this section, no person shall disclose to any other person, or otherwise cause any other person to come into the knowledge or possession of, the content or nature of any information, including personal data, obtained as a result of any surveillance including the fact that the surveillance was carried out.

 

(2) Notwithstanding anything contained in this section, if the disclosure of any information, including personal data, obtained as a result of surveillance is necessary to prevent a reasonable threat to the security of the State or public order, or prevent, investigate or prosecute a cognisable offence, that information, including personal data, obtained as a result of surveillance may be disclosed to a police force, armed force, intelligence organisation, public authority or State only:

 

Provided that no person shall disclose any information, including personal data, obtained as a result of surveillance that is not necessary to achieve the purpose for which the disclosure is sought.

 

 

 

 

  1. Storage of surveillance. –

 

(1) Subject to sub-section (2), no person shall store any information, including personal data, obtained as a result of surveillance for a period longer than one hundred and eighty days from the date on which the surveillance to which the obtained information pertains ceased.

 

(2) The Chief Privacy Commissioner may, on an application made in such form and manner as may be prescribed, if he is satisfied that it is necessary to prevent a reasonable threat to the security of the state or public order, or to prevent, investigate or prosecute a cognisable offence, for reasons to be recorded in writing, order that any information, including personal data, obtained as a result of surveillance may be stored for a period longer than one hundred and eighty days from the date on which the last order for surveillance to which the obtained information pertains expired.

 

(3) Any data obtained as a result of surveillance shall be stored in a manner that complies with the provisions of Section 9 with respect to such data.

 

CHAPTER VI

The Privacy Commission

 

  1. Constitution of the Privacy Commission. –

 

(1) The Central Government shall, by notification, constitute, with effect from such date as may be specified therein, a body to be called the Privacy Commission consisting of a Chief Privacy Commissioner and not more than six other Privacy Commissioners, to be appointed by the President, by warrant under its hand and seal, to exercise the jurisdiction and powers and discharge the functions and duties conferred or imposed upon them by or under this Act.

 

(2) The Chief Privacy Commissioner shall be a person who has been a Judge of the Supreme Court of India.

 

(3) One Privacy Commissioner shall be a person who is or has been a Judge of a High Court.

 

(4) One Privacy Commissioner shall be a person of ability, integrity and standing who has a special knowledge of, and professional experience of not less than ten years in privacy law and policy.

 

(5) The other Privacy Commissioners shall be persons with technical expertise and knowledge in the fields of data collection and storage practices, or data protection and ethics, or big data analytics and technologies, or information technology, while one Privacy Commissioner should be an ordinary citizen representing the interests of the public who are consumers of data.

 

(6) The office of the Privacy Commission shall be autonomous, independent, and free from external interference. The Office shall be provided with sufficient operational resources including human, technical, and financial for the effective discharge of its duties and exercise of its powers. Such powers shall be subject to audit by the Comptroller and Auditor General of India.

 

(8) The Central Government shall issue a public advertisement inviting applications to fill all vacancies in the Privacy Commission. The selection committee for the appointment of the members of the Privacy Commission shall comprise the Chief Justice of India, the Law Minister, the Leader of the Opposition from Lok Sabha or of the single largest Opposition party being one with the greatest numerical strength in the Lok Sabha, one eminent person representing the private sector and one eminent person representing the civil society. All proceedings of the selection committee will constitute a public record.

 

Explanation: “Civil society” shall mean the aggregate of non-governmental and non-profit organisations that perform activities for the general upliftment and interests of the people in the field of privacy and is independent of government funding, interference or influence.

 

  1. Term of office, conditions of service, etc. of Chief Privacy Commissioner and Privacy Commissioners. –

 

(1) Before appointing any person as the Chief Privacy Commissioner or Privacy Commissioner, the President shall satisfy himself or herself that the person does not, and will not, have any such financial or other interest as is likely to affect prejudicially their functions as such Chief Privacy Commissioner or Privacy Commissioner.

 

(2) The Chief Privacy Commissioner and every Privacy Commissioner shall hold office for such period, not exceeding five years, as may be specified by the President in the order of his appointment, but shall be eligible for reappointment:

 

Provided that no person shall hold office as the Chief Privacy Commissioner or Privacy Commissioner for more than two terms.

Provided further that no person shall hold office as the Chief Privacy Commissioner or Privacy Commissioner after they have attained the age of 75 years.

 

(3) Notwithstanding anything contained in sub-section (2), the Chief Privacy Commissioner or any Privacy Commissioner may –

(a) by writing under his hand and addressed to the President resign his office at any time;

(b) be removed from office in accordance with the provisions of Section 35 of this Act.

 

(4) A vacancy caused by the resignation or removal of the Chief Privacy Commissioner or Privacy Commissioner under sub-section (3) shall be filled by fresh appointment.

 

(5) In the event of the occurrence of a vacancy in the office of the Chief Privacy Commissioner, such one of the Privacy Commissioners as the President may, by notification, authorise in this behalf, shall act as the Chief Privacy Commissioner till the date on which a new Chief Privacy Commissioner, appointed in accordance with the provisions of this Act, to fill such vacancy, enters upon his office.

 

(6) When the Chief Privacy Commissioner is unable to discharge his functions owing to absence, illness or any other cause, such one of the Privacy Commissioners as the Chief Privacy Commissioner may authorise in writing in this behalf shall discharge the functions of the Chief Privacy Commissioner, till the date on which the Chief Privacy Commissioner resumes his duties.

 

(7) The salaries and allowances payable to and the other terms and conditions of service of the Chief Privacy Commissioner and Privacy Commissioners shall be such as may be prescribed:

 

Provided that neither the salary and allowances nor the other terms and conditions of service of the Chief Privacy Commissioner and any Privacy Commissioner shall be varied to their disadvantage after their appointment.

 

(8) The Chief Privacy Commissioner and Privacy Commissioners ceasing to hold office as such shall not hold any appointment under the Government of India or under the Government of any State for a period of five years from the date on which they cease to hold such office.

 

  1. Removal of Chief Privacy Commissioner and Privacy Commissioners from office in certain circumstances. –

 

(1) The President may remove from office the Chief Privacy Commissioner or any Privacy Commissioner, who –

 

(a) is adjudged an insolvent; or

 

(b) engages during his term of office in any paid employment outside the duties of his office; or

 

(c) is unfit to continue in office by reason of infirmity of mind or body; or

 

(d) is of unsound mind and stands so declared by a competent court; or

 

(e) is convicted for an offence which in the opinion of the President involves moral turpitude; or

 

(f) has acquired such financial or other interest as is likely to affect prejudicially his functions as Chief Privacy Commissioner or Privacy Commissioner, or cause any conflict of interest, including benefits accruing directly or indirectly to relatives or family members; or

 

(g) has so abused his position as to render his continuance in office prejudicial to the public interest.

 

(2) Notwithstanding anything contained in sub-section (1), neither the Chief Privacy Commissioner nor any Privacy Commissioner shall be removed from his office on the ground specified in clause (f) or clause (g) of that sub-section unless the Supreme Court on a reference being made to it in this behalf by the President, has on an inquiry held by it in accordance with such procedure as it may specify in this behalf, reported that the Chief Privacy Commissioner or Privacy Commissioner ought, on such grounds, to be removed.

 

  1. Functions of the Privacy Commission. –

 

(1) The Privacy Commission may, through decisions arrived at by a simple majority of its members present and voting as set out in Section 44(1) of this Act, authorise, review, investigate, make an inquiry, and/or monitor, suo moto or on a petition presented to it by any person or by someone acting on his behalf, the implementation and application of this Act and give such directions or pass such orders as are necessary for reasons to be recorded in writing.

           

(2) Without prejudice to the generality of the foregoing provision, the Privacy Commission shall perform all or any of the following functions, namely –

 

(a) review the safeguards provided under this Act and under other laws for the time being in force for the protection of personal data and recommend measures for their effective implementation or amendment, as may be necessary from time to time;

 

(b) authorise, review, investigate, make an inquiry, and/or monitor any measures taken by any competent organisation, police force, armed force, intelligence organisation, public authority, company, person or other entity for the protection of privacy and take such further action as it deems fit;

 

(c) authorise, review, investigate, make an inquiry, and/or monitor any action, code, certification, policy or procedure of any competent organisation, police force, armed force, intelligence organisation, public authority, company, person or other entity to ensure compliance with this Act and any rules made hereunder;

 

(d) investigate and direct data controllers and data processors to do or cease to do any act in order to address activity which is in contravention of the provisions of this Act;

 

(e) formulate, through public consultation with experts, other stakeholders and the general public, norms for the effective protection of privacy by competent organisations, police forces, armed forces, intelligence organisations, public authorities, companies, persons or other entities;

 

(f) promote awareness and knowledge of personal data protection through any means necessary and to all stakeholders, including providing information to any data subject regarding their rights under this Act as requested;

 

(g) undertake and promote research in the field of protection of personal data and privacy;

 

(h) encourage the efforts of non-governmental organisations and institutions working in the field of personal data protection and privacy;

 

(i) publish periodic reports concerning the incidence of compliance including violations of this Act and data breaches as reported under Chapter III section 11(4) of this Act, collection, processing, storage, disclosure and other handling of personal data, interception of communications and surveillance;

 

(j) hear and decide applications for interception and surveillance under Chapters IV and V of this Act;

 

(k) exercise its powers under Section 28, to ensure the speedy and efficient redressal of all complaints whose cause of action arises from this Act;

 

(l) such other functions as it may consider necessary for the protection of privacy, personal data, and enforcement of this Act.

 

(3) The Periodic Reports published by the Privacy Commission, stipulated in Section 36(2)(i), shall be tabled before the Lok Sabha by the Law Minister during the Parliamentary Session that succeeds the publication of any Periodic Report.

 

(4) The Chief Privacy Commissioner and the Privacy Commissioners shall appear before a special ad hoc Committee, constituted by the Speaker of the Lok Sabha and comprising members from both the governing and the opposition parties from both houses of Parliament, on an annual basis, in such manner as may be prescribed by rules.

(i) The ad hoc Committee shall be empowered to review the functioning of the Privacy Commission, and may ask the Chief Privacy Commissioner and the Privacy Commissioners any questions in this regard, as per rules.

(ii) The ad hoc Committee shall function and present periodic reports to both houses of Parliament in such manner as may be prescribed by rules.

 

(5) Subject to the provisions of any rules prescribed in this behalf by the Central Government, the Privacy Commission shall have the power to review any decision, judgement, decree or order made by it.

 

(6) In the exercise of its functions under this Act, the Privacy Commission shall give such directions or pass such orders as are necessary for reasons to be recorded in writing.

 

(7) The Privacy Commission may, in its own name, sue or be sued.

 

 

  1. Secretary, officers and other employees of the Privacy Commission. –

 

(1) The Central Government shall appoint a Secretary to the Privacy Commission to exercise and perform, under the control of the Chief Privacy Commissioner such powers and duties as may be prescribed or as may be specified by the Chief Privacy Commissioner.

 

(2) The Central Government may provide the Privacy Commission with such other officers and employees as may be necessary for the efficient performance of the functions of the Privacy Commission.

           

(3) The salaries and allowances payable to and the conditions of service of the Secretary and other officers and employees of the Privacy Commission shall be such as may be prescribed.

 

  1. Salaries, etc. be defrayed out of the Consolidated Fund of India. –

 

The salaries and allowances payable to the Chief Privacy Commissioner and Privacy Commissioners and the administrative expenses, including salaries, allowances and pension, payable to or in respect of the officers and other employees of the Privacy Commission shall be defrayed out of the Consolidated Fund of India.

 

  1. Vacancies, etc. not to invalidate proceedings of the Privacy Commission. –

 

No act or proceeding of the Privacy Commission shall be questioned on the ground merely of the existence of any vacancy or defect in the constitution of the Privacy Commission or any defect in the appointment of a person acting as the Chief Privacy Commissioner or Privacy Commissioner.

 

  1. Chief Privacy Commissioner, Privacy Commissioners and employees of the Privacy Commission to be public servants. –

 

The Chief Privacy Commissioner and Privacy Commissioners and other employees of the Privacy Commission shall be deemed to be public servants within the meaning of section 21 of the Indian Penal Code, 1860 (45 of 1860).

 

  1. Location of the office of the Privacy Commission. –

 

The offices of the Privacy Commission shall be in New Delhi or any other location as directed by the Chief Privacy Commissioner in consultation with the Central Government.

 

  1. Procedure to be followed by the Privacy Commission. –

 

(1) Subject to the provisions of this Act, the Privacy Commission shall have powers to regulate –

 

(a) the procedure and conduct of its business;

 

(b) the delegation to one or more Privacy Commissioners of such powers or functions as the Chief Privacy Commissioner may specify.

 

(2) In particular and without prejudice to the generality of the foregoing provisions, the powers of the Privacy Commission shall include the power to determine the extent to which persons interested or claiming to be interested in the subject-matter of any proceeding before it may be allowed to be present or to be heard, either by themselves or by their representatives or to cross-examine witnesses or otherwise take part in the proceedings:

 

Provided that any such procedure as may be prescribed or followed shall be guided by the principles of natural justice.

 

  1. Power relating to inquiries. –

 

(1) The Privacy Commission shall, for the purposes of any inquiry or for any other purpose under this Act, have the same powers as vested in a civil court under the Code of Civil Procedure, 1908 (5 of 1908), while trying suits in respect of the following matters, namely –

 

(a) the summoning and enforcing the attendance of any person from any part of India and examining him on oath;

 

(b) the discovery and production of any document or other material object producible as evidence;

 

(c) the reception of evidence on affidavit;

                       

(d) the requisitioning of any public record from any court or office;

                       

(e) the issuing of any commission for the examination of witnesses; and,

                       

(f) any other matter which may be prescribed.

 

(2) The Privacy Commission shall have power to require any person, subject to any privilege which may be claimed by that person under any law for the time being in force, to furnish information on such points or matters as, in the opinion of the Privacy Commission, may be useful for, or relevant to, the subject matter of an inquiry and any person so required shall be deemed to be legally bound to furnish such information within the meaning of section 176 and section 177 of the Indian Penal Code, 1860 (45 of 1860).

 

(3) The Privacy Commission or any other officer, not below the rank of a Gazetted Officer, specially authorised in this behalf by the Privacy Commission may enter any building or place where the Privacy Commission has reason to believe that any document relating to the subject matter of the inquiry may be found, and may seize any such document or take extracts or copies therefrom subject to the provisions of section 100 of the Code of Criminal Procedure, 1973 (2 of 1974), in so far as it may be applicable.

           

(4) The Privacy Commission shall be deemed to be a civil court and when any offence as is described in section 175, section 178, section 179, section 180 or section 228 of the Indian Penal Code, 1860 (45 of 1860) is committed in the view or presence of the Privacy Commission, the Privacy Commission may, after recording the facts constituting the offence and the statement of the accused as provided for in the Code of Criminal Procedure, 1973 (2 of 1974), forward the case to a Magistrate having jurisdiction to try the same and the Magistrate to whom any such case is forwarded shall proceed to hear the complaint against the accused as if the case had been forwarded to him under section 346 of the Code of Criminal Procedure, 1973 (2 of 1974).

           

  1. Decisions of the Privacy Commission. –

 

(1) The decisions of the Privacy Commission shall be taken by majority and be binding and enforceable as a decree of a court as per the provisions of the Code of Civil Procedure, 1908.

           

(2) In its decisions, the Privacy Commission has the power to –

 

(a) require a competent organisation, police force, armed force, intelligence organisation, public authority, company, person or other entity to take such steps as may be necessary to secure compliance with the provisions of this Act;

                       

(b) require a competent organisation, police force, armed force, intelligence organisation, public authority, company, person or other entity to compensate any person for any loss or detriment suffered;

                       

(c) impose any of the penalties provided under this Act.

 

  1. Proceedings before the Privacy Commission to be judicial proceedings. –

 

The Privacy Commission shall be deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973 (2 of 1974), and every proceeding before the Privacy Commission shall be deemed to be a judicial proceeding within the meaning of section 193 and section 228 and for the purposes of section 196 of the Indian Penal Code, 1860 (45 of 1860).

 

CHAPTER VI-A

Regulation by Data Controllers and Data Processors

 

  1. Co-regulation by Data Controllers and the Privacy Commission. –

 

(1) Without prejudice to the provisions of clause (d) of sub-section (2) of section 36, the Privacy Commission may, after a public consultation, formulate codes of conduct for the collection, storage, processing, disclosure or other handling of any personal data.

 

(2) No code of conduct formulated under sub-section (1) shall be binding on a data controller unless –

                       

(a) it has received the written approval of the Chief Privacy Commissioner and at least two Privacy Commissioners; and

                       

(b) it has received the approval, by signature of a director or authorised signatory, of the data controller.

           

  1. Self-regulation by data controllers. –

 

(1) The Privacy Commission may encourage data controllers and data processors to formulate professional codes of conduct to establish rules for the collection, storage, processing, disclosure or other handling of any personal data.

           

(2) No code of conduct formulated under sub-section (1) shall be effective unless it is registered, in such form and manner as may be prescribed, by the Privacy Commission.

           

(3) The Privacy Commission shall, for reasons to be recorded in writing, not register any code of conduct formulated under sub-section (1) that is not adequate to protect personal data.

 

  1. Co-regulation & Self-regulation without prejudice to other remedies. –

 

Any code of conduct formulated under this chapter shall be without prejudice to the jurisdiction, powers and functions of the Privacy Commission.

 

CHAPTER VII

Offences and penalties

 

  1. Punishment for offences related to personal data. –

 

(1) Whoever, except in conformity with the provisions of this Act, collects, receives, stores, processes, discloses or otherwise handles any personal data shall be liable to fine which may extend to 1 crore rupees.

 

Provided that whoever commits the offence defined above either intentionally, or with reckless disregard, shall be liable for a term of imprisonment extending up to three years, and shall also be liable to fine.

 

(2) Whoever attempts to commit any offence under sub-section (1) shall be liable in the manner and to the extent provided for such offence under that sub-section.

 

(3) Whoever, except in conformity with the provisions of this Act, collects, receives, stores, processes, discloses or otherwise handles any sensitive personal data shall be liable to fine which may extend to 10 crore rupees.

 

Provided that whoever commits the offence defined above either intentionally, or with reckless disregard, shall be liable for a term of imprisonment extending up to five years, and shall also be liable to fine.

 

(4) Whoever attempts to commit any offence under sub-section (3) shall be punishable with the punishment provided for such offence under that sub-section.

 

  1. Punishment for offences related to interception of communication. –

 

(1) Whoever, except in conformity with the provisions of this Act, intercepts, or causes the interception of, any communication of another person shall be liable to a fine which may extend to 1 crore rupees.

 

Provided that whoever commits the offence defined above either intentionally, or with reckless disregard, shall be liable for a term of imprisonment extending up to three years, and shall also be liable to fine.

 

(2) Whoever attempts to commit any offence under sub-section (1) shall be punishable with the punishment provided for such offence under that sub-section.

 

  1. Punishment for offences related to surveillance. –

 

(1) Whoever, except in conformity with the provisions of this Act, orders or carries out, or causes the ordering or carrying out, of any surveillance of another person shall be liable to a fine which may extend to 10 crore rupees.

 

Provided that whoever commits the offence defined above either intentionally, or with reckless disregard, shall be liable for a term of imprisonment extending up to five years, and shall also be liable to fine.

 

(2) Whoever attempts to commit any offence under sub-section (1) shall be punishable with the punishment provided for such offence under that sub-section.

 

  1. Abetment and repeat offenders. –

Whoever abets any offence punishable under this Act shall, if the act abetted is committed in consequence of the abetment, be punishable with the punishment provided for that offence.

 

  1. Offences by companies. –

 

(1) Where an offence under this Act has been committed by a company, every person who, at the time the offence was committed, was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly:

 

Provided that nothing contained in this sub-section shall render any such person liable to any punishment, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.

 

(2) Notwithstanding anything contained in sub-section (1), where any offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall be deemed to be guilty of that offence, and shall be liable to be proceeded against and punished accordingly.

 

  1. Cognisance. –

 

Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), the offences under this chapter shall be cognisable and non-bailable.

 

  1. General penalty. –

 

Whoever, in any case in which a penalty is not expressly provided by this Act, fails to comply with any notice or order issued under any provision thereof, including an order of the Chief Privacy Commissioner, or otherwise contravenes any of the provisions of this Act, shall be punishable with fine which may extend to 1 crore rupees, and, in the case of a continuing failure or contravention, with an additional fine which may extend to 10 lakh rupees for every day after the first during which he has persisted in such failure or contravention.

 

  1. Punishment to be without prejudice to any other action. –

 

The award of punishment for an offence under this Act shall be without prejudice to any other action which has been or which may be taken under this Act with respect to such contravention.

 

CHAPTER VIII

Miscellaneous

 

  1. Power to make rules. –

 

(1) The Central Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

           

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for –

 

(a) the notification of theft, loss or damage under sub-section (4) of section 11;

 

 

(c) the notification of disclosure under sub-section (4) of section 13;

 

(d) the application by an intelligence organisation under sub-section (2) of section 15;

 

(e) the application to intercept a communication under sub-section (1) of section 18;

 

(f) the application to renew an interception of communication under sub-section (2) of section 20;

                       

(g) the notification of an interception of communication under sub-section (1) of section 21;

 

(h) the application to not inform under sub-section (2) of section 21;

 

(i) the application to store information obtained as a result of any interception of communication under sub-section (2) of section 24;

                       

(j) the application to carry out surveillance under sub-section (3) of section 26;

                       

(k) notification to the general public under sub-section (2) of section 27;

                       

                       

(m) the application to renew surveillance under sub-section (2) of section 28;

                       

(n) the notification of surveillance under sub-section (1) of section 29;

                       

(o) the application to not inform under sub-section (2) of section 29;

                       

(p) the application to store information obtained as a result of surveillance under sub-section (2) of section 32;

                       

(q) salaries, allowances and other terms and conditions of service of the Chief Privacy Commissioner, Privacy Commissioners, Secretaries and other members, staff and employees of the Privacy Commission;

                       

(r) procedure to be followed by the Privacy Commission;

                       

(s) powers and duties of Secretaries, officers and other employees of the Privacy Commission;

                       

(t) the effective implementation of this Act.

 

(3) Every rule made under this section shall be laid, as soon as may be after it is made, before each House of Parliament while it is in session for a period of thirty days which may be comprised in one session or in two successive sessions and if before the expiry of the session in which it is so laid or the session immediately following, both Houses agree in making any modification in the rule, or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be, so however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.

 

  1. Bar of jurisdiction. –

 

(1) On and from the appointed day, no court or authority shall have, or be entitled to exercise, any jurisdiction, powers or authority (except the Supreme Court and a High Court exercising powers under Article 32, Article 226 and Article 227 of the Constitution) in relation to matters over which the Privacy Commission has jurisdiction.

           

(2) No order passed under this Act shall be appealable except as provided therein and no civil court shall have jurisdiction in respect of any matter which the Privacy Commission is empowered by, or under, this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

 

  1. Protection of action taken in good faith. –

 

No suit or other legal proceeding shall lie against the Central Government, State Government, Privacy Commission, Chief Privacy Commissioner, Privacy Commissioner or any person acting under the direction either of the Central Government, State Government, Privacy Commission, Chief Privacy Commissioner or Privacy Commissioner in respect of anything which is in good faith done or intended to be done in pursuance of this Act or of any rules or any order made thereunder.

 

  1. Power to remove difficulties. –

 

(1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order, published in the Official Gazette, make such provisions, not inconsistent with the provisions of this Act, as appears to it to be necessary or expedient for removing the difficulty:

 

Provided that no such order shall be made under this section after the expiry of a period of three years from the commencement of this Act.

 

(2) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.

 

  1. Act to have overriding effect. – Subject to the provisions of Schedule A, the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

 

SCHEDULE A

  1. Statutes, provisions whereof shall have to comply with the requirements of this Act

 

a) Sections 43A, 69, 69B, 72 and 72A of the Information Technology Act, 2000.

c) Sections 28, 29, 30, 31, 32 and 33 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.

d) Section 5(2) of the Indian Telegraph Act, 1885.

f) Section 21 of the Prevention of Money Laundering Act, 2002.

g) The Census Act, 1948.

 

  2. Statutes, provisions whereof shall not be required to comply with the provisions of this Act

 

  1. The Representation of the People Act, 1951
  2. The Right to Information Act, 2005

 

FINANCIAL MEMORANDUM

 

  1. Clause 33(1) provides for establishment of the Privacy Commission which shall be a body corporate having perpetual succession and a common seal with power to acquire, hold and dispose of property and sue or be sued with an office as determined under Clause 41.

 

  1. Clause 33(1) provides that the Privacy Commission shall consist of a Chief Privacy Commissioner and six other members as Privacy Commissioners.

 

  1. Sub-clause 7 of clause 34 makes provision for salaries and allowances payable to the Chief Privacy Commissioner and allowances or remuneration payable to the Privacy Commissioners.

 

  1. Clause 37 provides for the appointment of a secretary, officers and other employees of the Privacy Commission.

 

  1. Clause 38 provides that the expenditure for the Privacy Commission shall be incurred from the Consolidated Fund of India. The Bill, therefore, if enacted, would involve expenditure from the Consolidated Fund of India. The Bill, if enacted, would involve a recurring expenditure of about rupees six hundred crore per annum. A non-recurring expenditure of about rupees one hundred and twenty five crore is also likely to be involved.

 

STATEMENT OF OBJECTS AND REASONS

 

Our country is at the threshold of a new technological revolution, marrying welfare with programmes of digitization for the quick and effective delivery of government services and benefits from various schemes. For this process, ranging from electronic banking to the transfer of subsidies, vast amounts of data are collected from our citizens, the integrity of which must be protected. This data can be used for seemingly innocuous purposes such as targeted advertising but also for provision of essential services such as ration, credit, insurance, and more, while unprotected and in the wrong hands, it could also cause damage to the interests of the individual.

 

Beyond its commercial exploitation there is also an inherent equation of power when a person or entity possesses data and information concerning another individual or groups of individuals. Today, most such interactions are unregulated and put the users of internet and technological services at risk, and this risk will only grow with more and more digitization and as technological involvement in the delivery of services to citizens develops.

 

Many concerns arise from the absence of a comprehensive data protection and privacy statute which provides rights to individuals in a data governed world. This has been recognized by past efforts of the Government of India notably by the Report of the Group of Experts on Privacy chaired by Justice A.P. Shah, Former Chief Justice, Delhi High Court. Drawing on the recommendations of this expert group, global best practices and also the unique factors that exist locally, this Data Privacy And Protection Bill aims to provide a comprehensive law to protect privacy and data collected from our citizens.

 

This bill puts a person in control of his/her own data and further permits them to make an informed choice concerning its use. The Bill further provides an industry friendly model of co-regulation that aims to foster a higher degree of certainty for the private sector. The concerns of government are also sought to be addressed with a balanced provision for interception and access, making special provisions to safeguard the security of the state. The aims and objectives of the bill are sought to be implemented by an autonomous privacy commission.

 

The Data Privacy and Protection Bill, 2017 aims to protect and promote our constitutional ideals in a networked, increasingly digitized society.

 

Therefore, this Bill.

 

SHASHI THAROOR

 New Delhi; July 2, 2017

 

NOTES ON CLAUSES

 

CHAPTER I

Preliminary

Clause 1 contains the title of the proposed legislation – the Data Privacy And Protection Act, 2017. This legislation takes individuals’ rights to protect and control their identities and information concerning them to be necessary entailments of the right to life and personal liberty guaranteed in Article 21 of the Constitution. Recognizing the various circumstances in which offshore transfers of data pertaining to Indian residents may occur, and with a view to enabling the preservation and defence of their right to privacy, this clause also enables the provisions of this legislation to have effect outside India.

 

Clause 2 seeks to define words and expressions used in the proposed legislation. It specifically defines the types of data, and the various uses it can be put to.

 

Clause 3 enumerates various principles that ought to guide the working of this legislation. This legislation recognizes the utility of data to governments and commercial actors alike, and is intended to ensure that data subjects are treated as owners of information pertaining to them. It also acknowledges both that privacy is indispensable to democratic life, and that international law, including human rights treaties, oblige India to preserve democracy by limiting intrusions into privacy to those which are necessary and proportional. In order to secure this aim, this legislation envisages the establishment of a competent, well-funded and independent regulator, called the Privacy Commission.

 

CHAPTER II

Right to Privacy

 

Clause 4 codifies the right to privacy necessarily implicit in Article 21 of the Constitution into statute, and mandates that all handling of data, interception and other types of surveillance be undertaken strictly in terms of this legislation. A failure to comply with these requirements will be visited with civil and criminal consequences as detailed in Chapter VI.

 

Clause 5 excepts data handling for two purposes from the rule in clause 4 that all data must be handled in terms of this legislation alone: (1) personal or family use of one’s own data and (2) surveillance of one’s own residence. These exceptions are intended to preserve the autonomy and enhance the privacy of data subjects in their homes and family lives.

 

CHAPTER III

Protection of Personal Data

 

Clause 6 seeks to enumerate conditions precedent to rendering consent, as defined in cl. 2(j), effective for the purposes of this legislation. Concerns similar to those raised by the yawning disproportionalities in bargaining power between the consumer and the service provider in standard form contracts, such as those for insurance, arise in nearly all contracts which enable the collection of data. Given that consent in the digital age has been reduced to a mere formality by the advent of clickwrap contracts, this provision seeks to rehabilitate the data subject as a party who has genuine and meaningful autonomy concerning the contexts and ways in which data about her are collected, stored, used and disseminated.

 

Sub-clause 1 imports the meaning given to ‘free consent’ in the Indian Contract Act, 1872, which contains the various grounds on which consent could be vitiated, into this legislation.

 

Sub-clause 2 sets up a default rule as to prior consent. Exceptions to this rule are codified in cl.8.

Sub-clause 3 attempts to ensure that consent obtained from data subjects is verifiably voluntary. It does so by making it necessary for consent to be indicated affirmatively and for it to be reduced to writing, and by disallowing practices that hinder easy withdrawal of that consent.

 

Sub-clause 4 requires contracts to be drafted in language that a lay individual can easily comprehend. Given that these will be standard form contracts, it attempts to enforce this requirement by making the contra proferentem rule, by which contracts are read against the interest of the draftsman (who will typically be the data controller or processor) in case of ambiguity, expressly applicable to them.

 

Sub-clause 5 codifies the principle of purpose limitation, by requiring that consent be sought for clearly demarcated purposes, and thus excluding omnibus or infinite consent from the purview of effective consent.

 

Clause 7 explains the requirements for lawful data collection and use under this legislation. It implements the effective consent requirement, expressly limits permissible collection to cases where it is necessary to achieve a stated purpose, lists the elements of a complete notice required to ensure that the data subject is informed in accordance with cl. 6 (4), and requires data destruction on the withdrawal of consent.

 

Clause 8 contains a list of three exceptions to the rule under cl. 6 (2), by which all consent must be obtained prior to collection and handling of data.

 

Clause 9 seeks to undo the prevalent practice of data retention for unspecified lengths of time, even after the purpose for which the data was initially collected has lapsed. It does so by limiting the duration for which data may be retained to the life of the purpose for its collection, and instituting a data destruction requirement after that period is completed. Subject to the requirements of proportionality and anonymisation, there are three exceptions to this rule: (1) where effective consent is obtained for the retention, (2) where it is required as evidence in court, and (3) where a statute requires continued retention for one of the reasons specified in sub-clause (3). By operation of clauses 24 and 32, these provisions are made applicable to data collected in the course of interception and surveillance as well.

 

Clause 10 concerns the standards to be observed when processing personal data. Data processing, like collection, is to be limited to its specified purpose, and altered purposes require fresh effective consent to be obtained. The rule as to purpose limitation may not apply in case of the four exceptions contained in sub-clause 4, which include the maintenance of public safety and the preservation of law and order.

 

Clause 11 enumerates the obligations that attend the collection and use of personal data. All possible measures to ensure the integrity and secrecy of databases are required to be taken, all persons who come into contact with data are placed under a duty of secrecy and confidentiality in respect of it, and they are obligated to report breaches of the standards set down in this Chapter to the statutory regulator upon becoming aware of any such breach.

 

Clause 12 requires that any transfers of data from controllers to processors be under an agreement that meets, as a minimum standard, all the requirements of this legislation, and continues to hold the person making such a transfer liable to the data subject.

 

Clause 13 concerns the conditions to be satisfied for lawful disclosures of personal data. It provides that data may only be disclosed with the effective consent of the data subject, and specifies the contents of the notice that must be communicated to the data subject prior to obtaining this consent and restates the requirement in cl. 12 that disclosures by which data is transferred must be by agreement that meets the standards enumerated in this legislation.

 

Clause 14 requires that all records of personal data be kept accurate, and confers on data subjects the affirmative right to call for records pertaining to them and demand corrections in cases of inaccuracy and destruction where the purpose of the collection or use has lapsed.

 

Clause 15 makes special provisions in respect of sensitive personal data, requiring that collection and processing be with effective consent and limited to its purpose, that retention be for no longer than is strictly necessary and that no disclosures of or about records of sensitive data be made in any circumstances.

 

Clause 16 makes special provisions in respect of intelligence organisations. Intelligence agencies under the state operate with great opacity in India, and this provision attempts to subject them to the oversight of the Privacy Commission and to the rigours of this legislation to the extent that they are involved in the secret – and thus far, unregulated – collection, processing and disclosure of vast amounts of sensitive and ordinary personal data.

 

CHAPTER IV

Interception of Communications

 

Clause 17 provides that interception must be undertaken only where necessary and with prior authorization, unless emergent circumstances in terms of cl. 19 arise. Its provisions are intended to supersede the other applicable provisions in statute and delegated legislation, including those contained in the Indian Telegraph Act, 1885 and the Information Technology Act, 2000.

 

Clause 18 lays down standards for procedural and substantive legality of interception. It intends to strike a fair balance between, on the one hand, interception targets’ right to privacy in their communications and, on the other, the state’s interest in public safety and law and order, by providing for narrow and closely overseen channels for interception. Substantively, it requires that all interception be undertaken as a last resort to achieve a clearly specified and lawful purpose, through means which are limited and proportionate to that purpose. Procedurally, it requires that all interception be warranted by a written and reasoned order of an authority separate and independent from those seeking to intercept, and be undertaken only by officers of the government who are specifically authorised to do so.

 

Clause 19 permits the Home Secretary to warrant interception by a reasoned order in the exceptional cases where there is an imminent and grave threat to security of the state or to public order. Such an order may operate for no longer than 7 days, and its particulars, along with a copy of its contents must be furnished to the Chief Privacy Officer within that time. This provision is intended to be used as sparingly as possible.

 

Clause 20 attempts to limit privacy invasions caused by surveillance and foster proportionality, by placing a cap on the length of any given instance of surveillance to 60 days, and requiring a review upon application of the reasons for continuing surveillance.

 

Clause 21 requires, as a general rule, that targets of interception be notified of the fact of such surveillance and of the lengths of time for which they were surveilled. This provision recognizes the dangers to fundamental rights, including privacy and those contained in Article 19 of the Constitution, and to democratic order posed by secret interception. Being that knowledge of a violation of one’s rights is a necessary prerequisite to pursuing a redressal, this provision attempts to create a clear avenue for targets of interception to access judicial remedies where necessary.

 

Clause 22 places all those involved with interception under a duty of confidentiality and secrecy, and requires that all possible measures be taken in advance to ensure that fruits of interception remain secret.

 

Clause 23 bars the disclosure of the fact, duration and fruits of all interception, except in cases where such a disclosure is necessary to prevent, investigate or prosecute cognizable offences, including those that threaten the security of the state or public order.


Clause 24 contains a mandatory data destruction requirement and a standard for the storage of the fruits of interception. Per the data destruction requirement, fruits of interception may not be held 180 days after the interception has ended, unless a written and reasoned order to the contrary is obtained. The standard for storage of any data resulting from interception is the same as is provided for in ordinary cases under cl. 9.

 

CHAPTER V

Surveillance

Clause 25 provides that all surveillance must comply with the provisions of Chapter V of this legislation. Further, it bans the rampant, unregulated practice of dragnet surveillance as being irrevocably incompatible with the standards of necessity and proportionality that any invasion into fundamental rights must satisfy, both under international human rights law and under the Indian Constitution.

 

Clause 26 lays down standards for procedural and substantive legality of state surveillance. It intends to strike a fair balance between, on the one hand, surveillance targets’ right to privacy in their communications and, on the other, the state’s interest in public safety and law and order, by providing for narrow and closely overseen channels for surveillance. Substantively, it requires that all state surveillance be undertaken as a last resort to achieve a clearly specified and lawful purpose, through means which are limited and proportionate to that purpose. Procedurally, it requires that all state surveillance be warranted by a written and reasoned order of an authority separate and independent from those seeking to surveil, and be undertaken only by officers of the government who are specifically authorised to do so.

 

Clause 27 sets up the default rule that surveillance may not be undertaken by private entities, even in public places, in recognition that privacy inheres in persons rather than in places or objects alone.

 

Clause 28 attempts to limit privacy invasions caused by surveillance and foster proportionality, by placing a cap on the length of any given instance of surveillance to 60 days, and requiring a review upon application of the reasons for continuing surveillance.

 

Clause 29 requires, as a general rule, that targets of surveillance be notified of the fact of such surveillance and of the lengths of time for which they were surveilled. This provision recognizes the dangers to fundamental rights, including privacy and those contained in Article 19 of the Constitution, and to democratic order posed by secret surveillance. Being that knowledge of a violation of one’s rights is a necessary prerequisite to pursuing a redressal, this provision attempts to create a clear avenue for targets of surveillance to access judicial remedies where necessary.

 

However, this clause also recognizes that investigations into grave threats to national security and the like may justify denying targets, such as those verifiably involved in continuing terrorist activity at a national scale, their right to notification of surveillance. This denial must always be for reasons and for a time period recorded in advance, so that on the expiry of the relevant period, the target’s right to be notified revives.

 

Clause 30 places all those involved with surveillance under a duty of confidentiality and secrecy, and requires that all possible measures be taken in advance to ensure that fruits of surveillance remain secret.

 

Clause 31 bars the disclosure of the fact, duration and fruits of all surveillance, except in cases where such a disclosure is necessary to prevent, investigate or prosecute cognizable offences, including those that threaten the security of the state or public order.

 

Clause 32 contains a mandatory data destruction requirement and a standard for the storage of the fruits of surveillance. Under the data destruction requirement, fruits of surveillance may not be retained beyond 180 days after the surveillance has ended, unless a written and reasoned order to the contrary is obtained. The standard for storage of any data resulting from surveillance is the same as that provided for ordinary cases under cl. 9.

 

CHAPTER VI

The Privacy Commission

 

Clause 33 sets up a Privacy Commission, the statutory regulator under this legislation, set up under the Central government but intended to operate autonomously. It attempts to set up a regulator with a fairly balanced composition headed by a retired Judge of the Supreme Court. Members of the Commission would be drawn from persons having legal or technical expertise with privacy and data protection matters, through a transparent selection process which would include civil society representation.

 

Clause 34 sets out the terms of office, conditions of service and emoluments due to members of the Privacy Commission. Inter alia, it precludes the appointment of any person having financial interests in data protection, caps the number of terms at two terms of 5 years each, and provides for a cooling-off period of 5 years before members can take up other appointments under the Central Government.

 

Clause 35 specifies the grounds for removal of members of the Privacy Commission and specifies the cases in which such removal must be preceded by an inquiry.

 

Clause 36 details the functions of the Privacy Commission, provides that it will operate by simple majority, pass written and reasoned orders and allows it the power of review over its own decisions. It also renders the Commission accountable to Parliament, and treats the Commission as a legal person capable of suing and being sued.

 

Clause 37 concerns staffing of the Privacy Commission. It requires that a Secretary be appointed by the Central Government under the Chief Privacy Commissioner. It also allows for the Central Government to appoint other employees, as necessary.

 

Clause 38 provides that members and employees of the Privacy Commission will be paid from the Consolidated Fund of India.

 

Clause 39 provides that defects in the constitution of the Privacy Commission or of appointment of its members do not themselves constitute a ground for impugning proceedings conducted by the Commission.

 

Clause 40 deems members and employees of the Privacy Commission public servants in terms of the Indian Penal Code, 1860.

 

Clause 41 requires that the Privacy Commission’s offices be located in New Delhi or, if the Chief Privacy Commissioner so directs after consulting with the Central Government, at any other place.

 

Clause 42 permits the Privacy Commission to determine the procedures to be followed by and before it, subject only to the qualification that they comply with the requirements of natural justice. This clause affords the Commission the flexibility to tailor processes to the end of most effectively realizing the object of this legislation.

 

Clause 43 contains provisions relating to the collection of evidence which are intended to ensure that the Privacy Commission is fully empowered to conduct inquiries effectively. It is equipped with the same powers as would vest in civil courts while trying suits, and is empowered to authorize searches in terms of section 100 of the Code of Criminal Procedure, 1973. Where information is not produced or is produced improperly, sections 175 to 180 and 228 apply.

 

Clause 44 allows the Privacy Commission to decide matters before it by majority, and renders these decisions binding. It also empowers the Privacy Commission to direct compliance with this legislation, and to order the payment of compensation or impose penalties in case of non-compliance.

 

Clause 45 empowers the Privacy Commission with an effective power of enforcement of its decisions under cl. 44, by deeming it to be a civil court under the Code of Criminal Procedure, 1973 and proceedings conducted by it to be judicial proceedings under the Indian Penal Code, 1860.

 

CHAPTER VI-A

Regulation by Data Controllers and Data Processors

 

Clause 46 enables data controllers and processors to contribute to the design of the rules and standards that would govern them, through public consultations with the Privacy Commission. It is enacted in the awareness that, given the rate of technological obsolescence among other factors, keeping any code of conduct current and alive to the pragmatic concerns confronted by data controllers and processors is critical to its effectiveness. In accordance with Clause 47, codes formulated under this clause may not narrow the Privacy Commission’s field.
 

Clause 47 encourages standard-setting around data protection practices by processors and controllers themselves in the form of professional codes. The Privacy Commission will make effective such codes by their registration. In keeping with the objects of this legislation, self-regulatory codes must properly protect personal data in order to be recognized.

 

Clause 48 provides that the breadth of the Privacy Commission’s powers and functions cannot be limited by any code formulated or recognized under this chapter.

 

CHAPTER VII

Offences and penalties

Clause 49 levies civil penalties for handling data in a manner inconsistent with this legislation. In addition, with a view to deterrence, where a violation of this legislation is accompanied by intent or negligence, criminal liability also accrues. Penalties where sensitive personal data is at issue are enhanced over those that would apply where personal data is involved.

 

Clause 50 levies civil penalties in all cases of contravention of this legislation in the course of intercepting communications, and creates criminal offences where the contravention is accompanied by intent or negligence, with a view to deterrence.

 

Clause 51 levies civil penalties in all cases of contravention of this legislation in the course of surveillance, and creates criminal offences where the contravention is accompanied by intent or negligence, with a view to deterrence.

 

Clause 52 treats abettors as being alike to principal offenders under this chapter.

 

Clause 53 provides that companies as well as all individuals through whom the offence was committed will be liable for contraventions of this legislation.

 

Clause 54 provides that offences under this legislation are cognizable and non-bailable, with a view to signaling their seriousness.

 

Clause 55 makes all non-compliance with this legislation, other than those instances covered by specifically enumerated offences contained within it, liable to civil penalties.

 

Clause 56 provides that punishments for contraventions of this legislation do not preclude other action under it from being taken.

 

CHAPTER VIII

Miscellaneous

 

Clause 57 empowers the Central Government to make rules, specifies the matters on which such rules can be made and the period within which they are to be laid before Parliament, and saves actions taken under rules before they are subsequently modified or annulled.

 

Clause 58 contains an ouster of the jurisdiction of subordinate courts in disputes arising under the provisions of this legislation.

 

Clause 59 confers immunity upon the government, the regulator and its officers from civil and criminal liability for acts done in good faith under this legislation.

 

Clause 60 allows the Central Government to make provisions in order to remove any difficulties in giving effect to this legislation, for a period of 3 years from its commencement.

 

Clause 61 contains a non-obstante clause that would give the proposed legislation overriding effect over any conflicting legislation. Exceptions to this rule are contained in Schedule A.

 
MEMORANDUM REGARDING DELEGATED LEGISLATION

 

Clause 57 of the Bill empowers the Central Government to make rules for carrying out the purposes of this Bill. As the rules will relate to matters of detail only, the delegation of legislative power is of a normal character.
