The document summarizes key aspects of India's Personal Data Protection Bill, 2018. It discusses the bill's objectives to protect individual privacy and regulate how personal data is collected and processed. It outlines important definitions like personal data, sensitive personal data, and roles of data fiduciaries, processors and principals. It describes the bill's scope, lawful grounds for processing data, rights of individuals, and obligations of entities processing data, including transparency, security safeguards, impact assessments, and restrictions on sensitive data and cross-border transfers. It also discusses penalties for non-compliance and oversight by an independent Data Protection Authority.
With the submission of the Srikrishna Committee report on data protection, the final countdown for India’s own data protection regime has begun. A detailed legal framework on data protection is to be implemented in the coming days.
Purpose of the Data Protection Bill 2018: to protect the autonomy of individuals in relation to their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
2. Why The Bill?
Data protection grew out of public concern about personal privacy in the face of rapidly developing computer technology.
It works in two ways:
i. It gives certain rights to individuals.
ii. It obliges those who record and use personal information to be open about that use.
In Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (W.P. (Civil) No. 494 of 2012), the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution.
The Justice B. N. Srikrishna Committee was appointed, and it submitted the draft of the Personal Data Protection Bill, 2018 (“the bill”) to MeitY on 27 July 2018 along with the Committee Report (“the report”).
3. Personal Data Protection Bill, 2018
Three broad perspectives on data protection are:
i. Laissez-faire, followed in the US (constitutional understanding of liberty and freedom)
ii. GDPR in the EU (upholding the dignity of an individual)
iii. Data protection averting national security risks, articulated by China (privileges the collective over the individual)
Important Terms
“Personal Data” shall mean all data relating to a natural person including data from which an
individual may be identified or identifiable, either directly or indirectly.
‘Processing’ is defined broadly as the performance of operations on Personal Data and will include,
inter alia, collection, storage, retrieval, usage, disclosure, transfer, structuring, alignment or
combination, indexation, and erasure.
4. Continued…
Sensitive Personal Data shall include passwords, financial data, health data, official identifier, sex life,
sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex
status, caste, tribe, religious or political beliefs or affiliations of an individual.
The DPA will be given the residuary power to notify further categories in accordance with the criteria
set by law.
Data fiduciary: any person, including the State, a company, any juristic entity or any individual who
alone or in conjunction with others determines the purpose and means of processing of personal
data;
Data principal: the natural person to whom the personal data belongs (an individual, a Hindu
undivided family, a company, firm, state, juridical person).
Data processor: any person, including the State, a company, any juristic entity or any individual who
processes personal data on behalf of a data fiduciary, but does not include an employee of the data
fiduciary.
5. Applicability
The law will cover processing of personal data by both public and private entities. The bill governs all processing of personal data:
i. within India.
ii. by state, non-state or foreign entities, within India.
iii. by data fiduciaries or data processors not present within India but having a connection with any business in India.
Exception: The bill is not applicable to anonymized data. This exclusion does not extend to mere de-identification, a potentially reversible process where identifiers have been removed, masked, or replaced with unique codes.
6. It mostly incorporates obligations of the Data Fiduciary, much like GDPR:
1. Personal information must be fairly and lawfully processed.
2. Personal information must be processed for limited purposes.
3. Information regarding data processing must be notified to the Data Principal.
4. Such notification must be easily comprehensible and in multiple languages where necessary.
5. Personal information must be adequate, relevant and not misleading.
7. Continued…
6. Personal information must be accurate and up to date.
7. Personal information must not be kept longer than is necessary.
8. Personal information can be transferred to other countries only when authorized by the state.
9. Personal data processing should be in compliance with the Bill.
8. Section 7: Lawful processing
CONSENT (Section 12)
• Free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872
• Informed, having regard to whether the data principal has been notified of his/her data that is being processed
• Specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing
• Clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context
EXPLICIT CONSENT (Section 18)
• Explicit consent is a must in case of collection or processing of sensitive personal data
• Compliance with section 12, and
• Informed, drawing the attention of the Data Principal to the purpose of processing data
• Clear, having regard to whether it is meaningful without recourse to inference from conduct in a context
• Specific, having regard to whether the Data Principal is given a choice of separately providing consent to data processing
9. Section 7: Lawful processing
Chapter 3: Grounds for Processing Of Personal Data
The Bill allows processing of data by fiduciaries if consent is provided. However, in certain
circumstances, processing of data may be permitted without consent of the individual.
These grounds include:
i. if necessary for any function of Parliament or state legislature, or if required by the state for
providing benefits to the individual,
ii. if required under law or for the compliance of any court judgment,
iii. to respond to a medical emergency, threat to public health or breakdown of public order, or,
iv. for reasonable purposes specified by the Authority, related to activities such as fraud detection,
debt recovery, and whistle blowing.
10. Section 7: Lawful processing
Chapter 4: Grounds For Processing Of Sensitive Personal Data
The Bill allows processing with the explicit consent of the Data Principal, and allows processing on the following grounds without any consent, in cases:
a. which require ‘explicit consent of the principal, as explained under section 12 of the bill’.
b. necessary for any function of Parliament or state legislature, or, if required by the state for
providing benefits to the individual, or
c. required under law or for the compliance of any court judgment.
d. for prompt action during medical emergency, incident of public threat or any breakdown of any
public order.
11. Personal Data And Sensitive Personal Data Of Children
Section 23
Data Fiduciaries are required to implement appropriate mechanisms for age verification and parental
consent before Processing Personal Data of Children (persons below the age of 18 years) based on
volume, proportion and possibility of harm to children arising out of processing of personal data.
Data fiduciaries who operate commercial websites or online services or who process large volumes of
personal data of children are classified as Guardian Data Fiduciaries.
They shall be barred from profiling, tracking, or behavioral monitoring of, or targeted advertising
directed at, children and undertaking any other processing of personal data that can cause significant
harm to the child.
EXCEPTION: Guardian Data Fiduciaries providing counseling or child protection services to a child.
12. Data Principal Rights
Right to confirmation and access for every data that is being processed. (Section 24)
Right to correction: Principals may request the fiduciaries to make any correction, completion or updating of data, if required; a denial has to be substantiated with reasonable justification. The fiduciary has to inform third parties of the correction or updating of personal data. (Section 25)
Right to Data Portability (Section 26) : Receive the personal data in a structured, commonly used and
machine-readable format:
i. which such data principal has provided to the data fiduciary;
ii. which has been generated in the course of provision of services or use of goods by the data fiduciary;
or
iii. which forms part of any profile on the data principal, or which the data fiduciary has otherwise
obtained.
Exception:
(a) processing is necessary for functions of the State;
(b) processing is in compliance of law; or
(c) such compliance would reveal a trade secret of any data fiduciary or would not be technically feasible.
13. Right to be forgotten (Section 28):
The data principal may restrict or prevent continuing disclosure of personal data, in cases where the
a) Applicability is determined by Adjudicating officer. (Section 68)
b) Restriction of disclosure of personal data overrides the right to freedom of speech and expression
and the right to information of any citizen.
Continued…
14. Transparency And Accountability Measures
Transparency (Section 29):
Data Fiduciary is obligated to implement policies and measures to anticipate, identify and avoid
harm to Data Principal. Data Fiduciary must comply with the following (Section 29):
1. the categories of personal data collected and the manner of collection.
2. the purposes for which personal data is generally processed.
3. any exceptional purpose of processing data that creates risk of significant harm.
4. the existence of and procedure for the exercise of data principal rights.
5. the existence of a right to file complaints to the Authority.
15. Continued…
6. where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under section 35;
7. where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out.
Security Safeguards: to be taken by data fiduciaries as well as data principals.
Personal Data Breach: The data fiduciary shall notify the Authority of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.
The notification to the Data Principal shall be sent only on directions given by the DPA.
This shifts the burden of deciding the materiality of breaches from the Data Fiduciaries to the DPA.
16. Data Protection Impact Assessment - A data protection impact assessment has to be undertaken if
the data fiduciary intends to undertake any new processing technologies or large scale profiling or
use sensitive PD or other processing which carries a risk of significant harm to data principals.
The authority shall, after the assessment, direct the fiduciary accordingly to cease or continue the
processing.
Record Keeping and Audits - Accurate and up-to-date records of important operations in the data
life-cycle have to be maintained by the data fiduciary.
The data fiduciary has to conduct an annual audit of its policies and processing of PD by an
independent data auditor, who will evaluate the compliance of the data fiduciary with the bill.
Significant Data Fiduciaries – The DPA shall notify certain data fiduciaries as significant fiduciaries
based on the volume and sensitivity of Personal Data Processed.
They are subject to enhanced obligations such as impact assessment, registration, audit, and
appointment of a Data Protection Officer (DPO).
Foreign Data Fiduciaries carrying out any processing must appoint an India based DPO.
In any event, every Data Fiduciary must have a Grievance Redressal Officer.
Continued…
18. Transfer Of Personal Data Outside India
Critical Personal Data - Critical Personal Data, as categorized by the DPA, can be stored only on Indian servers. [Section 40(2)]
Cross-Border Transfer – Personal data (except sensitive personal data) may be transferred outside India under certain conditions. These include: (i) where the central government has prescribed that transfers to a particular country are permissible, or (ii) where the Authority approves the transfer in a situation of necessity. [Section 41]
Exemptions – The Bill provides exemptions from compliance with its provisions, for certain reasons including:
i. state security,
ii. prevention, investigation, or prosecution of any offence, or
iii. personal, domestic, or journalistic purposes. (Chapter IX of the Bill)
19. Regulatory Authorities
An independent body called the Data Protection Authority of India.
Establishment of independent Appellate Tribunals.
Wide range of duties of the DPA, such as identifying additional categories of SPD and grounds for processing personal data; mandating breach notifications to Data Principals; and prescribing various codes of practice, including for notice, transparency, security standards, de-identification and anonymization, contractual clauses and inter-group schemes for cross-border transfer.
Powers of the DPA:
a) calling for information;
b) conducting inquiries;
c) issuing codes of practice; and
d) issuing directions to Data Fiduciaries or data processors. These directions may range from restricting operations to prohibiting cross-border data flows. The DPA is also conferred search and seizure powers and powers of attachment of property to recover penalties.
20. Offences And Penalties
Civil Penalties: For violation of provisions under transparency, the monetary penalty shall be 5-15 crore rupees or 2%-4% of the total worldwide turnover of the Data Fiduciary in its preceding financial year, whichever is higher, depending on the severity of the case.
Criminal Penalties: Imprisonment (ranging from 3 to 5 years) is prescribed for persons who knowingly, intentionally, or recklessly obtain, disclose, transfer or sell Personal Data (or SPD), provided that such acts result in harm to a Data Principal.
A new offense has been proposed for knowingly reversing de-identification.
Compensation – The Bill also provides that any data principal who has suffered harm as a result of any violation of any provision under this Act by a data fiduciary or a data processor shall have the right to seek compensation from the data fiduciary or the data processor. (Section 74)
21. Amendments To Other Laws
The Bill proposes amendments in certain laws:
omission of Section 43A and Section 87 of the Information Technology Act, 2000, and
amendment in Section 8 of the IT Act, 2000 and the Census Act, 1948.
The Bill provides minimum data protection standards for all data processing in the country. In the event of inconsistency, the standards set in the data privacy law will apply to the processing of data.
The Committee recommended amendments to the Aadhaar Act, 2016 to bolster its data protection framework. (Sections 111 and 112 of the Bill)
22. Observations
The Bill sought extensive changes in the mechanism of the existing data protection regime in India.
Personal data has been treated as a trust and not as a property.
The Act has provided wider discretion to the Data Protection Authority.
Since the law does not have retrospective effect, it is unclear how the processing of personal data collected before the law comes into force will be governed.
Localization Of Data: To meet this expectation, companies would need to spend huge amounts on setting up local servers, among other things.
How the right to be forgotten, right to access, and other rights being extended to data principals will be exercised has not been dealt with.