On whom the Bill will be applicable?
The Bill is applicable on processing of personal data by
What are the authorities appointed under this Bill?
The Authority appoints the Adjudicating Officer. The Central Government prescribes manner and terms of appointment, jurisdiction of Adjudicating Officers etc.
Chairperson: present or former Judge of the Supreme Court or Chief Justice of a High Court
Member: has held the post of Secretary to the Government of India or any equivalent post in the Central Government for a period of not less than two years or a person who is well versed in this field of data protection
The Central Government prescribes manner and terms of appointment, removal of chairman or members of Appellate Tribunal.
What is "personal data"?
What is "sensitive personal data"?
"Sensitive personal data" means such personal data, which may, reveal, be related to, or constitute— (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data as notified by the Central Government after consultation with the Authority and the sectoral regulator concerned under S. 15 of the Bill.
What is "personal data breach"?
Under what conditions the processing of data is allowed?
"Processing" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
Data can be processed by:
If data fiduciary is processing the data:
There are further obligations on the data fiduciary.
What is the nature of consent?
(a) after informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
(b) in clear terms without recourse to inference from conduct in a context; and
(c) after giving him the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.
On whom the burden of proof lies for valid consent?
Under Section 11(5) of the Bill, the data fiduciary has the burden of proof that the consent has been given by the data principal for processing of the personal data.
What are the special provisions for child?
Data fiduciary shall process personal data of a child :
Exception: It is not applicable for the guardian data fiduciary providing exclusive counselling or child protection services to a child.
The Data Protection Authority of India shall, classify any data fiduciary, as guardian data fiduciary, who—
There are added obligations of the guardian data fiduciary or of such modified form to the data fiduciary offering counselling or child protection services to a child, as the Authority may by regulations specify, are. It shall be barred from profiling, tracking or behaviouraly monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.
What are the rights of data principal?
(a) receive the following personal data in a structured, commonly used and machine-readable format of the personal data provided, the data which has been generated in the course of provision of services or use of goods by the data fiduciary; or the data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained; and
(b) have such personal data as referred above transferred to any other data fiduciary in the format referred to in that clause.
Exception to (e): No such right if processing is necessary for functions of the State or in compliance of law or order of a court under section 12; or compliance with the such request would reveal a trade secret of any data fiduciary or would not be technically feasible.
Pre-condition: Only after an order of the Adjudicating Officer made on an application filed by the data principal and unless it is shown that the right or interest of the data principal overrides the right to freedom of speech and expression and the right to information of any other citizen.
The data principal may apply for the review of that order to the Adjudicating Officer.
Any person aggrieved by an order made under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.
If the data fiduciary agrees with (b), (c) or (d) then, the same shall be notified to all relevant entities or individuals to whom such personal data may have been disclosed by the data fiduciary.
If the data fiduciary does not agree with (b), (c) or (d), then it shall provide adequate justification in writing for rejecting the application. If the data principal is not satisfied with the justification it may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal.
What are the transparency and accountability measures for data fiduciary?
What are the safeguards provided for "social media intermediary"?
"Social media intermediary" is an intermediary who:
The Central Government, in consultation with the Authority will notify as a 'significant data fiduciary' on basis of following parameters:
Impact of above notification: It shall now enable the users who register their service from India, or use their services in India, to voluntarily verify their accounts in such manner as may be prescribed.
What are "significant data fiduciary"?
The Authority on the basis of following factors notifies "significant data fiduciary":
Added Obligations for "significant data fiduciary":
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]