Miscellaneous
Section 35: Protection of action taken in good faith
Legal protection is provided for actions taken under this Act.
Such protection extends to:
The Central Government.
The Board.
The Chairperson of the Board.
Any Member, officer, or employee of the Board.
No suit can be filed against these persons.
No prosecution can be initiated against them.
No other legal proceedings can be brought against them.
This protection applies only to acts done or intended to be done in good faith.
The acts must be under the purview of the provisions of this Act or the rules made under it.
Section 36: Power to call for information
The Central Government is empowered to seek information.
The purpose of seeking such information must be connected with this Act.
The information may be required from the Board , a Data Fiduciary or an intermediary.
The Central Government may call for such information as it considers necessary.
The Board, Data Fiduciary, or intermediary is required to furnish the information so called for.
Section 37: Power of Central Government to issue directions
37(1).
Action may be initiated at the level of the Central Government.
Such action may be taken either by the Central Government itself or by any officer specially authorised by it.
The trigger for such action is a reference made in writing by the Board.
The reference from the Board must state the following:
(a).
The Board must have imposed a monetary penalty on a Data Fiduciary.
The imposition must have occurred more than once.
Specifically, penalties must have been imposed in two or more instances.
This information must be formally communicated.
Such communication is made by way of an intimation from the Board.
The intimation serves as a basis for further action by the Central Government.
(b).
The Board may make a recommendation to the Central Government.
The recommendation must be made in the interests of the general public.
The recommendation may be to block access by the public.
The blocking relates to access to certain information.
The information may be generated , transmitted , received , stored or hosted.
Such information must be contained in a computer resource.
The computer resource must enable the Data Fiduciary to carry on its activities.
The activities must relate to offering goods or services.
Such goods or services must be offered to Data Principals.
The offering must take place within the territory of India.
This recommendation forms the basis for possible blocking action.
Before taking any blocking action, the Data Fiduciary must be given an opportunity of being heard.
After hearing the Data Fiduciary, the Central Government or authorised officer must be satisfied that such action is necessary or expedient.
The necessity or expediency must be in the interests of the general public.
Reasons for taking such action must be recorded in writing.
Upon such satisfaction, an order may be passed.
By such order, any agency of the Central Government or any intermediary may be directed to block access by the public.
Alternatively, they may be directed to cause such information to be blocked for public access.
The blocking applies to information that enables the Data Fiduciary to continue its activities relating to goods or services within India.
37(2).
A direction may be issued under 37(1).
Such direction may be addressed to an intermediary.
Every intermediary who receives such a direction is bound by it.
Compliance with the direction is mandatory.
The intermediary has no discretion to ignore or refuse the direction once received
37(3).
For the purposes of this section:
The meaning of these expressions have been derived from the Information and Technology Act, 2000.
Computer Resource.
Information Resource.
Intermediary.
Accordingly, these expressions must be interpreted consistently with the Information Technology Act, 2000.
Section 38: Consistency with other laws
38(1).
This Act does not operate in isolation.
The provisions of this Act are in addition to other laws.
The Act does not override or replace other laws.
It does not take away the operation of any other law.
All other laws that are currently in force continue to apply.
Compliance with this Act is required alongside compliance with other applicable laws.
38(2).
A situation may arise where there is a conflict between laws.
The conflict may be between a provision of this Act and a provision of another law.
In the event of such conflict, priority is given to this Act.
The provision of this Act will prevail over the conflicting provision.
The overriding effect applies only to the extent of the conflict.
Any part of the other law that does not conflict will continue to operate normally.
Section 39: Bar of Jurisdiction
Certain matters are placed exclusively within the authority of the Board.
Civil courts are barred from entertaining any suit or proceeding in respect of such matters.
The bar applies where the Board is empowered to act under the provisions of this Act.
No civil court can assume jurisdiction over those matters.
In addition, courts and other authorities are restricted from granting injunctions.
No injunction may be granted against any action already taken under this Act.
No injunction may also be granted against any action proposed to be taken under this Act.
The restriction applies to actions taken or to be taken in exercise of powers under this Act.
Section 40: Power to make rules
40(1).
The Central Government is empowered to make rules.
Such rules must be made for carrying out the purposes of this Act.
The rules must be consistent with the provisions of this Act.
The rules cannot override or contradict the Act.
The rules must be made by way of a notification.
Before making the rules, the condition of previous publication must be satisfied.
Previous publication allows for transparency before the rules take effect.
40(2).
The rule-making power given earlier is broad in nature.
This power is not limited only to general matters.
The specific matters listed below are only illustrative in nature.
Listing these matters does not restrict the overall scope of the rule-making power.
The Central Government may frame rules on all of the matters listed.
It may also frame rules on any one or more of those matters.
(a).
Rules may be framed on how a notice is to be given.
The notice must be given by the Data Fiduciary and addressed to the Data Principal.
The rules may prescribe the manner in which such notice shall inform the Data Principal.
The notice must comply with the requirements under Section 5(1).
(b).
Rules may be framed regarding the manner of giving notice.
Such notice must be given by the Data Fiduciary to the Data Principal.
The rules may prescribe how the notice shall inform the Data Principal.
The notice must comply with the requirements laid down under Section 5(2).
(c).
Rules may be framed relating to Consent Managers.
Such rules may prescribe the manner of accountability of a Consent Manager.
The rules may also prescribe the specific obligations of a Consent Manager.
These accountability requirements and obligations must align with Section 6(8).
(d).
Rules may be framed regarding the registration of Consent Managers.
Such rules may prescribe the manner in which a Consent Manager is to be registered.
The rules may also lay down the conditions relating to such registration.
These provisions must be in accordance with Section 6(9).
(e).
Rules may be framed identifying specific governmental offerings.
Such offerings may include a subsidy , benefit , service , certificate , licence or a permit.
These are the subsidy, benefit, service, certificate, licence, or permit for which personal data may be processed.
Such processing must be in accordance with Section 7(b).
(f).
Rules may be framed regarding intimation of a personal data breach.
Such intimation must be given to the Board.
The rules may prescribe the form in which the intimation is to be made.
The rules may also prescribe the manner in which the intimation is to be given.
These requirements must align with Section 8(6).
(g).
Rules may be framed to prescribe a time period.
The time period relates to the specified purpose for processing personal data.
Upon expiry of this time period, the specified purpose is deemed to no longer be served.
The prescription of this time period must be in accordance with Section 8(8).
Different time periods may be prescribed depending on the context, as permitted under the Act.
(h).
Rules may be framed regarding publication of contact details.
The contact details relate to the Data Protection Officer.
The rules may prescribe the manner in which such business contact information is to be published.
The publication requirement must comply with Section 8(9).
(i).
Rules may be framed regarding the process of obtaining consent.
The consent referred to must be verifiable consent.
The rules may prescribe the manner in which such verifiable consent is to be obtained.
This manner must comply with the requirements under Section 9(1).
(j).
Rules may be framed regarding the process of obtaining consent.
The consent referred to must be verifiable consent.
The rules may prescribe the manner in which such verifiable consent is to be obtained.
This manner must comply with the requirements under Section 9(1).
(k).
Rules may be framed relating to the Data Protection Impact Assessment.
Such rules may cover matters other than those expressly specified.
These matters must form part of the overall process of conducting a Data Protection Impact Assessment.
The rule-making power applies specifically to Section 10(2)(c)(i).
(l).
Rules may be framed relating to obligations of a Significant Data Fiduciary.
Such rules may prescribe additional measures to be undertaken.
These measures are in addition to those expressly mentioned in the Act.
The measures must be undertaken by a Significant Data Fiduciary.
The rule-making power applies to Section 10(2)(c)(iii).
(m).
Rules may be framed regarding how a request is to be made.
The request must be made by a Data Principal.
The request is to be made to the Data Fiduciary.
The rules may prescribe the manner in which such request is to be submitted.
The request relates to obtaining information.
The information concerns the personal data of the Data Principal.
The request may also relate to any other information connected with processing of such personal data.
These requirements must comply with Section 11(1).
(n).
Rules may be framed regarding requests for erasure.
The request must be made by a Data Principal.
The request is to be made to the Data Fiduciary.
The rules may prescribe the manner in which such request is to be submitted.
The request must be for erasure of the Data Principal’s personal data.
These requirements must be in accordance with Section 12(3).
(o).
Rules may be framed prescribing a time period.
The time period relates to responding to grievances.
Such grievances must be raised under Section 13(2).
The obligation to respond lies with the Data Fiduciary.
The Data Fiduciary must respond within the prescribed period.
(p).
Rules may be framed regarding nomination by a Data Principal.
The nomination may be made in favour of another individual.
The rules may prescribe the manner in which such nomination is to be made.
The nomination must comply with Section 14(1).
(q).
Rules may be framed prescribing standards.
The standards relate to processing of personal data.
These standards apply where an exemption is claimed.
The exemption must be under Section 17(2)(b).
Processing must comply with the prescribed standards to qualify for the exemption.
(r)
Rules may be framed regarding appointments to the Board.
Such rules may prescribe the manner of appointment.
The appointments relate to the Chairperson of the Board.
They also relate to the other Members of the Board.
The appointment process must comply with Section 19(2).
(s).
Rules may be framed regarding remuneration and service conditions.
Such rules may prescribe the salary of the Chairperson and other Members of the Board.
The rules may also prescribe allowances payable to them.
In addition, the rules may cover other terms and conditions of service.
These matters must be in accordance with Section 20(1).
(t).
Rules may be framed regarding authentication.
The authentication relates to orders issued by the Board.
It also relates to directions issued by the Board.
It further covers instruments issued by the Board.
The rules may prescribe the manner in which such authentication is to be carried out.
These requirements must comply with Section 23(1).
(u).
Rules may be framed regarding staffing of the Board.
Such rules may prescribe the terms of appointment.
They may also prescribe the conditions of service.
These terms and conditions apply to officers of the Board.
They also apply to employees of the Board.
The rule-making power is exercised in accordance with section 24.
(v).
Rules may be framed regarding techno-legal measures.
Such measures are to be adopted by the Board.
The rule-making power applies to Section 28(1).
(w).
Rules may be framed regarding additional matters.
Such matters relate to the powers of the Board.
The relevant power is under Section 28(7)(d).
These matters are those not specifically listed elsewhere.
(y).
Rules may be framed regarding appeals.
Such rules may prescribe the procedure to be followed.
The procedure relates to dealing with an appeal.
The appeal must be one filed under Section 29(8).
(z).
The rule-making power is not limited to the matters specifically listed earlier.
Rules may be made for any other matter under the Act.
Such matter may be one that is required to be prescribed.
It may also be a matter that is permitted to be prescribed.
Rules may also be made where the Act contemplates that provision may be made by rules.
Section 41: Laying of rules and certain notifications
This requirement applies to:
Rules made under Section 16.
Notifications issued under Section 42.
Such rules and notifications must be laid before each House of Parliament.
This must be done as soon as possible after the rule or notification is made.
The laying must take place while Parliament is in session.
The total period for which the rule or notification must lie before Parliament is thirty days.
These thirty days may fall within one single session or two or more successive sessions.
Parliament is given the power to review the rule or notification.
If, before the expiry of the session immediately following the session or sessions in which it was laid:
Both Houses agree to make a modification or
Both Houses agree that the rule or notification should not be made or issued.
Then the rule or notification will thereafter have effect:
Only in the modified form or not have any effect at all, as the case may be.
However, any such modification or annulment will not affect the validity of anything already done under that rule or notification before such change.
Section 42: Power to amend Schedule
42(1).
The Central Government is empowered to amend the Schedule.
Such amendment must be made by way of a notification.
This power is subject to a specific restriction.
No notification can increase any penalty specified in the Schedule beyond a fixed limit.
The limit is capped at not more than twice the amount originally specified.
The comparison must be made with the penalty amount as it stood when the Act was originally enacted
42(2).
An amendment may be made through a notification under 42(1).
Such amendment is treated as if it were enacted as part of this Act itself.
The amendment does not require a separate legislative enactment.
The amendment comes into force on the date specified in the notification.
From that date onwards, the amended provision has full legal effect under the Act.
Section 43: Power to remove difficulties
43(1).
A situation may arise where difficulty is faced in implementing the Act.
Due to such difficulty , the provision may not be given effect.
In such a situation, the Central Government is empowered to act.
The Central Government may issue an order to address the difficulty.
The order must be published in the Official Gazette.
Through such order, the Central Government may make provisions to remove the difficulty.
These provisions must be inconsistent with the provisions of the Act.
The provisions must appear necessary or expedient to the Central Government.
43(2).
The power to issue an order for removing difficulties is time-bound.
The Central Government cannot exercise this power indefinitely.
No such order can be made after a period of three years.
The three-year period is calculated from the date of commencement of this Act.
After expiry of this period, the power to issue difficulty-removal orders ceases.
43(3).
Any order made under this section to make provisions is subject to parliamentary oversight.
Such order must be placed before Parliament.
The order must be laid before each House of Parliament.
This must be done as soon as possible after the order is made.
Section 44: Amendments to certain Acts
44(1).
An amendment is made to Section 14 of the Telecom Regulatory Authority of India Act, 1997.
The provisions contained in Section 14(c)(i) & Section 14(c)(ii) are removed.
In place of those sub-clauses, new sub-clauses are substituted.
The substituted sub-clauses are:
(i). The Appellate Tribunal under the Information Technology Act, 2000;
(ii). The Appellate Tribunal under the Airports Economic Regulatory Authority of India Act, 2008; and
(iii). The Appellate Tribunal under the Digital Personal Data Protection Act, 2023.
As a result, these three Appellate Tribunals are now expressly included Section 14(c).
44(2).
The Information Technology Act, 2000 is amended.
The amendments are carried out in the following manner:
(a). Section 43A of the Information Technology Act, 2000 is omitted.
(b). In section 81, in the proviso:
After the words and figures “The Patents Act, 1970”:
The words and figures “or the Digital Personal Data Protection Act, 2023” are inserted.
(c) Section 87(2)(ob) is omitted.
These changes modify existing data protection–related provisions to align with the Digital Personal Data Protection Act, 2023.
44(3).
An amendment is made to the Right to Information Act, 2005.
The amendment is with respect to section 8 of that Act.
Section 8(i)(j) is amended and removed.
A new clause (j) is substituted in its place.
The substituted clause (j) reads as:
“Information which relates to personal information;”
As a result, clause (j) now expressly covers information relating to personal information.
