Special Provisions

Written By BareMinLaw

Section 16. Processing of Personal Data outside India

16(1).

  • The Central Government has the power to impose restrictions.

    1. Such restrictions relate to the transfer of personal data.

    2. The transfer in question is by a Data Fiduciary.

    3. The purpose of the transfer is processing of personal data.

    4. The transfer may be to a country or territory outside India.

  • The Central Government may specify such country or territory by way of a notification.

  • Once notified, personal data cannot be transferred for processing to such country or territory.

16(2).

  • This section does not override all other laws.

  • Any law that is currently in force in India still continues to apply.

  • The protection applies where:

    1. Such law provides a higher degree of protection to personal data.

    2. Such law imposes stricter restrictions on the transfer of personal data outside India.

  • These higher protections or stricter restrictions may relate/apply to:

    1. Any category of personal data.

    2. Any Data Fiduciary.

    3. Any specific class of Data Fiduciaries.

  • In such cases, the stricter or more protective law will prevail over this section.

Section 17. Exemptions

17(1).

  • Certain provisions of the Act are excluded in specific situations.

    1. From Chapter II, all provisions are excluded except 8(1) & 8(5).

    2. In addition to this, the provisions of Chapter III are also excluded.

    3. Section 16 is likewise excluded.

  • These exclusions operate only in situations that are specified below:

  • (a).

    1. These exclusions apply where the processing of personal data is necessary.

    2. The necessity must be for enforcing a legal right or a legal claim.

  • (b).

    1. These exclusions also apply where personal data is processed by a body in India.

    2. Such body may be a court , a tribunal or any other body entrusted by law.

    3. The body must be entrusted with performing:

      1. A judicial function.

      2. A quasi-judicial function.

      3. A regulatory function.

      4. A supervisory function.

    4. The processing of personal data must be necessary for the performance of such function.

  • (c).

    1. These exclusions also apply where personal data is processed in the interest of law enforcement.

    2. Such processing may be necessary for:

      1. Prevention of an offence.

      2. Detection of an offence.

      3. Investigation of an offence.

      4. Prosecution of an offence.

    3. The exclusion also applies where the processing relates to a contravention of any law.

    4. The law in question must be one that is currently in force in India.

  • (d).

    1. These exclusions also apply where personal data relates to Data Principals who are not within the territory of India.

    2. The personal data is processed pursuant to a contract.

    3. The contract must be entered into with a person outside the territory of India.

    4. The processing must be carried out by a person who is based in India.

    5. In such cross-border contractual arrangements, the excluded provisions do not apply.

  • (e).

    1. These exclusions also apply where processing of personal data is necessary for corporate restructuring activities.

    2. Such activities may include a scheme of compromise or arrangement.

    3. They may also include a merger or an amalgamation of two or more companies.

      1. Processing may be necessary for reconstruction of a company.

      2. Reconstruction may take place by way of demerger or otherwise.

      3. Processing may also relate to transfer of the undertaking of one or more companies to another company.

      4. The restructuring may involve division of one or more companies.

    4. Such scheme, merger, amalgamation, reconstruction, transfer, or division must be approved by:

      1. A court or tribunal or any other authority competent to approve it under any law currently in force.

  • (f).

    1. These exclusions also apply where processing of personal data is necessary for financial recovery–related purposes.

      1. The processing must be for ascertaining financial information.

      2. It must also relate to identifying assets and liabilities.

      3. The information must concern a person who has defaulted on payment.

      4. The default must be in respect of a loan or advance.

      5. The loan or advance must have been taken from a financial institution.

    2. Such processing is permitted only if it complies with provisions governing disclosure of information or data.

    3. These disclosure requirements must be under any other law currently in force.

Explanation

  • For the purposes of this section:

  • The expression Default is the same as the one assigned to it in Section 3(12) of the Insolvency and Bankruptcy Code, 2016.

  • The expression Financial institution is the same as the one assigned to it in Section 3(14) of the Insolvency and Bankruptcy Code, 2016.

  • Accordingly, both expressions must be interpreted in line with the definitions under the Insolvency and Bankruptcy Code, 2016.

Illustration:

  • X is an individual who takes a loan from Y, which is a bank.

  • The loan requires X to make monthly repayment instalments.

  • X fails to pay a monthly instalment on the date on which it becomes due.

  • This failure amounts to a default in repayment.

    1. Because of the default, Y is permitted to process the personal data of X.

    2. The purpose of such processing is to ascertain X’s financial information.

    3. The processing may also be done to identify X’s assets and liabilities.

  • This processing is linked specifically to recovery and assessment following the default.

17(2).

  • In certain situations, the provisions of this Act do not apply to the processing of personal data.

  • (a).

    1. Such exclusion applies where personal data is processed by an instrumentality of the State.

    2. The instrumentality must be one that is notified by the Central Government.

    3. The notification must be issued in the interest of:

      1. Sovereignty and integrity of India.

      2. Security of the State.

      3. Friendly relations with foreign States.

      4. Maintenance of public order.

      5. Preventing incitement to any cognizable offence relating to any of these interests.

    4. The exclusion also extends to the processing of personal data by the Central Government itself.

    5. This applies where the personal data is furnished to the Central Government by such notified instrumentality of the State.

  • (b).

    1. Such exclusion applies where personal data Personal data may be processed for certain specific purposes.

    2. These purposes include research , archiving and statistical purposes.

      1. Such processing is permitted only where the personal data is not used to take any decision specific to a Data Principal.

      2. The processing must not result in decisions affecting an individual Data Principal.

      3. The processing must be carried out in accordance with prescribed standards.

    3. These standards are those that may be prescribed under the law.

    4. Compliance with these standards is a condition for such processing.

17(3).

  • The Central Government has the power to issue a notification.

  • While issuing such notification, the Central Government must consider:

    • The volume of personal data processed.

    • The nature of personal data processed.

  • Based on this assessment, the Central Government may notify certain Data Fiduciaries or to a specific class of such Data Fiduciaries.

    1. Such class may include startups.

    2. Once notified, certain provisions of the Act will not apply to those Data Fiduciaries.

    3. The provisions that will not apply are:

      1. Section 5.

      2. Section 8(3) & Section 8(7).

      3. Section 10.

      4. Section 11.

    4. This exemption is limited only to the provisions specifically mentioned above.

Explanation:

  • For the purposes of this section the term start-up refers to certain types of business entities.

  • It may be a:

    1. Private limited company.

    2. A Partnership firm.

    3. A Limited liability partnership.

  • Provided such entity is incorporated in India.

  • The entity must be eligible to be and be recognised as a start-up.

    1. The recognition must be in accordance with prescribed criteria.

    2. The recognition must follow the process notified by the concerned department.

  • The concerned department is the one to which matters relating to start-ups are allocated within the Central Government.

17(4).

  • Under cases where personal data is being processed by the State or any instrumentality of the State:

  • Certain provisions of the Act are excluded.

  • Section 8(7) shall not apply to such processing.

  • Section 12(2) & 12(3) shall also not apply to such processing.

  • The additional exclusion applies only when:

    1. The processing is for a purpose that does not involve making any decision about the Data Principal.

    2. If the processing does not affect or impact the Data Principal, this condition is satisfied.

    3. In such cases, the State or its instrumentalities are also exempt.

17(5).

  • The Central Government is given a temporary power under this Act.

    1. This power can be exercised only within a limited time window.

    2. The time window is before the expiry of five years from the date on which this Act comes into force.

  • Within this period, the Central Government may issue a notification.

  • Through such notification, the Central Government may declare that certain provisions of this Act will not apply.

  • The exemption may be granted to:

    1. A specific Data Fiduciary.

    2. A class of Data Fiduciaries.

  • This exemption is not permanent.

  • The notification must specify the period for which the provision of the Act will not apply.

  • After the specified period ends, the exempted provisions will apply unless further action is taken under the law.

BareMinLaw https://bareminlaw.com
Previous

Rights and Duties of the Data Principal
Next

Data Protection Board- Powers, Functions and Procedures