1. Short title, extent and commencement.—
(1) This Act may be called the Personal Data Protection Act, 2018.
(2) It extends to the whole of India.
(3) The provisions of Chapter XIV of this Act shall come into force on such date, as the Central Government may by notification appoint and the remaining provisions of the Act shall come into force in accordance with the provisions in that Chapter.
2. Application of the Act to processing of personal data.—
(1) This Act applies to the following—
(a) processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and
(b) processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.
(2) Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —
(a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(b) in connection with any activity which involves profiling of data principals within the territory of India.
(3) Notwithstanding anything contained in sub-sections (1) and (2), the Act shall not apply to processing of anonymised data.
3. Definitions.—In this Act, unless the context otherwise requires, —
(1) “Aadhaar number” shall have the meaning assigned to it under clause (a) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016);
(2) “Adjudicating Officer” means an officer of the adjudication wing under section 68;
(3) “Anonymisation” in relation to personal data, means the irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, meeting the standards specified by the Authority;
(4) “Anonymised data” means data which has undergone the process of anonymisation under sub-clause (3) of this section;
(5) “Appellate Tribunal” means the tribunal notified under Chapter XII of this Act;
(6) “Authority” means the Data Protection Authority of India established under Chapter X of this Act;
(7) “Automated means” means any equipment capable of operating automatically in response to instructions given for the purpose of processing data;
(8) “Biometric data” means facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;
(9) “Child” means a data principal below the age of eighteen years;
(10) “Code of Practice” means a code of practice issued by the Authority under section 61;
(11) “Consent” means consent under section 12;
(12) “Data” means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means;
(13) “Data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;
(14) “Data principal” means the natural person to whom the personal data referred to in sub-clause (28) relates;
(15) “Data processor” means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary;
(16) “De-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;
(17) “Disaster” shall have the same meaning assigned to it under clause (d) of section 2 of the Disaster Management Act, 2005 (53 of 2005);
(18) “Explicit consent” means consent under section 18;
(19) “Financial data” means any number or other personal data used to identify an account opened by, or card or payment instrument issued by a financial institution to a data principal or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history;
(20) “Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
(21) “Harm” includes—
(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property;
(iv) loss of reputation, or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or
(x) any observation or surveillance that is not reasonably expected by the data principal.
(22) “Health data” means data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services;
(23) “Intersex status” means the condition of a data principal who is—
(i) a combination of female or male;
(ii) neither wholly female nor wholly male; or
(iii) neither female nor male.
(24) “Intra-group schemes” means schemes approved by the Authority under section 41;
(25) “Journalistic purpose” means any activity intended towards the dissemination through print, electronic or any other media of factual reports, analysis, opinions, views or documentaries regarding—
(i) news, recent or current events; or
(ii) any other information which the data fiduciary believes the public, or any significantly discernible class of the public, to have an interest in;
(26) “Notification” means a notification published in the Official Gazette and the term “notify” shall be construed accordingly;
(27) “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal;
(28) “Person” means—
(i) an individual,
(ii) a Hindu undivided family,
(iii) a company,
(iv) a firm,
(v) an association of persons or a body of individuals, whether incorporated or not,
(vi) the State, and
(vii) every artificial juridical person, not falling within any of the preceding sub-clauses;
(29) “Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information;
(30) “Personal data breach” means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, loss of access to, of personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;
(31) “Prescribed” means prescribed by rules made by the Central Government under this Act;
(32) “Processing” in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
(33) “Profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interest of a data principal;
(34) “Re-identification” means the process by which a data fiduciary or data processor may reverse a process of de-identification;
(35) “Sensitive Personal Data” means personal data revealing, related to, or constituting, as may be applicable—
(ii) financial data;
(iii) health data;
(iv) official identifier;
(v) sex life;
(vi) sexual orientation;
(vii) biometric data;
(viii) genetic data;
(ix) transgender status;
(x) intersex status;
(xi) caste or tribe;
(xii) religious or political belief or affiliation; or
(xiii) any other category of data specified by the Authority under section 22.
(36) “Significant data fiduciary” means a data fiduciary notified by the Authority under section 38;
(37) “Significant harm” means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm;
(38) “Specified” means specified by regulations made by the Authority under this Act and the term “specify” shall be construed accordingly;
(39) “State” shall, unless the context otherwise requires, have the same meaning assigned to it under Article 12 of the Constitution;
(40) “Systematic activity” means any structured or organised activity that involves an element of planning, method, continuity or persistence;
(41) “Transgender status” means the condition of a data principal whose sense of gender does not match with the gender assigned to that data principal at birth, whether or not they have undergone sex reassignment surgery, hormone therapy, laser therapy, or any other similar medical procedure.