Section 40 Indian Data Protection Act 2019

Sandbox for encouraging innovation, etc

40. (1) The Authority shall, for the purposes of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest, create a Sandbox.

(2) Any data fiduciary whose privacy by design policy is certified by the Authority under sub-section (3) of section 22 shall be eligible to apply, in such manner as may be specified by regulations, for inclusion in the Sandbox created under sub-section (1).

(3) Any data fiduciary applying for inclusion in the Sandbox under sub-section (2) shall furnish the following information, namely:

(a) the term for which it seeks to utilise the benefits of Sandbox, provided that such term shall not exceed twelve months;

(b) the innovative use of technology and its beneficial uses;

(c) the data principals or categories of data principals participating under the proposed processing; and

(d) any other information as may be specified by regulations. (4) The Authority shall, while including any data fiduciary in the Sandbox, specify

(a) the term of the inclusion in the Sandbox, which may be renewed not more than twice, subject to a total period of thirty-six months;

(b) the safeguards including terms and conditions in view of the obligations under clause

(c) including the requirement of consent of data principals participating under any licensed activity, compensation to such data principals and penalties in relation to such safeguards; and (c) that the following obligations shall not apply or apply with modified form to such data fiduciary, namely:

(i) the obligation to specify clear and specific purposes under sections 4 and 5;

(ii) limitation on collection of personal data under section 6; and

(iii) any other obligation to the extent, it is directly depending on the obligations under sections 5 and 6; and

(iv) the restriction on retention of personal data under section 9.