Reidentification and processing of deidentified personal data
82. (1) Any person who, knowingly or intentionally
(a) re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or
(b) re-identifies and processes such personal data as mentioned in clause
(a), without the consent of such data fiduciary or data processor, then, such person shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or both.
(2) Nothing contained in sub-section (1) shall render any such person liable to any punishment under this section, if he proves that
(a) the personal data belongs to the person charged with the offence under sub-section (1); or
(b) the data principal whose personal data is in question has explicitly consented to such re-identification or processing as per the provisions of this Act.