DATA PROTECTION BOARD OF INDIA

[Mr. M. GOVINDARAJAN]

Data Protection Act

The Central Government enacted ‘The Digital Personal Data Protection Act, 2023’  (‘Act’ for short) vide Notification dated 11.08.2023 to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The Act protects digital personal data (that is, the data by which a person may be identified) by providing for the following:

• The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
• The rights and duties of Data Principals (that is, the person to whom the data relates);and
• Financial penalties for breach of rights, duties and obligations.

The Act seeks to achieve the following-

• Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
• Enhance the Ease of Living and the Ease of Doing Business; and
• Enable India’s digital economy and its innovation ecosystem.

The Act is based on the following seven principles-

1. 1. The principle of consented, lawful and transparent use of personal data;
   2. The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
   3. The principle of data minimization (collection of only as much personal data as is necessary to serve the specified purpose);
2. 4. The principle of data accuracy (ensuring data is correct and updated);
   5. The principle of storage limitation (storing data only till it is needed for the specified purpose);
3. 6. The principle of reasonable security safeguards; and
   7. The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).

The Bill provides for following rights to the individuals-

• The right to access information about personal data processed;
• The right to correction and erasure of data;
• The right to grievance redressal; and
• The right to nominate a person to exercise rights in case of death or incapacity.

Data Protection Board

Section 18 of the Act provides for the establishment of a Board to be called as ‘Data Protection Board of India’ (‘Board’ for short) by the Central Government by Notification.  The said Board of shall be a body corporate, having perpetual succession and a common seal, with power to acquire, hold and dispose of property both immovable and movable  and to contract and shall by the name, sue or to be sued.

The headquarters of the Board shall be as notified by the Central Government.

Composition

The Board shall consist of a Chairman and such number of other Members as may be notified and appointed by the Central Government. 

Qualification

The Chairperson and other Members shall be a person of ability, integrity and standing who possesses special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board, and at least one among them shall be an expert in the field of law.

Tenure

The Chairperson and other Members shall hold office for a term of two years and

shall be eligible for re-appointment.

Disqualification

A person shall be disqualified for being appointed and continued as the Chairperson or a Member, if she—

• has been adjudged as an insolvent;
• has been convicted of an offence, which in the opinion of the Central Government, involves moral turpitude;
• has become physically or mentally incapable of acting as a Member;
• has acquired such financial or other interest, as is likely to affect prejudicially her functions as a Member; or
• has so abused her position as to render her continuance in office prejudicial to the public interest.

The Chairperson or Member shall not be removed from her office by the Central Government unless she has been given an opportunity of being heard in the matter.

Resignation

The Chairperson or a Member may resign from her office by giving notice to the Central Government in writing.  The date of effect of such resignation will be the date on which the Central Government permits her to relinquish office, or upon expiry of a period of 3months from the date of receipt of such notice, or upon a duly appointed successor entering upon her office, or upon the expiry of the term of her office, whichever is earliest.

Vacancy

A vacancy caused by the resignation or removal or death of the Chairperson or any other Member, or otherwise, shall be filled by fresh appointment in accordance with the provisions of this Act.

Restriction on Members

The Chairperson and any other Member shall not, for a period of one year from the date on which they cease to hold such office, except with the previous approval of the Central Government, accept any employment, and shall also disclose to the Central Government any subsequent acceptance of employment with any Data Fiduciary against whom proceedings were initiated by or before such Chairperson or other Member.

Powers of the Chairperson           

The Chairperson shall perform the following functions-

• general superintendence and giving direction in respect of all administrative matters of the Board;
• authorize any officer of the Board to scrutinize any intimation, complaint,
• reference or correspondence addressed to the Board; and
• authorize performance of any of the functions of the Board and conduct any of its proceedings, by an individual Member or groups of Members and to allocate proceedings among them.

Functions and powers of the Board

The following are the functions and powers of the Board-

• on receipt of an intimation of personal data breach to direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act;
• on a complaint made by a Data Principal in respect of a personal data breach or a breach in observance by a Data Fiduciary of its obligations in relation to her personal data or the exercise of her rights under the provisions of this Act, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court, to inquire into such breach and impose penalty as provided in this Act;
• on a complaint made by a Data Principal in respect of a breach in observance by a Consent Manager of its obligations in relation to her personal data, to inquire into such breach and impose penalty as provided in this Act;
• on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act; and
• on a reference made by the Central Government in respect of the breach in observance of the provisions of sub-section (2) of section 37 by an intermediary, to inquire into such breach and impose penalty as provided in this Act.

The Board may, after giving the person concerned an opportunity of being heard and after recording reasons in writing, issue such directions as it may consider necessary to such person, who shall be bound to comply with the same.

The Board may, on a representation made to it by a person affected by a direction

issued above or on a reference made by the Central Government, modify, suspend, withdraw or cancel such direction and, while doing so, impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.

Consent Manager

Section 2(g) of the Act defines the expression ‘Consent Manager’ as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

Data Fiduciary

Section 2(i) of the Act defines the expression ‘data fiduciary’ as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

Data Principal

Section 2(j) of the Act defines the expression ‘data principal’ as the individual to whom the personal data relates and where such individual is-

• a child, includes the parents or lawful guardian of such a child;
• a person with disability, includes her lawful guardian, acting on her behalf.

Procedure

On receipt of the complaint the Board will decide as to whether there are sufficient grounds to proceed with an inquiry.  If there are insufficient grounds then the Board shall close the proceedings after recording the reasons for the same.  If there are sufficient grounds to proceed with inquiry then the Board shall record the reasons for the same.  The Board shall conduct such inquiry following the principles of natural justice and shall record reasons for its actions during the course of such inquiry.

In the process of the inquiry the Board shall have the same powers as are vested in a Civil Court under the Code of Civil Procedure, 1908 in respect of the following matters-

• summoning and enforcing the attendance of any person and examining her on oath;
• receiving evidence of affidavit requiring the discovery and production of documents;
• inspecting any data, book, document, register, books of account or any other document; and
• such other matters as may be prescribed.

The Board may require the services of any police officer or any officer of the Central Government or a State Government to assist it for the purposes inquiry and it shall be the duty of every such officer to comply with such requisition.

During the course of the inquiry, if the Board considers it necessary, it may for reasons to be recorded in writing, issue interim orders after giving the person concerned an opportunity of being heard.

On completion of the inquiry and after giving the person concerned an opportunity of being heard, the Board may for reasons to be recorded in writing, either close the

proceedings or proceed for imposing penalties.  At any stage after receipt of a complaint, if the Board is of the opinion that the complaint is false or frivolous, it may issue a warning or impose costs on the complainant.

Appeal

Section 29 of the Act provides that any aggrieved person may file appeal against the order of the Board before the Telecom Disputes and Settlement and Appellate Tribunal within a period of 60 days from the date of receipt of the order in such form and paying such fee and in the prescribed manner.    The Appellate Tribunal may entertain an appeal after the expiry of 60 days if it is satisfied that there was sufficient cause for not preferring the appeal within the said 60 days. 

On receipt of an appeal the Appellate Tribunal may, after giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.  The appeal filed before the Appellate Tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within 6 months from the date on which the appeal is presented to it.  Where any appeal could not be disposed of within the period of 6 months, the Appellate Tribunal shall record its reasons in writing for not disposing of the appeal within that period.  In respect of appeals filed under the provisions of this Act, the Appellate Tribunal shall, as far as practicable, function as a digital office, with the receipt of appeal, hearing and pronouncement of decisions in respect of the same being digital by design.

Mediation

If the Board is of the opinion that any complaint may be resolved by mediation, it

may direct the parties concerned to attempt resolution of the dispute through such mediation by such mediator as the parties may mutually agreed upon, or as provided for under any law for the time being in force in India.

Penalty

If the Board determines on conclusion of an inquiry that breach of the provisions

of this Act or the rules made there under by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.

While determining the amount of monetary penalty to be imposed, the Board shall have regard to the following matters, namely-

• the nature, gravity and duration of the breach;
• the type and nature of the personal data affected by the breach;
• repetitive nature of the breach;
• whether the person, as a result of the breach, has realized a gain or avoided any loss;
• whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
• whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
• the likely impact of the imposition of the monetary penalty on the person.