Key takeaways:
- Data Protection Authority replaced by Data Protection Board of India.
- The digital-by-design Board will determine non-compliance with the law and impose financial penalties.
- Criminalisation of lapses and non-compliance “avoided” in the draft.
- “Independent” body’s affairs to be managed by a “chief executive” appointed by the Centre.
- Little clarity as yet on the Board’s composition, members, or selection procedures.
Cases of non-compliance with the Digital Personal Data Protection Bill, 2022 (DPDP Bill), and subsequent financial penalties, will be determined by the newly-established Data Protection Board of India, says a draft of the law released today.
The independent Board replaces the Data Protection Authority (DPA)—mentioned in previous drafts of data protection laws—as the apex institution ensuring compliance with India’s data protection law.
The law is silent on the exact nature of the Board’s independence, stating only that its strength, composition, selection process, and terms and conditions of appointment, service, and removal may be “as (..) prescribed”. However, the “chief executive” entrusted with managing the Board’s affairs “shall be such individual as the Central Government may appoint”.
The Board is “digital by design”, and its decisions also enjoy some immunity from legal proceedings. “No suit, prosecution or other legal proceedings shall lie against the Board or its Chairperson, Member, employee or officer for anything which is done or intended to be done in good faith under the provisions of this Act,” adds the draft law.
“Financial penalty has been prescribed as the deterrent for non-compliance. Criminalisation of lapses and non-compliance has been avoided,” adds the Ministry in an explanatory note. On the flip side, provisions to award compensation to affected parties are missing from the draft.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until December 17th, 2022. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.
The draft DPDP Bill is the fourth iteration of India’s much-awaited data protection law. The Bill’s predecessor—the Data Protection Bill, 2021—was withdrawn by the Indian government in August, making way for this “modern” successor. Developed after perusing similar laws from Singapore, Australia, the European Union, and the United States, it seeks to provide for digital personal data processing that “recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes”.
Duties of the Data Protection Board of India
What the 2022 Bill says: The Board’s main function is to determine non-compliance with the Bill and accordingly impose penalties. However, the Centre may assign the Board other functions under the Bill’s provisions or any other law via an order published in the gazette.
The Board will take action on the basis of a complaint made by an affected person, a reference made by the Central or State governments, a court’s directions, or a data principal’s non-compliance with Section 16 of the Act outlining their duties.
The Board may issue directions to persons when necessary, and those persons will be bound to comply with them. Directions will be issued after giving the person a reasonable opportunity to be heard, with the reasons for the order recorded in writing. These orders may be modified, suspended, withdrawn, or cancelled on the Board’s own motion or on a representation made to it, and the Board may then attach such conditions as it deems fit.
In the event of a personal data breach, the Board may also direct the data fiduciary to adopt urgent measures to remedy the breach or mitigate any harm caused to data principals.
What the 2018 Bill said: “[The Data Protection Authority will] Protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness of data protection,” states the Bill. The DPA also has to:
- Monitor and enforce the Act’s application;
- Specify reasonable purposes for personal data processing, when undertaking a data protection impact assessment is necessary, and residuary categories of sensitive personal data;
- Take prompt action during data security breaches;
- Maintain a database of significant data fiduciaries (along with their ‘data trust score’ indicating their compliance, and specified criteria for assigning the same);
- Certify data auditors and maintain a database of their details;
- Examine data audits, and take action if needed;
- Categorise and issue registration certificates to significant data fiduciaries;
- Monitor cross-border data flows;
- Issue codes of practice on best practices for data protection to facilitate compliance with the Act;
- Promote public awareness on data protection, and awareness among data fiduciaries on their responsibilities under the Act;
- Monitor technological and commercial practices that may affect data protection;
- Promote research and innovation in data protection;
- Advise the Central and State governments on data protection measures that must be undertaken to protect personal data, as well as relevant international instruments on the same;
- Specify fees and charges to carry out the Act;
- Receive complaints under the Act;
- Call for information to conduct inquiries into data fiduciaries (and publish public reports on their outcome).
What the 2019 Bill said: The main duties largely remained the same, though some were slightly refined. Some provisions were removed, such as:
- Specify reasonable purposes for personal data processing, when undertaking a data protection impact assessment is necessary, and residuary categories of sensitive personal data;
- Specifying criteria for the “data trust score”;
- Issuing registration certificates to significant data fiduciaries;
- Advising the Central and State governments on relevant international instruments for data protection.
Some were modified: for example, the DPA now has to take prompt action during personal data breaches, as opposed to “data security breaches”.
What the 2021 Bill said: The main duties largely remained the same, though some were slightly refined and others were added. For example, the DPA has to:
- Take prompt action during data breaches, as the Joint Parliamentary Committee’s (JPC) 2021 Bill covered both non-personal and personal data.
- A new related duty was added, namely “monitoring, testing and certification by an appropriate agency authorized by the Central Government (..) to ensure integrity of hardware and software on computing devices to prevent any malicious insertion that may cause data breach”. The JPC reasoned that both software- and hardware-linked data breaches are on the rise, and that the DPA must therefore be empowered to create a framework for testing hardware and software to prevent breaches and protect privacy.
Composition of the Board
What the 2022 Bill says: The strength and composition of the Board, as well as the terms and conditions of appointment and service, will be “such as may be prescribed”.
However, it is clear that the Chief Executive managing the Board will be appointed by the Central government on terms it has determined.
The Board will also comprise other officers and employees whose terms of appointment and service will be prescribed. When acting in pursuance of the Act’s provisions, the Board’s Chairperson, members, officers, and employees will be deemed to be public servants (as per Section 21 of the Indian Penal Code).
What the 2018 Bill said: The DPA will consist of a Central government-appointed Chairperson and six whole-time members. They should have at least ten years of experience in data protection, IT laws, and related subjects. The members will serve five-year terms, subject to a retirement age of 65. They cannot be reappointed.
What the 2019 Bill said: A Central government-appointed Chairperson and not more than six whole-time members, of which one will be qualified and experienced in law. The members will serve five-year terms, subject to a retirement age of 65. They cannot be reappointed.
What the 2021 Bill said: The Bill clarified and specified the language on the legal expert mentioned in the previous draft, stating that the DPA would be comprised of “a Central government-appointed Chairperson and not more than six whole-time members, of which one shall be an expert in the area of law, having such qualifications and experience, as may be prescribed”. The appointment term, retirement age, and reappointment provisions remain the same.
Selection Process for Board Members
What the 2022 Bill says: The selection process of the Board will be according to procedures “as may be prescribed”.
What the 2018 Bill said: The DPA members will be appointed by a Selection Committee comprising:
- The Chairperson: either the Chief Justice of India, or a Supreme Court Judge nominated by the Chief Justice;
- The Cabinet Secretary;
- An “expert of repute”, to be nominated by the Chief Justice of India, or a Supreme Court Judge nominated by the Chief Justice, in consultation with the Cabinet Secretary.
What the 2019 Bill said: The Bill adopted a bureaucratic approach, with the Selection Committee composed solely of secretary-level bureaucrats:
- The Cabinet Secretary (Chairperson);
- Secretary of the Central Legal Affairs Ministry or Department;
- Secretary of the Central Electronics and Information Technology Ministry or Department.
What the 2021 Bill said: Aside from bureaucrats, the JPC pushed for the inclusion of technical, legal, and academic experts in the Selection Committee, which would now comprise:
- The Cabinet Secretary (Chairperson);
- Members:
- Attorney General of India;
- Secretary of the Central Legal Affairs Ministry or Department;
- Secretary of the Central Electronics and Information Technology Ministry or Department;
- A Centre-nominated independent expert from the fields of data protection, information technology, data management, data science, data security, cyber and Internet laws, public administration, or related subjects;
- A Centre-nominated Director of any of the Indian Institutes of Technology;
- A Centre-nominated Director of any of the Indian Institutes of Management.
Powers of the Board
What the 2022 Bill says: Chapters or sections on the Board’s specific “powers” while performing its duties are not explicitly demarcated. However, they broadly are:
- Initiating proceedings: The Board can authorise proceedings for complaints raised by individuals, members, or groups of members. It will first determine if there are sufficient grounds to proceed with an inquiry. If these do not exist, the proceedings will be closed and reasons for doing so recorded in writing; otherwise, they carry on.
- Deciding method of resolution: The Board may direct the affected parties to resolve the matter through mediation or other processes in cases where it believes the “complaint may more appropriately be resolved” through these methods.
- Conducting inquiries: The Board may inquire into the affairs of any person to determine if they are in compliance with the Act. The inquiry will follow the principles of natural justice. During the inquiry, which should be completed at the earliest, the Board has powers to “summon and enforce the attendance of persons, examine them on oath and inspect any data, book, document, register, books of account or any other document”. The Board and its officers will not prevent access to any premises or take into custody items which may adversely affect a person’s day-to-day functioning. The Board may require the assistance of a police officer or any officer of the Central Government or a State Government to assist it, and it is their duty to comply with this requisition. To prevent non-compliance during the inquiry, the Board may issue interim orders after giving persons a reasonable opportunity to be heard. The reasons for doing so must be recorded in writing.
- Deciding outcomes: The Board may issue a warning or impose a cost on the complainant if it determines that a complaint is “devoid of merit” at any stage after receiving it. Once an inquiry has concluded, if the Board determines that non-compliance is “insignificant”, it may close the inquiry for reasons recorded in writing. If the non-compliance is “significant” it may proceed to impose penalties as under Section 25.
- All persons involved are bound by the Board’s orders. They will be enforced as if they were a Civil Court decree. For this purpose, the Board has all the powers of a civil court (as under the Code of Civil Procedure, 1908).
- Any Board order can be appealed at the High Court within sixty days of it being pronounced.
- “No civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this Act,” notes the law.
- Reviewing orders: “The Board may review its order (..) on a representation made to it, or on its own, and for reasons to be recorded in writing, modify, suspend, withdraw or cancel any order issued under the provisions of this Act,” states the draft. It may then attach such conditions as it sees fit, which take effect once the order has been reviewed.
- Voluntary undertakings: The Board may accept voluntary undertakings related to any compliance matter under the Act from any person at any stage. These may include “an undertaking to take specified action within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicize the voluntary undertaking”. If the Board accepts the undertaking, proceedings will be barred “under the provisions of this Act as regards the contents of the voluntary undertaking”. If a person fails to comply with the undertaking, the Board may impose penalties after giving them a reasonable opportunity to be heard.
- Imposing financial penalties for non-compliance: Penalties are specified in Schedule 1 of the Bill, and should not exceed Rs. 500 crore in each instance. Penalties will be determined by considering:
- Nature, gravity, and duration of non-compliance;
- Type or nature of personal data affected;
- Repetitive nature of non-compliance;
- Whether non-compliance has resulted in a person’s gain, or avoidance of loss;
- Whether the person took action to mitigate the effects and consequences of non-compliance, and the timeliness and effectiveness of these steps;
- Whether the imposed penalty is proportionate and effective to achieve compliance with the Act and deter non-compliance;
- The likely impact of the penalty on the person.
The Centre also has the power to amend the Schedule by notification, under Section 27(1), although “no such notification shall have the effect of increasing a penalty specified in Schedule 1 to more than double of what was specified in Schedule 1 when this Act was originally enacted”.
What the 2018 Bill said: Three broad powers are described, namely:
- Power to issue directions to data processors and fiduciaries: The DPA can issue directions which they are bound to comply with. However, the data processor or fiduciary must first be given a reasonable opportunity to be heard.
- Power to call for information: The DPA can request information from a data processor or fiduciary through a written notice. The DPA can authorise the search and seizure of premises on specific grounds.
- Power to conduct inquiry: Via a notice specifying the “scope of the inquiry” among other things, the DPA can conduct inquiries if it believes a data processor or fiduciary’s activities harm data principal interests, or violate the Act’s provisions. One of the members, appointed as an “Inquiry Officer”, will inquire and report to the DPA on the case.
- In case of violations, potential actions that can be taken by the DPA include:
- Issuing a warning or reprimand;
- Requiring the accused to cease and desist from the unlawful activities, or modify their business model;
- Temporarily suspending business activities;
- Suspending or canceling licenses granted to a significant data fiduciary, or discontinuing cross-border data flows;
- An aggrieved data fiduciary or processor can appeal an order at an Appellate Tribunal.
- Penalties: The DPA will have a separate adjudicatory wing to award compensation and impose penalties described in Chapter 9 of the Bill. The Centre will prescribe the number of “Adjudicating Officers” deciding these cases, their qualifications, terms of employment, and jurisdiction. It will also prescribe the procedure for adjudication and other requirements it deems fit. The officers should be of ability, integrity, and standing, and have at least seven years of professional experience in constitutional law, cyber and internet laws, information technology law and policy, data protection and related subjects. Action will be taken after giving the person the reasonable chance to be heard. Orders can be appealed at an Appellate Tribunal. A Recovery Officer may be appointed if a person fails to pay their penalty or compensation amounts—they will recover the amount.
What the 2019 Bill said: The provisions on the three broad powers (the powers to issue directions, call for information, and conduct inquiry) largely remained the same, barring a few changes:
- Under the powers to conduct an inquiry:
- The provision to specify a scope of inquiry in the written notice was removed;
- The Authority or Inquiry Officer was vested with civil court powers, including discovery and examination of documents, summons, and examination under oath.
- The language for search and seizure changed: Now, the Inquiry Officer can approach a Centre-designated court to issue a search and seizure order.
- Penalties: Provisions largely remained the same. However, “the amount of any penalty imposed or compensation awarded under this Act, if not paid, may be recovered as if it were an arrear of land revenue,” noted the Bill. The Recovery Officer provision was removed.
What the 2021 Bill said: The provisions were largely unchanged, barring a few:
- For search and seizure, the Inquiry Officer can only approach a designated court with a search and seizure request after obtaining prior approval from the DPA.
- A safeguard mechanism like this is required to strengthen the Inquiry Officer “when he undertakes duties in this regard”, the JPC noted.
- Under the power to call for information, the DPA can also specify the manner in which a data fiduciary should provide the information.
- When ordering an inquiry, the scope of the inquiry has to be specified in the notice.
- For actions post-inquiry, the language shifted from “requiring” data fiduciaries to cease and desist or follow DPA orders, to “directing” them.
Selected Public Response
The 2021 Bill
Put non-personal data regulation on the backburner: Speakers at a MediaNama event argued that, for now, non-personal data is not a priority, with others arguing that it demands separate regulation from personal data.
“Bizarre” appointments: “No disrespect to anyone, [but] I cannot fathom what the director of the IIM will bring into this discussion,” said Alok Prasanna Kumar at a MediaNama event earlier this year. People should be chosen based on qualifications, not their designations, he added.
The 2019 Bill
Priorities: The DPA “has an adjudicatory function, a legislative function (drafting the regulations), an executive function (enforcing the regulations), and an advisory function (making recommendations to the government),” speakers at a MediaNama event noted. It needs to prioritise which to focus on at different stages of its operations, a point raised in 2018 too.
Capacity issues: Some proposed the ideas of State-level DPAs to stem potential floods of complaints, with others arguing that this could lead to “equally incompetent DPAs, and that may be worse”.
Read More
- BREAKING: India Releases Digital Personal Data Protection Bill, 2022
- A Complete Guide To The Data Protection Bill, 2021
- A Complete Guide To The Personal Data Protection Bill, 2019
- Data Protection Bill 2021: How India’s Data Protection Authority Will Be Set Up And Work
- MP Amar Patnaik On Non-Personal Data: Different DPAs Would Impede Protection Of Citizens’ Rights #NAMA
- Data Protection Bill: How Should The DPA Be Set Up And What Functions Should It Have #NAMA
- #NAMA: Data Protection Authority’s Independence And Powers Under The Personal Data Protection Bill 2019
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
I'm interested in stories that explore how countries use the law to govern technology—and what this tells us about how they perceive tech and its impacts on society. To chat, for feedback, or to leave a tip: aarathi@medianama.com
