The Data Protection Board of India, included in India’s Digital Personal Data Protection Bill, 2023 (DPDP Bill), tabled in parliament today, will be the apex body responsible for investigating and penalising non-compliance with the bill through fines.
First proposed in the 2022 iteration of the data protection law, the Board will be the first port of call for complaints by data principals on personal data breaches, on data controllers breaching their obligations towards the data principal’s personal data, or on the data principal’s exercising of their rights under the bill. It will also respond to references by governments or courts. The Board further responds to complaints by data principals on consent managers breaching their obligations to the principal’s personal data. It will also respond when intimated of consent managers breaching any registration conditions.
The Board may also respond to specific references by the Indian government on intermediaries breaching the government’s blocking orders under section 37, inquire into such breaches and impose penalties.
The Board can direct urgent remedial and mitigation measures during personal data breaches, conduct inquiries into complaints, and impose penalties as high as Rs. 250 crore for non-compliance. However, while the bill allows the Board to modify, suspend, withdraw, or cancel its orders on request, it does not discuss compensating victims of non-compliance. Persons aggrieved by the Board’s orders can appeal to an Appellate Tribunal, defined in the bill as the Telecom Disputes Settlement and Appellate Tribunal established under the TRAI Act, 1997. The Tribunal’s decisions can ultimately be appealed before the Supreme Court of India.
The “independent” and “digital-by-design” body will also be staffed by members with experience in “data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board”. At least one should be a legal expert, while all members are deemed to be public servants under the law.
However, crucially, the Board’s Chair and other members will be directly appointed by the Indian government, raising past concerns over its objectivity first highlighted when it was proposed in last November’s Digital Personal Data Protection Bill, 2022. The number of Board members, and the manner of their appointment, will be notified by the government on currently unspecified grounds.
In the 2022 iteration, only the Board’s Chair was specifically appointed by the Centre, while other members could join according to unspecified terms and conditions. Speaking at MediaNama’s event on that draft, lawyer Rishab Bailey remained concerned about the Board’s independence. “It’s not ideal because the government is regulated by this board. We should have an independent committee for selection,” he pointed out.
The government also has powers to require the Board, or any data controller or intermediary, to furnish information it calls for. The Indian government, or its authorised officers, after giving a data controller an opportunity to be heard, can also order any government agency or intermediary to block public access to information in the “interests of the general public”. This can only happen if the government (or officer) receives two kinds of references from the Board. One, intimating it of penalties being imposed on a data controller more than twice. Two, if the reference, in the “interests of the general public”, advises blocking public access to information transmitted on any computer resource enabling the data controller to offer goods or services to data principals in India. Intermediaries are bound to comply with such blocking orders.
The DPDP Bill, 2023 also restricts civil courts from entertaining suits on matters the Board is empowered to adjudicate on under the Bill. “No injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power under the provisions of this Act,” the Bill adds. Notably, the Board has been vested with the powers of a civil court under the bill. Its actions can’t be invalidated by vacancies in the Board, defects in its constitution and a member’s appointment, or any procedural irregularities that do not affect the case’s merit.
What powers does the Data Protection Board of India have?: The Board will operate according to procedures “as may be prescribed” by the Indian government. Aside from conducting inquiries, the Board can also recommend mediation or accept voluntary undertakings to resolve complaints. If it does act, it can:
- Authorise proceedings on complaints: It can determine if there are sufficient grounds to proceed with an inquiry (if there aren’t, it will close the case through written orders);
- Inquire into complaints: It may inquire into the affairs of persons to determine their compliance with the data protection law. Inquiries will follow the principles of natural justice, and reasons for the Board’s actions should be recorded throughout the inquiry. The Board may issue interim orders during the enquiry if needed;
- Investigate evidence and persons: The Board is vested with the same powers as a civil court under the Code of Civil Procedure, 1908, in terms of summoning persons, examining them under oath, receiving evidence, examining documents, and other matters that “may be prescribed”. The Board and its officers shouldn’t prevent access to a premises or take into custody items that affect a person’s day-to-day functioning.
- Requisition support: The Board can request the services of a police officer or a Central/State officer during the investigation—they are duty-bound to comply with the requisition;
- Issue final orders and impose penalties: On concluding the hearing, the Board may close the complaint—it can also issue warnings and costs on complainants at any stage if it finds the complaint to be frivolous or false. If the complaint checks out, and the breach of the bill’s provisions is significant, it will impose financial penalties as per those listed out in the Schedule of the DPDP Bill, which will be credited to the Consolidated Fund of India. Penalties will be based on:
- The gravity, nature, and duration of the breach;
- The type and nature of personal data affected;
- The breach’s “repetitive nature”;
- Whether persons realised gains, or avoided losses as a result of the breach;
- Whether the person took actions to mitigate the breach’s effects and consequences, and the timeliness and effectiveness of the steps;
- Whether the financial penalty is proportionate and effective in securing compliance with the bill and deterring breaches of its provisions;
- The impact of the penalty on the person.
- What’s a voluntary undertaking?: The Board can accept one on any of the Bill’s provisions at any stage of the proceedings from any person—it can “include an undertaking to take such action within such time as may be determined by the Board, or refrain from taking such action, and or publicising such undertaking.” After accepting the undertaking, and with the consent of the person who submitted it, the Board may vary the terms initially presented. Once the undertaking is accepted, this constitutes a bar on the Board’s proceedings. However, if a person fails to adhere to the undertaking’s accepted terms, then after giving them a hearing, this may be deemed to be a breach of the act, liable to be penalised under the bill.
How can the Board’s decisions be appealed?: People aggrieved by the Board’s decisions and orders can appeal to the Appellate Tribunal, which is vested with the powers of a civil court. The bill defines the Tribunal as the pre-existing Telecom Disputes Settlement and Appellate Tribunal, established under Section 14 of the Telecom Regulatory Authority of India Act, 1997 (TRAI Act). Appeals should be filed within sixty days of receipt of the order—they should be filed (along with a fee) in a manner yet to be prescribed.
- Intersections with appellate process under telecom laws: The Tribunal will deal with appeals according to procedures yet to be prescribed, and without prejudice to Sections 14A and 16 of the TRAI Act. Section 14A lists out the application procedures for appealing to the Telecom Disputes Settlement and Appellate Tribunal, while Section 16 lays out the telecom tribunal’s powers and procedures. The bill also includes an amendment to Section 14(c) of the 1997 Act, which otherwise empowers the telecom tribunal to exercise jurisdiction, powers and authority conferred on appellate tribunals mentioned in the IT Act, 2000, and the Airports Economic Regulatory Authority of India Act, 2008. The amendment adds the tribunal established under the data protection bill to this list.
- Process for filing appeals: The Tribunal may hear appeals after the time window of sixty days if it is satisfied that there was sufficient reason to do so. All appeals should be dealt with expeditiously and within six months of being received. If this isn’t possible, the Tribunal should record the reasons for the same in writing.
- Deciding on appeals: After receiving the appeal, the Tribunal will give all parties equal opportunities to be heard—after which it will pass orders, either modifying, confirming, or setting aside the contested order. The Tribunal will send a copy of each of its decisions to the Board and the relevant parties.
- Powers of Appellate Tribunal: Orders passed by the Tribunal will be executed as if a civil court decree. Notwithstanding that, the Appellate Tribunal can transfer any of its orders to civil courts with local jurisdiction. The court should execute the order as it was decreed by the court itself.
- Appealing the Appellate Tribunal’s decisions: If an appeal is filed against the Appellate Tribunal’s decision, Section 18 of the Telecom Regulatory Authority of India Act, 1997 applies. Section 18 specifies conditions for appealing the Tribunal’s orders at the Supreme Court of India. Appeals can be filed against non-interlocutory orders of the Tribunal on one or more of the grounds of Section 100 of the Code of Civil Procedure, 1908. Section 18 adds that appeals cannot be filed against the Tribunal’s orders made with the parties’ consent. Appeals should also be made within ninety days of receiving the order, although the Supreme Court may entertain the appeal afterwards if it is satisfied that there were sufficient grounds to do so.
Devolution of the role of India’s proposed data protection regulator
The three draft data protection laws released before 2022 all included a “Data Protection Authority”, responsible for receiving complaints, taking action during breaches, advising states on data protection practices, and much more. Commentators at the time had criticised this approach, noting that the DPA had a mix of regulatory, advisory, and executive functions, which was too broad a mandate. People also questioned the DPA’s capacity to perform all these roles. These responsibilities have been significantly diluted in the 2022 and 2023 versions—where the Board’s primary responsibility is investigating and acting on non-compliance with the bill.
2018: “[The Data Protection Authority will] Protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness of data protection,” states the Bill. Among a laundry list of other responsibilities, the DPA had to monitor and enforce the Act’s application, take action during data breaches, advise governments on personal data protection practices, receive and inquire into complaints, monitor cross-border data flows, and register and track significant data fiduciaries.
2019: While the DPA’s main duties largely remained the same, they were slightly refined. Some provisions were removed, such as advising governments on data protection, registering data fiduciaries, and specifying reasonable purposes for personal data processing, among others.
2021: The main duties largely remain the same, with exceptions. For example, the DPA had to take prompt action during data breaches, as the Joint Parliamentary Committee’s (JPC) 2021 Bill covered both non-personal and personal data. It also had to address hardware and software-linked breaches by “ensuring integrity of hardware and software on computing devices to prevent any malicious insertion that may cause data breach”.
2022: This law introduced the Data Protection Board of India, where its main function was determining non-compliance with the Bill and accordingly imposing penalties. However, the Centre may assign the Board other functions under the Bill’s provisions or any other law via an order published in the gazette. The kinds of complaints it would take action on are the same as in the 2023 bill, as are its powers and duties.
Powers of the data regulator
The powers of the Data Protection Authority and the Data Protection Board of India are not dissimilar—in short, both bodies can open investigations, call for evidence, and impose decisions and penalties. However, what the 2022 and 2023 bills skip out on is procedural detail. For example, the 2018 and 2021 bills specified that when the DPA conducts an inquiry, it should detail the investigation’s ‘scope of inquiry’ through a notice. In short: the 2022 and 2023 versions leave much of the Board’s procedure “to be prescribed” by the government at a later date.
2018: The DPA could issue directions to data processors and fiduciaries, call for information, and conduct inquiries. Potential actions that could be taken by the DPA included issuing a warning or reprimand; requiring the accused to cease and desist the unlawful activities, or modify their business model; temporarily suspending business activities; suspending or cancelling licences granted to a significant data fiduciary, or discontinuing cross-border data flows. The DPA would also have a separate adjudicatory wing to award compensation and impose penalties described in Chapter 9 of the Bill. The Centre will prescribe the number of “Adjudicating Officers” deciding these cases, their qualifications, terms of employment, and jurisdiction.
2019: The provisions on the three broad powers largely remained the same; however, the provision to specify a scope of inquiry in the written notice was removed. The Authority, or the Inquiry Officer aiding its investigations, was vested with civil court powers, including discovery and examination of documents, summons, and examination under oath.
2021: The provisions were largely unchanged; however, Inquiry Officers could only approach courts with search and seizure requests after receiving the DPA’s approval, a safeguard that the JPC thought was necessary. When ordering an inquiry, the scope of the inquiry had to be specified in the notice.
2022: Chapters or sections on the Board’s specific “powers” while performing its duties are not explicitly demarcated. However, they broadly are initiating proceedings, and conducting inquiries following the principles of natural justice. The Board can also direct the affected parties to resolve the matter through mediation or other processes if it believes this is preferable, and could also accept voluntary undertakings. Finally, the Board can decide outcomes, such as dismissing the complaint if devoid of merit, closing the complaint if non-compliance is insignificant, or imposing penalties. The Board was vested with civil court powers, while its decisions could be appealed before High Courts within 60 days. Penalties imposed could not be more than Rs. 500 crore in each instance.
Composition of the data protection regulator
Like its predecessor from 2022, the 2023 bill is unclear about the number of members serving on the Board. However, it is more specific on their areas of expertise and appointment terms (two years), echoing the details of the 2018, 2019, and 2021 drafts. What is currently missing is the terms of service of the Board’s members, which are yet to be prescribed.
2018: The DPA will consist of a Central government-appointed Chairperson and six whole-time members. They should have at least ten years of experience in data protection, IT laws, and related subjects. The members will serve 5-year terms (served until they reach the age of 65). They cannot be reappointed.
2019: A Central government-appointed Chairperson and not more than six whole-time members, of which one will be qualified and experienced in law. The members will serve 5-year terms (served until they reach the age of 65). They cannot be reappointed.
2021: The Bill clarified and specified the language on the legal expert mentioned in the previous draft, stating that the DPA would be comprised of “a Central government-appointed Chairperson and not more than six whole-time members, of which one shall be an expert in the area of law, having such qualifications and experience, as may be prescribed”. The appointment term, retirement age, and reappointment provisions remain the same.
2022: The strength and composition of the Board, as well as terms and conditions of appointment and services, will be according to “such as may be prescribed”. However, it is clear that the Chief Executive managing the Board will be appointed by the Central government on terms it has determined. The Board will also comprise other officers and employees whose terms of appointment and service will be prescribed.
Selecting regulator members
All we know about the selection process in the 2023 bill is that the government will be appointing these experts, although who will be doing this remains unclear. Although this is similar to the 2022 bill’s approach, it sharply departs from the 2018, 2019, and 2021 versions, which were granular about how the Data Protection Authority would be selected.
2018: The DPA members will be appointed by a Selection Committee comprising the Chairperson (either the Chief Justice of India, or a Supreme Court Judge nominated by the Chief Justice); the Cabinet Secretary; an “expert of repute” (to be nominated by the Chief Justice of India, or a Supreme Court Judge nominated by the Chief Justice, in consultation with the Cabinet Secretary).
2019: The Bill adopted a bureaucratic approach, with the Selection Committee solely comprised of secretary-level bureaucrats: the Cabinet Secretary (Chairperson); Secretary of the Central Legal Affairs Ministry or Department; Secretary of the Central Electronics and Information Technology Ministry or Department.
2021: Aside from bureaucrats, the JPC pushed for the inclusion of technical, legal, and academic experts in the Selection Committee, which would now comprise the Cabinet Secretary (Chairperson) and six members. The members were the Attorney General of India; Secretary of the Central Legal Affairs Ministry or Department; Secretary of the Central Electronics and Information Technology Ministry or Department; a Centre-nominated independent expert from the fields of data protection, information technology, data management, data science, data security, cyber and Internet laws, public administration, or related subjects; a Centre-nominated Director of any of the Indian Institutes of Technology; a Centre-nominated Director of any of the Indian Institutes of Management.
2022: The selection process of the Board will be according to procedures “as may be prescribed”.
Note (August 7, 3:35 pm): Updated the third para, which earlier referred to provisions under section 36 of the Act. This was done after the government corrected the Bill to state section 37 in page 14, line 30 of the Bill.
Note: The headline was changed on August 3 at 6:50 PM for clarity.
