Rajeev Chandrasekhar talks about next steps for the Data Protection Board of India

The Data Protection Board (DPB) of India will have tremendous amounts of disclosure and transparency requirements, said Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, during an interview with CNBC-TV18. Chandrasekhar was asked about the next steps for India’s data protection laws in terms of the DPB while discussing India’s digital advancements.

What is the DPB? As per the Digital Personal Data Protection Act, 2023, the DPB will be the apex body that investigates and penalises non-compliance with the provisions of the Act through fines. Chandrasekhar describes the Board as an adjudicating body whose appeals lie with the TDSAT, which will be chaired by a retired Supreme Court judge. For more information on the DPB, read here.

Board to be comprised of youths: Chandrasekhar said that over the transition period, the rules as mentioned in the Act have to be enacted, the Board has to be notified. Rather than “only retired government or retired judges,” the Minister said the government is looking for young lawyers who will “give 2-5 years of their life to serve in these types of institutions that are modern, very fundamental institutions.”

Article continues below ⬇, you might also want to read:

• Response To Rajeev Chandrasekhar’s Comments On The Data Protection Act
• Scope Of Data Protection Board Under India’s Digital Personal Data Protection Bill
• EU Data Protection Board To Launch Taskforce On Action Taken By Italy Against OpenAI’s ChatGPT
• India’s Data Protection Law Will Have Different Timelines For Compliance For Different Types Of Entities

Why it matters: Although Chandrasekhar may call the DPB a “narrow” part of the data protection law, it is an important body for a user to ensure their grievance is addressed. It is also important to understand how the government plans to make rules on other topics that have been labelled “as may be prescribed” in the law.

Other things the government has to do to enact the data protection law

The law had received many criticisms for its “as may be prescribed sections” that gave a to-do list to the central government after the Bill was passed. The creation of the DPB was one of those things. Here are the rest:

• Details of the notice for consent sent to users, including how a user may make a complaint to the DPB.
• Obligations of the consent manager as well as their technical, operational, financial and other conditions.
• Rules based on which government authorities can decide the subsidies, benefits, services, certificates, licences or permits for which a user’s personal data can be ‘legitimately used.’
• Rules as per which an entity will notify the DPB and the user about a data breach.
• Timeframe within which a user can say that the specific purpose of processing their data has been served and thus needs to be deleted.
• How an entity is to share business contact information of a Data Protection Officer or any relevant authority figure with the user.
• How entities can ask a child or a disabled person’s parent/ guardian to consent to the processing of their ward’s personal data.
• Conditions under which an entity does not require a parent’s consent for processing data or use it for targeted advertising.
• Rules to specify what factors need to be considered by a significant entity when making its Data Protection Impact Assessment.
• Additional measures to be undertaken by a significant entity.
• Details of the request based on which a user can ask an entity for a summary of the personal data processed and a list of entities with whom it is shared.
• Additional information that is relevant to the processing of a user’s data by an entity.
• Details of the request based on which a user can ask that their data be erased.
• Timeframe within which a entity or consent manager has to respond to a user grievance.
• How a user can nominate another person to exercise their rights in case of death/ incapacity.
• Standards by which certain processing of personal data can be exempt from the provisions of this Act.
• Salary, allowances and other terms and conditions of service for the Board’s Chairperson and other members.
• Method to authenticate the Board’s decisions and orders.
• Terms and conditions to appoint officers and employees that the Board deems necessary.
• Form, manner and fee of an appeal made against the Board’s order or direction.
• Procedure to be followed by an Appellate Tribunal to address the appeal.
• Security practices and procedures to protect data.
• Definition of sensitive personal data or information.