The Indian government on August 3, 2023, introduced the Digital Personal Data Protection (DPDP) Bill, 2023 [PDF copy] in the lower house of the parliament, Lok Sabha.
A data protection law has been in the works since 2017, when the Supreme Court, in the landmark Puttaswamy judgment, ruled that privacy is a fundamental right of Indian citizens, putting the government under the obligation to pass legislation to protect this right. The DPDP Bill, 2023, is the fifth iteration of India’s draft data protection law.
The DPDP Bill was introduced in Lok Sabha amidst protests from the MPs of the opposition parties who criticised its various provisions and demanded that it be referred to a parliamentary committee for further examination and recommendations.
Note: Many provisions of the DPDP Bill contain the clause “as may be prescribed” or its equivalent. This gives the government the power to issue rules later on to elaborate on these provisions. Consequently, “as may be prescribed” also appears in many sections of the following summary.
Key Definitions in the DPDP Bill
Personal data: “Any data about an individual who is identifiable by or in relation to such data.”
Digital personal data: “Personal data in digital form.”
Data Fiduciary: “Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
Processing: “A wholly or partly automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”
Data Principal: “The individual to whom the personal data relates, and where such individual is:
- a child, includes the parents or lawful guardian of such a child; and
- a person with disability, includes her lawful guardian, acting on her behalf.”
Data Processor: “Any person who processes personal data on behalf of a Data Fiduciary.”
Person: Under the Bill, “person” includes:
- an individual;
- a Hindu Undivided Family;
- a company;
- a firm;
- an association of persons or a body of individuals, whether incorporated or not;
- the State;
- every artificial juristic person, not falling within any of the preceding sub-clauses.
Personal data breach: “Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
Applicability of the DPDP Bill
1. Processing of personal data collected within the territory of India when the data is collected in digital form or is collected in non-digital form and digitised subsequently.
2. Processing of digital personal data outside of India, if the processing is in connection with any activity related to offering of goods or services to users within the territory of India.
3. Does not apply to personal data
- made or caused to be made publicly available by the user (for example, if an individual, while blogging her views, has publicly made available her personal data on social media, then processing of that data won’t come under these regulations, the Bill illustrates);
- processed by an individual for any personal or domestic purpose;
- made available by any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
What are the obligations of Data Fiduciaries?
1. Personal data can only be processed with consent or for certain legitimate uses: Data Fiduciaries can only process personal data for lawful purposes for which the Data Principal has given consent or for certain legitimate uses prescribed in the Bill. The processing must be in accordance with the provisions of the Digital Personal Data Protection Act (henceforth referred to as the Act).
2. Showing notice and obtaining consent: When seeking consent, Data Fiduciaries must present a notice to the user. If a user has given consent before the commencement of this Act, the Data Fiduciary should give this notice “as soon as it is reasonably practicable.”
- Details to show in notice: The notice must inform users in clear and plain language what personal data will be collected and the purpose for processing this personal data. Additionally, the notice must inform users how they can exercise their rights under the Act and the manner in which they can file a complaint to the Data Protection Board of India. Notably, the notice does not have to mention which third parties the data might be shared with.
- Free, specific, informed, affirmative: The consent must “be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.” For example, if a telemedicine app seeks a user’s consent for a) the processing of her personal data for making available telemedicine services and b) accessing her mobile phone contact list, and the user gives consent for both, the consent shall only be limited to a) because contact list details are not required to provide telemedicine services, the Bill illustrates.
- Contact details of Data Protection Officer or other officer: When seeking consent, the contact details of a Data Protection Officer (for significant data fiduciaries) or any other contact person (for other fiduciaries) must be mentioned.
- Withdrawal of consent: Users should have the right to withdraw consent at any time with the same ease as they were able to give consent. The Data Fiduciary can stop providing the services that it was earlier providing if those services can only be provided based on the processing of personal data that the user had consented to. Furthermore, Data Fiduciaries must, within a reasonable time, ensure that their Data Processors stop processing the personal data of the concerned user unless the Data Processors can continue to do so under other legal grounds.
- Consent Manager: The Data Principal can “give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.” Consent Managers are accountable to the users and must be registered with the Data Protection Board of India. Consent Managers will be subject to technical, operational, financial, and other conditions “as may be prescribed.”
- Proof of burden lies with the Data Fiduciary: If challenged in the courts, Data Fiduciaries will have to prove that a notice was given and consent was obtained to carry out the processing of personal data if consent was the legal basis for processing the personal data.
- Cannot seek consent for infringing this Act: Data Fiduciaries cannot seek consent for anything that will infringe provisions of this Act. For example, Fiduciaries cannot seek consent from users asking them to waive their right to file a complaint with the Data Protection Board.
3. Legitimate use cases that don’t require consent: A Data Fiduciary can process personal data without obtaining user consent for the following “legitimate uses”:
- Voluntary provision of data: If the user voluntarily provides their personal data to the Data Fiduciary for a specified purpose and has not indicated to the Data Fiduciary that they do not consent to the use of their personal data. For example, when a user shares their mobile number with a shop to receive the bill, the shop can process the personal data for the purpose of sending a receipt, the Bill illustrates.
- For the State to perform its function under any law, provide services, issue licences, etc.: For the State or its agencies to perform any function under any law, or in the interest of the sovereignty and integrity of India or the security of the State, or to provide any subsidy, service, benefit, certificate, licence, or permit to the Data Principal. The user must, however, have previously consented to the processing of her personal data by the State for any of the above purposes, or such personal data must already be available to the government in digital or non-digital form. For example, if a pregnant woman enrols herself to avail of the government’s maternity benefits and gives consent to provide her personal data for availing of such benefits, she has also agreed to the processing of her personal data for the purpose of determining her eligibility to receive benefits under any other government programme, the Bill illustrates.
- Court orders: “For compliance with any judgment or decree or order issued under any law.”
- Medical emergency: “For responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual.”
- Epidemics: “For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health”.
- Disasters: “For taking measures to ensure the safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order.”
- Employment: “For the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.”
4. Preventing and notifying personal data breaches: A Data Fiduciary must “protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.” In case of a data breach, the Data Protection Board and each affected Data Principal must be notified in such manner “as may be prescribed.”
5. Erasure of personal data: Data Fiduciaries must erase the personal data once the user withdraws their consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with any law. The Data Fiduciaries must also ensure that the Data Processors involved erase the data.
The purpose is no longer being served if the Data Principal, for such time period “as may be prescribed,” does not:
- approach the Data Fiduciary for the performance of the specified purpose;
- exercise any of her rights in relation to such processing.
For example, if a user hires the services of a car-selling website to sell their car and the sale is concluded, then the personal data shared by the user with the website must be deleted because the purpose is served, the Bill illustrates. However, if legally required to maintain the data for other reasons, the entity can continue to retain data as per the provisions of other laws. Banks, for example, have to maintain data of their clients for a period of 10 years beyond the closing of accounts.
6. Maintaining the accuracy of data: If the personal data processed by a Data Fiduciary is likely to be used to make a decision that affects the Data Principal, or if the data is going to be shared with another Data Fiduciary, then the Data Fiduciary should ensure the “completeness, accuracy and consistency” of the personal data.
7. Appointing a Data Protection Officer or contact person: Data Fiduciaries must publish the business contact information of a Data Protection Officer or a person who is able to answer questions that a user might have about the processing of their personal data. For Significant Data Fiduciaries this must be a Data Protection Officer; for others it can be any other officer. These details should be published in the format “as may be prescribed.”
8. Grievance redressal mechanism: Data Fiduciaries must “establish an effective mechanism to redress the grievances of Data Principals.”
9. Can appoint a Data Processor only under a valid contract: A Data Fiduciary may involve a Data Processor to process personal data on its behalf only under a valid contract.
10. Implement technical and organisational measures to adhere to the Act: A Data Fiduciary should implement “appropriate technical and organisational measures to ensure effective observance of the provisions of this Act.”
What are the obligations of Significant Data Fiduciaries?
The government has the power to notify any class of Data Fiduciaries (or any specific Data Fiduciary) as Significant Data Fiduciaries and subject them to additional obligations, in addition to the ones outlined above.
The government will notify the criteria for Significant Data Fiduciaries based on the following factors:
- the volume and sensitivity of personal data processed;
- risk to the rights of the Data Principal;
- potential impact on the sovereignty and integrity of India;
- risk to electoral democracy;
- security of the State;
- public order.
Any entity classified as a Significant Data Fiduciary is required to:
1. Appoint a Data Protection Officer who will represent the Data Fiduciary under the provisions of this Act and be based in India. This Officer will be responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary and serve as the point of contact for the user grievance redressal mechanism.
2. Appoint an Independent Data Auditor to carry out a data audit and evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act.
3. Undertake Data Protection Impact Assessment and periodic audit in relation to the objectives of this Act, and other measures “as may be prescribed.” Data Protection Impact Assessment is defined as “a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed.”
4. Other measures: Any other measures in relation to the purposes of this Act “as may be prescribed.”
What are the obligations of Data Fiduciaries processing children’s data?
A Data Fiduciary processing data of a child (defined as anyone under the age of 18) or a person with a disability who has a lawful guardian, must:
1. Obtain verifiable consent from parent or guardian: Obtain verifiable consent of the parent of the child or the lawful guardian before processing any personal data of the person, in such manner “as may be prescribed.”
2. Cause no harm to the child: Not undertake any processing of personal data that is “likely to cause any detrimental effect on the well-being of a child.”
3. Not engage in targeted advertising or behavioural monitoring: Not undertake “tracking or behavioural monitoring of children or targeted advertising directed at children.”
4. Some Data Fiduciaries could have a lower age threshold or be exempted: If the government is satisfied that a Data Fiduciary has ensured that the processing of personal data of children is done in a manner that is “verifiably safe”, then the government can exempt the fiduciary from (1) and (3) for children above a certain age (in effect, lowering the 18-year-old threshold that applies to everyone else).
5. Other Exemptions: Additionally, (1) and (3) shall not be applicable to “such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed.”
What are the rights and duties of Data Principals?
1. Right to access information about personal data: The user has the right to request from a Data Fiduciary:
- A summary of their personal data which is being processed by the Data Fiduciary and the processing activities undertaken by the Data Fiduciary with respect to such personal data.
- The identities of any other Data Fiduciaries and Data Processors with whom the personal data has been shared along with a description of what personal data.
- Any other information, related to the personal data of the user and its processing, “as may be prescribed.”
An exemption to the last two points is applicable if a Data Fiduciary shares personal data with any other Data Fiduciary authorised by law to obtain such personal data “for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.”
2. Right to correction of personal data: The user has the right to request for:
- correction of misleading or inaccurate personal data;
- completion of incomplete personal data; and
- updating personal data.
The request for correction should be made in the format “as may be prescribed.”
3. Right to erasure of personal data: Users can request for the erasure of their personal data which must be complied with by the Data Fiduciary unless retention is necessary for the purpose for which it was processed or for compliance with any law for the time being in force. The request for erasure should be made in the format “as may be prescribed.”
Notably, the above three rights only apply in cases where the user has given consent or has voluntarily provided data to a Data Fiduciary (other legitimate use grounds don’t apply).
4. Right of grievance redressal: Users have the right to “readily available means of grievance redressal provided by a Data Fiduciary or a Consent Manager”, which can be exercised by users in respect to the Data Fiduciary or Consent Manager’s obligations or the users’ rights under the provisions of this Act.
The Data Fiduciary or Consent Manager should respond to grievances within such period “as may be prescribed.” The user can escalate their grievance to the Data Protection Board only after exhausting their options with the Data Fiduciary or Consent Manager first.
5. Right to nominate: A user has the right to nominate any other individual, who shall, in the event of death or incapacity of the user, exercise the rights of the user. The nomination can be in such manner “as may be prescribed.”
6. Duties of Data Principals:
- Users must comply with all applicable laws while exercising rights under the provisions of this Act.
- Users should not impersonate others while providing their personal data for a specified purpose.
- Users should not suppress any material information while providing their personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities.
- Users should not register a false or frivolous grievance or complaint with a Data Fiduciary or the Data Protection Board.
- Users should only furnish information that is verifiably authentic while exercising the right to correction or erasure.
What are the rules on cross-border data transfers?
Data Fiduciaries can transfer personal data for processing to any country or territory outside India, except to those countries or territories that the Central Government restricts by notification.
This law, however, does not override any other laws “that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India.” (This means RBI’s and SEBI’s data localisation mandate will continue to apply for the sectors they regulate).
What are the exemptions to the government?
The Central Government can issue a notification exempting any “instrumentality of the State” from the provisions of this Act in the interests of the:
- sovereignty and integrity of India;
- security of the State;
- friendly relations with foreign States;
- maintenance of public order; or
- preventing incitement to any cognizable offence relating to any of the above.
The Central Government is also exempted from the Bill while processing any personal data that an exempted instrumentality may furnish to it.
Additionally, the government and its instrumentalities can retain personal data for an unlimited period of time regardless of whether the purpose for which data was collected has been served or not and users don’t have the right to request erasure of their personal data collected by the government or its instrumentalities.
The government also doesn’t have to allow for correction, completion or updating of personal data by a Data Principal if the processing is for a purpose that does not include making a decision that affects the Data Principal.
What are the other exemptions?
1. Exemptions for startups and certain classes of Data Fiduciaries by notification: The Central Government has the power to issue a notification exempting certain Data Fiduciaries or a class of Data Fiduciaries, “including startups”, based on the volume and nature of personal data they process, from the following provisions of the Bill:
- Section 5 (issuing notice before seeking consent);
- Sub-sections 3 (ensuring accuracy and completeness of personal data) and 7 (erasing personal data after the purpose is served) of section 8;
- Sub-sections 1 (obtaining verifiable parental consent before processing a child’s data) and 3 (no behavioural tracking of children or targeted advertising directed at children) of section 9 (obligations when processing personal data of children);
- Section 10 (Obligations of Significant Data Fiduciaries);
- Section 11 (Data Principal’s right to information about personal data).
2. Exemptions to any provision for a certain period of time: Within five years from the date of commencement of this Act, the Central Government may issue a notification declaring any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification.
3. Exemptions for certain use cases: The Bill exempts entities from the provisions of Chapter 2 (obligations of Data Fiduciaries) except sub-sections 1 and 5 (provisions related to securing data) of Section 8; Chapter 3 (rights and duties of Data Principals); and Section 16 (transfer of personal data outside India) of this Act when:
- Enforcing any legal right or claim: “The processing of personal data is necessary for enforcing any legal right or claim.”
- By courts or tribunals: “The processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function.”
- Law enforcement purposes: “Personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India.”
- Personal data of those outside India: “Personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.”
- Mergers and amalgamations: “The processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force.”
- Debt recovery: “The processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force.” For example, if a person takes a loan from a bank and defaults on their monthly instalment, the bank may process the personal data of the individual for ascertaining her financial information and assets and liabilities, the Bill illustrates.
4. Exemption for research and statistical purposes: The Act does not apply to the processing of personal data “necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.”
What is the Data Protection Board of India?
Establishment of the Data Protection Board of India (DPBI): The Central Government will establish the Data Protection Board of India (henceforth referred to as the Board) by issuing a notification.
- Type of entity: The Board “will be a corporate body having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, to contract, and shall sue or be sued.”
- Headquarters: The location of the Board’s headquarters shall be at such place as the Central Government may notify.
Composition of the Board: The Board will consist of a Chairperson and other Members, who will be appointed by the Central Government “in such manner as may be prescribed.”
- Qualification of Members: The Chairperson and every other Member should be “a person of ability, integrity and standing who possesses special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board, and at least one among them shall be an expert in the field of law.”
- Allocation of responsibilities by Chairperson: The Chairperson will have the powers to allocate proceedings among individual Members or groups of Members authorised to conduct proceedings in accordance with the provisions of this Act.
- Tenure of members: The Chairperson and every other Member can hold office for a term of two years and shall be eligible for re-appointment.
- Removal of Board members: The Central Government can, after giving an opportunity to be heard, remove from office any Chairperson or other Member if they have:
- been adjudged as insolvent;
- become physically or mentally incapable of acting as a Member;
- acquired such financial or other interest, as is likely to affect prejudicially their functions as a Member;
- been convicted of an offence, which in the opinion of the Central Government, involves moral turpitude;
- abused their position as to render her continuance in office prejudicial to the public interest.
- Employment after holding office: After ceasing to hold office, the Chairperson and any other Member should not, for a period of one year, accept any employment, with any Data Fiduciary against whom proceedings were initiated by the Board, unless they have the Central Government’s approval for the same. They also should disclose to the Central Government any subsequent acceptance of such employment post the one-year period.
Validity of the Board’s actions: No act or proceeding of the Board is invalid merely because of:
- any vacancy in or any defect in the constitution of the Board;
- any defect in the appointment of a person acting as the Chairperson or other Member of the Board;
- any irregularity in the procedure of the Board, which does not affect the merits of the case.
Employees of the Board:
- Officers and employees: The Board can, with the previous approval of the Central Government, appoint officers and employees whose terms and conditions of appointment and service will be prescribed.
- Public servants: The Chairperson, Members, officers, and employees of the Board will be deemed as public servants (as defined in section 21 of the Indian Penal Code).
Funding for the Board: For setting up and functioning of the Board, the government estimates about Rs 25 crore towards initial capital expenditure and Rs 10 crore annually for recurring expenditure. This expenditure will be incurred out of the Consolidated Fund of India.
What are the functions of the Board?
1. Inquire and impose a penalty based on complaints: If the Board receives a complaint from a user, a reference from the government, or a direction from a court concerning any breach by a Data Fiduciary or a Consent Manager in the observance of their obligations or in the exercise of the user’s rights, the Board can inquire into the breach and impose a penalty. The procedure to be followed for such inquiries is detailed in the next section.
2. Address personal data breaches: In the event of a personal data breach, the Board can direct the Data Fiduciary to adopt any urgent remedial or mitigation measures, inquire into the breach, and impose a penalty.
3. Issue directions: The Board may issue directions after giving the concerned persons a reasonable opportunity to be heard and after recording its reasons in writing. The Board can also modify, suspend, withdraw, or cancel any direction it has issued.
What procedure should investigations by the Board follow?
- The Board should function as an “independent body” and “employ such techno-legal measures as may be prescribed.”
- The Board should function as a “digital office” with “the receipt of complaints and the allocation, hearing and pronouncement of decisions in respect of the same being digital by design, and adopt such techno-legal measures as may be prescribed.”
- The Board can take action based on a complaint received from an affected user, on a reference by the government, or in compliance with court directions. It can authorise the conduct of proceedings by individual Members or groups of Members.
- If there are sufficient grounds for inquiry, the Board must record the reasons in writing and launch an inquiry into the affairs of the concerned person to ascertain whether they are complying with the Act or not. If there are no sufficient grounds for inquiry, the Board must record the reasons in writing and close the proceeding.
- The Board must follow the principles of natural justice when inquiring and shall record reasons for its actions during the course of such inquiry.
- The Board has the same powers as are vested in a civil court under the Code of Civil Procedure, 1908. This means the Board will have powers to summon and enforce the attendance of persons, examine them on oath, and inspect any data, book, document, register, books of account, or any other document. These powers can also be expanded in subsequent rules “as may be prescribed.”
- The Board or its officers cannot prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person.
- The Board can seek the services of any police officer or any officers of the government to assist it and it is the duty of every such officer to comply with such requests.
- The Board can issue interim orders if it considers it necessary with the reasons for the same recorded in writing.
- If the Board concludes that non-compliance by a person is not significant, it may, for reasons recorded in writing, close such inquiry. If the Board determines that the non-compliance by the person is significant, it can issue financial penalties as allowed under this Act or advise the Central Government to block content hosted by the entity that is in non-compliance (you can find more details on penalties and blocking powers below).
- At any stage after receipt of a complaint, if the Board determines that the complaint is devoid of merit, it may issue a warning or impose costs on the complainant.
- Every person shall be bound by the orders of the Board.
Appealing orders by the Board and alternative solutions to disputes
Appeal against Board orders in Appellate Tribunal: Any person aggrieved by an order of the Board can file an appeal before the Telecom Disputes Settlement and Appellate Tribunal (established under section 14 of the Telecom Regulatory Authority of India Act, 1997) within sixty days from the date of the order “in such form and manner and shall be accompanied by such fee as may be prescribed.”
The Appellate Tribunal will deal with an appeal in accordance with such procedure as may be prescribed.
After hearing the parties to the appeal, the Appellate Tribunal may pass orders confirming, modifying or setting aside the order issued by the Board. This should be done within six months and, if it cannot be, the Appellate Tribunal should record its reasons in writing.
An order passed by the Appellate Tribunal will be treated as a decree of a civil court, and for this purpose, the Appellate Tribunal will have all the powers of a civil court. The Appellate Tribunal can also transmit any order made by it to a civil court having local jurisdiction.
An order by the Appellate Tribunal can be appealed at the Supreme Court as per section 18 of the Telecom Regulatory Authority of India Act, 1997.
Alternate Dispute Resolution: “If the Board is of the opinion that any complaint may be resolved by mediation, it may direct the parties concerned to attempt resolution of the dispute through such mediation by such mediator as the parties may mutually agree upon, or as provided for under any law.”
Voluntary undertaking: The Board can accept voluntary undertakings from entities at any stage of its inquiry. Such a voluntary undertaking may include an undertaking to take specified action within a specified time, to refrain from taking specified action, or to publicise the undertaking. The Board can request that the terms of the undertaking be modified. If the undertaking is finally accepted by the Board, any ongoing relevant proceedings against the concerned entity are barred and no penalties can be imposed unless the entity fails to comply with the terms of the undertaking.
What are the penalties for non-compliance?
Applicable penalties according to the Schedule of the Bill:
- Failure to take reasonable security safeguards to prevent personal data breach: Up to ₹250 crores.
- Failure to notify the Board and affected Data Principals of a personal data breach: Up to ₹200 crores.
- Non-fulfilment of obligations in relation to processing data of children: Up to ₹200 crores.
- Non-fulfilment of obligations of Significant Data Fiduciary: Up to ₹150 crores.
- Violation of user duties: Up to ₹10,000.
- Breach of any term of voluntary undertaking accepted by the Board: Penalty up to the extent applicable for the breach in respect of which the proceedings against the entity were instituted.
- For any other breaches of this Act: Up to ₹50 crores.
The Board gets to determine the quantum of penalty: If the non-compliance by a person is deemed significant by the Board, the Board can determine the quantum of financial penalty to issue as long as it adheres to the Schedule published by the government. To determine the amount, the Board should consider the following factors:
- the nature, gravity, and duration of the breach;
- the type and nature of the personal data affected by the breach;
- repetitive nature of the breach;
- whether the person, as a result of the breach, has realised a gain or avoided any loss;
- whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
- whether the financial penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act;
- the likely impact of the imposition of the financial penalty on the person.
Penalties go to the Consolidated Fund of India: “All sums realised by way of penalties imposed by the Board under this Act shall be credited to the Consolidated Fund of India.”
Power to amend the amount of penalties: The Central Government has the power to amend the Schedule prescribing the penalties by issuing a notification. But the Schedule cannot be modified by the government to exceed double what was specified in it when this Act was originally enacted (which would put the max at ₹500 crores as the Bill currently stands). The amendment must be presented to the parliament for debate after it’s notified.
What are the other miscellaneous provisions?
Power of the Central Government to block access to content on advice from the Board: Where penalties have been imposed on a Data Fiduciary on two or more occasions, and the Board advises that it is in the “interests of the general public”, the Board can advise the Central Government to block access “to any information generated, transmitted, received, stored or hosted, in any computer resource” that enables such Data Fiduciary to carry out its business in India.
The Central Government, after giving the Data Fiduciary an opportunity to be heard and for reasons recorded in writing, can order any agency of the Central Government or any intermediary to block access to such information belonging to that Data Fiduciary.
The terms “computer resource”, “information” and “intermediary” will have the meanings defined in the Information Technology Act of 2000.
Power of Central Government to make rules: The Central Government has the power to issue notifications to make rules to carry out the purposes of this Act. Rules can be issued for all parts of the Act that have a provision saying, “as may be prescribed.” These rules don’t need to be presented before the parliament.
Notifications and rules can also be issued for notifying countries to which transfers of personal data are prohibited and for amending the schedule of penalties, but these two notifications must be laid before the parliament (can be laid post notification), while it is in session, for a total period of thirty days. The parliament can decide to amend the notification or rule pertaining to these two aspects.
Power of Central Government to call for information: The Central Government can, for the purposes of this Act, require the Board and any Data Fiduciary to furnish such information as the government may call for.
Protection from liability for action taken in good faith: No suit, prosecution or other legal proceedings can lie against the Central Government, the Board, its Chairperson and any Member, officer or employee of the Board for anything that is done or intended to be done in good faith under the provisions of this Act.
Bar of jurisdiction on courts: No civil court will have the jurisdiction to entertain a suit in respect of any matter for which the Board is empowered under the provisions of this Act and no court or authority can grant injunction in respect of any action taken under the provisions of this Act.
Amendments to RTI Act: The Bill modifies Section 8(1)(j) of the Right to Information Act, 2005.
This section says that the Indian state is not obliged to disclose personal information under the RTI Act that has no relationship to any public interest or activity, or which causes the unwarranted invasion of the individual’s privacy, unless the Central or State Public Information Officer, or the appellate authority, determines that the “larger public interest justifies the disclosure of such information”. The section further adds that information that cannot be denied to the Parliament or to a State Legislature will not be denied to an individual person.
The DPDP Bill, 2023, amends Section 8(1)(j) of the RTI Act to merely state that the Indian state is not obliged to disclose “information which relates to personal information,” essentially removing the power of the Public Information Officer or an appellate authority to override this on public-interest grounds, thus diluting the power of citizens to seek information under the RTI Act.
Power to remove any difficulties: If any difficulty arises in giving effect to the provisions of this Act, the Bill allows the government to, within 3 years of the Act going into effect, issue an order to add provisions to the Act to remove the difficulties as long as the new provisions are not inconsistent with the existing provisions of the Act. Any such changes must be presented to the parliament.
Update (10 August, 8:45 am): Removed references to what happens next in the intro as the Bill has been passed in the Lok Sabha and Rajya Sabha.
Update (22 August, 5:25 pm): Updated the “Power of Central Government to make rules” section to clarify that rules only need to be presented before parliament in two instances, not for all rules.