First Impressions: The Digital Personal Data Protection Act

The current version of this post with footnotes in PDF is available here: [GoogleDocs]


WORKING DRAFT

v1, August 2023



Anomalies and Ambiguities

A Reading of India’s 2023 Digital Personal Data Protection Law


NANDITA SAIKIA

Contents

Introduction

1. Digital Personal Data

2. Data Principals

3. Data Processing and Data Breaches

4. The Location of Processing

5. Those who Process Personal Data

6. Permissible Processing at Will

7. Managing Consent for Processing

8. Withdrawing Consent for Processing

9. Individuals Requesting Their Data

10. DPDPA Exemptions

Appendix: DPDPA Provisions

re The Data Protection Board

re Penalties (Annotated Chapter)


Introduction

[Note: This document has been shared only for the purpose of academic discussion. It is not legal advice and should not be relied upon for any purpose. It has not been proofed, and it may not be accurate or complete.]


The Digital Personal Data Protection Act, 2023, (referred to as the 'DPDPA' in this document) received presidential assent on August 11, 2023, becoming Act No. 22 of 2023. The statute, which is to come into force upon notification in the official gazette, possibly on different dates for different provisions, is primarily meant to 'provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes' according to its preamble.

The statute attempts to balance three interests which are not always entirely harmonious: the protection of individuals' digital personal data, the ease of doing business, and the accomplishment of state objectives. (In fact, individuals have a duty not to suppress any material information while providing their personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities.)

Left to itself, the DPDPA provides a framework allowing for optimal outcomes to be reached in theory but whether it will ultimately succeed in its ostensible aims depends, in large measure, on what the rules framed under its aegis will say.

Like most statutes, the DPDPA is intended to function in conjunction with subordinate legislation which is in consonance with it. The words 'as may be prescribed' repeatedly appear in the statute, and Section 2(v) states that 'prescribed' means 'prescribed by rules made under this Act' leaving no doubt that a great deal is to be left to the rules.

That said, the DPDPA contains a number of definitions in Section 2 although the definitions are intended to apply to the statute 'unless the context otherwise requires' which accords some interpretational flexibility to the statute or, depending on how one looks at it, some interpretational uncertainty to it. 

Occasionally, the definitions effectively act as meta-definitions clarifying the meanings of words used in other definitions. For example, the term 'person' appears in the statute in a number of different contexts but, each time, it harkens back to the definition in Section 2(s), with a 'person' defined to include an individual, a Hindu undivided family, the State as defined by Article 12 of the Constitution of India, and any artificial juristic person including a company, a firm, an association of persons or a body of individuals, whether incorporated or not.

In essence, the DPDPA envisages the personal data of individuals (called 'Data Principals') being processed for and sometimes by 'Data Fiduciaries' who may occasionally qualify as 'Significant Data Fiduciaries'. 'Data Processors' may carry out the actual data processing and, if consent is required for personal data processing or if data principals have concerns, 'Consent Managers' and, if data fiduciaries are 'Significant Data Fiduciaries', 'Data Protection Officers' step in to smooth out issues. The DPDPA also envisages the creation of a Data Protection Board of India established by the Central Government, referred to as the 'Board' in the statute, to support the implementation of the statute and help address grievances; it devotes three chapters (reproduced in the Appendix of this document) to its functioning and to dispute resolution in general. This breathless recapitulation of the statute entirely elides the nuance in its text.

It appears that the coming into force of Section 44 of the DPDPA will make the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, which have shaped the field since they were issued in 2011, defunct; the 2011 Rules were issued in exercise of the powers conferred by Sections 43A and 87(2)(ob) of the Information Technology Act, 2000, and Section 44 of the DPDPA has the effect of omitting both of these provisions from the Information Technology Act. It follows that subordinate legislation issued under the aegis of provisions which are no longer in force cannot themselves continue to remain in force. As such, upon coming into force, the DPDPA will be the primary law governing digital personal data.

Possibly recognising the power differentials that can exist between data fiduciaries and data principals, Section 8(1) categorically requires each data fiduciary to be responsible for complying with the statute and the rules thereunder 'in respect of any processing undertaken by it or on its behalf by a Data Processor' regardless of whether or not data principals carry out their statutory duties, and 'irrespective of any agreement to the contrary'. In other words, data fiduciaries cannot either contract out of their responsibilities or shrug them off by claiming that data principals have not performed their duties. Amongst other duties enumerated in Section 15, data principals have a duty to comply with the provisions of all the applicable laws while exercising rights under the DPDPA.

The statute also seems to follow a rough duty-right formula. For example, while data fiduciaries are required to establish effective mechanisms to redress the grievances of data principals, data principals have a duty not to register false or frivolous grievances or complaints with Data Fiduciaries or the Board. 'At any stage after receipt of a complaint, if the Board is of the opinion that the complaint is false or frivolous, it may issue a warning or impose costs on the complainant.'

Given the granularity in the statute, compliance checklists are, by and large, meaningless unless they are bespoke lists drafted keeping in mind factors such as the identity and nature of the data fiduciaries involved, the category to which the relevant data principals belong, the purpose for which personal data is to be processed and the intended location of processing. 

The statute itself does not assume that implementing its provisions will be without hiccoughs. 'The Central Government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for', and, for three years after the commencement of the statute, if 'any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order published in the Official Gazette, make such provisions not inconsistent with the provisions of this Act as may appear to it to be necessary or expedient for removing the difficulty'.

This document, very much a work in progress at this stage, comprises a largely intratextual reading of the DPDPA which, largely ignoring the provisions relating to dispute resolution and the functioning of the Board, attempts to explore what the statute says… with limited success. The tale of the DPDPA appears to be one of ambiguities and anomalies in part due to the statute leaving so much to be determined by subordinate legislation and in part due to its drafting often being less than a model of clarity.

References to 'Sections' in this document are references to Sections of the DPDPA unless otherwise stated, and the term 'Section' has been used to refer to the various provisions of the statute even though the statute itself occasionally uses the term 'Clause'.

1. Digital Personal Data

The question of what constitutes digital personal data is perhaps best answered by a cumulative reading of three definitions in the DPDPA: those of 'data', 'digital data', and 'digital personal data'.

2(h). 'data' means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;

2(t). 'personal data' means any data about an individual who is identifiable by or in relation to such data;

2(n). 'digital personal data' means personal data in digital form; 

Thankfully, the definition of 'data' is reasonably clear although the definition of 'personal data' is not as clear: it speaks of 'data about an individual who is identifiable by or in relation to such data'. An individual being identifiable by data indicates that the individual could be named in the relevant 'data' to make it 'personal data' or that the 'data' could drop a large enough number of hints to make it possible to identify an individual it referred to. Given that both these options are covered by the words 'any data about an individual who is identifiable by [....] such data', it is entirely unclear why the statute includes the words 'or in relation to' in the part omitted by the quote in this sentence or what purpose the words 'or in relation to' are intended to serve in Section 2(t).

2. Data Principals

The individual referred to in Section 2(t) defining 'personal data' as 'any data about an individual who is identifiable by or in relation to such data' is, in fact, a 'data principal' per Section 2(j) — in circular fashion, the latter provision defines a 'data principal' to mean 'the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf'. The definition of a 'data principal' is expository and illustrative (rather than being categorical and definitive), and has the astounding effect of potentially allowing an unspecified number of people not only to act on behalf of two classes of individuals — minors and persons with disabilities — but also to take their place. In the case of persons with disabilities, this is without reference to the nature or severity of their disability or their competence to contract.

In addition to the statute itself allowing for people to step into the shoes of data principals in certain cases, data principals also have 'the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal' with 'incapacity' referring to the relevant data principals' inability to exercise their rights under the DPDPA or its rules due to unsoundness of mind or infirmity of body.

3. Data Processing and Data Breaches

Section 2(x) of the DPDPA defines 'processing' in relation to personal data to mean 'a wholly or partly automated operation or set of operations performed on digital personal data' and then goes on to say that it 'includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction'.

Section 2(h), which defines 'data', recognises that data can be processed by human beings or by automated means. However, ultimately, it is only the processing of digital personal data by means that are at least partially automated which constitutes 'processing' within the scope of the definition of the term in Section 2(x) although, strangely enough, the provision recognises 'processing' in relation to personal data as the performance of at least partially automated operations on digital personal data. It isn't at all clear what this is intended to mean. Presumably, one must be satisfied knowing that, without automation, no data processing recognised by Section 2(x) occurs, and, without such recognition, Section 3, which describes what sorts of data processing the DPDPA applies to, cannot even come into play, regardless of what operation is conducted and regardless of where it is conducted: without there being any automation at all in the conduct of a data processing operation, it would falter at the threshold of Section 3 and likely fail to fall within the scope of the statute.

Data fiduciaries must protect personal data in their possession or under their control, including in respect of any processing undertaken by them or on their behalf by Data Processors, by taking reasonable security safeguards to prevent personal data breach. Although the statute itself does not explain what it means by 'reasonable security safeguards', it is possible that subordinate legislation will do so; Section 40(2)(z) provides for rules consonant with the statute to be framed on 'any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules'.

In addition to this specific requirement, data fiduciaries must also 'implement appropriate technical and organisational measures to ensure effective observance of' the provisions of the DPDPA and its rules.

Should personal data be breached, data fiduciaries must intimate the Board and each affected data principal in the prescribed manner. Once it is intimated that personal data has been breached, the Board may 'direct any urgent remedial or mitigation measures', inquire into the breach, and impose a statutory penalty provided by the DPDPA.

Through an amendment to the Information Technology Act, 2005, via the DPDPA, data principals would not be entitled to any compensation in relation to their data being breached — penalties may be payable but the DPDPA states that those penalties would be credited to the Consolidated Fund of India.

4. The Location of Processing

The statute applies beyond India although the manner in which it operates differs within India and abroad. If the conduct of an operation for the purpose of processing data crosses the automation-erected threshold of Section 3 and does not fall within the scope of any of the exceptions in the provision, the applicability of the DPDPA is determined with regard to the type of data being processed, the context in which data is processed, and the territory of processing.

Within India, under Section 3(a) and subject to the provisions of the statute itself, the DPDPA applies to the processing of digital personal data regardless of whether personal data is collected in non-digital form and digitised subsequently or whether personal data is collected in digital form right at the outset, i.e. as digital personal data.

Although the Central Government may, by notification, restrict the transfer of personal data by data fiduciaries for processing to a specific country or territory outside India, Section 16 suggests that personal data can ordinarily be processed outside India unless there are sectoral legal restrictions in other laws which provide 'for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof' — presumably, despite drafting ambiguities, the 'restriction' referred to in the provision applies to transfers of personal data outside India rather than to data fiduciaries outside India.

Pertinently, Section 38(1) states that the DPDPA supplements other laws in force rather than derogating from them, and Section 38(2) states: 'In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.' It isn't obvious that these two sub-sections of Section 38 are consistent with each other.

Further, Section 81 of the Information Technology Act, the IT Act, states that the provisions of the IT Act 'shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force. Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 (14 of 1957) or the Patents Act, 1970 (39 of 1970)'.

Section 44(2)(b) of the DPDPA amends Section 81 of the IT Act but only to the extent of adding 'or the Digital Personal Data Protection Act, 2023' after 'the Patents Act, 1970' in its proviso, leaving clauses in both Section 38(2) of the DPDPA and Section 81 of the IT Act which accord overriding privilege to the statutes in which each of them is placed. It is entirely unclear how they are meant to be read harmoniously, especially considering that there are likely to be a number of areas in which the two statutes deal with substantially the same subject matter, unless a straightforward assessment is made based on the assumption that the later statute will always prevail. Such an assessment could, however, lead to unintended consequences as time goes by and as new statutes are added to the country's corpus juris.

In any case, under the DPDPA, notifications which restrict cross-border data transfers must be laid before both houses of parliament. If, within the 30-day timeframe contemplated by the statute, both houses agree that a specific notification either should not have been issued or should be modified, that notification shall cease to have effect or have effect in modified form, as the case may be, from the date the houses so agree, without prejudice to the validity of any act performed while the original form of the notification was in force.

Beyond India, under Section 3(b) and subject to the provisions of the statute itself, the DPDPA applies to the processing of digital personal data (and not, it appears, of non-digitised personal data, giving rise to an inconsistency between Sections 3(b) and 16) in connection with any activity related to offering of goods or services to data principals in India. 

There is no provision which says that it is immaterial whether or not data is collected in digital form when processing is to take place beyond India although, it could perhaps be argued that such a provision would be as unnecessary in relation to data processing beyond India as it arguably is to data processing in India since Section 2(n) in any case defines 'digital personal data' to mean 'personal data in digital form' without reference to its initial mode of collection.

5. Those who Process Personal Data

The question of whose personal data will be processed is easier to answer than the question of who will undertake the processing.

The statute appears to envisage personal data processing being conducted for data fiduciaries but not by data fiduciaries or, at any rate, not necessarily by them. It defines data fiduciaries to mean persons 'who alone or in conjunction with other persons' determine 'the purpose and means of processing of personal data', and goes on to state that certain data fiduciaries or classes thereof may be designated as 'significant data fiduciaries' by the Central Government via notification under Section 10 'on the basis of an assessment of such relevant factors as it may determine, including—(a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order'.

In essence, significant data fiduciaries must, in addition to complying with all the demands made of data fiduciaries by the statute, also each appoint a Data Protection Officer and an independent data auditor. A Data Protection Officer must be an individual based in India. There are no comparable mandates regarding who may act as an independent data auditor so, presumably, both individuals and juristic persons may do so regardless of where they are based. That said, both Data Protection Officers and independent data auditors must carry out the functions which Section 10(2) of the DPDPA assigns to them:

10(2). The Significant Data Fiduciary shall— (a) appoint a Data Protection Officer who shall— (i) represent the Significant Data Fiduciary under the provisions of this Act; (ii) be based in India; (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and (iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act; (b) appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and (c) undertake the following other measures, namely:— (i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; (ii) periodic audit; and (iii) such other measures, consistent with the provisions of this Act, as may be prescribed.

Each data fiduciary must publish, in the prescribed manner, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer, on their behalf, questions which data principals may raise about the processing of their personal data.

The DPDPA envisages the actual processing of personal data being conducted by data processors which it defines as persons who process personal data on behalf of data fiduciaries indicating, by the use of the words 'on behalf of', that where data processors are involved, data processing is outsourced rather than carried out in-house by data fiduciaries. Whether this indication is intentional or meant to be effective and to truly segregate data fiduciaries and data processors is an open question. It would probably be prudent to assume that the implicit segregation is no more than a drafting anomaly, and that data processing may be carried out in-house by data fiduciaries.

Section 8(2) allows data fiduciaries to 'engage, appoint, use or otherwise involve' data processors for the purpose of processing personal data on their behalf 'for any activity related to offering of goods or services to data principals only under a valid contract'. The provision excludes activities which do not involve providing goods and services to data principals, and, as such, could potentially exclude activities such as certain kinds of research from its scope meaning that, if a data fiduciary were having personal data processed for purposes which did not involve providing goods and services to the relevant data principals, the statute would not require the data fiduciary to compulsorily enter into a valid contract for personal data processing. This, too, may simply be a drafting anomaly and prudence would suggest that data fiduciaries enter into clear and valid contracts with data processors for the processing of personal data.

Section 4 allows persons (without specifying if the persons must be data fiduciaries or data processors) to process the personal data of data principals only in accordance with the provisions of the DPDPA and for a lawful purpose (meaning any purpose which is not expressly forbidden by law) either with the consent of the data principal or for 'certain legitimate uses' recognised by the statute in Section 7. Section 4 appears in 'Chapter II: Obligations of Data Fiduciary' so perhaps one can reasonably safely assume that the persons referred to in Section 4 who may process personal data include data fiduciaries.

The assumption that data fiduciaries may process personal data directly is buttressed by Section 7 which begins by saying that 'a Data Fiduciary may process personal data of a Data Principal' in circumstances which it goes on to describe. The construction 'a data fiduciary may process or have processed' in relation to personal data processing is alien to the DPDPA although the statute implies that the phrase is embedded in its underlying rationale and, that being the case, it is likely that the statute intends to have obligations relating to personal data processing apply to whoever is responsible for it either by the performance of data processing operations or by instigating their performance.

Additionally, if the 'personal data processed by a Data Fiduciary is likely to be— (a) used to make a decision that affects the Data Principal; or (b) disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency'.

6. Permissible Processing at Will

As a general rule, personal data processing requires the consent of the relevant data principals. However, Section 7 lists a number of circumstances in which the consent of data principals is not required to process their personal data. By and large, these exceptions are for state purposes, to comply with judicial decisions, to protect those making disclosures required of them by law, to take steps to address health issues and various disasters, and to protect employers. 

And, even where consent is required to process personal data, there exists a loophole: data fiduciaries may process personal data which has been voluntarily provided to them by data principals both for the purposes which data principals have agreed to and 'in respect of which' data principals have not refused consent. The use and placement of the words 'in respect of which' in the provision makes it ambiguous — it could potentially mean, in effect, that once a data fiduciary legally acquires a data principal's personal data, they can process it in whatever manner they choose unless the data principal has forbidden them to do so. The words could also, far more legitimately, simply mean that data fiduciaries may process personal data voluntarily acquired from data principals in ways that are incidental to the specified purpose which data principals have previously agreed to (unless data principals have forbidden such use) without being required to approach data principals for each operation involving the incidental processing of personal data ancillary to the specified purpose.

Either way, Section 7 is worth reading in its entirety, and has been reproduced here without its accompanying illustrations.

7. A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— 

(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.

(b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–(i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or (ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.

(c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; 

(d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; 

(e) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; 

(f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; 

(h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. Explanation.— For the purposes of this clause, the expression 'disaster' shall have the same meaning as assigned to it in clause (d) of section 2 of the Disaster Management Act, 2005; or 

(i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.

There are also special provisions in the DPDPA to protect the interests of minors. Data fiduciaries cannot legally process personal data in ways that are likely 'to cause any detrimental effect on the well-being' of minors, or, unless permitted by subordinate legislation possibly only in relation to minors above a certain age, undertake either tracking or behavioural monitoring of children or targeted advertising directed at children.

7. Managing Consent for Processing

If personal data cannot be legally processed without consent, it follows that consent must be obtained to process personal data. For good measure, the DPDPA states that the consent granted by data principals must signify an agreement to their data being processed for specified purposes set out by data fiduciaries going no further than to allow the processing of personal data necessary for the specified purposes. In other words, presumably, data fiduciaries cannot legitimately conduct fishing expeditions to collect personal data just in case it might be useful some time; all personal data collected must be necessary for the specified purposes.

Although the statute accords a degree of protection to data principals, it also imposes a duty on them to ensure that they do not impersonate other persons while providing their personal data for a specified purpose.

In general, data principals whose personal data is to be processed may consent to the processing of their own personal data although, unless otherwise prescribed possibly only in relation to minors above a certain age, Section 9(1) requires data fiduciaries to obtain verifiable consent, in a manner which may be prescribed, from the lawful guardians of those persons with disabilities who have lawful guardians as well as from the parents or lawful guardians, as the case may be, of children.

Data principals may 'give, manage, review or withdraw' their consent to data fiduciaries for the processing of their personal data through, the statute insists, 'an accessible, transparent and interoperable platform', with their single point of contact being a person known as a 'consent manager' acting on their behalf who is registered with the Board. Although the Board may look into registration irregularities, the statute does not delve into who would be eligible to register as a consent manager or how consent managers would perform their obligations and be held accountable, leaving the decision to subordinate legislation; but, given the definition of 'person' in Section 2(s), a consent manager could potentially be, amongst others, an individual, a Hindu undivided family, the State as defined by Article 12 of the Constitution of India, or any artificial juristic person including a company, a firm, an association of persons or a body of individuals, whether incorporated or not. By itself, the statute does not specify whether consent management must be outsourced to third parties by data fiduciaries or whether consent management can be handled in-house, so to speak.

Should data principals develop grievances in respect of acts or omissions of data fiduciaries or consent managers regarding the performance of their obligations in relation to the data principals' own personal data or the exercise of data principals' rights under the DPDPA, Section 13(1) states that they 'shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager'. Data fiduciaries and consent managers must respond to grievances within a certain time after they are received, although the statute leaves the timeframe for a response to subordinate legislation, allowing for different timeframes to be set down for different classes of data fiduciaries. Only once the opportunity to redress grievances by approaching data fiduciaries and consent managers directly has been exhausted may data principals approach the Board.

All of this, of course, means that to obtain the consent of data principals to process their personal data, data fiduciaries must inform data principals, by way of notices accompanying or preceding requests for consent (or as soon as reasonably practicable in cases where data principals have granted consent before the date of commencement of the DPDPA), what personal data they want to process, and why they want to process it. They should, it appears, limit their requests for consent to requests to process only such personal data as is necessary for the purposes which they specify in their notices to data principals, that is, the 'specified purposes'. Additionally, Sections 5(1)(ii) and (iii) also require data fiduciaries to inform data principals how to withdraw consent, and how to raise grievances both directly with the concerned data fiduciaries and consent managers as well as with the Board. 

Without this basic information being provided, the consent given by data principals to data fiduciaries to permit the processing of their personal data cannot be 'free, specific, informed, unconditional and unambiguous with a clear affirmative action', as the statute requires. (A caveat in Section 5(2)(b) allows data fiduciaries to continue processing personal data until consent is withdrawn in cases where data principals granted consent before the date of commencement of the DPDPA.) Grants of consent which constitute an infringement of the statute, its subordinate legislation, or any other law in force are invalid to the extent of such infringement.

Strangely, Section 5(3) requires data fiduciaries to give data principals the option to access the contents of these notices in English or in any language specified in the Eighth Schedule to the Constitution. The provision does not specify the language of the notices themselves but only the languages in which the mechanism for accessing the notices must be available, and it is not at all clear why this is so. Even if it is read to mean that the notices themselves must be in one of the specified languages, it would be satisfied by a notice in any single Eighth Schedule language, which could potentially be comprehensible to only a small fraction of data principals.

The DPDPA appears to treat these informational notices associated with consent separately from requests for consent themselves. However, in Section 6(3), it uses almost the same linguistic formulation in relation to requests for consent as it does for notices associated with consent adding only that requests for consent must be in clear and plain language. Also, requests for consent must provide 'the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights' under the statute.

8. Withdrawing Consent for Processing

Consent for consent-based personal data processing can be withdrawn at any time by data principals, 'the ease of doing so being comparable to the ease with which such consent was given'. Once consent is withdrawn, 'the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal' unless such processing without consent is required or authorised under the provisions of the DPDPA, its subordinate legislation or any other law in force in India.

Strangely, in what appears to be a drafting anomaly, the provision, read literally, only requires data fiduciaries to cause their data processors to stop processing the personal data of data principals who have withdrawn consent; it does not clearly require data fiduciaries to stop processing such data themselves. This is, however, a technicality, and a purposive interpretation of the provision would require data fiduciaries both to stop processing personal data themselves and to stop data processors acting on their behalf from doing so upon the withdrawal of consent for such processing. Such a purposive interpretation of Section 6(6) is supported by Section 8(7), which requires data fiduciaries to erase the personal data of data principals who withdraw consent and to cause their data processors to erase the personal data made available to those processors for processing, 'unless retention is necessary for compliance with any law for the time being in force'. Since data fiduciaries cannot process personal data which they have erased, they would necessarily also have to stop processing such data themselves.

However, the construction of Section 8(7) leaves much to be desired. It states: 'A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— (a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor'. Although one can sense what it intends to convey, upon close reading, it appears that once 'it is reasonable to assume that the specified purpose [for which data fiduciaries have informed data principals that personal data will be processed] is no longer being served', it is only data fiduciaries that have an obligation to erase personal data under this provision, since that trigger appears in clause (a) alone and clause (b) carries no trigger of its own.

Section 8(8) then clarifies when the 'specified purpose' mentioned in Section 8(7)(a) will 'be deemed to no longer be served': this occurs if a data principal neither approaches the data fiduciary, that is, initiates contact with the data fiduciary in person or by way of communication in electronic or physical form, for the performance of the specified purpose, nor exercises any of their rights in relation to such processing, in both cases for 'such time period as may be prescribed', with different time periods possibly being prescribed for different classes of data fiduciaries and for different purposes.

A purposive interpretation of Section 8(7) would probably suggest that, in cases of consent-based data processing, unless retention is legally required, data fiduciaries and data processors may retain personal data only for as long as they need it for the processing to which the data principals have agreed, and that this period ends earlier if the relevant data principals withdraw consent. (Withdrawal here is presumably withdrawal of consent for processing, as the statute does not appear to separately contemplate consent for retention.) Although this is not quite what Section 8(7) literally says, it is likely an interpretation which cannot fall foul of it.

Section 12 which also deals with erasure in part, however, does not appear to be entirely in consonance with Section 8(7). Under Section 12, in cases where they have previously consented, including per Section 7(a), to having their personal data be processed, data principals have the right to have such personal data erased, corrected, completed or updated 'in accordance with any requirement or procedure under any law for the time being in force'. Data principals must 'furnish only such information as is verifiably authentic, while exercising the right to correction or erasure' under the DPDPA or its rules.

Under Section 12(3), upon receiving requests in the prescribed manner from data principals to erase their personal data in such circumstances, data fiduciaries must erase the data unless it is necessary to retain it for the specified purpose or to comply with any law. Further, under Section 12(2), data fiduciaries must correct, complete or update the personal data of data principals if they so request — unlike in the case of erasing data, there is no mention of data principals needing to use a prescribed form to request that personal data be corrected, completed or updated in Section 12(2) although such forms could well be introduced to the law by subordinate legislation.

The provision in Section 12 enabling personal data to be retained for the specified purpose despite a request for erasure having been made appears to directly contradict the provision in Section 8 which speaks of personal data being erased once 'it is reasonable to assume that the specified purpose is no longer being served'. It is unclear how both of these provisions can operate simultaneously.

Whatever the case though, data principals bear the consequences of withdrawing consent, and withdrawal does not affect the legality of pre-withdrawal consent-based personal data processing. 

9. Individuals Requesting Their Data

Section 11 states that data principals who have previously given consent, including consent as referred to in Section 7(a), to the processing of their personal data have the right, upon making a request in the prescribed manner to the data fiduciaries concerned, to obtain: a summary of the personal data being processed by those data fiduciaries (although it is unclear whether this is restricted to data processed by the fiduciaries themselves or extends to data processed on their behalf); the names of the data processors and other data fiduciaries with whom the personal data has been shared, along with a description of the personal data so shared; and any other prescribed information related to the data principals' personal data and its processing. The right to information about sharing does not, however, extend to personal data shared with another data fiduciary 'authorised by law to obtain such personal data' pursuant to a written request made by it for the purpose of preventing, detecting, investigating, prosecuting or punishing offences or cyber incidents.

There has hitherto been a statutory provision allowing individuals to seek personal data through the 2005 Right to Information Act, the 'RTI Act'. However, through a provision which not only keeps citizens from going on fishing expeditions to uncover other people's personal data but also potentially keeps them from accessing their own personal data, the DPDPA amends Section 8(1)(j) of the RTI Act to read: 'Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen information which relates to personal information.' The seeming prohibition on seeking any personal data, including one's own, seems entirely inconsistent with Section 11 of the DPDPA.

That said, the non obstante clause at the beginning of the amended version of Section 8(1)(j) of the RTI Act, like its predecessor, only applies to the other provisions of the RTI Act itself. So, one could read Section 11 of the DPDPA harmoniously with Section 8(1)(j) of the RTI Act to mean that citizens cannot access through the RTI Act personal data which they would not be entitled to access via the DPDPA. If all the other conditions required by the RTI Act were met, such a construction of the law would enable citizens to access their own personal data through the RTI Act without being at the mercy of how those assessing their RTI applications understood the term 'public interest', always an unstable and inexact term.

(At the time it was enacted, Section 8(1)(j) of the RTI Act read: 'Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen, information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information'.)

The question of how Section 8(1)(j) of the RTI Act will be interpreted, however, remains open, not least because, read together, the two subsections of Section 38 of the DPDPA, which deals with 'consistency with other laws', suggest that the DPDPA both supplements and supersedes other statutes. There is no indication of how it realises these two disparate and seemingly contradictory positions simultaneously, although, perhaps, one could read the provision to mean that where the tenor of two laws is compatible, they build upon each other, and that, in other cases, the DPDPA supersedes other laws.

The amendment to the RTI Act has the potential to make it easier for people to seek their own data in cases which fall within its scope but whether that potential will be realised depends largely on how it is interpreted in conjunction with Section 11 of the DPDPA.

10. DPDPA Exemptions

It is worth treading carefully: the DPDPA does not apply to vast swathes of activity (including processing) which could occur in relation to personal data. It also allows the Central Government, within five years of the commencement of the statute, to issue notifications declaring that any of its provisions shall not apply to such data fiduciaries or classes thereof for such periods as may be specified.

Section 17(2), buried in the depths of the statute, grants a wholesale exemption from the statute to personal data processing not only by instrumentalities of the state notified by the Central Government in 'the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these' and 'by the Central Government of any personal data that such instrumentality may furnish to it' but also, it appears, by the state, its instrumentalities, and anyone else if personal data processing is conducted in accordance with prescribed standards, is not used to make decisions specific to the individuals whose data is processed, and is necessary for research, archiving or statistical purposes. It is not difficult to suspect that a vast array of data processing operations could somehow be defined so as to be pigeonholed within the scope of these exemptions.

Sections 8(7) and 12(3), dealing with the erasure of personal data by data fiduciaries, and, where 'processing is for a purpose that does not include making of a decision that affects the Data Principal', Section 12(2), which enables data principals to have their personal data corrected, completed or updated, simply do not apply in respect of processing by the State or any of its instrumentalities.

Except for two general obligations (that data fiduciaries comply with the DPDPA and the rules made under it even if they enter into contrary contracts with data principals, and that they take reasonable security safeguards to prevent breaches of personal data in their possession or control), Chapter II detailing the obligations of data fiduciaries, Chapter III detailing the rights and duties of data principals, and Section 16 dealing with the processing of personal data outside India shall not apply, the statute says, where:

(a) the processing of personal data is necessary for enforcing any legal right or claim; 

(b) the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; 

(c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; 

(d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; 

(e) the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and 

(f) the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. 

Section 5 dealing with notices that data fiduciaries must generally provide to data principals to obtain valid consent to process their data, Section 8(3) requiring data fiduciaries to ensure the completeness, accuracy and consistency of personal data which is likely either to be used to make decisions affecting data principals or disclosed to other data fiduciaries, Section 8(7) dealing with the retention and erasure of personal data by data fiduciaries and their data processors, Section 10 dealing with the additional obligations imposed upon significant data fiduciaries, and Section 11 dealing with data principals' right to access information about personal data may all not apply to data fiduciaries or specific classes thereof, including startups, if the Central Government issues a notification to that effect having regard to the volume and nature of personal data processed.

Further, Section 3 of the DPDPA provides that, subject to the provisions of the statute itself, the DPDPA shall not apply to '(i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data that is made or caused to be made publicly available by—(A) the Data Principal to whom such personal data relates; or (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available'.

Instead of simply assuming that the DPDPA applies to personal data processing, it appears that it would be prudent to double-check whether it does actually apply, in whole or in part, to the specific data processing operations one has in mind. Although this document does not continually use the formulation 'except in cases where the DPDPA or the relevant provisions of the statute do not apply', all the rights and obligations of the various stakeholders involved are subject to broad statutory exemptions including those which may be set out in subordinate legislation.

Appendix: DPDPA Provisions

re The Data Protection Board 

2. Definitions. In this Act, unless the context otherwise requires,— (a) 'Appellate Tribunal' means the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997; [....] (e) “Chairperson” means the Chairperson of the Board; [....] (m) “digital office” means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode; [....] (o) “gain” means— (i) a gain in property or supply of services, whether temporary or permanent; or (ii) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration; (p) “loss” means— (i) a loss in property or interruption in supply of services, whether temporary or permanent; or (ii) a loss of opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration; [....] (q) “Member” means a Member of the Board and includes the Chairperson; [....] (w) “proceeding” means any action taken by the Board under the provisions of this Act; [....]

35. Protection of action taken in good faith. No suit, prosecution or other legal proceedings shall lie against the Central Government, the Board, its Chairperson and any Member, officer or employee thereof for anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder. 

39. Bar of jurisdiction. No civil court shall have the jurisdiction to entertain any suit or proceeding in respect of any matter for which the Board is empowered under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power under the provisions of this Act.

37. Power of Central Government to issue directions. (1) The Central Government or any of its officers specially authorised by it in this behalf may, upon receipt of a reference in writing from the Board that— (a) intimates the imposition of monetary penalty by the Board on a Data Fiduciary in two or more instances; and (b) advises, in the interests of the general public, the blocking for access by the public to any information generated, transmitted, received, stored or hosted, in any computer resource that enables such Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within the territory of India, after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it is necessary or expedient so to do, in the interests of the general public, for reasons to be recorded in writing, by order, direct any agency of the Central Government or any intermediary to block for access by the public or cause to be blocked for access by the public any such information. (2) Every intermediary who receives a direction issued under sub-section (1) shall be bound to comply with the same. (3) For the purposes of this section, the expressions “computer resource”, “information” and “intermediary” shall have the meanings respectively assigned to them in the Information Technology Act, 2000.


CHAPTER V: DATA PROTECTION BOARD OF INDIA

18. Establishment of the Board. (1) With effect from such date as the Central Government may, by notification, appoint, there shall be established, for the purposes of this Act, a Board to be called the Data Protection Board of India. (2) The Board shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued. (3) The headquarters of the Board shall be at such place as the Central Government may notify.

19. Composition and qualifications for appointment of Chairperson and Members. (1) The Board shall consist of a Chairperson and such number of other Members as the Central Government may notify. (2) The Chairperson and other Members shall be appointed by the Central Government in such manner as may be prescribed. (3) The Chairperson and other Members shall be a person of ability, integrity and standing who possesses special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board, and at least one among them shall be an expert in the field of law.

20. Salary, allowances payable to and term of office. (1) The salary, allowances and other terms and conditions of service of the Chairperson and other Members shall be such as may be prescribed, and shall not be varied to their disadvantage after their appointment. (2) The Chairperson and other Members shall hold office for a term of two years and shall be eligible for re-appointment.

21. Disqualifications for appointment and continuation as Chairperson and Members of Board. (1) A person shall be disqualified for being appointed and continued as the Chairperson or a Member, if she— (a) has been adjudged as an insolvent; (b) has been convicted of an offence, which in the opinion of the Central Government, involves moral turpitude; (c) has become physically or mentally incapable of acting as a Member; (d) has acquired such financial or other interest, as is likely to affect prejudicially her functions as a Member; or (e) has so abused her position as to render her continuance in office prejudicial to the public interest. (2) The Chairperson or Member shall not be removed from her office by the Central Government unless she has been given an opportunity of being heard in the matter.

22. Resignation by Members and filling of vacancy. (1) The Chairperson or any other Member may give notice in writing to the Central Government of resigning from her office, and such resignation shall be effective from the date on which the Central Government permits her to relinquish office, or upon expiry of a period of three months from the date of receipt of such notice, or upon a duly appointed successor entering upon her office, or upon the expiry of the term of her office, whichever is earliest. (2) A vacancy caused by the resignation or removal or death of the Chairperson or any other Member, or otherwise, shall be filled by fresh appointment in accordance with the provisions of this Act. (3) The Chairperson and any other Member shall not, for a period of one year from the date on which they cease to hold such office, except with the previous approval of the Central Government, accept any employment, and shall also disclose to the Central Government any subsequent acceptance of employment with any Data Fiduciary against whom proceedings were initiated by or before such Chairperson or other Member.

23. Proceedings of Board. (1) The Board shall observe such procedure in regard to the holding of and transaction of business at its meetings, including by digital means, and authenticate its orders, directions and instruments in such manner as may be prescribed. (2) No act or proceeding of the Board shall be invalid merely by reason of— (a) any vacancy in or any defect in the constitution of the Board; (b) any defect in the appointment of a person acting as the Chairperson or other Member of the Board; or (c) any irregularity in the procedure of the Board, which does not affect the merits of the case. (3) When the Chairperson is unable to discharge her functions owing to absence, illness or any other cause, the senior-most Member shall discharge the functions of the Chairperson until the date on which the Chairperson resumes her duties.

24. Officers and employees of Board. The Board may, with previous approval of the Central Government, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of this Act, on such terms and conditions of appointment and service as may be prescribed.

25. Members and officers to be public servants. The Chairperson, Members, officers and employees of the Board shall be deemed, when acting or purporting to act in pursuance of provisions of this Act, to be public servants within the meaning of section 21 of the Indian Penal Code.

26. Powers of Chairperson. The Chairperson shall exercise the following powers, namely:— (a) general superintendence and giving direction in respect of all administrative matters of the Board; (b) authorise any officer of the Board to scrutinise any intimation, complaint, reference or correspondence addressed to the Board; and (c) authorise performance of any of the functions of the Board and conduct any of its proceedings, by an individual Member or groups of Members and to allocate proceedings among them.


CHAPTER VI: POWERS, FUNCTIONS AND PROCEDURE TO BE FOLLOWED BY BOARD

27. Powers and functions of Board. (1) The Board shall exercise and perform the following powers and functions, namely:— (a) on receipt of an intimation of personal data breach under sub-section (6) of section 8, to direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act; (b) on a complaint made by a Data Principal in respect of a personal data breach or a breach in observance by a Data Fiduciary of its obligations in relation to her personal data or the exercise of her rights under the provisions of this Act, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court, to inquire into such breach and impose penalty as provided in this Act; (c) on a complaint made by a Data Principal in respect of a breach in observance by a Consent Manager of its obligations in relation to her personal data, to inquire into such breach and impose penalty as provided in this Act; (d) on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act; and (e) on a reference made by the Central Government in respect of the breach in observance of the provisions of sub-section (2) of section 37 by an intermediary, to inquire into such breach and impose penalty as provided in this Act. (2) The Board may, for the effective discharge of its functions under the provisions of this Act, after giving the person concerned an opportunity of being heard and after recording reasons in writing, issue such directions as it may consider necessary to such person, who shall be bound to comply with the same. 
(3) The Board may, on a representation made to it by a person affected by a direction issued under sub-section (1) or sub-section (2), or on a reference made by the Central Government, modify, suspend, withdraw or cancel such direction and, while doing so, impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.

28. Procedure to be followed by Board. (1) The Board shall function as an independent body and shall, as far as practicable, function as a digital office, with the receipt of complaints and the allocation, hearing and pronouncement of decisions in respect of the same being digital by design, and adopt such techno-legal measures as may be prescribed. (2) The Board may, on receipt of an intimation or complaint or reference or directions as referred to in sub-section (1) of section 27, take action in accordance with the provisions of this Act and the rules made thereunder. (3) The Board shall determine whether there are sufficient grounds to proceed with an inquiry. (4) In case the Board determines that there are insufficient grounds, it may, for reasons to be recorded in writing, close the proceedings. (5) In case the Board determines that there are sufficient grounds to proceed with inquiry, it may, for reasons to be recorded in writing, inquire into the affairs of any person for ascertaining whether such person is complying with or has complied with the provisions of this Act. (6) The Board shall conduct such inquiry following the principles of natural justice and shall record reasons for its actions during the course of such inquiry. (7) For the purposes of discharging its functions under this Act, the Board shall have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, in respect of matters relating to— (a) summoning and enforcing the attendance of any person and examining her on oath; (b) receiving evidence on affidavit requiring the discovery and production of documents; (c) inspecting any data, book, document, register, books of account or any other document; and (d) such other matters as may be prescribed. (8) The Board or its officers shall not prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person. (9) The Board may require the services of any police officer or any officer of the Central Government or a State Government to assist it for the purposes of this section and it shall be the duty of every such officer to comply with such requisition. (10) During the course of the inquiry, if the Board considers it necessary, it may for reasons to be recorded in writing, issue interim orders after giving the person concerned an opportunity of being heard. (11) On completion of the inquiry and after giving the person concerned an opportunity of being heard, the Board may for reasons to be recorded in writing, either close the proceedings or proceed in accordance with section 33. (12) At any stage after receipt of a complaint, if the Board is of the opinion that the complaint is false or frivolous, it may issue a warning or impose costs on the complainant.


CHAPTER VII: APPEAL AND ALTERNATE DISPUTE RESOLUTION

29. Appeal to Appellate Tribunal. (1) Any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal. (2) Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. (3) The Appellate Tribunal may entertain an appeal after the expiry of the period specified in sub-section (2), if it is satisfied that there was sufficient cause for not preferring the appeal within that period. (4) On receipt of an appeal under sub-section (1), the Appellate Tribunal may, after giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. (5) The Appellate Tribunal shall send a copy of every order made by it to the Board and to the parties to the appeal. (6) The appeal filed before the Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible and endeavour shall be made by it to dispose of the appeal finally within six months from the date on which the appeal is presented to it. (7) Where any appeal under sub-section (6) could not be disposed of within the period of six months, the Appellate Tribunal shall record its reasons in writing for not disposing of the appeal within that period. (8) Without prejudice to the provisions of section 14A and section 16 of the Telecom Regulatory Authority of India Act, 1997, the Appellate Tribunal shall deal with an appeal under this section in accordance with such procedure as may be prescribed. (9) Where an appeal is filed against the orders of the Appellate Tribunal under this Act, the provisions of section 18 of the Telecom Regulatory Authority of India Act, 1997 shall apply. (10) In respect of appeals filed under the provisions of this Act, the Appellate Tribunal shall, as far as practicable, function as a digital office, with the receipt of appeal, hearing and pronouncement of decisions in respect of the same being digital by design.

30. Orders passed by Appellate Tribunal to be executable as decree. (1) An order passed by the Appellate Tribunal under this Act shall be executable by it as a decree of civil court, and for this purpose, the Appellate Tribunal shall have all the powers of a civil court. (2) Notwithstanding anything contained in sub-section (1), the Appellate Tribunal may transmit any order made by it to a civil court having local jurisdiction and such civil court shall execute the order as if it were a decree made by that court.

31. Alternate dispute resolution. If the Board is of the opinion that any complaint may be resolved by mediation, it may direct the parties concerned to attempt resolution of the dispute through such mediation by such mediator as the parties may mutually agree upon, or as provided for under any law for the time being in force in India.

32. Voluntary Undertaking. (1) The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under section 28. (2) The voluntary undertaking referred to in sub-section (1) may include an undertaking to take such action within such time as may be determined by the Board, or refrain from taking such action, and or publicising such undertaking. (3) The Board may, after accepting the voluntary undertaking and with the consent of the person who gave the voluntary undertaking vary the terms included in the voluntary undertaking. (4) The acceptance of the voluntary undertaking by the Board shall constitute a bar on proceedings under the provisions of this Act as regards the contents of the voluntary undertaking, except in cases covered by sub-section (5). (5) Where a person fails to adhere to any term of the voluntary undertaking accepted by the Board, such breach shall be deemed to be breach of the provisions of this Act and the Board may, after giving such person an opportunity of being heard, proceed in accordance with the provisions of section 33. 

re Penalties (Annotated Chapter)

CHAPTER VIII: PENALTIES AND ADJUDICATION 

33. Penalties. (1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule [reproduced below]. (2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:— (a) the nature, gravity and duration of the breach; (b) the type and nature of the personal data affected by the breach; (c) repetitive nature of the breach; (d) whether the person, as a result of the breach, has realised a gain or avoided any loss; (e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action; (f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and (g) the likely impact of the imposition of the monetary penalty on the person.




[Note: The Central Government may, by notification, amend the Schedule, provided that no penalty in it is increased to more than double the quantum originally enacted. Such a notification has effect as if enacted in the statute itself and comes into force as soon as it is issued, although it must be laid before both Houses of Parliament. If, within the 30-day timeframe contemplated by the statute, both Houses agree that a specific notification either should not have been issued or should be modified, that notification ceases to have effect, or has effect in modified form, as the case may be, from the date on which the Houses so agree, without prejudice to the validity of anything done while the notification was in force in its original form.]

34. Crediting sums realised by way of penalties to Consolidated Fund of India. All sums realised by way of penalties imposed by the Board under this Act, shall be credited to the Consolidated Fund of India. 

[Note: Section 34 of the DPDPA is supported by an amendment to the Information Technology Act made by Section 44(2)(a) of the DPDPA, which simply omits Section 43A of the IT Act, the provision that made bodies corporate liable to pay compensation to persons affected by their failure to protect data.]






This post is by Nandita Saikia and was first published at IN Content Law.