The DPDP Act 2023: What lies ahead for the businesses?

In August 2023, India introduced the Digital Personal Data Protection Act (DPDP Act) as a replacement for the withdrawn Personal Data Protection Bill of 2019. This new legislation aims to establish guidelines for processing personal data while maintaining a balance between privacy and lawful data use. The DPDP Act consists of 44 provisions and penalties, and it will be implemented in phases through official notifications. It abolishes certain existing data protection rules and introduces the Data Protection Board of India (DPBI) as an independent regulator responsible for enforcement and oversight. The Act adheres to fundamental data processing principles, leaving detailed regulations to be specified through rule-making. The Data Protection Board of India (or Board) is an independent body that is responsible for enforcing the DPDP Act. The Board will be responsible for issuing guidelines and regulations to clarify the provisions of the DPDP Act and will have the power to investigate complaints, impose penalties, and issue compliance orders. 

The Data Protection Board of India: An Overview 

The Data Protection Board of India or the Board will be set up by the Central Government through a notification on a chosen date. It will be a legal entity with an ongoing existence, a common seal, and the ability to own and manage property. It can also make contracts and can be involved in legal actions under its given name. The Board will comprise a Chairperson and six Members appointed by the Central Government, with expertise in law, information technology, or public administration, serving for five years, who will be eligible for reappointment, with salary, allowance, and other conditions of service. Disqualifications for Chairperson or Member include insolvency, a conviction for a morally turpitude-related offense, incapacity, prejudicial financial interests, or position abuse; removal requires prior opportunity for a hearing. Resignations and vacancies lead to new appointments. A one-year restriction on post-service employment applies, subject to Central Government approval.

 What are the powers of the Chairperson?

• To oversee and guide all administrative aspects of the Board. 
• Empower a Board officer to review notifications, complaints, inquiries, or messages directed to the Board. 
• Delegate Board functions and proceedings to individual Members or groups of Members and distribute responsibilities among them. 

What are the powers, functions, and procedures to be followed by the Board? 

The Board, upon receiving information of a data breach or violation, can give direct actions to fix the breach, investigate it, and apply penalties as applicable. To effectively perform its duties according to the DPDP Act, the Board can provide the person concerned with a chance to present their viewpoint and thereby issue necessary directions as it may deem necessary, and they must follow these instructions. The Board may also modify, suspend, withdraw, or cancel a given direction if requested by an individual affected by directions issued or on a reference made by the Central Government and, while doing so, impose such conditions as it may deem fit, for the modification, suspension, withdrawal or cancellation to take effect. 

The Board will act as an independent body and aim to function digitally whenever possible. It should handle complaints and process decision-making, digitally, using technological and legal measures as directed.  Upon receiving reports, complaints, references, or instructions, it may take action as per the provisions of this act. On finding insufficient reasons to proceed, it can close the request and record the decision in writing or otherwise, can look into a person’s activities to confirm whether they are following or have followed the rules of this act. The board will document the reasons for this decision in writing. 

The Board has powers similar to a civil court under the code of civil procedure, which include summoning people to testify, receiving affidavits for the discovery of documents, inspecting data and books of account or any other document. It must conduct an inquiry on principles of natural justice, and shall not disrupt day-to-day work by preventing entry or taking custody of any equipment item of a person. The Board must record the reasons for its actions during the investigation. It may request police or officials of the state or central government to assist in these investigations, and it shall be the duty of every officer to comply with the request. After the inquiry and giving a chance to the person to be heard, the Board may close the case or proceed to apply penalties as applicable, explaining reasons in writing. The Board can accept a voluntary commitment related to Act compliance during proceedings.

If the Board, upon investigation, finds a complaint baseless, can warn or impose costs on the complainant. 

How can a party appeal for alternate dispute resolution? 

The Appellate Tribunal allows individuals dissatisfied with the Board’s orders or directions to appeal for grievances. This appeal must be made within sixty days of receiving the order while adhering to prescribed procedures and fees. The Appellate Tribunal may still consider appeals submitted after this period if valid reasons exist. After receiving an appeal, the Appellate Tribunal listens to the involved parties and makes decisions, which might confirm, modify, or overturn the original decision and share copies of its orders with both the Board and the parties in the appeal. It reviews cases promptly, with the aim of finalizing them within six months of submission. If delays occur, reasons for such should be recorded in writing. If appeals are made against the Tribunal’s decisions, the rules of section 18 of the Telecom Regulatory Authority of India Act, 1997* are applicable. The Tribunal strives to work digitally for these appeals, managing submissions, hearings, and decisions digitally whenever possible. The Appellate Tribunal can send its orders to a local civil court to enforce the order as if it were a decree made by that court. 

If the Board believes that a complaint could be settled through mediation, it can instruct the involved parties to try resolving the issue with a mediator they both agree on or as dictated by existing Indian laws. 

What are the penalties and Adjudication under the DPDP Act?

The DPDP Act provides for a range of penalties for violations of the Act, such as fines, imprisonment, and debarment from processing personal data. The funds collected as penalties under this Act will be deposited into the Consolidated Fund of India. While deciding the amount of monetary penalty, the Board may consider:

1. The nature, severity, and duration of the breach. 
2. The type and character of the personal data impacted by the breach. 
3. Whether the breach is a recurring  
4. Whether the person gained benefits or avoided losses due to the breach. 
5. Whether the person took steps to mitigate the consequences of the breach, the promptness, and the effectiveness of such actions. 
6. the necessity to ensure adherence to the Act’s provisions and to discourage breaches. 
7. The potential impact of imposing the monetary penalty on the person. 

With the change in legislation, it is important that businesses stay compliant and ensure there are no breaches leading up to penalties. At Anzen, we are well-equipped to handle the changes for the Data Fiduciaries and the Data Processors. We review and assess your current key applications and databases handling personal data, create required documentation, and revise existing Data privacy policies as per the new guidelines. This includes formulating new data processing agreements with third parties and vendors and deploying technologies for enhancing data protection. We also organize training and awareness programs to ensure the new changes are well integrated into your business processes. Stay tuned with us for more updates.