This article is part of a series on the operational impacts of India's DPDPA.
Published: October 2023
While India's Digital Personal Data Protection Act is not yet in effect, the government has indicated a phased implementation and enforcement of the act in the coming months. Discussions among various stakeholders are ongoing and the government plans to hold several consultations to finalize upcoming rules for implementation.
Considering forthcoming enforcement, organizations are quickly gearing up to be compliant, and the government is facing the equally daunting task of ensuring the necessary measures, checks and balances are in place to effectuate a smooth implementation.
Implementation challenges
The DPDPA is far more exhaustive than the existing data protection framework covered under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. As a result, as with the implementation of any new legislation, organizations are likely to face several challenges.
One is the lack of clarity on the time frame for implementation. Despite the government's indicated time frame, privacy professionals, especially at larger organizations, may desire more clarity. They will need to understand further compliance requirements that could be imposed, how and when such provisions will take effect, and the extent to which they should edit existing privacy programs before taking significant steps to transition.
Heavy compliance costs, both in terms of manpower and resources, are another major cause of concern, especially for smaller organizations that may need to onboard technology and resources to ensure compliance. Organizations will likely also need to update technology or procure software to aid in compliance with several of the act's requirements, like data portability, consent mechanisms and provision of the right to data erasure.
Many of these requirements become even more challenging for organizations that use emerging technologies, like artificial intelligence and blockchain, as part of business offerings where personal data is inadvertently processed.
Authority and grievance redressal process
Any grievance raised by a data principal in relation to data processing must first be addressed by the internal grievance redressal mechanism adopted by a data fiduciary. If this fails, the Data Protection Board of India is vested with the powers to receive and investigate complaints raised by data principals.
The data protection board, established as an independent supervisory authority under the act, will serve as a "digital office," the first of its kind in India. The board is proposed to be led by a chairperson and will have government-appointed members serving two-year renewable terms.
The board has been bestowed broad powers to initiate inquiries, investigate complaints, impose fines and penalties, and take other actions as required upon receiving a complaint from a data principal, consent manager or the government, or an intimation from the data fiduciary itself. The board has also been granted the power to refer disputing parties to mediation and to accept voluntary undertakings from data fiduciaries to take, or refrain from taking, certain actions as settlement. The act, however, does not confer on the board any lawmaking powers to issue directions or regulations.
Broad powers of the government
The government has been granted broad powers and discretion to stipulate rules, prescribe the manner and timelines for data fiduciaries to respond to requests from data principals, authorize details relating to data-breach notifications, adopt delegated legislation, formulate the requirements of valid notice for obtaining a data principal's consent for processing data, and other actions required for implementation.
Besides the foregoing, the act also empowers the government to request access to any information from a data fiduciary, any entity processing personal data, an intermediary (as defined by the IT Act) or from the board. This authority is extremely broad and is subject to fewer restrictions than those provided for under the existing IT Act and SPDI Rules. Further, the government is also empowered to order or direct any government agency and intermediary to block information from public access "in the interests of the general public," after the board sanctions the concerned data fiduciary at least two times and advises the government to issue such an order.
Appellate body
While the board has been granted the powers of a civil court under the Code of Civil Procedure, 1908, with respect to summoning and enforcing the attendance of any person, receiving affidavits, and requiring the discovery, production and inspection of documents, the act expressly forecloses individuals' access to civil courts for relief under the law. It will be interesting to see how this interplays with the Supreme Court decision that found citizens have a fundamental right to privacy under Article 21 of India's constitution. The act instead grants any person aggrieved by an order of the board the right to file an appeal before the Telecom Disputes Settlement and Appellate Tribunal.
While the TDSAT derives authority from the Department of Telecommunications, the Ministry of Electronics and Information Technology spearheaded the adoption of the act. Accordingly, given that the TDSAT was originally set up to handle disputes pertaining to telecommunications and information technology — in contrast to the board, which is proposed to be constituted purely to regulate the processing of digital personal data in India — the act's appeals process raises the question of whether the TDSAT is the right appellate body to handle data privacy appeals.
Further, while Section 43A of the IT Act will be repealed when the DPDPA comes into effect, the rest of the IT Act's provisions remain in force. As a result, in the case of a data breach where multiple provisions of the IT Act are triggered, a data principal or any impacted party may engage in forum shopping by seeking recourse from the tribunals or authorities most likely to provide favorable outcomes. This may lead to confusion and conflict among affected parties and regulatory authorities.
That said, the Cyber Appellate Tribunal, which was the appellate body under the IT Act for certain notified matters, was merged with the TDSAT in 2017. Accordingly, the TDSAT may be the logical choice to entertain appeals of decisions passed by the board. This, however, does not address the concern that the primary role of the TDSAT has historically been to serve as the appellate body for telecom disputes.
Penalties
The DPDPA stipulates varying penalty amounts depending on the violation. A data fiduciary may be fined a penalty of INR50 crore (approximately USD6 million) for breach of any provision of the act or the implementing rules for which no specific penalty is stipulated, and up to INR250 crore (approximately USD30 million) for failure to fulfill the obligation to take reasonable security safeguards to prevent a personal data breach.
The act also sets out general parameters that may be considered to determine the appropriate penalty, such as the nature, gravity and duration of the breach, the type and nature of personal data affected, and the repetitive nature and implications of the breach, among others. Under Section 43A of the IT Act, a company breaching its obligations in respect of personal data, thereby causing wrongful loss or gain, is liable to pay damages to the affected individual. The data principal's right to receive compensation has been done away with under the act. However, given that the board has been granted extensive powers to issue directions to discharge its functions under the act, including the powers vested in a civil court, it is unclear whether such powers extend to granting compensation to data principals.
Further, the government retains broad powers to implement additional rules. Accordingly, it remains to be seen whether any rules or directions related to compensation of data principals will be implemented when the act comes into effect.
Additionally, unlike the E.U. General Data Protection Regulation and the California Consumer Privacy Act, the DPDPA permits the board to levy penalties on data principals, to ensure they do not take undue advantage of any noncompliance under the law that may be attributable to their own action. The board can prescribe a penalty of up to INR10,000 (approximately USD120) on a data principal if they fail to perform duties stipulated under the act.
Way forward and conclusion
The enforcement provisions laid down under the DPDPA are a significant upgrade from the existing data protection framework in India and are well-balanced in approach. The act, on one hand, allows businesses to continue with fewer operational challenges, but on the other, deters data processing entities from allowing data breaches to occur.
While organizations will need to take concrete steps — such as updating privacy policies, notifying data principals, and updating third party contracts with vendors and service providers — one key challenge the government may need to address is the act's impact on organizations regulated by different authorities and the interplay between sector-specific regulations.
While the act stipulates that in case of any conflict between its provisions and any other law, the act prevails, given that most regulators today prescribe terms around data localization and data security, the government must examine any similar or conflicting obligations stipulated under different laws regulated by different authorities, as well as clarify what would be viewed as a repeal and what would be a supplemental obligation imposed by the sectoral regulator.
That apart, harmonizing the terms of the DPDPA with the GDPR and laws of other jurisdictions will be crucial, as businesses grow, to ensure India meets the adequacy standards necessary to facilitate smooth cross-border data processing.
Top 10 operational impacts of India's DPDPA
- Part 1: Scope, key definitions and lawful data processing
- Part 2: Individual rights
- Part 3: Obligations of data processing entities
- Part 4: Enforcement and the Data Protection Board
- Part 5: Cross-border data transfers
- Part 6: Comparative analysis with the GDPR and other major data privacy laws
- Part 7: Consent management
- Part 8: Data audits for significant fiduciaries
- Part 9: Data protection impact assessments
- Part 10: Data breaches