India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”), as recently published in the gazette (but not yet in force), provides a multilayered mechanism for redressing grievances and resolving disputes.
The entities which determine the purpose and means of processing personal information (“data fiduciaries”) have certain obligations towards specific individuals who are related to, or are identifiable by, such information (“data principals”). Some of these obligations correspond with the latter’s statutory rights – including in respect of access to an effective grievance redressal mechanism provided by the former.
In the first place, the ‘notice’ that a data fiduciary must provide to data principals, accompanying or preceding a request for consent to process personal data, must contain specific information – including a reference to the fact that data principals have a right to grievance redressal, as well as a description of the ways in which they can complain to the Data Protection Board of India (the “DPBI”). Involving government-appointed subject-matter experts and techno-legal measures under the auspices of a ‘digital office’, the DPBI will have the powers of a civil court in respect of issuing summons, enforcing attendance, examining on oath, receiving evidence and inspecting data.
In essence, a data fiduciary is required to protect the personal data in its possession or control (including data processed by a third party on its behalf pursuant to contractual arrangements or otherwise) by taking reasonable security safeguards to prevent unauthorized processing and/or accidental disclosures which may amount to a personal data breach. If and when a breach nonetheless occurs, the data fiduciary needs to inform the DPBI and each affected data principal about it – irrespective of any materiality threshold (i.e., even if the breach is minor or relates to non-sensitive data). After receiving such intimation, the DPBI may direct urgent remedial or mitigation measures, as well as inquire into the breach and impose penalties, as required.
Separately, a data principal may make a complaint to the DPBI about such breach, or with respect to the non-performance of necessary obligations. The DPBI’s powers may also get triggered further to governmental reference or court directions. While the data fiduciary must respond to grievances within a stipulated period, data principals on their part first need to exhaust the avenue of grievance redressal under the mechanism established by the data fiduciary or the consent manager, as applicable, before approaching the DPBI.
After giving the concerned entity an opportunity of being heard, the DPBI may issue binding directions. In parallel, the DPBI will decide whether sufficient grounds exist to warrant an inquiry into the matter, and will close or continue the proceedings on that basis. In the event of an affirmative determination, the DPBI will examine the affairs of the entity based on principles of natural justice and check for compliance. At each step, the DPBI will maintain a record of written and reasoned findings. Interim orders may be issued during the inquiry process, and the inquiry may end with the DPBI finding a significant breach of the Act’s provisions. In that case, after giving the entity another chance to defend itself, a suitable monetary penalty may be imposed within the framework of the Act’s schedule – which, in turn, lists fines going up to INR 2.5 billion for each breach (for now) without providing an aggregate cap.
Nevertheless, while determining the penalty amount, the DPBI will consider a few factors, such as the nature, gravity and duration of the breach; the type and nature of the personal data so affected; whether the breach was repetitive; if the perpetrator made gains or avoided a loss as a result; whether the entity in question took any actions to mitigate the consequential effects of such breach, as well as the promptness and efficacy of such actions; whether the proposed penalty is proportionate and effective in terms of future compliance and deterrence; as well as the likely impact of such penalty on the obliged entity.
Alternatively, the DPBI may direct the disputants towards ADR processes, including through the use of a party-appointed mediator via mutual agreement. Further, the DPBI may accept a voluntary undertaking (or a consensually modified version of it) from the offending entity in respect of future compliance, including publicized assurances connected with action or inaction in this regard. Once accepted, such undertakings will constitute a bar on proceedings. However, if the assuring entity fails to adhere to the terms of such undertaking, that failure will be deemed to be a breach by itself.
A person aggrieved by the DPBI’s orders or directions may file an appeal within 60 days before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) – whose decision, required to be made within six months, is further appealable before the Supreme Court of India.
Like the DPBI, the TDSAT, too, is intended to function as a digital office and to have the powers of a civil court in respect of appeals. Further, the TDSAT can execute its orders as decrees, while its hearings and decisions remain ‘digital by design’. In any event, the TDSAT may transmit such orders to a local civil court for the purpose of execution.
This insight has been authored by Deborshi Barat (Counsel); he can be reached at firstname.lastname@example.org for any questions. A version of this insight was first published by The Hindu Businessline on September 24, 2023. This insight is intended only as a general discussion of issues and is not intended as a solicitation of work. It should not be regarded as legal advice, and no legal or business decision should be based on its content.
© 2023 S&R Associates