The Digital Personal Data Protection Act, 2023 ("DPDPA") establishes a multi-tier oversight mechanism and a penalty framework to enforce accountability among data fiduciaries. In the eighth edition of the Prism series, we delve into the enforcement mechanisms and penalties for non-compliance under DPDPA. DPDPA requires that the data principal must first exhaust the grievance redressal mechanism provided by the data fiduciary or consent manager and then approach the Data Protection Board of India ("Board"), if not resolved by the data fiduciary/consent manager. We analyse the powers and functions of the Board, its complaints resolution procedure and factors for imposing penalties. In the latter section of the Prism, we compare enforcement and penalty provisions across major data protection laws, such as the General Data Protection Regulation ("GDPR"), California Consumer Protection Act ("CCPA") and Singapore's Personal Data Protection Act ("PDPA").
Data Protection Board of India
The Board under DPDPA will be an independent corporate entity empowered to enforce the DPDPA, adjudicate on complaints relating to data protection violations, impose penalties, and provide guidance on the implementation of data protection laws.
The Board members serve renewable 2 (two) year terms, and post-tenure employment with any data fiduciaries previously overseen is restricted to avoid conflicts of interest. The chairperson holds administrative authority, including assigning responsibilities, managing administrative matters, and delegating functions among members. In the chairperson's absence, the senior-most member assumes these duties.
The members, officers, and employees of the Board are classified as public servants under the Bharatiya Nyaya Sanhita, 2023, which subjects them to specific accountability standards while discharging their regulatory duties. Its core responsibilities include:
- Response to personal data breaches (remedial and mitigation measures): On receiving notification of a personal data breach, the Board is empowered to direct urgent remedial or mitigation measures to address the breach immediately. Following this, the Board may conduct an inquiry into the breach and, if warranted, impose penalties.
- Handling complaints and references:
  - Data principal complaints: If a data principal submits a complaint about a personal data breach, or a failure by a data fiduciary to meet its obligations, the Board is authorised to conduct an inquiry and, where appropriate, impose penalties.
  - Consent manager complaints: The Board may also inquire into and penalise any breach by a consent manager regarding its obligations towards a data principal's personal data.
  - Breach of registration conditions: In the event of a breach of any registration condition by a consent manager, the Board has the authority to investigate and impose penalties, as it is vested with the powers of a civil court.
  - Intermediary breaches: The Board may investigate breaches of Section 37(2) (Power of Central Government to issue directions) by an intermediary based on a reference from the Central Government and impose penalties as stipulated in DPDPA.
- Issuance and modification of directions; directive powers: For effective enforcement, the Board may issue directions necessary for compliance. These directions are binding, and the Board must provide an opportunity for the concerned party to be heard, along with documented reasons for the directive.
Upon receiving a representation from an affected party or a referral from the Central Government, the Board holds the power to modify, suspend, withdraw, or cancel issued directions. In doing so, the Board can impose conditions it deems appropriate, specifying the terms under which the modification or cancellation is effective.
This consolidated framework establishes the Board as a pivotal entity in the enforcement of data protection compliance, enabling prompt responses to breaches, robust oversight of obligations, and clear mechanisms for modifying and enforcing compliance directives.
Complaints and Resolution
The procedural framework of the Board is structured to allow for systematic handling of data breaches and complaints. Below is a step-by-step breakdown:
Additional factors:
- The Board functions as a digital office, managing the receipt, hearing, and resolution of complaints entirely online, implementing techno-legal measures as necessary.
- During the inquiry, the Board abides by principles of natural justice, meticulously documenting each action taken to ensure transparency.
- To effectively discharge its responsibilities, the Board is vested with the powers of a civil court. Additionally, the Board has the authority to inspect relevant documents and records.
- The Board avoids impeding daily business activities, refraining from seizing premises or equipment essential for operations during inquiries.
- The Board may request assistance from police or government officers to carry out its investigations, and such officers are legally obliged to comply.
- To discourage abuse of the complaint process, the Board may issue warnings or impose costs on complainants if a complaint is deemed false or frivolous.
- "Appellate Tribunal" means the Telecom Disputes Settlement and Appellate Tribunal established under Section 14 of the Telecom Regulatory Authority of India Act, 1997.
Alternative Mechanisms
- Mediation: The Board may recommend mediation if it believes a complaint can be resolved amicably. Parties are encouraged to engage with mutually agreed mediators or follow relevant Indian mediation laws, promoting collaborative solutions to disputes.
Mediation is an alternative dispute resolution process in which a neutral third party, known as a mediator, assists the disputing parties in reaching a mutually acceptable agreement. The mediator does not make a decision but facilitates communication, helping the parties find common ground and solutions voluntarily. The Code of Civil Procedure, 1908 allows courts to refer cases for mediation when they see the potential for an amicable settlement. Since the Board is vested with powers similar to those of civil courts, the Board may also refer cases to mediation where it deems fit.
- Voluntary Undertakings: The Board can accept voluntary undertakings from individuals to ensure compliance with the DPDPA at any stage of a proceeding. These undertakings may include commitments to take specific actions or refrain from certain behaviours. The Board can modify the terms with mutual consent. While a voluntary undertaking can halt further proceedings on the related issues, failure to comply is treated as a breach of DPDPA, allowing the Board to initiate enforcement actions after giving the individual a chance to be heard. This process fosters compliance and accountability among stakeholders.
Penalties under DPDPA
Under the DPDPA, if the Board determines that a significant breach of DPDPA or its rules has occurred, it may impose a monetary penalty after providing the individual with an opportunity to be heard. In assessing the appropriate penalty, the Board considers several factors to ensure that penalties are proportional and effective in deterring future violations.
These factors include:
The penalties for specific breaches are as follows:
| Breach of provisions of the DPDPA or rules made thereunder | Penalty |
|---|---|
| Breach of security safeguards under Section 8(5) | Up to INR 250,00,00,000 |
| Failure to notify the Board or affected data principal of a breach under Section 8(6) | Up to INR 200,00,00,000 |
| Breach of obligations concerning children under Section 9 | Up to INR 200,00,00,000 |
| Breach of obligations for significant data fiduciaries under Section 10 | Up to INR 150,00,00,000 |
| Breach of duties of data principal under Section 15 | Up to INR 10,000 |
| Breach of voluntary undertakings accepted by the Board under Section 32 | Penalties vary based on the breach |
| Any other violations of the DPDPA or its rules | Up to INR 50,00,00,000 |
Under Section 37 of the DPDPA, where a data fiduciary has been subject to monetary penalties for violations of data protection regulations in 2 (two) or more instances, the Central Government is empowered to block public access to information held by that data fiduciary. This action is initiated upon a formal recommendation from the Board. Importantly, the data fiduciary is afforded an opportunity to respond before any blocking order is issued, ensuring a degree of procedural fairness. Compliance with such directives is mandatory for intermediaries, with terms clearly defined in alignment with the Information Technology Act, 2000, highlighting the intersection of data protection and regulatory enforcement.
All sums collected as penalties will be credited to the Consolidated Fund of India.
The Consolidated Fund of India is the main fund of the Indian Government, into which all revenues received (such as taxes), loans raised, and money received in repayment of loans are deposited. It is essentially the government's primary financial reservoir, set up under Article 266(1) of the Indian Constitution.
Comparison with Global Data Protection Laws
The table below compares enforcement and penalty provisions across the DPDPA, GDPR, CCPA, and PDPA, highlighting key differences in penalty scope, criteria for fines, appeal mechanisms, and revenue allocation.
| CONCEPT | DPDPA | GDPR | CCPA | PDPA |
|---|---|---|---|---|
| Enforcement body | Data Protection Board of India | Data Protection Authorities in each European Union member State (supervisory authorities) | Direct CCPA (California Consumer Privacy Act) issues are referred to the California Privacy Protection Agency as the main enforcement authority; the California Attorney General's office is involved mainly in data breach consumer suits or significant oversight cases | Personal Data Protection Commission |
| Maximum penalty amount | Up to INR 250,00,00,000 for security breaches, unauthorised processing, and non-compliance (per the DPDPA's Schedule) | Up to EUR 20,000,000 or 4% of global annual turnover, whichever is higher | Fines up to USD 7,500 per intentional violation and USD 2,500 per unintentional violation | Up to SGD 1,000,000 for each breach |
| Appeal process | Appeals against the Board's decisions can be made to the Appellate Tribunal, with further appeal options under the Telecom Regulatory Authority of India Act, 1997 for unresolved cases | Right to judicial appeal against penalties before national courts | No specific provision mentioning the appeal process | Appeals against penalties may be submitted to the Data Protection Appeal Committee |
| Alternate dispute resolution | The Board may recommend mediation for complaints that may be resolved without further litigation | Alternative dispute resolution ("ADR") mechanisms available at the discretion of national supervisory authorities | Does not specify ADR mechanisms directly within its provisions | No specific ADR; enforcement handled by the Personal Data Protection Commission |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.