Data Privacy Newsletter – The Data Protection Board Of India : Nov 2023
The Data Protection Board of India
A recent media report stated that the Ministry of Electronics and Information Technology (MeitY) has appointed the current joint secretary, Mr Sanket S Bhondve, as the Officer on Special Duty (OSD) for setting up the Data Protection Board under the Digital Personal Data Protection Act 2023 (the “DPDP Act”). According to the report, the OSD will collaborate with MeitY’s Cyber Laws and Data Governance Division to facilitate the formation of the Data Protection Board.
What is the Data Protection Board of India?
The Data Protection Board of India (the “Board”) will be the newly established regulatory body as per Section 18 of the DPDP Act. The Board’s primary function is to ensure enforcement of the provisions of the DPDP Act. Equipped with powers equivalent to those of courts and enforcement agencies, the Board is empowered to investigate, enforce, and impose penalties for violations.
The Board will be composed of members possessing expertise in various fields, including but not limited to “data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation, or techno-regulation, or in any other field deemed valuable to the Board” in the opinion of the Central Government.
Key highlights of the Board
The key features of the Board include:
Digital Office: The Board is designed to be entirely digital, with the entire process of handling complaints, proceedings, and regulatory actions managed through a website-based platform.
User-Friendly Approach: The forthcoming rules will incorporate techno-legal measures to simplify the processes of filing, hearing, and resolution of complaints.
Primary Recourse: The Board acts as a first point of recourse for individuals reporting personal data breaches, failures by organizations and consent managers to meet their obligations, or concerns related to individuals exercising their rights.
Independent Authority: Functioning as an independent body, the Board is endowed with powers equivalent to courts, enabling it to enforce the provisions outlined in the DPDP Act.
Collaboration with Cyber Security: The Board is anticipated to work collaboratively with existing cybersecurity regulators such as the Computer Emergency Response Team (CERT-In) and other enforcement agencies.
Official Requests: The Board is responsible for responding to requests from government authorities or courts/tribunals.
Appeal Process: Decisions made by the Board can be appealed before the Telecom Disputes Settlement and Appellate Tribunal, with the final appeal resting with the Supreme Court of India.
Alternate Dispute Resolution: The Board is vested with the authority to instruct the parties involved in a dispute to seek resolution through the process of mediation.
Penalties: The Board possesses the authority to impose substantial penalties, with the upper limit set at INR 250 Crores for non-compliance with the provisions of the DPDP Act.
Penalty structure under the DPDP Act
Under the DPDP Act, the Board has the power to prescribe hefty financial penalties, calculated with regard to factors such as (i) the nature, gravity and duration of the breach, (ii) the type and nature of personal data, (iii) recurrence, (iv) mitigation efforts taken and (v) whether the penalty is proportionate and effective.
The maximum penalties for each type of violation are listed below; multiple violations may increase the maximum penalties that may be imposed.
| Sr. No. | Subject matter of the non-compliance/violations | Penalty |
|---|---|---|
| 1 | Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach | Penalty up to INR 250 crore |
| 2 | Failure to notify in the event of a personal data breach | Penalty up to INR 200 crore |
| 3 | Non-compliance for Children’s Data | |
| 4 | Non-compliance by Significant Data Fiduciary | Penalty up to INR 150 crore |
| 5 | Non-compliance with the Duties of Data Principal | Penalty up to INR 10,000 |
| 6 | Miscellaneous provision covering any and all compliances | Penalty up to INR 50 crore |
Stay tuned for updates, a detailed breakdown, and practical guidance on the Digital Personal Data Protection Act, 2023.