India is awaiting the notification of the DPDPA Rules after taking into consideration the public comments. According to some indications the Government may release the notification some time in the beginning of April 2025.
Many companies are waiting for the notification to start their compliance activities, but it must be remembered that the first set of rules to come into effect are the rules related to the setting up of the Data Protection Board (DPB). The rules will only enable setting up a “Search Committee”, which is an action point for the MeitY. Once the two Search Committees are in place, one under the Chairmanship of the Cabinet Secretary will go into the selection of the Chairman and the other will go into the selection of the members. We expect that the Government may start with a Board with at least 2 members in addition to the Chairman.
It will be only after the DPB comes into existence that the necessary infrastructure, such as setting up a secretariat, a website, etc., may be put in place.
It is possible that MeitY may quickly set up:
- Committee to specify restrictions on transfer of personal data from India to outside India for processing or from outside India for processing in India.
- Officer/s to be designated under Section 17(2) to determine what data can be processed by the State or an Instrumentality of the State in the interest of sovereignty and integrity of India or security of the State, etc., to which the provisions of the Act shall not apply.
- Persons authorized under other laws that empower the State or an instrumentality of the State to process data for the performance of any function under the law or for disclosure of information in fulfilment of any obligation under the law.
- Officer of MeitY designated for carrying out assessment for notifying any Data Fiduciary or Class of Data Fiduciaries as Significant Data Fiduciaries.
- Any other Official specifically designated to provide clarifications on the Act and the Rules.
Once these measures are undertaken, there will be a digital office of the DPB supported by the members of the Board and a group of employees, as well as one or more committees and officers, who together will constitute a “National DPDPA Governance Body”.
In this context it is interesting to compare this with the framework of regulatory functionaries set up under GDPR.
Under GDPR every Member State has set up a “Supervisory Authority” (SA), and the EU has also set up the EDPB (European Data Protection Board), with all the supervisory authorities being members of the EDPB.
While the SAs are entrusted with the responsibility of monitoring and supervising the implementation of GDPR in their respective Member States, the EDPB supervises consistency in the application of GDPR and other larger policy issues.
EDPB publishes guidelines from time to time on various issues related to GDPR implementation including clarifications on GDPR obligations, Rights of Data Subjects, Data Breach Notification, Cross Border Transfers etc. These supplement the recitals published as part of the GDPR which itself is reasonably elaborate compared to DPDPA.
The SA has the following tasks under Article 57 of GDPR:
- Monitor and enforce the application of this Regulation
- Promote public awareness
- Advise the government and other institutions and bodies on legislative and administrative measures
- Promote the awareness of controllers and processors of their obligations under this Regulation
- Provide information to any data subject concerning the exercise of their rights
- Handle complaints lodged by a data subject
- Cooperate with other supervisory authorities
- Conduct investigations on the application of this Regulation
- Monitor relevant developments
- Adopt standard contractual clauses
- Establish and maintain a list in relation to the requirement for data protection impact assessment
- Give advice on the processing operations
- Encourage the drawing up of codes of conduct
- Encourage the establishment of data protection certification mechanisms and of data protection seals and marks
- Carry out a periodic review of certifications issued
- Draft and publish the requirements for accreditation of a body for monitoring codes of conduct
- Conduct the accreditation of a body for monitoring codes of conduct
- Authorise contractual clauses and provisions
- Approve binding corporate rules
- Contribute to the activities of the Board
- Keep internal records of infringements of this Regulation and of measures taken
- Fulfil any other tasks related to the protection of personal data
As we can observe, this is a comprehensive list of responsibilities assigned to the SA. Correspondingly, powers are also vested in the SA, including the power to carry out investigations, to obtain access to any premises of a controller or processor including any data processing equipment, etc., besides the power to issue directives and impose penalties.
In comparison, in India the powers of the DPB are limited, and most of the above policy decisions have to be taken by the MeitY and the Committees or Officers designated for the purpose.
The powers of the Indian DPB will be restricted to the following:
(a) on receipt of an intimation of personal data breach, to direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act;
(b) on a complaint made by a Data Principal on a Data Fiduciary or a Consent Manager, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court, to inquire into such breach and impose penalty as provided in this Act;
(c) on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act; and
(d) on a reference made by the Central Government on a breach by an “Intermediary”, to inquire into such breach and impose penalty as provided in this Act.
The DPB in India will therefore essentially be an “Adjudication Body” to inquire and impose penalties.
While the DPB will have the general powers to conduct inquiries without being bound by the Civil Procedure Code and under the principles of natural justice, it cannot take into custody any equipment or prevent access to any premises.
The DPB can take the assistance of the Police when required for its investigation.
The decisions of DPB may be appealed to the TDSAT and thereafter to the Supreme Court.
While GDPR mentions that there is a right to remedy for Data Subjects, such compensation has to be claimed from the competent Courts. In DPB there is no mention of compensation to the Data Principal, but remedies are available under ITA 2000.
Since the power of DPB is limited to adjudication, most of the policy related clarifications need to come from the MeitY itself through the officers designated for the purpose.
Since any clarification arising from the MeitY will have the force of law, every advisory may be considered a legal prescription and may be questioned in a Court of Law.
Given the nature of litigations in India, we can expect that as and when any circular comes out of MeitY, a battery of lawyers will be trying to find some loophole under which it can be challenged.
To prevent such frivolous litigation, the DPDPA Rules have left many issues for interpretation by the industry itself. Since every Data Fiduciary is a “Trustee” and is responsible for taking care of the interest of the Data Principal, the legal responsibility to interpret the law lies with the Data Fiduciary itself.
All Data Fiduciaries therefore need to have adequate documentation and consultation to justify whatever stand they take about their compliance measures.
Naavi