The Data Protection Board of India: Its Powers and Functions

On 7^th August 2023, the Lower House of the Indian Parliament, i.e., the Lok Sabha, passed the Digital Personal Data Protection Act2023 (DPDP). India now stands two steps away from finally having a comprehensive data privacy framework in place, with passing in Rajya Sabha and subsequent presidential assent as future steps towards it. While Introducing the Actin Lok Sabha, the Indian Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, remarked that “There’s this environment of big companies, small companies, and technology companies essentially creating business models by misusing and exploiting digital personal data of citizens. That’s something this Actintends to address.”

This blog will throw light upon the regulatory and adjudicatory body created under the aegis of the DPDP Bill, 2023, i.e., the Data Protection Board of India. It will discuss its composition, Term, Power, and procedure to state the importance of its role in the Indian Privacy Framework.

Also, read DPDP v. GDPR.

Composition & Qualification

The Indian government has been given the authority to establish the Data Protection Board of India as stated in Section 18 of the DPDP Bill, 2023. For this provision, the Board will be treated as a corporate body.

Section 19 of the DPDP Bill, 2023, provides details about the composition of the DPB. Outlines the qualifications required to serve as its Chairperson and members. It specifies that the appointment of the Chairperson will be at the discretion of the Central Government. As per this requirement, one member must have legal expertise in matters.

Remuneration & Term

The Board members will have a term of two years, as stated in Section 20 of the DPDP Bill, 2023. This provision also permits the possibility of being reappointed. Additionally, this section outlines grounds, for removing a Board member from their position, such as insolvency, conflict of interest, etc.

Powers & Functions

1. Section 26 of the DPDP Bill, 2023, outlines the responsibilities assigned to the Chairperson. According to this section:
2. The Chairperson is responsible for making decisions on matters within the Board.
3. The Chairperson has the authority to assign any board member to investigate any complaints received by the Board.
4. The Chairperson is authorized to preside over meetings.

Section 27 of the DPDP Bill, 2023, defines the powers and functions of the DPB. It grants the Board with authority to carry out and perform the following powers and functions;

1. Monitoring compliance with laws in case the Board receives any communication regarding a data breach. Suppose the DPB finds the concerned entity to be in breach of the Act. In that case, this Act has the authority to not only address imminent mitigation of remedial issues but also to impose penalties as per its provisions.
2. If the DPB receives any complaint, it can direct Data Fiduciaries to comply with legal requirements regarding the protection of personal data of Data Principals. If the DPB finds that the concerned entity is in breach of the Act, it can issue a penalty as per the provisions of this Act.
3. If any complaint is received, direct Consent Managers to comply with legal requirements regarding the protection of personal data of Data Principals. If the DPB finds the concerned entity to be in breach of the Act, then it shall issue a penalty per the provisions of this Act.
4. It shall allow the person concerned to hear per the natural law principles. If the DPB finds the concerned entity to be in breach of the Act, then it is empowered to issue a penalty per the provisions of this Act.
5. If any complaint is received, instruct Intermediaries to comply with legal requirements concerning the protection of personal data of Data Principals. If the DPB finds the concerned entity in breach of the Act, it has the authority to issue a penalty per the provisions of this Act.
   

Procedure

Section 28 of the DPDP Act2023 lays out the procedure to be followed by the DPB. It states that:

• The DPB shall function as a digital office as far as possible. All stages, from receiving complaints and conducting hearings to pronouncing rulings, shall be designed with a digital approach, and techno-legal measures shall be adopted to ensure the realization of this digital process.
• If any correspondence or complaint regarding a breach of the law is received, the DPB shall act in accordance with Section 27.
• The DPB shall decide upon whether the situation meets the standard required to go further with an inquiry.
• The DPB is required to write reasons in writing in case it decides that the case does not merit further inquiry.
• The DPB is required to write reasons in writing in case it decides that the case merits further inquiry.
• The DPB is required to conduct such an inquiry in light of the principles of natural justice.
• The DPB is granted the same powers as a Civil Court under the Code of Civil Procedure (CPC), 1908. It includes:

1. Issuing summons and examining people on oath
2. Receiving an affidavit that mandated the production of documents
3. Inspecting data, documents, and registers.
4. Other similar matters as provided.

• The DPB shall take the aid of any Central or State government police officer if required.
• The DPB shall issue interim orders if required. These orders can only be issued post, allowing the concerned person to be heard.
• The DPB post completion of inquiry shall proceed per Section 33 or close the proceedings depending upon its decision
• The DPB shall issue costs to the complainant if the allegation is found to be frivolous or malicious.
  

Also read, How will the DPDP Actaffect businesses’ data collection and processing practices?

Conclusion

India is now just a few steps away from having a comprehensive data privacy and protection legislative framework in place. It is crucial to start well, and this legislation, despite its shortcomings, is a very promising starting point for the Privacy framework in the Indian Jurisdiction. The creation of the Data Protection Board of India will significantly streamline the adjudication of non-compliance issues with the privacy law. The establishment of this Board not only centralized administrative and monitoring tasks but also reduced the burden on the already over-burdened Judiciary.

Summarizing, the Data Protection Board of India has huge potential to shape and formulate a robust data privacy landscape in the country. For its effective functioning, it is crucial that the DPB’s functioning aligns with the global best practices and strikes a balance between the protection rights of individual citizens and facilitating data-driven innovation in India.

Reach out to Tsaaro. If your business needs help complying with privacy regulations, our specialists are here to help. Send an email to info@tsaaro.com to get in touch.