PART III
This blog post is a continuation of Part I and Part II of India’s new Data Protection Law: Simply Put. The first part covers the concept of the Act and Data Fiduciaries. The second part deals with the rights, duties and exemptions of Data Principals, the advisory on processing of children’s data, and cross-border transfer. This third part describes the establishment of the Data Protection Board and the penalties to be imposed for violating the Act.
Introduction
Data Protection Board of India[1]
The Central Government, under the Act, will set up the Data Protection Board of India (“Board”), a body corporate with the power to direct urgent and remedial mitigation measures in the event of a Personal Data breach or a contravention of any section of the Act. The Act confers on the Board the same powers as those of a civil court under the Code of Civil Procedure, 1908, for the discharge of its functions.
Key functions of the Board include monitoring compliance and imposing penalties, directing Data Fiduciaries to take necessary measures in the event of a data breach, and hearing grievances made by affected persons. Board members will be appointed for two years and will be eligible for re-appointment.
Any appeal from an order of the Board shall lie before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”), established under the Telecom Regulatory Authority of India Act, 1997. Any party aggrieved by an order of the TDSAT can file an appeal to the Supreme Court of India.
Penalties[2]
The Act has given the Board the authority to impose penalties and fines ranging from ₹10,000 to ₹250 crores. The Board, while determining the amount of the fine, will consider factors such as the nature, seriousness and duration of the breach, the type of Personal Data affected, any gains or losses resulting from the breach, and whether the fine imposed would act as a deterrent.
The Act does not impose any criminal liability or imprisonment on the person or entity responsible for a breach of Personal Data. This may, to some extent, make the law less powerful, because criminalising a wrongful act compels everyone to adhere to the rules; when such actions are no longer considered criminal, the strength of the law might diminish. Given this decriminalisation, however, high monetary fines and penalties are warranted.
However, the Central Government, on the request of the Board, can still instruct the appropriate agencies to shut down the apps or services of the entity involved in the breach. This, coupled with high fines, means Data Fiduciaries could experience major business disruptions due to their repeated non-compliance with the provisions of the Act.
The penalties given in the Schedule of the Act for failure to take reasonable security measures and for failure to notify the Board of a breach are stated as maximum amounts, with no minimum; the actual penalty imposed could be as low as ₹10,000. The Central Government may also amend these limits at its discretion and keep raising the maximum threshold.
Unless a minimum threshold is provided, the protection seems to be meaningless. Still, given the existing laws, the limits imposed are a step in the right direction. Although the Act could have followed the General Data Protection Regulation (“GDPR”) in linking penalties to revenue or business turnover, which would make the law equal in its application to all Data Fiduciaries, such limits do seem preposterous for smaller businesses.
In Sum
The Act marks a major step towards data privacy. It covers all kinds of data, focuses on clear consent, and sets up a Board to monitor data breach issues. However, there are still worries about possible breaches of the fundamental right to privacy, because of the exceptions granted for State data Processing, particularly on the basis of national security, and the exemptions for employers in the name of preventing corporate espionage. These exemptions might result in the collection, Processing and retention of more data than is genuinely necessary.
The Act still leaves certain crucial aspects unexplained, such as the specific role of a “Consent Manager” and the procedure for addressing grievances. Much of the finer details are deferred to rules that are anticipated to be introduced by the government.
Also, in a recent update, the Minister of State for Electronics and Information Technology Mr. Rajeev Chandrasekhar has said that the highly awaited and detailed rules will be notified by the government by the end of January 2024. Much of the air will be cleared once these rules come into force.
According to the list provided under Section 40(2) of the Act, around 25 rules will have to be notified by the government in order to give the Act and its application proper shape. It cannot be said, however, that this list is exhaustive, which implies that much is still on the horizon.
Furthermore, considering that each rule will be separately notified, corporates will have some leeway to navigate and ensure compliance.
– Archana Balasubramanian, Partner with Vineet Lathiya, Associate
[1] Sections 18 and 27 of the Act.
[2] Section 33 and the Schedule of the Act.