The Data Protection Board of India: Its Powers and
Functions :
On 7th August 2023, the Lower House of the Indian Parliament, i.e., the Lok Sabha, passed the Digital Personal Data Protection Act 202385 (DPDP). India now stands two steps away from finally having a comprehensive data privacy framework in place, with
passing in Rajya Sabha and subsequent presidential assent as future steps towards it. While Introducing the Actin Lok Sabha, the Indian Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, remarked that “There’s this environment of big companies, small companies, and technology companies essentially
creating business models by misusing and exploiting digital personal data of citizens. That’s something this Actintends to address.” This blog will throw light upon the regulatory and adjudicatory body created under the aegis of the DPDP Bill, 2023, i.e., the Data Protection Board of India. It will discuss its composition, Term, Power, and procedure to state the importance of its role in the Indian Privacy Framework.
Composition & Qualification :
The Indian government has been given the authority to establish the Data Protection Board of India as stated in Section 18 of the DPDP Bill, 2023. For this provision, the Board will be treated as a corporate body. Section 19 of the DPDP Bill, 2023, provides details about the composition of the DPB. Outlines the qualifications required to serve as its Chairperson and members. It specifies that the appointment of the Chairperson will be at the discretion of the Central Government. As per this requirement, one member must have legal expertise in matters.
Remuneration & Term :
The Board members will have a term of two years, as stated in Section 20 of the DPDP Bill, 2023. This provision also permits the possibility of being reappointed. Additionally, this section outlines grounds, for removing a Board member from their position, such as insolvency, conflict of interest, etc.
Powers & Functions :
- Section 26 of the DPDP Bill, 202386, outlines the responsibilities assigned to the Chairperson. According to this section:
- The Chairperson is responsible for making decisions on matters within the Board.
- The Chairperson has the authority to assign any board member to investigate any complaints received by the Board.
- The Chairperson is authorized to preside over meetings. Section 27 of the DPDP Bill, 202387, defines the powers and functions of the DPB.
It grants the Board with authority to carry
out and perform the following powers and functions;
- Monitoring compliance with laws in case the Board receives any communication regarding a data breach. Suppose the DPB finds the concerned entity to be in breach of the Act. In that case, this Act has the authority to not only address imminent mitigation of remedial issues but also to impose penalties as per its provisions.
- If the DPB receives any complaint, it can direct Data Fiduciaries to comply with legal requirements regarding the protection of personal data of Data Principals. If the DPB
finds that the concerned entity is in breach of the Act, it can issue a penalty as per the provisions of this Act. - If any complaint is received, direct Consent Managers to comply with legal requirements regarding the protection of personal data of Data Principals. If the DPB finds the concerned entity to be in breach of the Act, then it shall issue a penalty per the provisions of this Act.
- It shall allow the person concerned to hear per the natural law principles. If the DPB finds the concerned entity to be in breach of the Act, then it is empowered to issue a penalty per the provisions of this Act.
- . If any complaint is received, instruct Intermediaries to comply with legal requirements concerning the protection of personal data of Data Principals. If the DPB finds the concerned entity in breach of the Act, it has the authority to issue a penalty per the provisions of this Act.
Procedure :
Section 28 of the DPDP Act 2023 lays out the procedure to
be followed by the DPB. It states that88:
• The DPB shall function as a digital office as far as possible. All stages, from receiving complaints and conducting hearings to pronouncing rulings, shall be designed with a digital approach, and techno-legal measures shall be adopted to
ensure the realization of this digital process.
• If any correspondence or complaint regarding a breach of the law is received, the DPB shall act in accordance with Section 27.
• The DPB shall decide upon whether the situation meets the standard required to go further with an inquiry.
• The DPB is required to write reasons in writing in case it decides that the case does not merit further inquiry.
• The DPB is required to write reasons in writing in case it decides that the case merits further inquiry.
• The DPB is required to conduct such an inquiry in light of the principles of natural justice.
• The DPB is granted the same powers as a Civil Court under the Code of Civil Procedure (CPC), 1908.
