The newly minted Digital Personal Data Protection Act, 2023 (DPDP Act) has an inbuilt multilayered mechanism for addressing grievances.

Data fiduciaries — entities which determine the purpose and means of processing personal information — have certain obligations towards the data principals who are related to or identifiable by such information. Some of the former’s obligations correspond with the latter’s statutory rights — including access to a grievance redressal mechanism.

According to the Act, while requesting consent, a data fiduciary must provide data principals with specific information that includes a reference to this right of grievance redressal, as well as a description of how to make a complaint to the Data Protection Board of India (DPBI). The DPBI will have the powers of a civil court involving government-appointed subject-matter experts under the auspices of a ‘digital office’.

Essentially, a data fiduciary is required to protect the personal data in its possession (including data processed by a third party on its behalf) by taking reasonable security safeguards to prevent unauthorised processing, accidental disclosures and other incidents that may constitute a breach. If and when a breach occurs, the data fiduciary needs to inform the DPBI and each affected data principal about it, even if the breach is a minor one or relates to non-sensitive data. After receiving such intimation, the DPBI may direct urgent remedial or mitigation measures, as well as inquire into the breach and impose penalties. 

A data principal may also make a separate complaint to the DPBI about data breaches or non-performance of obligations. While the data fiduciary must respond to grievances within a stipulated period, data principals need to exhaust all avenues of redressal before approaching the DPBI.

Once the case reaches the DPBI, it gives an entity the opportunity of being heard, after which the Board may issue binding directions. In parallel, the DPBI will also decide if there are sufficient grounds to warrant an inquiry before closing or continuing with such proceedings. If yes, the DPBI will examine the affairs of the entity based on principles of natural justice. In each step, the DPBI will maintain a record of written and reasoned findings. Interim orders may be issued during this process.

After the entity is given another chance to defend itself, a monetary penalty, going up to ₹250 crore for each breach, with no aggregate cap, may be imposed.

While determining the quantum of penalty, the Board will consider factors such as the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach was repetitive; if the perpetrator made gains or avoided a loss; whether the entity in question took any actions to mitigate the effects of the breach, as well as the promptness and efficacy of such actions; whether the proposed penalty is proportionate and effective in terms of future compliance and deterrence; as well as the likely impact of such penalty on the obliged entity.

The DPBI may also direct the disputants towards mediation. A voluntary undertaking from the offending entity may be accepted in respect of future compliance. However, any failure to adhere to the terms of that undertaking will be deemed to be a breach.

And, if one is aggrieved by the order/direction from the DPBI itself, an appeal may be filed within 60 days before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) — the decision of which is further appealable before the Supreme Court. Like the DPBI, the TDSAT is intended to function as a digital office, bearing the powers of a civil court.

(The writer is a lawyer with S&R Associates, a law firm)