A well-equipped data protection board is a must for enforcing digital privacy laws, experts say

Legal professionals point out that the DPBI, established as a quasi-judicial body under the DPDP Act, needs trained technical and legal professionals, as well as institutional independence, to manage complex investigations and ensure effective compliance.

They also point to significant gaps in the framework, including a lack of clarity over the board’s operational structure and the absence of provisions on criminal liability and compensation in cases of data breaches.

The DPDP Law of 2023 imposes fines of up to $250 crore for violations, but experts emphasize that clear guidelines and strong institutional support are essential for effective implementation.

The DPBI, established under section 18(1) of the Act, acts as a quasi-judicial body to resolve disputes between individuals and data platforms accused of non-compliance. With civil court powers, the board can investigate violations, impose sanctions and resolve disputes.

Appeals from its decisions can reach the Telecommunications Disputes Settlement and Appellate Tribunal (TDSAT) and ultimately the Supreme Court.

“To strengthen the applicability of the DPDP Act and its rules, the government must focus on institutional and operational improvements,” said Akshayy S. Nanda, partner at Saraf and Partners.

“The board must be equipped with technical and legal professionals trained to handle complex investigations and enforce compliance effectively. In addition, sufficient budgetary support is needed to ensure that it fulfills its functions within quick timeframes, especially given the rapid evolution of the digital economy,” he added.

Ankit Sahni, partner at Ajay Sahni & Associates, emphasized that the board’s independence and provision of qualified experts are crucial to building credibility and ensuring fairness in law enforcement.

The DPB is intended to act as a quasi-judicial body to investigate non-compliance and impose sanctions. Appeals against its decisions will be filed before the Appellate Tribunal, the TDSAT, according to Arya Tripathy, partner at Cyril Amarchand Mangaldas.

However, the DPDP Rules provide limited information on the operationalization of the DPB and Court of Appeal provisions. Hopefully, these details will emerge through the consultation phase and the final rules will bring more clarity, experts say.

Need for criminal liability and compensation mechanisms

Some legal experts believe that adding criminal liability to data fiduciaries could act as a stronger deterrent in cases of fraud, negligence or willful default that cause serious harm to people.

“Criminal liability provisions in cases of serious data breaches could go a long way in ensuring stricter compliance,” said Nazneen Ichhaporia, partner at ANB Legal.

Ichhaporia also highlighted gaps in the current framework, particularly the lack of compensation mechanisms for data controllers whose personal data is compromised. He urged regulators to address this issue to protect people’s rights more effectively.

On January 3, the government published draft rules for public consultation under the Digital Personal Data Protection Law (DPDP), proposing various compliance measures.

These include mandatory identity verification for parents before minors under 18 can join online platforms; localization of personal data in India, with exemptions for certain countries notified by the government; and exceptional powers for the Center to access or retain personal data in matters related to national security without notifying the affected persons.

“To navigate compliance effectively, data fiduciaries must take a proactive approach, starting with robust data governance frameworks, comprehensive privacy impact assessments, and a culture of compliance at all organizational levels. Safeguards such as encryption, pseudonymization and regular audits are essential to mitigate risks. It is equally essential to invest in training programs and ensure that consent mechanisms are clear, specific and informed,” suggests Goldie Dhama, Partner, Deloitte India.

The role of the judiciary in shaping law enforcement

Legal experts highlighted the crucial role of courts in clarifying ambiguities in the law and ensuring fairness.

Ankit Sahni of Ajay Sahni & Associates said judicial interpretation will help establish procedural standards and balance the application of rules with constitutional rights. The courts can also act as a check against possible overreach or lack of compliance by the board.

“Judicial precedents will significantly shape the application of the DPDP Law, ensuring consistency, fairness and accountability. By balancing the rights of data principals with the operational needs of data fiduciaries, the courts will strengthen the legitimacy and effectiveness of the framework of data protection of India,” Akshayy S. Nanda of Saraf and Partners added.

The Digital Personal Data Protection (DPDP) Act, 2023 was formed through more than a decade of deliberations, starting with the AP Shah Justice Committee’s 2011 report recommending privacy legislation.

The need for a data protection law gained momentum following the 2017 Supreme Court ruling that recognized privacy as a fundamental right. Several drafts were proposed before the final version was approved by Parliament on August 9, 2023 and received presidential approval on August 11, 2023. The Law introduces strict rules for data protection, establishes the Data Protection Board and imposes severe sanctions to ensure compliance and responsibility.
