
CHAPTER 5: COMPLIANCE FRAMEWORK

Data Protection Board of India

The Data Protection Board, which has taken the place of the previous Bills' Data Protection
Authority of India (or "DPAI"), appears to be more of a quasi-judicial organization by nature.
The DPAI's position was very similar to that of the European Union's Data Protection
Commissioner, although it was more involved in advising the Union Government on important
policy choices including cross-border data transfers. The provision has become increasingly
Union Government-focused, and the 2022 Bill appears to extend this authority even further. The
Data Protection Board of India seems to be less independent than the prior body.

The Data Protection Bill, 2022, in a troubling move, promotes the notion of tribunalization,
which India's legal system must depart from. It establishes the Data Protection Board, giving it
sole control over all legal issues relating to the Bill's contents. Additionally, it expressly
excludes the authority of civil courts in the process. Although the idea of establishing a dedicated
tribunal to handle data privacy matters seems appealing, it overlooks some significant problems.

First of all, by giving the executive arm more power, tribunalization inevitably lowers the status
of the courts. This poses a challenge to the separation of powers clause in the constitution, and it
is all the more significant given where Indian society stands now, with the judiciary at risk of
losing all autonomy from the administration.

Secondly, India has not had a promising record with tribunals in practice, despite the courts
being weighed down by pending cases. India's tribunals have subpar facilities and a worse track
record of performance. For instance, the Central Information Commission is presently
undergoing a grave crisis of staffing shortages and pending cases. As a result, cases filed presently
do not come up for first hearing for at least two years after they are filed, and officials are unable
to send any cases for a second hearing, choosing instead to quickly decide and wrap up the
matter without regard to whether or not justice is actually served.

Thirdly, the Data Protection Board's membership and structure, the selection procedure, the
policies and terms of appointments and operation, and the dismissal of its chairman and other
members are all subject to delegated legislation, which is left up to the government's prerogative.
Without sufficient direction from the legislature, the administration will be overly reliant on the
regulations that it creates. Justice B.N. Srikrishna expressed his concern on the matter during the
conference that the Data Protection Authority will turn into "a puppet of the government and will
have no independence." He emphasized the necessity of a strong and impartial Data Protection
Authority, as envisioned in the draft's 2018 revision.

The proposed Data Protection Board significantly dilutes the regulating entity. It shall be
established and constituted under certain restrictions, "as may be prescribed," and lacks authority
and independence. There are doubts as to how such a board will properly compel public
authorities to comply with the mandates. This becomes a bigger question given that most of
the electronic data of citizens is handled by one ministry or organization of the government or
another. Having the same branch decide upon the laws goes against the principle of justice.

Another issue that the Bill has created is that the credentials of the Board members are not
specified in the Draft Bill. It is advisable that the Board should include at least one member from
the judicial domain and one from the technical field for each decision, since the Board is planned
to undertake an adjudicative role. Including members from both domains will ensure
that rules, guidelines and everyday working are in accordance with advancements in
technology and with the rule of law.

Another problematic aspect associated with the Data Protection Board is that no time frame has
been provided for the Board's inquiry mechanism. This leaves the stakeholders muddled with
questions as to when the inquiry will be completed. It leaves open-ended questions and
outcomes and needs to be addressed in the subsequent draft.

Regarding the kinds of orders that the Board may issue, there is no clear direction. While the use
of mitigating measures by the individual is one of the considerations the Board would take into account
when assessing a penalty, it is unclear what specific mitigation measures may be used. Before
issuing final orders for the imposition of a fine, several laws allow regulatory and adjudicatory
agencies to issue rectification notes and orders for conformance. The kinds of orders that the
Board may issue should also be listed in the Draft Bill for better clarity.

There is, though, a noteworthy move in this respect. The scrapping of an
appellate tribunal and the introduction of a clause under which appeals shall be preferred to the High Court is
an appreciable attempt. The 60-day window that has been provided also creates a sufficient level
of satisfaction and creates a trust factor. But this raises a new question. Will there be a
board in every state, appeals against which can be taken to the respective High Court, or will the
appeal lie in a separate court?

Alternative Dispute Mechanism


The Bill provides a mechanism for the Data Protection Board to decide whether grievances may
be handled more effectively through mediation or other alternative conflict resolution
procedures, and it establishes a procedure for referring those complaints to such processes. This
is a step in the right direction toward supporting Alternative Dispute Resolution in the country.

But we need a more elaborate and in-depth explanation of how the process or mechanism is
meant to work or be undertaken. Introducing a rather new concept in a new law will definitely
need its own share of refinement and an eye for precision. To ensure that the parties choosing the
Alternative Dispute Resolution procedure are fully informed about the process that will be
followed, it will be essential for the Data Protection Board of India to issue a set of rules. A
similar method may be found in the EU GDPR, where Article 65 allows for derogation in the
event that Alternative Dispute Resolution is permitted.

Voluntary Undertaking
The Proposed Law also introduces the concept of ‘voluntary undertaking’. The Board may accept
a voluntary undertaking in respect of any matter related to compliance with provisions of
Proposed Law from any person at any stage. The Bill appears to encourage prompt
acknowledgment and correction of shortcomings through the issuance of a voluntary undertaking
since it places a strong emphasis on allowing compliance.

But what we need to keep in mind while going forward in this direction is that the concept of
voluntary undertaking must be transparent and just, especially in cases where both the parties in
the dispute are similarly placed.

Another issue that arises at this point is whether every instance of voluntary
undertaking shall be publicized or only specific instances of voluntary undertaking shall be made
public. The Bill needs to clarify this point.

Financial Penalty
The Bill establishes monetary fines between INR crore and INR 250 crore with a maximum of
INR 500 crore for each offence. This contrasts with a previous proposal for a more convoluted
fee based on a percentage of the relevant international revenue. Although the Bill specifies
procedures for evaluating fines, there is still a chance that the Board may feel compelled to
adhere to the given numerical level rather than recognizing it as a legitimate cap.

The failure to adhere to the responsibilities under the Draft Bill relating to data breaches carries
the most severe penalties. The Bill, in contrast to the former editions, does not mandate the
reimbursement of damages to data principals whose private information has been exposed. To
that end, the Bill requires data principals to refrain from filing a fictitious or baseless complaint
or claim with a data fiduciary or the Data Protection Board and from providing misleading
information when applying for any certificate, services, unique identification number, identity
proof, address proof, etc. The data principals may be fined up to INR 10,000 for any such
violations. The Proposed Law, in contrast to earlier versions, does not allow impacted data
owners to claim damages for violations by data fiduciaries. This could discourage people from
seeking expensive resolution before the Board. The Act needs to mandate that the Board issue
guidelines for determining the severity of sanctions (to bring in transparency). The Board's
judgments should also be made accessible to the general public.
