º¬Ðß²ÝÉçÇø

º¬Ðß²ÝÉçÇø Digital Personal Data Protection Act, 2023 (DPDP), is finally a reality, therefore litigation under this new law is inevitable. It becomes imperative for entities to prepare for the challenges that may lie ahead.

Privacy v data protection

Right to privacy embodies a large number of rights and values. On the other hand, data protection is a right ordained by way of a statute, relating to one¡¯s digital identity.

Given that the right to privacy has been recognised as a fundamental right under article 21 of the Constitution of India, one could assume that a large number of cases alleging violation of this fundamental right are filed before various high courts under article 226, or directly before the Supreme Court under article 32. A combination of violation of data protection rights and the right to privacy can only be invoked against the state where ¡°legitimate use for processing of personal data by state (and thereby its instrumentalities)¡± is questioned.

For instance, a remedy for processing personal data, originally collected for the purposes of providing subsidies and benefits but subsequently used to seek feedback from citizens on initiatives during elections and thereby influence voters, may lie before the jurisdictional high court or the Supreme Court. But, such a writ jurisdiction cannot be invoked against private entities for enforcement of the right to privacy. For remedies against private entities, statutory rights guaranteed under the DPDP will need to be enforced and the mechanism provided under the act must be adhered to.

Data Protection Board

A Data Protection Board (DPB) is vested with a limited mandate to direct mitigation and remedial measures to inquire into a personal data breach and impose penalties. However, the DPB can only pick up cases under the following circumstances: (1) receipt of intimation of a personal data breach; (2) complaint by a data principal; (3) reference by the central or state governments; (4) directions of the court; and (5) failure by an intermediary to comply with the directions of the central government.

A bare reading of circumstances would indicate that the DPB lacks suo moto powers i.e. powers to be able to pick up cases on their own, should they find a practice that contravenes provisions of the DPDP. Authorities such as the Competition Commission of India (CCI) and even the Central Consumer Protection Authority have been empowered to take such suo moto cognisance of certain practices that affect the public or sector/market at large.

Suo moto powers enable an authority such as the DPB to bridge the gap between the law and technology, and also portrays a proactive functionality of the DPB.

Appellate tribunal

The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) has been appointed as the appellate tribunal under the DPDP. Unlike other legislations where there are separate tribunals specifically dealing with an area of law, the TDSAT deals with, among others, telecoms, airport tariffs, Aadhar (individual identification number) and cybercrimes, and will now also handle disputes under the DPDP as an appellate body.

The tribunal structure in India, despite its best intentions to provide faster resolution of disputes involving experts, has faced enormous opposition with mounting vacancies and pendency.

Dispute strategies

Since the DPDP is a specialised law, most disputes will end up going through the mechanism provided under the act, i.e. the DPB, and after that the appellate route of the tribunal and Supreme Court.

However, there could also be a hybrid model under different circumstances and different players within the DPDP, i.e. data fiduciary/data processor approaching the high court or even the Supreme Court seeking directions to be issued to the DPB.

Another situation to invoke the writ jurisdiction of the high court or Supreme Court directly, both by the data principal/data fiduciary, against orders of the DPB, are cases involving violations of the principles of natural justice.

Sectoral harmony

Certain unfair trade practices like coercive consent and cancellation trickery also violate the DPDP. There is a need to regulate such practices beyond the consumer protection perspective. In such a scenario, it is imperative for the Consumer Protection Authority and DPB to work together. The Central Consumer Protection Authority, set up under the Consumer Protection Act, 2019, also provides a platform for data principals to protect their rights. This authority does not merely isolate itself to protecting the rights of the consumers, but also provides compensation for the damages caused to consumers.

This remedy is currently not available under the DPDP (and therefore the DPB), so data principals (consumers) approach the Consumer Protection Authority for grievance redressal. Sectoral harmony will ensure that consumers/data principals are not left without any adequate remedy.

Cross-border disputes

While it is unclear as to the manner and the method that will be adopted by the DPB to adjudicate cross-border disputes, internationally various jurisdictions have adopted methods to ensure compliance and a breach of such compliance would then be targeted by the authority, constituted for the purposes of such breach.

To mitigate the compliance costs of cross-border data transfer, India can adopt a similar approach to that of the UK and US, which is an extension of the EU-US data privacy framework. The UK and EU have implemented country-specific data privacy frameworks with other countries in which they have a large number of companies. This framework comes with additional compliances to ensure that cross-border data meets the requirements of both countries to avoid further litigation.

Advocacy

Advocacy is one effective method to create awareness among the general public, as well as the businesses regarding the rights, obligations and functioning of the DPB under the DPDP. Certain specialised authorities like the CCI and Telecom Regulatory Authority of India (TRAI), have specific provisions (and thereby a separate wing within the authority) to conduct campaigns and create awareness about the law.

Additionally, consultation papers on data protection compliance would help businesses to process data with a better understanding of law. Conducting training programmes and certification courses on the DPDP and its rules would ensure better compliance. Finally, in line with the TRAI¡¯s Consumer Outreach Programme, introducing comparable outreach initiatives under the DPDP Act to address the grievances of data principals would be highly advantageous. These programmes could greatly improve compliance and strengthen the protection of individuals¡¯ data rights.

10 recommendations

• Establish a separate tribunal to deal with matters under the DPDP. Failing that, the government should look at creating special high court benches for direct appeals from orders of the DPB.
• Grant restricted suo moto powers to the DPB to strike a balance between innovation and privacy.
• A privacy framework with additional compliance in the case of cross-border data transfers for specific jurisdictions.
• Businesses based in India and present solely in India are relatively new to the concept of data protection. Therefore, a strict enforcement of the DPDP without active advocacy may not be the best strategy to implement the law. Continuous monitoring, compliance mechanisms and reporting that ultimately points to penalties for contraventions might be more effective.
• Penalties alone may not be an effective deterrent for companies operating on a large scale. Cease and desist orders, a ban on the application/website, and cancelling licences for repeated contraventions might lead to effective implementation of the law and achieve the ultimate purpose of the law.
• Empower the DPB to issue advance rulings on queries or questions of law that pose challenges to the industry.
• Enable the DPB to provide guidance on the minimum threshold of seriousness to claim non-material damages.
• Mandating data localisation by the government should not impede the companies¡¯ operational and fiscal efficiency due to the cost of establishing local data storage centres. Only in the case of a lack of stringent data protection laws would it be sound for the government to mandate data localisation.
• The DPDP does not provide for compensation to data principals. This must be included as part of the act.
• Power to issue guidelines and clarifications must be provided to the DPB. This power must stem from the act itself.