DPDP Act: The grievance redressal process
- September 25, 2023
- Posted by: OptimizeIAS Team
- Category: DPN Topics
Subject: Polity
Section: Legislation in news
Key Points:
- Data fiduciaries have certain obligations towards data principals, including providing access to a grievance redressal mechanism.
- The recently enacted Digital Personal Data Protection Act, 2023 (DPDP Act) has an inbuilt multilayered mechanism for addressing grievances.
- According to the Act, when requesting consent, a data fiduciary must provide data principals with specific information that includes a reference to this right of grievance redressal, as well as a description of how to make a complaint to the Data Protection Board of India (DPBI).
- The DPBI will have the powers of a civil court, involving government-appointed subject-matter experts under the auspices of a ‘digital office’.
- A data fiduciary is required to protect the personal data in its possession (including data processed by a third party on its behalf) by taking reasonable security safeguards to prevent unauthorised processing, accidental disclosures and other incidents that may constitute a breach.
The redressal system:
- If and when a breach occurs, the data fiduciary needs to inform the DPBI and each affected data principal about it, even if the breach is a minor one or relates to non-sensitive data.
- After receiving such intimation, the DPBI may direct urgent remedial or mitigation measures, as well as inquire into the breach and impose penalties.
- The data principals may also make a separate complaint to the DPBI about data breaches or non-performance of obligations.
- While the data fiduciary must respond to grievances within a stipulated period, data principals need to exhaust all avenues of redressal before approaching the DPBI.
- Once the case reaches the DPBI, it gives the entity an opportunity of being heard, after which the Board may issue binding directions.
- In parallel, the DPBI will also decide if there are sufficient grounds to warrant an inquiry before closing or continuing with such proceedings. If yes, the DPBI will examine the affairs of the entity based on principles of natural justice.
- In each step, the DPBI will maintain a record of written and reasoned findings. Interim orders may be issued during this process.
- After giving the entity another chance to defend itself, a monetary penalty, going up to ₹250 crore for each breach, with no aggregate cap, may be imposed.
- If one is aggrieved by the order/direction from the DPBI itself, an appeal may be filed within 60 days before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) — the decision of which is further appealable before the Supreme Court. Like the DPBI, the TDSAT is intended to function as a digital office, bearing the powers of a civil court.
Terms:
- “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. They are entities which determine the purpose and means of processing personal information.
- “Data Principal” means the individual to whom the personal data relates.
- “Digital office” means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode.