The Digital Personal Data Protection Act, 2023

DPDP Act (Explanation)

Chapter 1 – Preliminary

Explanation of Section 1:

Section 1 of the Digital Personal Data Protection Act provides the introductory and commencement details of the Act. 

Here’s an explanation of each sub-section:

1. Title and Name of the Act:

  • Sub-section (1) states that the Act is to be known as the “Digital Personal Data Protection Act, 2023.” This is the official title and name of the legislation.

2. Commencement Date:

  • Sub-section (2) specifies that the Act will come into effect on a date determined by the Central Government through an official notification published in the Official Gazette. This means that the Act becomes legally operational and enforceable on the date mentioned in the notification.
  • Additionally, the sub-section allows for different dates to be appointed for the commencement of different provisions of the Act. In such cases, any reference within the Act to the commencement of the Act itself should be understood as a reference to the commencement of the specific provision in question.

In summary, Section 1 of the Digital Personal Data Protection Act provides the formal name of the Act and outlines the process by which the Act will become effective, including the potential for different provisions to come into force on different dates.

Explanation of Section 2:

Refer to the Act for definitions.

Explanation of Section 3:

Section 3 of the Digital Personal Data Protection Act outlines the scope of application of the Act, defining the circumstances under which the Act will apply to the processing of personal data. Let’s break down each sub-section:

a) Application to Processing of Digital Personal Data within India:

  • Sub-section (a) states that the Act applies to the processing of digital personal data within the territory of India.
  • The Act covers situations where personal data is collected in digital form, as well as cases where personal data is collected in non-digital form and subsequently digitized.

b) Extraterritorial Application to Processing of Digital Personal Data:

  • Sub-section (b) extends the application of the Act beyond India’s borders.
  • The Act also applies to the processing of digital personal data outside the territory of India if such processing is linked to any activity related to offering goods or services to Data Principals (individuals to whom the data pertains) within the territory of India.
  • This provision reflects the Act’s intention to regulate data processing activities of entities based outside India that target Indian individuals.

c) Exemptions from Application:

  • Sub-section (c) specifies two categories of personal data processing that are exempt from the Act’s application:
    (i) Personal data processed by an individual for personal or domestic purposes is not covered by the Act. This recognizes the need for privacy in everyday personal activities.
    (ii) Personal data that is made publicly available either by the Data Principal (the individual to whom the data relates) or by any other person under a legal obligation in India to make such data publicly available is also exempt from the Act. This acknowledges situations where data is intentionally made public or when disclosure is required by law.

In summary, Section 3 defines the geographical and contextual scope of the Digital Personal Data Protection Act, specifying when and where the Act applies to the processing of digital personal data and outlining exemptions from its application.

Chapter 2 – Obligations of Data Fiduciary

Explanation of Section 4:

In this section, the guidelines for processing personal data are outlined. 

A person is permitted to process the personal data of a Data Principal, which refers to an individual whose personal data is being processed, in strict compliance with the provisions specified in this Act and for a purpose that is considered lawful. 

Such lawful purposes encompass situations where the Data Principal has provided explicit consent for data processing or when the processing falls within specific legitimate uses. To clarify, “lawful purpose” pertains to any purpose that is not explicitly prohibited by the law.

Explanation of Section 5:

Section 5 of the Digital Personal Data Protection Act outlines the procedures and requirements related to obtaining consent from a Data Principal (an individual to whom personal data pertains) for processing their personal data. 

Let’s break down the provisions: 

1. Consent Request and Notice:

  • When a Data Fiduciary (an entity determining the purpose and means of personal data processing) seeks consent from a Data Principal under section 6 of the Act, they are obligated to provide a notice along with or before the consent request.
  • This notice must inform the Data Principal about the following:
    (i) The specific personal data that is proposed to be processed.
    (ii) The purpose for which this personal data will be processed.
    (iii) How the Data Principal can exercise their rights as outlined in sub-section (4) of section 6 and section 13 of the Act.
    (iv) The procedure through which the Data Principal can lodge a complaint with the Data Protection Board (referred to as the “Board” in the Act). The exact procedure for making complaints will be defined by regulations.

2. Pre-existing Consent:

  • If a Data Principal had already given their consent for personal data processing prior to the Act coming into effect, the following steps are required:
    (a) The Data Fiduciary must promptly provide a notice to the Data Principal, containing the same information as mentioned above:
      (i) The personal data that has been processed.
      (ii) The purpose for which the personal data has been processed.
      (iii) How the Data Principal can exercise their rights under sub-section (4) of section 6 and section 13.
      (iv) The method by which the Data Principal can file a complaint with the Board.
    (b) The Data Fiduciary is allowed to continue processing the personal data unless the Data Principal chooses to withdraw their consent.

In essence, this section emphasizes the importance of informing Data Principals about the personal data being processed, the purposes for processing, their rights, and the procedure for filing complaints with the Board. For pre-existing consent, the Data Fiduciary is required to retrospectively provide the necessary information to the Data Principal and may continue processing unless consent is withdrawn.

It’s important to note that the specific procedures and details regarding notices, consent, and complaints will be further defined by the regulations and guidelines established under the Act.

Explanation of Section 6:

Section 6 of the Digital Personal Data Protection Act focuses on the concept of consent and outlines various aspects related to obtaining and withdrawing consent for the processing of personal data. Let’s break down each sub-section:

1. Nature of Consent:

  • Consent given by the Data Principal (individual to whom personal data pertains) must meet specific criteria:
    • It should be given freely, meaning without coercion or pressure.
    • It should be specific and relate to a clearly defined purpose.
    • The Data Principal should be informed about the processing of their personal data and understand its implications.
    • Consent should be unconditional and not subject to unrelated conditions.
    • It should be unambiguous, involving a clear and affirmative action that signifies agreement.
    • Consent should be limited to the personal data necessary for the specified purpose of processing.

2. Invalidation of Consent:

  • If any part of the consent infringes upon the provisions of the Act, its rules, or any other applicable law, that specific part of consent will be considered invalid only to the extent of the infringement.

3. Request for Consent:

  • Consent requests made under the Act or its rules must be presented to the Data Principal in clear and plain language.
  • The Data Principal should have the option to access the request in either English or any language specified in the Eighth Schedule to the Constitution.
  • Contact details of a Data Protection Officer (DPO), if applicable, or another authorized person from the Data Fiduciary should be provided for communication regarding the exercise of the Data Principal’s rights.

4. Right to Withdraw Consent:

  • If personal data processing is based on the consent of the Data Principal, they have the right to withdraw their consent at any time.
  • The process of withdrawing consent should be as easy as giving it initially.

5. Consequences of Withdrawal:

  • If a Data Principal withdraws their consent, the consequences of such withdrawal are the Data Principal’s responsibility.
  • The withdrawal of consent does not affect the legality of processing personal data that occurred based on the consent before its withdrawal.

6. Obligation to Cease Processing:

  • If a Data Principal withdraws their consent, the Data Fiduciary and its Data Processors must cease processing the Data Principal’s personal data within a reasonable timeframe.
  • However, there are exceptions where processing without consent may still be required or authorized under the Act, its rules, or other applicable laws.

7. Consent Manager:

  • A Consent Manager is an intermediary registered with the Board who facilitates the giving, management, review, and withdrawal of consent by the Data Principal.
  • The Consent Manager acts on behalf of the Data Principal and is accountable to them.

8-9. Registration of Consent Manager:

  • Consent Managers must be registered with the Board according to prescribed technical, operational, financial, and other conditions.

10. Proof of Consent:

  • If a question arises in a proceeding regarding the basis of processing personal data through consent, the Data Fiduciary must demonstrate that the Data Principal was provided with proper notice and gave their consent in accordance with the Act and its rules.

In summary, Section 6 outlines the principles and processes related to obtaining, withdrawing, and managing consent for the processing of personal data, emphasizing transparency, clarity, and the Data Principal’s control over their data.

Explanation of Section 7:

Section 7 of the Digital Personal Data Protection Act enumerates the various permissible purposes for which a Data Fiduciary (an entity processing personal data) can process the personal data of a Data Principal (an individual to whom the data pertains). Here’s an explanation of each sub-section:

a) Specified Purpose and Voluntary Consent:

  • A Data Fiduciary can process the personal data of a Data Principal for the specified purpose for which the Data Principal voluntarily provided their personal data to the Data Fiduciary. This processing can occur as long as the Data Principal has not indicated their lack of consent to the use of their personal data for that purpose.

b) State and its Instrumentalities:

  • Personal data can be processed by the State and its instrumentalities to provide or issue subsidies, benefits, services, certificates, licenses, or permits as prescribed.
  • This is subject to two conditions:
    (i) The Data Principal must have previously consented to the processing of their personal data by the State or its instrumentalities for the specified purposes.
    (ii) The personal data must be available in digital form or digitized from databases, registers, books, or other documents maintained by the State or its instrumentalities and notified by the Central Government.
  • Processing should adhere to the standards defined by the Central Government’s policy or any existing law governing personal data.

c) State Functions and National Security:

  • Personal data can be processed for the performance of functions by the State or its instrumentalities under Indian laws or in the interest of India’s sovereignty, integrity, or national security.

d) Legal Obligations and Disclosure:

  • Personal data can be processed to fulfill obligations under existing Indian laws, where individuals or entities are required to disclose information to the State or its instrumentalities.
  • This processing must comply with the provisions related to information disclosure in the respective laws.

e) Legal Judgments or Orders:

  • Personal data can be processed to comply with judgments, decrees, or orders issued under Indian laws or foreign laws related to contractual or civil claims.

f) Medical Emergency:

  • Personal data can be processed in response to a medical emergency that poses a threat to the life or immediate health of the Data Principal or another individual.

g) Epidemics and Public Health:

  • Processing can occur to provide medical treatment or health services to individuals during epidemics, disease outbreaks, or other threats to public health.

h) Disaster or Public Order:

  • Personal data can be processed to ensure the safety of, or provide assistance or services to, individuals during disasters or breakdowns of public order.

i) Employment and Safeguarding:

  • Personal data can be processed for employment-related purposes or to safeguard employers from losses or liabilities. This includes preventing corporate espionage, maintaining confidentiality of trade secrets, intellectual property, classified information, and providing services or benefits to employee Data Principals.

Overall, Section 7 outlines the permissible uses of personal data by Data Fiduciaries, ensuring that processing is aligned with various legal and security considerations while respecting the rights and privacy of Data Principals.

Explanation of Section 8:

Section 8 of the Digital Personal Data Protection Act outlines the responsibilities and obligations of a Data Fiduciary (an entity processing personal data) with respect to processing and protection of personal data. Here’s an explanation of each sub-section:

1. Overall Responsibility:

  • Regardless of any agreement or failure on the part of the Data Principal (individual to whom personal data pertains) to fulfill their duties under the Act, a Data Fiduciary is accountable for complying with the provisions of the Act and its rules concerning any processing conducted by the Data Fiduciary or on its behalf by a Data Processor.

2. Engaging Data Processors:

  • A Data Fiduciary is allowed to engage a Data Processor (an entity processing personal data on behalf of a Data Fiduciary) for processing personal data related to offering goods or services to Data Principals, but only through a valid contract.

3. Ensuring Data Quality:

  • When personal data processed by a Data Fiduciary is likely to be used for making decisions affecting the Data Principal or disclosed to another Data Fiduciary, the Data Fiduciary must ensure that the data is complete, accurate, and consistent.

4. Implementing Measures:

  • A Data Fiduciary is required to establish appropriate technical and organizational measures to effectively adhere to the Act and its rules.

5. Security Safeguards:

  • A Data Fiduciary must safeguard personal data in its possession or under its control, including data processed by Data Processors, by implementing reasonable security measures to prevent personal data breaches.

6. Personal Data Breach Intimation:

  • In case of a personal data breach, the Data Fiduciary must inform the Data Protection Board and each affected Data Principal about the breach in the manner prescribed by regulations.

7. Data Erasure:

  • Unless retention is necessary for compliance with the law, a Data Fiduciary must erase personal data when the Data Principal withdraws consent or when it’s reasonable to assume that the specified purpose for processing is no longer being served. The Data Fiduciary must also ensure that Data Processors erase personal data provided to them.

8. Deeming Purpose No Longer Served:

  • The purpose mentioned in sub-section 7(a) (erasing personal data) is considered no longer served if the Data Principal doesn’t approach the Data Fiduciary for performance of the purpose and doesn’t exercise their rights in relation to the processing for a prescribed period. Different time periods can be prescribed for various classes of Data Fiduciaries and purposes.

9. Publishing Contact Information:

  • A Data Fiduciary, if applicable, must publish the business contact information of a Data Protection Officer or a person who can address questions raised by Data Principals about the processing of their personal data.

10. Grievance Redressal Mechanism:

  • A Data Fiduciary must establish an effective mechanism for addressing the grievances of Data Principals.

11. Approach by Data Principal:

  • This sub-section clarifies that a Data Principal is considered not to have approached the Data Fiduciary for the specified purpose if there’s no initiation of contact with the Data Fiduciary in person or through electronic or physical communication.

In summary, Section 8 places significant responsibilities on Data Fiduciaries to ensure compliance, data quality, security, and grievance redressal, ultimately safeguarding the rights and interests of Data Principals in the processing of their personal data.

Explanation of Section 9:

Section 9 of the Digital Personal Data Protection Act pertains to the processing of personal data related to children and persons with disabilities. This section establishes safeguards and restrictions to ensure the protection and well-being of individuals who may be more vulnerable in the context of data processing. Let’s break down each sub-section:

1. Verifiable Consent of Parents or Lawful Guardians:

  • Before processing the personal data of a child or a person with a disability who has a lawful guardian, the Data Fiduciary (entity processing the data) must obtain verifiable consent from the parent or lawful guardian.
  • The manner of obtaining this consent will be specified in the regulations.
  • The term “consent of the parent” includes the consent of a lawful guardian when applicable.

2. Well-being of Children:

  • A Data Fiduciary is prohibited from processing personal data in a way that is likely to cause any detrimental effect on the well-being of a child.

3. Restrictions on Tracking and Advertising:

  • A Data Fiduciary is prohibited from engaging in tracking or behavioral monitoring of children or conducting targeted advertising directed at children.

4. Exceptions and Prescribed Classes:

  • The requirements of sub-sections (1) and (3) regarding consent and tracking/advertising restrictions are subject to exceptions.
  • The Act allows for the possibility of certain classes of Data Fiduciaries or specific purposes to be prescribed, along with associated conditions, where these restrictions may not apply.

5. Exemption from Obligations Based on Safety Measures:

  • The Central Government has the authority to exempt a Data Fiduciary from the obligations specified in sub-sections (1) and (3) if it is satisfied that the Data Fiduciary’s processing of personal data of children is conducted in a verifiably safe manner.
  • The exemption would specify the age above which the Data Fiduciary is no longer subject to the obligations outlined in sub-sections (1) and (3) regarding consent and tracking/advertising restrictions.

In summary, Section 9 aims to protect children and persons with disabilities by establishing rules for obtaining consent from parents or lawful guardians, ensuring the well-being of children during data processing, and prohibiting certain types of tracking and advertising targeted at children. It also provides flexibility for certain categories of Data Fiduciaries and purposes, as well as the possibility of exemption based on verifiable safety measures.

Explanation of Section 10: 

Section 10 of the Digital Personal Data Protection Act focuses on the concept of “Significant Data Fiduciaries,” which are entities processing a significant volume of sensitive personal data. This section outlines the criteria and obligations for such entities. Let’s break down each sub-section:

1. Identification of Significant Data Fiduciaries:

  • The Central Government has the authority to designate certain Data Fiduciaries or classes of Data Fiduciaries as “Significant Data Fiduciaries” based on an assessment of various relevant factors, which may include:
    • Volume and sensitivity of personal data processed.
    • Risk to the rights of Data Principals (individuals to whom the data pertains).
    • Potential impact on the sovereignty and integrity of India.
    • Risk to electoral democracy.
    • Security of the State.
    • Maintenance of public order.

2. Obligations of Significant Data Fiduciaries:

Significant Data Fiduciaries, once identified, are subject to specific obligations: 

(a) Appointment of Data Protection Officer (DPO):

  • A DPO must be appointed by the Significant Data Fiduciary.
  • The DPO’s responsibilities include representing the Significant Data Fiduciary under the Act, being based in India, reporting to the Board of Directors or similar governing body, and serving as the point of contact for grievance redressal mechanisms.

(b) Appointment of Independent Data Auditor:

  • A Significant Data Fiduciary must appoint an independent data auditor to conduct data audits.
  • The data auditor evaluates the Significant Data Fiduciary’s compliance with the Act’s provisions.

(c) Other Measures:

  • Significant Data Fiduciaries are required to take several other measures:
    (i) Periodic Data Protection Impact Assessment (DPIA): This involves a process that describes Data Principals’ rights and the purpose of processing their personal data. It assesses and manages risks to Data Principals’ rights and includes other prescribed matters.
    (ii) Periodic Audit: Regular audits must be conducted to evaluate compliance with the Act’s provisions.
    (iii) Additional Measures: Significant Data Fiduciaries must undertake other measures consistent with the Act, as prescribed.

In essence, Section 10 aims to ensure enhanced data protection for individuals by imposing specific obligations on entities that are identified as Significant Data Fiduciaries based on their volume of sensitive personal data processing and potential impact on various aspects of society and governance. These obligations include appointing a Data Protection Officer, conducting data audits, and implementing other protective measures.

Chapter 3 – Rights and Duties of Data Principal

Explanation of Section 11:

Section 11 of the Digital Personal Data Protection Act grants certain rights to Data Principals (individuals whose personal data is being processed) regarding their data and its processing by Data Fiduciaries (entities processing the data). This section outlines the specific rights and conditions under which these rights apply. 

Let’s break down each sub-section:

1. Right to Obtain Information from Data Fiduciary:

  • Sub-section (1) establishes the Data Principal’s right to obtain certain information from the Data Fiduciary to whom they have given consent for the processing of their personal data.
  • To exercise this right, the Data Principal can make a request to the Data Fiduciary in the manner prescribed by regulations.
  • The information that the Data Principal has the right to obtain includes:
    (a) A summary of the personal data being processed by the Data Fiduciary, along with details of the processing activities carried out by the Data Fiduciary in relation to that personal data.
    (b) The identities of other Data Fiduciaries and Data Processors with whom the personal data has been shared by the Data Fiduciary, along with a description of the shared personal data.
    (c) Any other information related to the personal data and its processing, as prescribed by regulations.

2. Exemption for Sharing of Personal Data for Legal Purposes:

  • Sub-section (2) introduces an exemption for certain situations where personal data is shared by the Data Fiduciary with other Data Fiduciaries authorized by law to obtain such data.
  • This exemption applies specifically to the information requested under clause (b) or clause (c) of sub-section (1).
  • The sharing of personal data is exempt from the requirements of providing information under sub-section (1) when such sharing is carried out in response to a written request made by another Data Fiduciary. This request must be for the purpose of preventing, detecting, or investigating offenses or cyber incidents, or for the prosecution or punishment of offenses.
  • Essentially, this exemption recognizes the need for data sharing for legal and law enforcement purposes.

In summary, Section 11 of the Digital Personal Data Protection Act empowers Data Principals with the right to request certain information about their personal data and its processing from the Data Fiduciaries. It also provides an exemption for sharing personal data with other authorized Data Fiduciaries for specific legal purposes.

Explanation of Section 12:

Section 12 of the Digital Personal Data Protection Act outlines the rights of Data Principals (individuals whose personal data is being processed) regarding the accuracy, completeness, updating, and erasure of their personal data. This section provides the Data Principal with the ability to rectify inaccurate or incomplete data and request the deletion of their personal data under certain conditions. 

Let’s break down each sub-section:

1. Right to Correction, Completion, Updating, and Erasure:

  • Sub-section (1) establishes the Data Principal’s right to correction, completion, updating, and erasure of her personal data for which she has previously given consent, including consent under clause (a) of section 7.
  • This right must be exercised in accordance with any requirement or procedure stipulated by any applicable law.

2. Obligations of Data Fiduciary for Correction, Completion, and Updating:

  • Sub-section (2) outlines the obligations of the Data Fiduciary upon receiving a request from a Data Principal for correction, completion, or updating of her personal data.
  • The Data Fiduciary is required to:
    (a) Correct inaccurate or misleading personal data.
    (b) Complete incomplete personal data.
    (c) Update personal data to ensure its accuracy and relevance.

3. Right to Erasure of Personal Data:

  • Sub-section (3) establishes the Data Principal’s right to request the erasure (deletion) of her personal data from the Data Fiduciary’s records.
  • To exercise this right, the Data Principal must make a request to the Data Fiduciary in the manner prescribed by regulations.
  • Upon receiving such a request, the Data Fiduciary is obligated to erase the Data Principal’s personal data, unless the retention of the data is necessary for the specified purpose or for compliance with any applicable law.
  • This provision ensures that individuals have the ability to have their personal data removed from records in certain circumstances.

In summary, Section 12 of the Digital Personal Data Protection Act grants Data Principals the right to request the correction, completion, updating, and erasure of their personal data. The Data Fiduciary is obliged to fulfill these requests in accordance with the provisions of the Act and any relevant laws. 

Explanation of Section 13:

Section 13 of the Digital Personal Data Protection Act grants Data Principals (individuals whose personal data is being processed) the right to seek grievance redressal in relation to any actions or omissions of a Data Fiduciary or Consent Manager concerning their personal data and the exercise of their rights under the Act. This section outlines the process and conditions for addressing grievances. Let’s break down each sub-section:

1. Right to Grievance Redressal:

  • Sub-section (1) establishes the Data Principal’s right to have accessible and effective means of grievance redressal provided by a Data Fiduciary or Consent Manager.
  • This right applies to any actions or omissions of the Data Fiduciary or Consent Manager related to the Data Principal’s personal data or the exercise of her rights under the Act and its associated rules.

2. Obligation to Respond to Grievances:

  • Sub-section (2) outlines the obligation of the Data Fiduciary or Consent Manager to respond to grievances raised by Data Principals.
  • The Data Fiduciary or Consent Manager is required to provide a response within a timeframe prescribed by regulations, starting from the date of receipt of the grievance.
  • The prescribed timeframe may vary for different classes of Data Fiduciaries.

3. Exhaustion of Grievance Redressal Opportunity:

  • Sub-section (3) stipulates that the Data Principal is required to utilize the opportunity for redressing her grievance through the means provided by the Data Fiduciary or Consent Manager (as outlined in sub-sections 1 and 2) before approaching the Data Protection Board (referred to as the “Board”).
  • In other words, the Data Principal must attempt to resolve the grievance through the internal grievance redressal mechanism provided by the Data Fiduciary or Consent Manager before seeking resolution from the Board.

In summary, Section 13 of the Digital Personal Data Protection Act ensures that Data Principals have access to mechanisms for addressing grievances related to the processing of their personal data and their rights under the Act. Data Fiduciaries and Consent Managers are obligated to respond to these grievances within a prescribed timeframe. Data Principals are required to attempt resolution through these internal mechanisms before approaching the Data Protection Board. 

Explanation of Section 14:

Section 14 of the Digital Personal Data Protection Act provides Data Principals (individuals whose personal data is being processed) with the right to nominate another individual to exercise their rights in the event of their death or incapacity. This section ensures that the rights granted to Data Principals under the Act continue to be protected even if they are no longer able to exercise those rights themselves. 

Let’s break down each sub-section:

1. Right to Nominate Another Individual:

  • Sub-section (1) establishes the Data Principal’s right to nominate another individual to act on their behalf.
  • This nomination is in the context of situations where the Data Principal either passes away or becomes incapacitated (unable to exercise their rights) due to unsoundness of mind or infirmity of body.
  • The nomination must be made in the manner prescribed by regulations.

2. Definition of “Incapacity”:

  • Sub-section (2) provides a definition for the term “incapacity.”
  • In this context, “incapacity” refers to the inability of the Data Principal to exercise their rights under the provisions of the Act or its associated rules due to unsoundness of mind or infirmity of body.

In summary, Section 14 of the Digital Personal Data Protection Act grants Data Principals the right to nominate another individual who can exercise their rights on their behalf in case of death or incapacity. This provision ensures that even in such circumstances, the protection of personal data and the rights of Data Principals are upheld under the Act and its rules. 

Explanation of Section 15:

Section 15 of the Digital Personal Data Protection Act outlines the duties that a Data Principal (individual whose personal data is being processed) is required to perform while exercising their rights under the provisions of the Act. These duties are aimed at ensuring the responsible and ethical use of personal data. 

Let’s break down each duty:

1. Duty to Comply with Applicable Laws:

  • Sub-section (a) specifies that the Data Principal must comply with all relevant and applicable laws that are currently in force while exercising their rights under the Act.
  • This duty emphasizes the importance of adhering to legal requirements when engaging with the provisions of the Act.

2. Duty to Provide Accurate Information:

  • Sub-section (b) requires the Data Principal to provide accurate and truthful personal data for a specified purpose.
  • The Data Principal is not allowed to impersonate another person while providing personal data.

3. Duty to Provide Complete Information to Authorities:

  • Sub-section (c) mandates that the Data Principal must not suppress any material information while providing personal data for documents such as unique identifiers, proofs of identity, or proofs of address issued by the State or its instrumentalities.
  • This duty ensures that official documents and records contain complete and accurate information.

4. Duty Regarding Grievance and Complaints:

  • Sub-section (d) states that the Data Principal should refrain from registering false or frivolous grievances or complaints with a Data Fiduciary (entity processing personal data) or the Data Protection Board.
  • This duty discourages the misuse of grievance mechanisms for illegitimate purposes.

5. Duty to Provide Verifiably Authentic Information:

  • Sub-section (e) requires the Data Principal to furnish only verifiably authentic information when exercising the right to correction or erasure under the Act or its associated rules.
  • This duty underscores the importance of providing accurate and genuine information when seeking corrections or erasures of personal data.

In summary, Section 15 of the Digital Personal Data Protection Act outlines several duties that Data Principals are obligated to fulfill while exercising their rights under the Act. These duties contribute to responsible data handling, accurate information provision, and ethical behavior in the context of personal data processing and protection.

Chapter 4 – Special Provisions

Explanation of Section 16:

Section 16 of the Digital Personal Data Protection Act grants the Central Government the authority to restrict the transfer of personal data by a Data Fiduciary (entity processing personal data) to specific countries or territories outside of India through a notification. This provision is aimed at safeguarding the privacy and security of personal data, particularly when it is transferred to foreign jurisdictions. 

Let’s break down each sub-section:

1. Authority to Restrict Data Transfer:

  • Sub-section (1) empowers the Central Government to issue a notification that imposes restrictions on the transfer of personal data by a Data Fiduciary to a specific country or territory outside of India.
  • This notification could be based on considerations related to data protection, privacy, national security, and other relevant factors.

2. Protection of Existing Laws:

  • Sub-section (2) clarifies that the restrictions imposed under this section do not override or affect the applicability of any other law that is currently in force in India.
  • If any existing law provides for a higher level of protection or places additional restrictions on the transfer of personal data by a Data Fiduciary outside of India, those provisions will still apply.

In summary, Section 16 of the Digital Personal Data Protection Act allows the Central Government to restrict the transfer of personal data by a Data Fiduciary to certain foreign countries or territories through a notification. However, this provision does not override any existing laws that offer greater protection or impose stricter restrictions on data transfers. The goal is to ensure that the transfer of personal data maintains a balance between privacy concerns and legitimate interests.

Explanation of Section 17:

Section 17 of the Digital Personal Data Protection Act provides exceptions to the application of certain provisions of the Act in specific situations. These exceptions are outlined in various sub-sections, which I’ll explain in detail:

1. Exceptions for Specific Situations (Sub-sections 1-4):

  • Sub-section (1) states that certain provisions of Chapter II (except sub-sections 1 and 5 of section 8), along with the provisions of Chapter III and section 16, shall not apply in certain scenarios listed in points (a) to (f).
  • Points (a) through (f) outline circumstances where the Act’s provisions are exempted, including when processing personal data is necessary for enforcing legal rights or claims, when processed by courts, for law enforcement purposes, in cases of cross-border contracts, for corporate restructuring, or for financial information purposes.

2. Exemption for State Instrumentalities and Research (Sub-sections 2 and 3):

  • Sub-section (2) states that the Act’s provisions do not apply to the processing of personal data by an instrumentality of the State that is notified by the Central Government, if the processing is in the interest of national security, public order, or foreign relations.
  • Sub-section (2)(b) provides an exemption for processing personal data for research, archiving, or statistical purposes, as long as the data is not used to make specific decisions about Data Principals.

3. Exemption for Certain Data Fiduciaries (Sub-section 3):

  • Sub-section (3) allows the Central Government to notify specific Data Fiduciaries or classes of Data Fiduciaries, including startups, to whom certain provisions of the Act (section 5, sections 8(3) and 8(7), and sections 10 and 11) shall not apply. This could be based on the volume and nature of personal data processed.

4. Specific Exemptions for State Processing (Sub-section 4):

  • Sub-section (4) clarifies that for processing by the State or any instrumentality of the State, certain provisions (section 8(7), section 12(3), and section 12(2) if the purpose doesn’t affect Data Principals) will not apply.

5. Temporary Exemptions (Sub-section 5):

  • Sub-section (5) allows the Central Government to declare, through notification, that certain provisions of the Act will not apply to specific Data Fiduciaries or classes of Data Fiduciaries for a specified period, not exceeding five years from the commencement of the Act.

In summary, Section 17 provides a set of circumstances and conditions under which certain provisions of the Digital Personal Data Protection Act are exempted from application. These exemptions are intended to accommodate specific situations, including legal rights enforcement, state instrumentalities, research purposes, corporate activities, and other cases where data processing is essential but subject to different standards or requirements.

Chapter 5 – Data Protection Board of India

Explanation of Section 18: 

Section 18 of the Digital Personal Data Protection Act establishes the Data Protection Board of India as a regulatory body responsible for overseeing and implementing the provisions of the Act. 

Here’s a breakdown of this section:

1. Establishment of the Board (Sub-section 1):

  • The Central Government is authorized to establish a regulatory body called the Data Protection Board (DPB) of India. The establishment of the Board will be effective from the date specified in the notification issued by the Central Government.

2. Nature and Juridical Status of the Board (Sub-section 2):

  • The Board is constituted as a body corporate with its own legal identity. It has perpetual succession, which means it continues to exist regardless of changes in its members or leadership.
  • The Board is granted the power to hold and manage property, both movable (like equipment and vehicles) and immovable (like land and buildings). It also has the authority to enter into contracts.
  • The Board has the ability to sue or be sued in its own name, implying it can initiate legal proceedings or be subject to legal actions as an independent entity.

3. Headquarters of the Board (Sub-section 3):

  • The primary office or headquarters of the Data Protection Board of India will be located at a place designated by the Central Government. The location of the headquarters will be officially notified by the Central Government.

In essence, Section 18 establishes the Data Protection Board of India as a separate legal entity with the authority to regulate and enforce the provisions of the Digital Personal Data Protection Act. The Board is empowered to handle administrative, regulatory, and legal matters related to data protection and privacy within the country.

Explanation of Section 19:

Section 19 of the Digital Personal Data Protection Act pertains to the composition and appointment of the members of the Data Protection Board of India. 

Let’s break down this section:

1. Composition of the Board (Sub-section 1):

  • The Board is composed of two primary categories of members: a Chairperson and other Members.
  • The total number of members in the Board, including the Chairperson, is determined by the Central Government, which has the authority to notify the specific number.

2. Appointment of Chairperson and Members (Sub-section 2):

  • The process of appointing both the Chairperson and other Members of the Board is carried out by the Central Government.
  • The manner in which the appointments are made is prescribed by relevant rules or regulations.

3. Qualifications and Expertise (Sub-section 3):

  • The Chairperson and other Members of the Board must possess certain qualifications and expertise:
    • They should be individuals with ability, integrity, and standing in their respective fields.
    • They should have specialized knowledge or practical experience in specific areas, including but not limited to data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or other relevant fields.
    • At least one of the members should be an expert in the field of law.

In summary, Section 19 outlines the structure of the Data Protection Board of India by specifying the composition of the Board, the appointment process for the Chairperson and other Members, and the qualifications and expertise required for these individuals. This ensures that the Board consists of competent and knowledgeable members who can effectively oversee and implement the provisions of the Digital Personal Data Protection Act.

Explanation of Section 20:

Section 20 of the Digital Personal Data Protection Act relates to the terms of service and tenure of the Chairperson and other Members of the Data Protection Board of India. 

Let’s break down this section:

1. Salary, Allowances, and Terms of Service (Sub-section 1):

  • The remuneration, allowances, and other terms and conditions of service for both the Chairperson and other Members of the Data Protection Board are determined by regulations or rules.
  • Once appointed, these terms and conditions cannot be changed to the disadvantage of the Chairperson and Members during their tenure.

2. Tenure of Office (Sub-section 2):

  • Both the Chairperson and other Members of the Board hold office for a specific term of two years.
  • After the completion of their initial term, they are eligible for reappointment for subsequent terms.

In summary, Section 20 ensures that the Chairperson and Members of the Data Protection Board of India are provided with appropriate remuneration, allowances, and terms of service, and their conditions of service cannot be worsened once appointed. Additionally, it sets a fixed term of two years for their tenure, with the possibility of reappointment for subsequent terms. This helps establish stability and continuity in the functioning of the Board.

Explanation of Section 21:

Section 21 of the Digital Personal Data Protection Act outlines the disqualifications for being appointed or continuing as the Chairperson or a Member of the Data Protection Board of India. Let’s break down this section:

1. Disqualifications for Appointment (Sub-section 1): The following conditions disqualify a person from being appointed or continuing as the Chairperson or a Member of the Data Protection Board:

(a) Adjudged as an Insolvent: If a person has been declared insolvent by a court, they are disqualified. Insolvency refers to the inability to pay one’s debts.

(b) Turpitude: If a person has been convicted of an offense that, in the opinion of the Central Government, involves moral turpitude, they are disqualified. Moral turpitude refers to behavior that goes against accepted moral standards.

(c) Physical or Mental Incapacity: If a person becomes physically or mentally incapable of performing their duties as a Member, they are disqualified.

(d) Conflicting Financial or Other Interests: If a person acquires a financial or other interest that is likely to adversely affect their functions as a Member, they are disqualified. This is to prevent conflicts of interest.

(e) Abuse of Position: If a person has abused their position in a way that is prejudicial to the public interest, they are disqualified. This is to ensure that individuals with integrity and ethical conduct hold these positions.

2. Opportunity for Hearing (Sub-section 2): The Central Government cannot remove the Chairperson or a Member from office without giving them an opportunity to be heard in the matter. This provision ensures a fair and transparent process before any decision to remove is taken.

In summary, Section 21 establishes specific disqualifications that prevent individuals from being appointed or continuing as the Chairperson or Members of the Data Protection Board. These disqualifications are designed to ensure the integrity, competence, and ethical conduct of those holding these important positions. Additionally, the section guarantees that individuals have the right to be heard before any removal decision is made.

Explanation of Section 22:

Section 22 of the Digital Personal Data Protection Act deals with various aspects related to the resignation, removal, and vacancy of the Chairperson and Members of the Data Protection Board of India. 

Let’s break down this section:

1. Resignation and Effective Date (Sub-section 1): The Chairperson or any other Member of the Data Protection Board has the right to resign by giving written notice to the Central Government. The effective date of the resignation can be determined based on the following conditions:

  • Upon receiving permission from the Central Government to relinquish office.
  • Upon the expiry of three months from the date of receipt of the resignation notice.
  • When a duly appointed successor takes office.
  • Upon the expiry of the term of office, if applicable.

2. Filling Vacancies (Sub-section 2): If a vacancy arises due to the resignation, removal, death, or any other reason, it must be filled by a fresh appointment in accordance with the provisions of the Act. This ensures that the Board remains functional and complete.

3. Post-Term Employment and Disclosure (Sub-section 3): After ceasing to hold office as the Chairperson or any other Member, there are certain restrictions and obligations:

  • For a period of one year from the date of ceasing office, they cannot accept any employment without the prior approval of the Central Government. This restriction is in place to prevent conflicts of interest and undue influence.
  • If they do accept employment with a Data Fiduciary against whom proceedings were initiated by or before the Chairperson or other Member, they must disclose this to the Central Government. This disclosure ensures transparency and accountability in their subsequent employment.

In summary, Section 22 outlines the procedures and conditions related to the resignation, removal, and vacancy of the Chairperson and Members of the Data Protection Board. It includes provisions to ensure a smooth transition, prevent conflicts of interest, and maintain the integrity of the Board’s functioning.

Explanation of Section 23:

Section 23 of the Digital Personal Data Protection Act pertains to the functioning, procedures, and validity of the Data Protection Board of India. 

Let’s break down this section:

1. Procedure and Business of the Board (Sub-section 1): The Board is required to follow a specific procedure when conducting its meetings and transacting its business. This procedure includes the use of digital means for meetings and the authentication of the orders, directions, and instruments issued by the Board. The exact details of the procedure, including authentication methods, will be prescribed by regulations.

2. Validity of Board’s Acts and Proceedings (Sub-section 2): No action or decision taken by the Board shall be considered invalid for the following reasons:

  • Vacancy or defect in the constitution of the Board: This means that if there is an empty position on the Board or if there is a technical flaw in how the Board is composed, it will not automatically invalidate its actions or decisions.
  • Defect in the appointment of the Chairperson or Member: If there is any issue or error in appointing the Chairperson or a Member, the Board’s actions will not be invalidated as long as the defect does not impact the merits of the case.
  • Irregularity in the Board’s procedure: Even if there is an irregularity in the way the Board conducts its procedures, as long as it does not affect the substance or fairness of the case, the actions and decisions of the Board will remain valid.

3. Acting Chairperson in Absence of the Chairperson (Sub-section 3): If the Chairperson of the Board is unable to perform her duties due to absence, illness, or any other reason, the senior-most Member of the Board will temporarily assume the functions of the Chairperson. This ensures the continuity of the Board’s operations even when the Chairperson is temporarily unable to fulfill her responsibilities.

In summary, Section 23 outlines the procedural aspects of the Data Protection Board’s functioning, emphasizes the validity of its actions under certain conditions, and provides for the temporary assumption of the Chairperson’s role in her absence. This ensures the smooth operation of the Board and maintains the integrity of its decisions and actions.

Explanation of Section 24:

Section 24 of the Digital Personal Data Protection Act pertains to the authority of the Data Protection Board of India to appoint officers and employees to assist in carrying out its functions effectively. Let’s break down this section:

Appointment of Officers and Employees:

  • The Board, with prior approval from the Central Government, has the power to appoint officers and employees. These individuals will play a crucial role in assisting the Board in its activities and responsibilities under the provisions of the Act.

Efficient Discharge of Functions: The primary purpose of appointing officers and employees is to ensure the efficient discharge of the Board’s functions. This includes activities such as overseeing data protection, enforcing compliance with the Act, investigating grievances and complaints, issuing orders and directions, and other tasks related to data governance and protection.

Terms and Conditions of Appointment: The terms and conditions of appointment and service of the officers and employees will be determined by regulations or rules prescribed by the Board. This may include matters such as remuneration, qualifications, roles, responsibilities, code of conduct, and other relevant details.

In summary, Section 24 grants the Data Protection Board of India the authority to appoint officers and employees to assist in fulfilling its responsibilities effectively. The appointment process, terms of service, and other relevant aspects will be determined through regulations or rules established by the Board, subject to the prior approval of the Central Government. The presence of dedicated officers and employees will contribute to the Board’s ability to carry out its functions smoothly and efficiently.

Explanation of Section 25:

Section 25 of the Digital Personal Data Protection Act defines the legal status of the Chairperson, Members, officers, and employees of the Data Protection Board of India in terms of their classification as “public servants” under the Indian Penal Code. 

Here’s an explanation of this section:

Deemed Public Servants:

  • The section states that the Chairperson, Members, officers, and employees of the Data Protection Board of India shall be deemed to be public servants. They are treated as such when they are acting or purporting to act in accordance with the provisions of the Digital Personal Data Protection Act.

Meaning of “Public Servant”: The reference to “public servant” in this context is in accordance with Section 21 of the Indian Penal Code (IPC). A “public servant” under the IPC refers to any person who holds an office or is employed in the service of the Government, and is authorized to perform certain public duties. Public servants are subject to specific legal obligations, rights, and responsibilities outlined in various laws, including the IPC.

Implications of Being Deemed Public Servants: By being deemed public servants under the Digital Personal Data Protection Act, the Chairperson, Members, officers, and employees of the Data Protection Board of India are subject to certain legal provisions that apply to public servants. These provisions include both the legal protections afforded to public servants as well as the liabilities they may face if they misuse their authority or engage in unlawful activities.

In summary, Section 25 clarifies that the Chairperson, Members, officers, and employees of the Data Protection Board of India are considered public servants when they are acting in accordance with the provisions of the Digital Personal Data Protection Act. This classification ensures that they are subject to the legal framework applicable to public servants, as defined by the Indian Penal Code.

Explanation of Section 26:

Section 26 of the Digital Personal Data Protection Act outlines the powers of the Chairperson of the Data Protection Board of India. 

Here’s an explanation of these powers:

General Superintendence and Administrative Direction (Clause a):

  • The Chairperson has the authority for the general superintendence and direction of all administrative matters related to the functioning of the Data Protection Board of India. This includes overseeing the overall operation and management of the Board’s administrative functions.

Scrutiny of Intimations, Complaints, and Correspondence (Clause b): The Chairperson has the power to authorize any officer of the Board to scrutinize and examine various communications sent to the Board. This includes intimations, complaints, references, or any correspondence that is addressed to the Board. The authorized officer can review and assess these communications and take appropriate actions as necessary.

Delegation of Functions and Conduct of Proceedings (Clause c): The Chairperson is empowered to delegate specific functions of the Board and to conduct its proceedings. This means that the Chairperson can entrust certain functions or tasks to individual Members or groups of Members within the Board. Additionally, the Chairperson can allocate different proceedings among these Members, allowing them to handle specific matters or cases.

Significance of the Chairperson’s Powers: These powers granted to the Chairperson are crucial for effective leadership and management of the Data Protection Board of India. They enable the Chairperson to oversee administrative matters, ensure the proper handling of communications and complaints, and delegate responsibilities within the Board to ensure efficient and organized operations.

In summary, Section 26 empowers the Chairperson of the Data Protection Board of India with the authority to supervise administrative matters, delegate functions, and manage proceedings within the Board. These powers contribute to the effective functioning and governance of the Board in its role of overseeing data protection matters in India. 

Chapter 6 – Powers, Functions and Procedure to Be Followed by Board

Explanation of Section 27:

Section 27 of the Digital Personal Data Protection Act delineates the powers and functions of the Data Protection Board of India. 

Here’s an explanation of these powers and functions:

Powers and Functions of the Board (Sub-section 1):

1. Personal Data Breach Remediation and Inquiry (Clause a):

  • The Board has the authority to direct urgent remedial or mitigation measures in case of a personal data breach that is intimated under sub-section (6) of section 8. This ensures that appropriate actions are taken to address and mitigate the impact of a breach.
  • The Board is also empowered to inquire into the details of the personal data breach and has the jurisdiction to impose penalties as specified in the Act.

2. Handling of Complaints (Clauses b and c):

  • The Board can initiate an inquiry into a complaint filed by a Data Principal regarding a personal data breach, a breach of obligations by a Data Fiduciary related to personal data or the exercise of data subject rights, or a breach of obligations by a Consent Manager related to personal data.
  • In cases of proven breaches, the Board can impose penalties as per the provisions of the Act.

3. Monitoring Consent Managers (Clause d):

  • The Board is authorized to investigate and impose penalties if a registered Consent Manager breaches any of the conditions of its registration.

4. Intermediary Compliance (Clause e):

  • In cases where an intermediary breaches the provisions of sub-section (2) of section 37 (related to the interception and monitoring of digital communication), the Board has the power to inquire into such breaches and impose penalties as specified in the Act.

5. Issuance of Directions (Sub-section 2):

The Board has the authority to issue directions to individuals or entities for the effective discharge of its functions. These directions may relate to compliance with the Act’s provisions, rectification of breaches, or other necessary actions.

6. Modification, Suspension, Withdrawal, or Cancellation of Directions (Sub-section 3):

The Board can modify, suspend, withdraw, or cancel the directions issued under sub-sections (1) or (2) after considering a representation made by the affected person or upon a reference from the Central Government. The Board can impose conditions while modifying, suspending, withdrawing, or canceling a direction to ensure that the actions taken align with its intended objectives.

In summary, Section 27 grants the Data Protection Board of India the authority to address and inquire into personal data breaches, investigate complaints, monitor Consent Managers, oversee intermediary compliance, issue directions, and modify or revoke those directions when necessary. These powers are essential for the Board to effectively enforce the provisions of the Digital Personal Data Protection Act and ensure data protection in India.

Explanation of Section 28:

Section 28 of the Digital Personal Data Protection Act outlines the functioning and powers of the Data Protection Board of India, particularly with regard to inquiries, proceedings, and its authority in ensuring compliance with the provisions of the Act.

Here’s an explanation of each subsection:

Digital Functioning and Techno-Legal Measures (Sub-section 1):

  1. The Board is expected to function as an independent body.
  2. It is encouraged to adopt digital practices, allowing for digital receipt of complaints, digital allocation of cases, digital hearings, and digital pronouncement of decisions.
  3. The Board should use techno-legal measures prescribed to facilitate its digital operations. 

Initiating Action (Sub-section 2): 

Upon receiving an intimation, complaint, reference, or directions mentioned in sub-section (1) of section 27, the Board can initiate appropriate actions in accordance with the Act and its rules.

Determination of Inquiry Grounds (Sub-section 3):

The Board evaluates whether there are valid grounds to proceed with an inquiry based on the information received.

Closure of Proceedings (Sub-section 4):

If the Board determines that there are insufficient grounds for an inquiry, it can close the proceedings with recorded reasons.

Commencement of Inquiry (Sub-section 5):

If there are sufficient grounds, the Board initiates an inquiry into an entity’s compliance with the Act’s provisions.

Principles of Natural Justice (Sub-section 6):

The Board conducts the inquiry following principles of natural justice, ensuring a fair and unbiased process. It also documents reasons for its actions during the inquiry.

Powers of a Civil Court (Sub-section 7):

The Board possesses powers akin to a civil court under the Code of Civil Procedure, 1908, for matters such as summoning and examining individuals, receiving evidence, requiring document production, and other prescribed matters.

Access and Custody Limitations (Sub-section 8):

The Board and its officers do not have the authority to prevent access to premises or seize equipment that could adversely affect an entity’s regular operations.

Assistance from Authorities (Sub-section 9):

The Board can enlist the help of police officers or officers from the Central or State Government to assist in its functions. These officers are required to comply with the Board’s requisitions.

Interim Orders (Sub-section 10):

During an inquiry, the Board can issue interim orders if it deems it necessary. However, these orders are issued after allowing the affected person an opportunity to be heard.

Proceeding or Closure (Sub-section 11):

After concluding the inquiry and offering the affected person an opportunity to be heard, the Board may choose to either close the proceedings or proceed in line with section 33 of the Act, which pertains to penalties.

False or Frivolous Complaints (Sub-section 12):

If the Board determines that a complaint is false or frivolous at any stage, it may issue a warning or impose costs on the complainant.

In essence, Section 28 outlines the Board’s procedural powers, actions, and responsibilities related to inquiries, compliance assessment, and the functioning of digital proceedings. It ensures a balanced and fair approach in addressing data protection concerns and breaches under the Act.

Chapter 7 – Appeal and Alternate Dispute Resolution

Explanation of Section 29: 

Section 29 of the Digital Personal Data Protection Act pertains to the process of appealing against orders or directions issued by the Data Protection Board of India.

Here’s a breakdown of the key points in this section:

Appeal Process (Sub-section 1):

  • If any person is dissatisfied with an order or direction issued by the Data Protection Board, they can file an appeal before the Appellate Tribunal.

Filing and Time Limit (Sub-section 2):

  • The appeal must be filed within sixty days from the date of receiving the order or direction.
  • The appeal should be submitted in the prescribed form and manner, along with the prescribed fee.

Extension of Time (Sub-section 3):

  • The Appellate Tribunal can consider an appeal even if it’s filed after the sixty-day period, if it finds sufficient cause for the delay.

Adjudication by Appellate Tribunal (Sub-section 4):

  • The Appellate Tribunal, after giving all parties an opportunity to be heard, can decide to confirm, modify, or set aside the order appealed against.

Notification of Orders (Sub-section 5):

  • The Appellate Tribunal is required to send a copy of its order to the Data Protection Board and all parties involved in the appeal.

Timely Disposal (Sub-section 6):

  • The Appellate Tribunal is expected to expedite the appeal process and aim to dispose of the appeal within six months of its submission.

Reasons for Delay (Sub-section 7):

  • If the Appellate Tribunal is unable to dispose of the appeal within six months, it must provide written reasons for the delay.

Procedural Guidelines (Sub-section 8):

  • The Appellate Tribunal’s procedures for dealing with appeals shall be determined in accordance with the prescribed rules. This section also refers to specific provisions in the Telecom Regulatory Authority of India Act, 1997.

Further Appeals (Sub-section 9):

  • If an appeal is made against the orders of the Appellate Tribunal, the provisions of section 18 of the Telecom Regulatory Authority of India Act, 1997, shall apply.

Digital Functioning (Sub-section 10):

  • The Appellate Tribunal is encouraged to function as a digital office, utilizing digital means for receiving appeals, conducting hearings, and pronouncing decisions.

In summary, Section 29 outlines the process for lodging an appeal with the Appellate Tribunal against orders or directions issued by the Data Protection Board. It emphasizes timely resolution, adherence to procedural guidelines, and the adoption of digital practices for efficient functioning.

Explanation of Section 30:

Section 30 of the Digital Personal Data Protection Act outlines the enforceability of orders issued by the Appellate Tribunal under the Act. 

Here’s a breakdown of the key points in this section:

Execution of Orders (Sub-section 1):

1. Any order passed by the Appellate Tribunal under this Act can be executed by the Appellate Tribunal itself as if it were a decree of a civil court.

2. The Appellate Tribunal is vested with all the powers of a civil court to ensure the enforcement of its orders.

Transmission to Civil Court (Sub-section 2):

3. The Appellate Tribunal also has the authority to transmit its order to a civil court with local jurisdiction.

4. Once the order is transmitted, the civil court will execute the order as if it were a decree issued by that court.

In essence, Section 30 empowers the Appellate Tribunal to ensure the execution of its orders as if they were decrees of a civil court. Additionally, it provides an avenue for the transmission of orders to a civil court for execution, if deemed necessary. This reinforces the authority and effectiveness of the Appellate Tribunal’s decisions in matters related to the Digital Personal Data Protection Act.

Explanation of Section 31:

Section 31 of the Digital Personal Data Protection Act deals with the option of mediation for resolving complaints.

Here’s an explanation of this section:

  1. Mediation as a Resolution Method: If the Data Protection Board of India (referred to as the “Board”) believes that a particular complaint can potentially be resolved through mediation, it has the authority to suggest this approach to the parties involved in the dispute.
  2. Directing Parties to Attempt Mediation: The Board has the power to direct the parties concerned in a complaint to engage in mediation for attempting to resolve the dispute. Mediation is a process where an impartial third party, known as a mediator, facilitates discussions between the disputing parties with the aim of reaching a mutually acceptable solution.
  3. Choice of Mediator: The parties involved in the complaint have the flexibility to mutually agree upon a mediator who will guide the mediation process. Alternatively, the Board may also follow any mediation procedures specified under existing laws in India.
  4. Objective of Mediation: The primary objective of mediation is to find a satisfactory resolution to the complaint without the need for formal legal proceedings. The mediator assists the parties in communicating their concerns, interests, and potential solutions in a constructive and confidential environment.
  5. Mediation Process: During mediation, the parties have the opportunity to openly discuss their issues, explore possible solutions, and work towards a mutually acceptable outcome. The mediator facilitates these discussions and helps the parties find common ground.
  6. Mediation Outcomes: If the parties successfully reach an agreement through mediation, the terms of the agreement are documented in a mediation settlement. This settlement may address the concerns raised in the original complaint and provide a basis for moving forward without resorting to further legal actions.

Overall, Section 31 encourages the use of mediation as an alternative dispute resolution mechanism for resolving complaints related to personal data protection. Mediation offers a flexible and collaborative approach that can help parties avoid the complexities and adversarial nature of formal legal proceedings.

Explanation of Section 32:

Section 32 of the Digital Personal Data Protection Act introduces the concept of a “voluntary undertaking” as a means of resolving matters related to the observance of the provisions of the Act. 

Here’s an explanation of this section:

  1. Voluntary Undertaking: A voluntary undertaking is a commitment or promise voluntarily made by a person to the Data Protection Board of India (referred to as the “Board”) in relation to complying with the provisions of the Digital Personal Data Protection Act. This undertaking can be offered by the person at any stage of a proceeding under Section 28.
  2. Purpose of Voluntary Undertaking: The purpose of a voluntary undertaking is to provide an alternative approach to addressing non-compliance issues without resorting to formal legal proceedings. It allows the person to take specific actions or refrain from certain actions to rectify the situation and ensure compliance with the law.
  3. Scope of Voluntary Undertaking: The content of a voluntary undertaking may include various commitments, such as taking specific corrective actions within a defined time frame or refraining from engaging in certain activities that may be in violation of the Act. Additionally, the voluntary undertaking may also include a provision for publicizing the commitment.
  4. Variation of Terms: After the Board accepts a voluntary undertaking and with the consent of the person who gave the undertaking, the terms of the undertaking can be modified or changed as necessary to ensure effective compliance.
  5. Effect of Acceptance: Once the Board accepts a voluntary undertaking, it acts as a bar on proceedings under the provisions of the Act specifically related to the contents of the voluntary undertaking. This means that the person who offered the voluntary undertaking will not be subjected to legal action regarding the matters covered by the undertaking, unless an exception mentioned in sub-section (5) applies.
  6. Breach of Voluntary Undertaking: If the person who gave the voluntary undertaking fails to adhere to its terms, the breach of the undertaking is treated as a breach of the Act. In such cases, the Board may initiate proceedings under Section 33 against the person. However, before taking action, the person will be given an opportunity to be heard by the Board.

Section 32 provides a mechanism for individuals or entities to proactively address compliance issues by offering voluntary commitments to the Board, which can help avoid formal legal proceedings and promote faster resolution of data protection matters.

Chapter 8 – Penalties and Adjudication

Explanation of Section 33:

Section 33 of the Digital Personal Data Protection Act outlines the process and considerations for imposing monetary penalties in cases of breaches of the provisions of the Act. 

Here’s an explanation of this section:

  1. Imposition of Monetary Penalty: If, after conducting an inquiry, the Data Protection Board of India (referred to as the “Board”) determines that a breach of the provisions of the Digital Personal Data Protection Act or the rules made under the Act is significant, it has the authority to impose a monetary penalty on the responsible person. The penalty amount is specified in the Schedule of the Act.
  2. Opportunity of Being Heard: Before imposing a monetary penalty, the Board is required to give the person who committed the breach an opportunity to be heard. This ensures that the person has a chance to present their case and provide any relevant information or explanations.
  3. Considerations for Determining Penalty Amount: When determining the amount of monetary penalty to be imposed, the Board takes into account several factors, as listed below:
    • Nature, Gravity, and Duration of the Breach: The severity, type, and duration of the breach are considered. A more serious or prolonged breach may lead to a higher penalty.
    • Type and Nature of Personal Data Affected: The sensitivity and nature of the personal data that was compromised or mishandled play a role in assessing the penalty amount.
    • Repetitive Nature of the Breach: If the breach is a recurring or repetitive issue, this may result in a higher penalty.
    • Financial Gains or Avoided Losses: If the person gained financially or avoided losses as a result of the breach, this is taken into account in determining the penalty amount.
    • Mitigation and Timeliness of Action: The actions taken by the person to mitigate the effects of the breach and how timely and effective those actions were will influence the penalty.
    • Proportionality and Deterrence: The penalty should be proportionate to the breach and effective in encouraging compliance with the Act. It aims to deter future breaches by the person and others.
    • Impact on the Person: The likely impact of the monetary penalty on the person, including their ability to pay the penalty, is also considered.
    • Objective of the Penalty: The imposition of a monetary penalty is meant to encourage compliance with the Act, discourage future breaches, and ensure the security and proper handling of personal data.

Section 33 emphasizes a balanced approach to imposing monetary penalties, taking into account various factors to determine a fair and appropriate penalty amount based on the circumstances of the breach and its impact.

Explanation of Section 34:

Section 34 of the Digital Personal Data Protection Act pertains to the disposition of the monetary penalties collected as a result of actions taken by the Data Protection Board of India (the “Board”) under the provisions of the Act.

Here’s an explanation of this section:

  1. Penalties Imposed by the Board: The section deals specifically with the monetary penalties that the Board has the authority to impose on individuals or entities that breach the provisions of the Digital Personal Data Protection Act.
  2. Disposition of Penalty Amounts: According to Section 34, any funds or sums of money that are collected as penalties from those found to be in violation of the Act will be directed to a specific financial account. In this case, all such sums are directed to be credited to the “Consolidated Fund of India.”
  3. Consolidated Fund of India: The Consolidated Fund of India is a term used in the context of the country’s financial management. It is a single government account where all revenues received by the government (such as taxes, fees, fines, etc.) and all non-loan capital receipts are credited. Government expenditures are made from this fund, subject to parliamentary approval. It’s essentially the primary account of the government for its revenue receipts and non-debt capital receipts.

In summary, Section 34 ensures that any monetary penalties collected by the Board through its enforcement actions under the Act are directed to the Consolidated Fund of India, which is the designated financial account for government revenues and expenditures. This contributes to the overall financial management of the government and aligns with principles of accountability and transparency in the use of public funds. 

Chapter 9 – Miscellaneous

Explanation of Section 35:

Section 35 of the Digital Personal Data Protection Act provides immunity from legal action for certain entities and individuals involved in the implementation and enforcement of the Act. Here’s an explanation of this section:

1. Protection from Legal Proceedings: This section establishes legal protection for specific entities and individuals involved in carrying out their duties under the provisions of the Digital Personal Data Protection Act and the rules made under it.

2. Entities and Individuals Covered: The entities and individuals covered by this immunity include:

  • The Central Government: The highest administrative authority in the country.
  • The Board: Referring to the Data Protection Board of India established under the Act.
  • Chairperson and Members: Individuals appointed to head and serve on the Board.
  • Officers and Employees: Personnel working for the Board, including officers and employees appointed to assist in its functioning.

3. Scope of Immunity: The immunity granted by Section 35 applies specifically to actions or decisions taken “in good faith” under the provisions of the Act and the associated rules. This means that as long as the actions or decisions were made honestly and with a genuine intention to carry out the responsibilities of the Act, the individuals and entities covered by this section are protected from legal suits, prosecutions, or other legal proceedings.

4. Limitation of Immunity: It’s important to note that the immunity provided by this section only covers actions taken in good faith under the Act. If there is evidence of malfeasance, misconduct, or actions that are not in line with the Act’s provisions, this immunity would not apply.

In summary, Section 35 safeguards the Central Government, the Board, its Chairperson, Members, officers, and employees from legal consequences for their actions carried out in good faith while implementing and enforcing the Digital Personal Data Protection Act and its associated rules. This protection ensures that these individuals and entities can perform their duties without the fear of legal reprisals, as long as their actions are consistent with the Act’s intentions.

Explanation of Section 36:

Section 36 of the Digital Personal Data Protection Act empowers the Central Government to request information from specific entities for the effective implementation of the Act. 

Here’s an explanation of this section:

1. Central Government’s Authority: The “Central Government” refers to the highest administrative authority in the country. In the context of the Digital Personal Data Protection Act, it holds the responsibility of overseeing and facilitating the enforcement of the Act’s provisions.

2. Purpose of Information Gathering: Section 36 grants the Central Government the authority to collect information from three categories of entities:

  • The Board: Referring to the Data Protection Board of India established under the Act.
  • Data Fiduciary: An entity that processes personal data on behalf of the Data Principal (individual to whom the data pertains).
  • Intermediary: An entity that acts as an intermediary for transmitting, storing, or processing digital data.

3. Nature of Information: The Central Government can request various types of information relevant to the implementation of the Digital Personal Data Protection Act. This information could pertain to the entities’ practices, processes, compliance with the Act’s requirements, or any other relevant details.

4. Authority and Process: The Central Government’s authority to request information is not arbitrary but is limited to the specific purposes of the Act. It is expected that such requests would be made in a structured and procedural manner, and the information sought would be relevant to the Act’s objectives.

In essence, Section 36 allows the Central Government to seek necessary information from the Data Protection Board (the regulatory body established under the Act) and other entities involved in the processing and protection of personal data. This provision enhances the Central Government’s ability to monitor and regulate the implementation of the Act and ensures effective compliance with its provisions.

Explanation of Section 37:

Section 37 of the Digital Personal Data Protection Act outlines the authority of the Central Government to issue directions for blocking access to certain information generated, transmitted, received, stored, or hosted in computer resources. This section is designed to address situations where a Data Fiduciary, an entity processing personal data, has been penalized by the Data Protection Board in multiple instances and where it is deemed necessary in the public interest to restrict access to certain information. 

Here’s a breakdown of the section:

1. Central Government’s Authority: The “Central Government” refers to the highest administrative authority in the country. It has the power to issue directions under this section. The Central Government can also authorize specific officers to carry out these actions on its behalf.

2. Conditions for Issuing Directions: The Central Government can issue directions under this section when it receives a written reference from the Data Protection Board that meets two criteria:

  • The Board has imposed monetary penalties on a Data Fiduciary in two or more instances.
  • The Board advises, in the interests of the general public, that certain information hosted on computer resources used by the Data Fiduciary in connection with its business activities (such as offering goods or services to Data Principals in India) should be blocked.

3. Blocking Access to Information: If the Central Government is satisfied, based on the criteria outlined above, that it is necessary or expedient in the interests of the general public, it can issue an order directing a relevant agency of the Central Government or an intermediary (an entity that acts as a mediator or facilitator for online communications) to block public access to the specified information. The order will be given in writing and will provide the reasons for the decision.

4. Compliance by Intermediaries: Intermediaries that receive such a direction from the Central Government are legally obligated to comply with it. They must take the necessary steps to block public access to the specified information as directed.

5. Terms and Definitions: The section uses terms and expressions defined in the Information Technology Act, 2000, which is an earlier piece of legislation in India dealing with electronic transactions and digital information. These terms include “computer resource,” “information,” and “intermediary.”

In summary, Section 37 grants the Central Government the authority to issue directions for blocking access to specific information hosted on computer resources when a Data Fiduciary has been penalized multiple times by the Data Protection Board and when such action is deemed necessary in the public interest. This provision is intended to address situations where certain information could be harmful or pose a risk to Data Principals, and it allows for a targeted restriction of public access to mitigate potential harm.

Explanation of Section 38:

Section 38 of the Digital Personal Data Protection Act establishes the relationship between the provisions of the Act and other laws that are currently in force in India. This section clarifies how the Act interacts with existing laws and addresses any conflicts that may arise.

Here’s an explanation of this section:

  1. Supplementary Nature of the Act: Sub-section (1) states that the provisions of the Digital Personal Data Protection Act are intended to be additional to, or complementary with, the existing laws in India. In other words, this Act introduces specific rules and regulations related to digital personal data protection, but it does not nullify or replace other laws that are already in place.
  2. Resolution of Conflicts: Sub-section (2) addresses the scenario where there is a conflict between a provision of the Digital Personal Data Protection Act and a provision of any other law that is currently in force. In such cases, the provision of the Data Protection Act takes precedence or prevails to the extent of the conflict. This means that if there is a contradiction or inconsistency between a rule in this Act and a rule in another law, the rule in the Data Protection Act will be followed.

In essence, Section 38 emphasizes that the Digital Personal Data Protection Act does not replace or negate any existing laws, but rather, it operates alongside them. It ensures that the Act’s provisions are effective and enforceable while also maintaining coherence with the broader legal framework of the country. If there is a conflict between the Data Protection Act and another law, the Act’s provisions will prevail in those areas where they conflict.

Explanation of Section 39:

Section 39 of the Digital Personal Data Protection Act deals with the jurisdiction of civil courts and the granting of injunctions with respect to matters falling under the purview of the Data Protection Board. 

Here’s an explanation of this section:

  1. Jurisdiction of Civil Courts: This section states that no civil court (regular courts that handle non-criminal cases) has the authority to entertain or hear any lawsuit, legal proceeding, or case related to matters for which the Data Protection Board is empowered under the provisions of the Digital Personal Data Protection Act. In other words, if a dispute or issue arises that falls within the scope of the Act and is subject to the jurisdiction of the Data Protection Board, it cannot be taken up or heard by a civil court.
  2. Injunctions: Additionally, this section prohibits any court or other authority from granting an injunction in relation to any action that is taken or is to be taken by the Data Protection Board pursuant to its powers under the Act. An injunction is a court order that restrains or prohibits a party from doing a certain action. This means that no court can issue an injunction to prevent the Data Protection Board from carrying out its duties or exercising its powers under the Act.

In summary, Section 39 is designed to ensure that matters falling under the jurisdiction of the Data Protection Board are exclusively within its domain and that civil courts cannot intervene or grant injunctions in such matters. This provision helps maintain the authority and effectiveness of the Data Protection Board in handling data protection-related issues.

Explanation of Section 40:

Section 40 of the Digital Personal Data Protection Act pertains to the power of the Central Government to make rules for the effective implementation of the Act. It outlines the scope and specifics of these rules that can be created. 

Here’s an explanation of this section:

  1. Rule-Making Power of Central Government: The Central Government is authorized to create rules through a notification process, subject to the condition of previous publication. These rules must align with the objectives and provisions of the Digital Personal Data Protection Act and are designed to ensure its effective implementation.
  2. Scope of the Rules: The section provides a non-exhaustive list of matters for which rules may be established. These matters cover various aspects of data protection, privacy, and the functioning of the Data Protection Board, including:

(a) Manner of informing Data Principals in the notice provided by Data Fiduciaries (Section 5). 

(b) Accountability and obligations of Consent Managers (Section 6). 

(c) Conditions and registration of Consent Managers (Section 6). 

(d) Processing of personal data for the provision of subsidies, benefits, services, etc. (Section 7). 

(e) Form and manner of notifying personal data breaches to the Board (Section 8). 

(f) Determination of the period for which a specified purpose is deemed no longer being served (Section 8). 

(g) Publishing business contact information of Data Protection Officers (Section 8). 

(h) Standards for obtaining verifiable consent (Section 9). 

(i) Conditions for processing personal data of a child (Section 9). 

(j) Details of the Data Protection Impact Assessment process (Section 10). 

(k) Measures undertaken by Significant Data Fiduciaries (Section 10). 

(l) Procedure for Data Principals to request information about their personal data (Section 11). 

(m) Manner of requesting erasure of personal data by Data Principals (Section 12). 

(n) Time period for response to grievances (Section 13). 

(o) Nomination of individuals by Data Principals (Section 14). 

(p) Standards for processing personal data for exemption (Section 17). 

(q) Process of appointing Chairperson and Members of the Data Protection Board (Section 19). 

(r) Terms and conditions of service for Board Chairperson and Members (Section 20). 

(s) Authentication of orders and directions by the Board (Section 23). 

(t) Appointment and service of Board officers and employees (Section 24). 

(u) Techno-legal measures for the Board’s functioning (Section 28). 

(v) Matters under sub-clause (d) of clause (7) of section 28. 

(w) Form, manner, and fee for filing appeals (Section 29). 

(x) Procedure for dealing with appeals (Section 29). 

(y) Any other matter that requires rules to provide clarity and guidance.

In summary, Section 40 empowers the Central Government to create rules that further specify the details and procedures related to various aspects of data protection, governance, and enforcement as outlined in the Digital Personal Data Protection Act. These rules serve to ensure a comprehensive and coherent framework for the effective implementation of the Act.

Explanation of Section 41:

Section 41 of the Digital Personal Data Protection Act establishes a procedure for the oversight and control of rules and notifications made under specific sections of the Act. The purpose of this section is to ensure transparency, accountability, and parliamentary scrutiny in the process of rule-making and notification issuance. 

Here’s an explanation of this section:

  1. Rule and Notification Approval Process: This section applies to rules made and notifications issued under Section 16 and Section 42 of the Act. These rules and notifications pertain to specific matters mentioned in the Act, and they are intended to provide further details, procedures, and guidelines for effective implementation.
  2. Laying Before Parliament: When a rule or notification is made or issued under the specified sections, it must be presented to both Houses of Parliament. This presentation, known as “laying before Parliament,” is done as soon as possible after the rule or notification is created.
  3. Parliamentary Review Period: The rule or notification is laid before Parliament for a total period of thirty days. This thirty-day period may comprise one session of Parliament or two or more successive sessions.
  4. Modification or Annulment: During the thirty-day review period, both Houses of Parliament have the authority to review the rule or notification. If either House or both Houses agree that the rule or notification needs modification or should not be made or issued at all, they have the power to propose modifications or annulment.
  5. Effect of Agreement on Modification or Annulment: If both Houses agree on any modification to the rule or notification or decide that it should not be made or issued, the rule or notification will thereafter be in effect only in the modified form or not at all, depending on the case.
  6. Validity of Previous Actions: Any modification or annulment of the rule or notification does not invalidate any actions or decisions that were taken or made under the original rule or notification before the modification or annulment was agreed upon by Parliament. In other words, actions taken under the rule or notification before the modification or annulment remain valid and effective.

In summary, Section 41 establishes a mechanism for parliamentary oversight and approval of rules and notifications made under specific sections of the Digital Personal Data Protection Act. This process ensures that these rules and notifications are subject to scrutiny and can be modified or annulled by Parliament if deemed necessary, while also ensuring that actions taken under them before modification or annulment remain valid.

Explanation of Section 42:

Section 42 of the Digital Personal Data Protection Act grants the Central Government the authority to amend the Schedule of penalties specified in the Act. This section outlines the process and limitations for making amendments to the penalties listed in the Schedule. 

Here’s an explanation of this section:

  1. Amendment of Schedule: The Central Government has the power to amend the Schedule of penalties by issuing a notification. The Schedule contains a list of monetary penalties that can be imposed for various violations of the Act. These penalties serve as a way to deter non-compliance and ensure adherence to the data protection regulations.
  2. Restriction on Increasing Penalties: The amendment of the Schedule is subject to a restriction. The notification issued for amending the Schedule cannot increase any penalty specified in it to more than twice the amount that was originally specified when the Act was first enacted. In other words, the Central Government cannot substantially escalate the penalties through this amendment process.
  3. Effect of Amendment: Any amendment made to the Schedule through the notification process will be considered a part of the Act itself. This means that the amended penalties will have the same legal weight and authority as if they were originally included in the Act.
  4. Effective Date: The amendments introduced through the notification will come into force on the date of the notification itself. This ensures that the updated penalties take effect promptly upon their announcement.

In summary, Section 42 allows the Central Government to modify the penalties specified in the Schedule through a notification process. However, the Government is restricted from excessively increasing the penalties, ensuring a reasonable and controlled adjustment of penalties for violations of the Digital Personal Data Protection Act. The amendments made through this process become an integral part of the Act and take effect immediately upon notification.

Explanation of Section 43:

Section 43 of the Digital Personal Data Protection Act provides the Central Government with the authority to address any difficulties that may arise in implementing the provisions of the Act. This section empowers the government to make necessary provisions to overcome such difficulties. Here’s an explanation of this section:

  1. Resolution of Difficulties: If any challenges, obstacles, or uncertainties arise in the implementation or execution of the provisions outlined in the Digital Personal Data Protection Act, the Central Government has the authority to take measures to address these difficulties. The purpose is to ensure the effective and smooth enforcement of the Act’s provisions.
  2. Government Order: To address these difficulties, the Central Government can issue an order. This order is published in the Official Gazette, which is an official publication of the government that contains legal notices, notifications, and regulations.
  3. Consistency with the Act: The provisions introduced through this order must not be inconsistent with the existing provisions of the Digital Personal Data Protection Act. In other words, the government is authorized to create solutions that complement and align with the objectives and principles of the Act.
  4. Time Limit: The government’s power to issue such orders is subject to a time limit. No order under this section can be made after the expiration of three years from the date when the Digital Personal Data Protection Act came into effect. This ensures that any necessary adjustments are made within a reasonable timeframe.
  5. Parliament Notification: Every order made by the Central Government under this section must be presented before both Houses of Parliament. This ensures transparency and accountability in the process. The order is to be laid before the Parliament as soon as possible after its issuance.

In summary, Section 43 empowers the Central Government to address any difficulties that may arise during the implementation of the Digital Personal Data Protection Act. The government can issue orders to resolve these difficulties, provided that the provisions introduced are consistent with the Act’s overall objectives. The government’s authority to issue such orders is time-limited, and any orders issued must be presented to Parliament for scrutiny and transparency.

Explanation of Section 44:

Section 44 amends three existing Acts as a result of the enactment of the Digital Personal Data Protection Act, 2023: the Telecom Regulatory Authority of India Act, 1997, the Information Technology Act, 2000, and the Right to Information Act, 2005. Let’s break down each amendment:

Amendment to the Telecom Regulatory Authority of India Act, 1997 (Section 14):

  • This amendment affects Clause (c) of Section 14 of the Telecom Regulatory Authority of India (TRAI) Act, 1997.
  • The original sub-clauses (i) and (ii) under Clause (c) are being replaced with new sub-clauses.
  • The new sub-clauses specify the Appellate Tribunals under three Acts, including the Digital Personal Data Protection Act, 2023.
  • The other two Appellate Tribunals mentioned are under the Information Technology Act, 2000, and the Airports Economic Regulatory Authority of India Act, 2008.

Amendment to the Information Technology Act, 2000:

  • Section 43A of the Information Technology Act, 2000 is being omitted. Section 43A dealt with the compensation for failure to protect data.
  • In Section 81 of the Information Technology Act, 2000, a proviso is being added to include the Digital Personal Data Protection Act, 2023, along with the Patents Act, 1970.
  • In Section 87 of the Information Technology Act, 2000, clause (ob) is being omitted. This clause pertained to powers to make rules by the Central Government for intermediaries.

Amendment to the Right to Information Act, 2005 (Section 8):

  • In Section 8 of the Right to Information Act, 2005, there is an amendment to sub-section (1) where clause (j) is being substituted.
  • The substituted clause (j) now specifies that the term “information” includes information related to personal information.

In summary, Section 44 amends these existing Acts to incorporate provisions and references related to the Digital Personal Data Protection Act, 2023. The amendments address matters such as the inclusion of the Digital Personal Data Protection Act in relevant sections, the omission of certain provisions from the Information Technology Act, and a clarification regarding the definition of “information” in the Right to Information Act.

Disclaimer: The explanations of the DPDP Act, 2023 provided herein are the views of the author and should be used for education and research purposes only. Legal advice is suggested before taking any action under this Act.

 

Schedule (Breach & Penalty)