
Section 23 DPDPA

Proceedings of Board.


23. (1) The Board shall observe such procedure in regard to the holding of and transaction of business at its meetings, including by digital means, and authenticate its orders, directions and instruments in such manner as may be prescribed.

(2) No act or proceeding of the Board shall be invalid merely by reason of—
(a) any vacancy in or any defect in the constitution of the Board;
(b) any defect in the appointment of a person acting as the Chairperson or other Member of the Board; or
(c) any irregularity in the procedure of the Board, which does not affect the merits of the case.

(3) When the Chairperson is unable to discharge her functions owing to absence, illness or any other cause, the senior-most Member shall discharge the functions of the Chairperson until the date on which the Chairperson resumes her duties.

Applicable DPDP Rule 2025

Rule 18: Procedure for Meetings of Board and Authentication of Its Orders, Directions and Instruments


Legal Interpretation of Section 23 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Statutory Provision and Purpose

Provision: Section 23 of the Digital Personal Data Protection Act, 2023 states:

"Proceedings of Board."

While the section title is succinct, its implications are profound within the framework of the DPDPA 2023. This provision delineates the procedural aspects governing how the Data Protection Board (hereinafter referred to as "the Board") conducts its proceedings, including hearings, investigations, deliberations, and decision-making processes. Establishing clear guidelines for proceedings ensures that the Board operates transparently, fairly, and efficiently, thereby upholding the principles of data protection and privacy.

Purpose:
The primary objective of Section 23 is to provide a structured framework for the Board's operations, ensuring that its proceedings are conducted in a manner that is:

  • Fair and Impartial: Guaranteeing that all parties involved receive a fair hearing and that decisions are made without bias.
  • Transparent: Enhancing public trust by making the Board's processes open and understandable.
  • Efficient: Streamlining procedures to allow timely resolution of data protection issues.
  • Accountable: Ensuring that the Board remains accountable for its actions and decisions through documented and standardized procedures.

Legal Interpretation

1. Nature of the Provision

- Procedural Framework: Section 23 serves as the backbone for the Board's operational procedures, outlining how proceedings should be initiated, conducted, and concluded.

- Regulatory Compliance: It ensures that the Board's actions align with the overarching goals and mandates of the DPDPA 2023, maintaining consistency and legal integrity in its operations.

2. Scope of Proceedings

The provision encompasses various types of proceedings that the Board may engage in, including but not limited to:

  • Complaint Hearings: Addressing grievances filed by data principals or data fiduciaries regarding data protection violations.
  • Investigation Hearings: Conducting detailed examinations into suspected breaches or non-compliance issues.
  • Policy Hearings: Discussing and formulating data protection policies and guidelines.
  • Appeal Hearings: Reviewing appeals filed against the Board's decisions or penalties.

3. Procedure for Hearings

Initiation of Proceedings:

  • Complaint Submission: Proceedings typically begin when a complaint is filed by a data principal or data fiduciary.
  • Notice of Hearing: The Board issues a formal notice to the involved parties, specifying the date, time, and venue of the hearing.

Conducting Hearings:

  • Representation: Both parties have the right to be represented by legal counsel or authorized representatives.
  • Presentation of Evidence: Each party can present evidence, including documents, witness testimonies, and expert opinions, to support their case.
  • Cross-Examination: Parties have the opportunity to question each other's evidence and witnesses to challenge the validity and reliability of the information presented.

Deliberation and Decision-Making:

  • Private Deliberations: After the hearing, Board members may deliberate privately to assess the evidence and arguments presented.
  • Quorum Requirements: Decisions are made when a minimum number of Board members (quorum) are present to ensure balanced and representative deliberations.
  • Voting Procedures: Board members may vote on the outcome, with the majority determining the decision. In cases of a tie, predefined rules (e.g., the Chairperson's vote) apply.

Issuance of Orders and Penalties:

  • Written Orders: Decisions are formalized in written orders detailing the findings, conclusions, and any penalties or directives issued.
  • Communication to Parties: Both parties receive copies of the final orders, ensuring transparency and accountability.

4. Rights of Parties

  • Right to be Heard: Ensuring that both data principals and data fiduciaries have ample opportunity to present their cases and respond to allegations.
  • Right to Representation: Parties can be represented by legal counsel or authorized agents during proceedings.
  • Right to Appeal: Provision for parties to appeal the Board's decisions to higher authorities or tribunals if they believe the decision was unjust or unfounded.

5. Record-Keeping and Reporting

  • Documentation: All proceedings, including submissions, evidence, testimonies, and decisions, are meticulously documented to maintain an accurate record.
  • Confidentiality: Sensitive information is protected, with access restricted to authorized personnel to prevent unauthorized disclosure.
  • Public Reporting: Summarized reports of proceedings and decisions may be published to ensure public transparency without compromising confidential information.

6. Transparency and Accountability

  • Open Hearings: Where appropriate, hearings may be open to the public or media to promote transparency, unless confidentiality is required.
  • Standardized Procedures: Adhering to standardized procedures ensures consistency in how proceedings are conducted and decisions are made.
  • Audit Trails: Maintaining comprehensive records allows for audits and reviews to assess the Board's compliance with procedural standards and legal mandates.

7. Integration with Other Provisions

  • Consistency with Other Sections: Ensuring that the proceedings align with other sections of the DPDPA, such as those detailing the Board's powers, composition, and functions.
  • Interagency Collaboration: Collaborating with other regulatory bodies or law enforcement agencies when proceedings involve cross-jurisdictional or complex data protection issues.

8. Policy Considerations and Safeguards

  • Impartiality Measures: Implementing measures to prevent bias, such as rotating Board members during hearings or recusing members with potential conflicts of interest.
  • Efficiency Protocols: Establishing timelines for each stage of proceedings to prevent unnecessary delays and ensure timely resolution of cases.
  • Ethical Standards: Upholding high ethical standards to maintain the integrity and credibility of the Board's proceedings and decisions.

Illustrations

Illustration 1: Handling a Complaint Hearing

Scenario: Mr. Ajay Singh, a citizen, discovers that E-ShopMart, an e-commerce platform, has been selling his personal data to third-party advertisers without his consent. Feeling aggrieved, he files a complaint with the Data Protection Board.

Application of Section 23:

  1. Complaint Submission:
    • Mr. Singh submits his complaint through the Board's official online portal, detailing the unauthorized data sharing.
  2. Notice of Hearing:
    • The Board reviews the complaint and schedules a hearing, sending formal notices to both Mr. Singh and E-ShopMart, specifying the date, time, and venue.
  3. Conducting the Hearing:
    • Both parties are represented by legal counsel.
    • Mr. Singh presents evidence, including screenshots of data-sharing agreements and emails from E-ShopMart.
    • E-ShopMart counters by presenting their data protection policies and consent forms.
  4. Deliberation:
    • After the hearing, Board members deliberate privately, assessing the validity of the evidence and the adherence to consent requirements.
  5. Decision-Making:
    • The Board finds that E-ShopMart violated data protection norms by sharing Mr. Singh's data without explicit consent.
    • A majority vote determines the decision.
  6. Issuance of Order:
    • The Board orders E-ShopMart to cease unauthorized data sharing practices and imposes a penalty of ₹2 lakhs.
    • E-ShopMart is also directed to inform all affected customers about the breach.
  7. Appeal Process:
    • E-ShopMart, believing the penalty to be excessive, decides to appeal the Board's decision to the Appellate Tribunal as per Section 29.

Illustration 2: Conducting an Investigation Hearing

Scenario: TechNova Pvt. Ltd., a technology company, experiences a data breach compromising the personal information of thousands of users. The incident is reported to the Board, prompting an investigation.

Application of Section 23:

  1. Complaint Intake:
    • Affected users report unauthorized access to their data through the Board's complaint portal.
  2. Scheduling Investigation Hearing:
    • The Board schedules an investigation hearing to examine the breach's circumstances and the company's data protection measures.
  3. Conducting the Hearing:
    • TechNova's Chief Information Officer (CIO) presents the company's cybersecurity protocols and incident response plans.
    • External cybersecurity experts provide testimony on the breach's technical aspects.
  4. Evidence Presentation:
    • Logs, security reports, and breach notifications are presented as evidence.
  5. Deliberation and Decision-Making:
    • The Board evaluates whether TechNova complied with required data protection standards.
  6. Issuance of Order:
    • The Board determines that TechNova failed to implement adequate encryption measures, leading to the breach.
    • A penalty of ₹5 lakhs is imposed, and TechNova is mandated to upgrade its data encryption systems within three months.
  7. Monitoring and Reporting:
    • TechNova is required to submit monthly progress reports detailing the implementation of the prescribed encryption measures.
    • The Board conducts periodic audits to ensure compliance.
  8. Appeal Process:
    • TechNova argues that the breach was due to unforeseen technical failures and not negligence, appealing to the Appellate Tribunal under Section 29 for a reassessment of the penalty.

Illustration 3: Board Deliberation and Decision

Scenario: EduSmart, an online education platform, is suspected of collecting excessive personal data from students without proper consent. A complaint is filed with the Board.

Application of Section 23:

  1. Complaint Submission:
    • A group of students files a complaint alleging that EduSmart collects more data than necessary for educational purposes.
  2. Notice of Hearing:
    • The Board schedules a hearing and notifies both the students and EduSmart.
  3. Conducting the Hearing:
    • Students present testimonies and evidence showing data collection practices.
    • EduSmart presents its data collection policies and justifications for the data gathered.
  4. Deliberation:
    • Board members assess whether EduSmart adheres to data minimization principles as stipulated in the DPDPA.
  5. Decision-Making:
    • The Board concludes that EduSmart oversteps by collecting unnecessary data, violating the DPDPA's data minimization mandate.
  6. Issuance of Order:
    • EduSmart is directed to revise its data collection practices to align with the DPDPA's requirements.
    • A penalty of ₹3 lakhs is imposed for non-compliance.
  7. Monitoring and Reporting:
    • EduSmart must submit quarterly reports on its revised data collection practices.
    • The Board schedules follow-up hearings to ensure compliance.
  8. Appeal Process:
    • EduSmart appeals the penalty, citing the necessity of certain data for educational effectiveness, seeking reconsideration by the Appellate Tribunal.

Illustration 4: Public Hearings for Policy Changes

Scenario: The Board identifies the need to update data protection policies in response to emerging technologies like artificial intelligence (AI) and machine learning (ML). To formulate effective policies, the Board decides to hold public hearings.

Application of Section 23:

  1. Initiation of Public Hearings:
    • The Board schedules a series of public hearings to gather input from stakeholders, including technology experts, industry representatives, consumer rights groups, and the general public.
  2. Notification and Participation:
    • Notices are published outlining the hearing topics, schedules, and participation guidelines.
  3. Conducting the Hearings:
    • Experts present insights on how AI and ML impact data privacy.
    • Industry representatives discuss the practical challenges in implementing robust data protection measures in AI-driven environments.
    • Consumers express their concerns and expectations regarding data privacy in AI applications.
  4. Deliberation and Policy Formulation:
    • The Board consolidates the feedback received during the hearings.
    • Board members deliberate on integrating stakeholder input into the updated data protection policies.
  5. Issuance of New Policies:
    • The Board drafts revised data protection guidelines incorporating best practices for AI and ML technologies.
  6. Publication and Implementation:
    • The updated policies are published for public reference and are made effective after a specified transition period.
  7. Monitoring and Review:
    • The Board monitors the implementation of the new policies, ensuring that they effectively address the challenges posed by emerging technologies.
  8. Appeal Process:
    • Stakeholders dissatisfied with the new policies can appeal to the Appellate Tribunal, seeking further revisions or clarifications as necessary.

Conclusion

Section 23 of the Digital Personal Data Protection Act, 2023 establishes a robust procedural framework for the Data Protection Board, ensuring that its proceedings are conducted in a manner that is fair, transparent, and efficient. By outlining the steps for initiating, conducting, and concluding hearings, as well as defining the rights of parties and mechanisms for accountability, this provision enhances the Board's ability to uphold data protection norms effectively.

Key Highlights:

  • Fair and Impartial Hearings: Ensuring that all parties receive a fair opportunity to present their cases and that decisions are made without bias.
  • Transparent Processes: Enhancing public trust by making the Board's proceedings open and understandable, while maintaining confidentiality where necessary.
  • Efficient Resolution: Streamlining procedures to allow timely resolution of data protection issues, thereby preventing prolonged disputes.
  • Accountability Mechanisms: Implementing checks and balances, including record-keeping and the possibility of judicial review, to maintain the Board's integrity and accountability.
  • Inclusive Policy Formulation: Facilitating public and stakeholder participation in policy-making processes, ensuring that data protection policies are comprehensive and reflective of diverse perspectives.
  • Integration with Broader Framework: Aligning proceedings with other sections of the DPDPA, such as enforcement actions and appeal processes, to create a cohesive and effective data protection ecosystem.

Through the meticulous implementation of the procedures outlined in Section 23, the Data Protection Board can effectively enforce data protection regulations, address grievances, and adapt to emerging data privacy challenges, thereby safeguarding the personal data of individuals and fostering a secure digital environment.

© 2024 Advocate (Dr.) Prashant Mali

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
