35. No suit, prosecution or other legal proceedings shall lie against the Central Government, the Board, its Chairperson and any Member, officer or employee thereof for anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder.
Please keep in mind that this form is only for feedback and suggestions for improvement. Unfortunately, questions will not be answered.
Section 35 of the Digital Personal Data Protection Act, 2023 (India) provides statutory immunity to certain individuals and entities acting under the authority of the Act, so long as their actions are taken in “good faith.” This provision is common in regulatory frameworks and ensures that officials and authorized persons can perform their duties confidently, without constant fear of personal legal repercussions, provided they act honestly and within legal bounds.
Section 35 ensures that no suit, prosecution, or legal proceeding can be initiated against the Central Government, the Data Protection Board, or their officers and authorized representatives for actions performed under the Act’s authority and in good faith.
The protection applies to acts done or intended to be done under the DPDP Act or any rules/regulations made under it. This may include:
So long as these actions are honest, within legal powers, and lack malicious intent, officials are shielded from personal liability.
Section 35 does not grant absolute immunity. The key criterion is “good faith.” Any action taken with corrupt motives, intentional wrongdoing, or clear legal excess would not be protected. If an official deliberately violates the law or acts with malice, they could still face legal consequences.
By protecting well-intentioned officials from personal lawsuits, Section 35 encourages robust enforcement. Without such safeguards, regulators might hesitate to take necessary but challenging steps for fear of personal legal entanglements.
Scenario:
A Data Protection Board officer imposes a significant penalty on a company that
negligently caused a massive data breach.
Application:
If the company tries to personally sue the officer, Section 35 shields the officer
from liability as long as the penalty was imposed lawfully, following due process,
and without malicious intent.
Scenario:
An inspector conducts a compliance audit and issues corrective directions to a Data Processor.
Application:
If the Data Processor attempts a personal lawsuit against the inspector for costs incurred,
Section 35 protects the inspector, provided they acted within their official capacity
and in good faith.
Scenario:
An officer provides guidance on compliance measures, which the Data Fiduciary finds
costly to implement.
Application:
If the Data Fiduciary sues the officer personally, Section 35 protects the officer,
assuming the guidance was given honestly and lawfully, even if it resulted in additional
expenses for the Fiduciary.
Fostering Confidence in Enforcement:
Section 35 ensures that officials can enforce the DPDP Act without undue fear,
promoting stronger compliance and public trust in the regulatory regime.
Balancing Accountability and Protection:
While it shields honest acts, Section 35 does not protect bad faith or corrupt
behavior. Thus, accountability is preserved for egregious misconduct.
Alignment with Established Norms:
Many regulatory laws provide similar “good faith” protections. Section 35 aligns the
DPDP Act with standard governance practices, ensuring consistency and legal harmony.
Section 35 of the DPDP Act, 2023 is a crucial provision that balances the need for vigilant enforcement of data protection laws with the protection of those enforcing them. By granting immunity for actions taken in good faith, it enables officials and the Board to carry out their duties effectively, without the threat of personal litigation hanging over every decision. At the same time, it maintains accountability for actions taken in bad faith, ensuring that the system remains fair, just, and trustworthy.
© 2024 Advocate (Dr.) Prashant Mali