
Section 42 DPDPA

Power to amend Schedule.


42. (1) The Central Government may, by notification, amend the Schedule, subject to the restriction that no such notification shall have the effect of increasing any penalty specified therein to more than twice of what was specified in it when this Act was originally enacted.

(2) Any amendment notified under sub-section (1) shall have effect as if enacted in this Act and shall come into force on the date of the notification.

Legal Interpretation of Section 42 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Statutory Provision and Purpose

Provision: Section 42 of the Digital Personal Data Protection Act, 2023 (“DPDPA”) states:

"The Central Government may, by notification, amend the Schedule."

This provision confers upon the Central Government the authority to alter the contents of the Schedule appended to the Act without the need for a formal legislative amendment by Parliament.

Purpose:
The rationale behind this delegated authority is flexibility and responsiveness. Technology, data processing practices, privacy standards, and security threats evolve rapidly. If these evolving contexts are reflected in the Schedule (such as categories of sensitive personal data, thresholds for data fiduciaries, or specific exemptions), the government must have the agility to update these details promptly. Requiring a full legislative amendment for every such change would be slow and potentially hamper the law’s effectiveness. Section 42 thus ensures the statute can remain current and effective over time.

Legal Interpretation

1. Nature of Delegated Legislation

Section 42 establishes a form of delegated legislative power. Although the Schedule forms part of the Act itself, this provision effectively treats it as a domain where finer details can be modified through executive action. This is common in complex regulatory frameworks, where certain aspects—often technical or context-sensitive—need regular updating without altering the core legislative architecture.

2. Scope of the Amendment Power

  • The Central Government’s power is confined to amending the “Schedule” of the Act. It cannot use Section 42 to modify the main body or substantive provisions of the DPDPA.
  • The Schedule typically contains non-fundamental, though significant, details—such as specific categories of data, procedural guidelines, thresholds, or classifications. Thus, any amendments must remain consistent with and within the boundaries of the parent Act.
  • Amendments that contradict the fundamental objectives or principles of the DPDPA (for example, weakening individual privacy rights established in the main Act) could be challenged as ultra vires (beyond the legal authority granted by the Act).

3. Form and Procedure for Amendment

Section 42 provides that amendments shall be made by “notification.” Key implications include:

  • Transparency: The change must be published in the Official Gazette, ensuring the public can access and scrutinize the amendment.
  • Administrative Procedure: While not explicitly stated, good administrative practice would encourage stakeholder consultation or at least a considered decision-making process before notification.
  • Ease and Speed: Using a notification allows the government to react quickly to changes in the digital ecosystem without the delays of parliamentary procedures.

4. Checks and Balances

Though Section 42 does not explicitly mention placing the notification before Parliament, general principles of administrative law and judicial review apply. If a stakeholder believes the government’s amendment is irrational, arbitrary, or contrary to the purposes of the DPDPA, they may seek judicial intervention. The courts can interpret the scope of the delegation and strike down amendments deemed inconsistent with the Act or constitutional principles.

5. Policy Considerations

Granting the executive this power suggests trust in the government’s capacity to remain informed, impartial, and responsive. However, it also increases the responsibility on the government to use this power judiciously. Overly frequent or poorly reasoned amendments risk regulatory uncertainty and could undermine public confidence. Ideally, the government would use Section 42 sparingly, ensuring changes are well-justified, transparent, and consultative.

Illustrations

Illustration 1: Updating Sensitive Personal Data Categories

Imagine the Schedule currently lists certain categories as “sensitive personal data,” such as health or biometric information. Over time, new forms of data—like advanced neural activity data from brain-computer interfaces—may require sensitive classification due to privacy risks. By invoking Section 42, the government can swiftly update the Schedule to include “neural activity data” as a new sensitive category, ensuring the Act remains relevant as technology evolves.

Illustration 2: Adjusting Thresholds for Significant Data Fiduciaries

Suppose the Schedule sets a threshold for what constitutes a “Significant Data Fiduciary”—for instance, entities processing data of over one million individuals. If market conditions change, and one million no longer represents a meaningful threshold due to population growth or the proliferation of data-driven services, the government might use Section 42 to increase this threshold to, say, two million. This keeps the regulatory burden appropriately targeted as data ecosystems scale.

Illustration 3: Refining Exemptions for Research or Non-Profit Activities

If the Schedule provides exemptions for certain research activities, allowing them to process de-identified data without consent under specific conditions, and subsequent experience shows that these conditions are either too lenient (leading to potential misuse) or too restrictive (hindering beneficial research), the government can amend the Schedule. For example, it might tighten security requirements or add an approval step. Section 42 enables such fine-tuning to maintain an appropriate balance between privacy protection and innovation.

Conclusion

Section 42 of the Digital Personal Data Protection Act, 2023 grants the Central Government the authority to adapt the law’s technical and contextual details contained in the Schedule with relative ease. This delegated power aims to ensure the DPDPA remains agile and effective amid fast-paced technological changes. While providing necessary flexibility, it also demands careful exercise, guided by principles of transparency, reasonableness, and fidelity to the statute’s overarching objective of safeguarding personal data and individual privacy rights.

© 2024 Advocate (Dr.) Prashant Mali


Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
