Code: Section 27
(1) The Board shall exercise and perform the following powers and functions, namely:—
(a) on receipt of an intimation of personal data breach under sub-section (6) of section 8, to direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act;
(b) on a complaint made by a Data Principal in respect of a personal data breach or a breach in observance by a Data Fiduciary of its obligations in relation to her personal data or the exercise of her rights under the provisions of this Act, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court, to inquire into such breach and impose penalty as provided in this Act;
(c) on a complaint made by a Data Principal in respect of a breach in observance by a Consent Manager of its obligations in relation to her personal data, to inquire into such breach and impose penalty as provided in this Act;
(d) on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act; and
(e) on a reference made by the Central Government in respect of the breach in observance of the provisions of sub-section (2) of section 37 by an intermediary, to inquire into such breach and impose penalty as provided in this Act.
(2) The Board may, for the effective discharge of its functions under the provisions of this Act, after giving the person concerned an opportunity of being heard and after recording reasons in writing, issue such directions as it may consider necessary to such person, who shall be bound to comply with the same.
(3) The Board may, on a representation made to it by a person affected by a direction issued under sub-section (1) or sub-section (2), or on a reference made by the Central Government, modify, suspend, withdraw or cancel such direction and, while doing so, impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.
Explanation of Section 27 DPDP
Section 27 of the Digital Personal Data Protection Act, 2023 defines the core powers and responsibilities of the Data Protection Board of India. It provides the Board with authority to address data breaches, investigate complaints, enforce penalties, and ensure regulatory compliance under the Act.
Key Powers and Functions of the Board
- Direct urgent remedial or mitigation measures on receiving an intimation of a personal data breach under Section 8(6), and inquire into the breach.
- Inquire into complaints made by Data Principals about personal data breaches, a Data Fiduciary's failure to meet its obligations, or violations of their rights under the Act.
- Inquire into complaints against Consent Managers for non-compliance with their obligations, and into breaches of any condition of a Consent Manager's registration.
- Inquire into breaches referred to it by the Central Government, a State Government or a court, including a Central Government reference concerning a breach of Section 37(2) by an intermediary.
- Impose penalties as provided in the Act after such inquiries.
- Issue binding directions after giving the person concerned a hearing and recording reasons in writing.
- Modify, suspend, withdraw or cancel its directions on a representation by an affected person or a reference by the Central Government, subject to any conditions it imposes.
These powers enable the Board to act promptly and decisively in matters concerning data protection violations.
Illustration
Example 1: Data Breach by a Company
An e-commerce platform experiences a data breach and notifies the Board under Section 8(6). The Board immediately orders mitigation steps and, after inquiry, imposes a penalty for non-compliance with security obligations.
Example 2: Consent Manager Violating User Rights
A Consent Manager processes personal data without proper consent. A Data Principal files a complaint, and the Board finds the Consent Manager in violation, leading to a financial penalty.
Example 3: Government Reference Against Intermediary
The Central Government refers a case against a digital platform for breaching Section 37(2). The Board investigates and penalizes the intermediary accordingly.
Common Questions and Answers on Section 27 DPDP
1. What situations give the Board jurisdiction under this section?
The Board acts upon breach intimations, complaints by individuals, government or court references, or failure of Consent Managers and intermediaries to fulfill obligations.
2. Can the Board issue binding directions?
Yes. The Board can issue enforceable directions after giving the party an opportunity to be heard and recording the reasoning in writing.
3. Is there a remedy for parties affected by Board directions?
Yes. Affected individuals or entities may request the Board to review, modify, suspend, or withdraw the direction, and the Board can impose conditions while doing so.
4. Are penalties the only action the Board can take?
No. The Board can also issue interim orders, enforce compliance measures, and direct remedial actions in the interest of protecting personal data.
Conclusion
Section 27 of the DPDP Act is central to the enforcement of digital privacy rights in India. It empowers the Data Protection Board to take prompt and effective action in response to personal data breaches and other violations. Through its wide-ranging functions, the Board ensures that individuals’ digital rights are upheld, and non-compliant entities are held accountable.
For more insights and updates on the DPDP Act and Indian data protection laws, explore ApniLaw.