Introduction: The Digital Personal Data Protection Act, 2023 (Act) introduces a pivotal provision, namely Voluntary Undertaking, as outlined in Section 32 of the Act. This provision empowers individuals and institutions to rectify breaches under the Act voluntarily. In this article, we delve into the intricacies of the Voluntary Undertaking provision.
Voluntary Undertaking –
Sub-section (1) of Section 32 of the Act provides for the submission of voluntary undertaking by a person committing any default under the Act, to the Data Protection Board (“Board”) as established by the Central Government under Section 18 of the Act.
This provision provides that any person or institutions who are in default/breach of complying with the provisions of the Act, may at any stage of the proceeding, voluntarily accept before the Board that they are in breach of the provisions of the Act.
The Board, may then, at its discretion, accept, this voluntary undertaking from such person or institution. A voluntary undertaking is a written commitment by a person or institution who is alleged to have committed a breach under the Act to take specific corrective actions to rectify its default.
One can also compare this to the compounding of offences where the party in default on its own accord admits to the contravention of the provisions of the Act. This will also help in the timely rectification of non-compliance and a step by the Government to decriminalize offence, encourage compliance and promote ease of doing business.
Such an undertaking may include an undertaking to take such action within such time as may be determined by the Board, or refrain from taking such action and or publicising such undertaking. It will be important to see the impact of such publication of undertaking because of data privacy in general and how the investor fraternity will view these undertakings.
Upon acceptance of such undertaking by the Board, any proceedings against the concerned person or institution shall be barred unless such person or institution fail to fulfil their commitment or violate the specified terms of the undertaking. The person or institution, on such breach, shall be proceeded against following the provisions of Section 33 of the Act.
This is similar to undertakings accepted by Personal Data Protection Commission, Singapore (PDPC) that allow organisations to remedy their breach and identify and rectify any inherent systemic weaknesses to maintain ongoing adherence to Personal Data Protection Act, 2012 requirements. The PDPC publishes such undertaking submitted by organisations on its website.
However, the Act does not provide any further clarity on such voluntary undertaking like what are the maximum permissible timelines within which the alleged defaulters are supposed to take action or refrain from taking such action as prescribed by the Board. It also needs to clarify on how such undertakings will be publicised by the Board. It is quite possible, that the Government may clarify these issues in the proposed rules under the Act.
Conclusion: This is a welcome step in ensuring compliance with data privacy laws in countries like India where data privacy is still at a very nascent stage and emphasising on the data fiduciaries in India the significance of data privacy law. More specifically, from foreign investors’ perspective, who consider data privacy as one of the deciding factors in their investments. However, it needs to be seen, how the finer details of this provision are provided by the Government.
The article is written by Mr. Nilesh Javkar – Senior Manager at MMJC.
Author Bio
