LEGAL UPDATE: THE JAN VISHWAS (AMENDMENT OF PROVISIONS) ACT, 2023

The Jan Vishwas (Amendment of Provisions) Act, 2023 (Act), was approved by the President on 11 August 2023. Its enforcement will be determined by the Central Government through notification, with varied dates for amendments in the Schedule. The Act led by the Commerce and Industry Minister, seeks to ease daily life and business operations by amending 183 provisions in 42 Central Acts under 19 Ministries. It aims to decriminalize these provisions for a more business-friendly environment.

BACKGROUND

The Minister of Commerce and Industry spearheading this initiative suggests that the focus might be on creating a more business-friendly environment and fostering a culture of entrepreneurship. By decriminalizing provisions within these Central Acts, the government may intend to encourage risk-taking, innovation and investment by providing greater legal clarity and reducing the fear of unintended legal consequences.

However, while the proposal to decriminalize provisions is aimed at streamlining processes and fostering economic growth, it is important to carefully consider the implications of such amendments. Striking a balance between promoting ease of business and ensuring accountability and responsible conduct is crucial. Some provisions might be related to public safety, consumer protection, environmental safeguards, and more, which need to be assessed thoroughly to prevent any negative consequences. The effectiveness of this legislation would depend on the specifics of the amendments, the clarity of language used, and the mechanisms put in place to ensure that the intended benefits are realized without compromising on the larger interests of society.

PURPOSE OF THE ACT

The Act serves a twofold purpose; one to elevate both the quality of everyday life and second to promote the business environment in the nation. By targeting a wide array of sectors like agriculture, media, health, and the environment, the proposed amendments aim to address outdated or problematic aspects of these Acts. The Act’s intent is to streamline and modernize these regulations, fostering a more business-friendly climate and simplifying the lives of citizens. The Act reflects a comprehensive effort to harmonize legal frameworks with contemporary needs, thereby promoting ease of living and facilitating smoother business operations across diverse sectors.

KEY HIGHLIGHTS

1. Fines and penalties in multiple provisions to increase by ten percent of the minimum amount every three years.

2. A total of 183 provisions across 42 Central Acts, overseen by 19 Ministries/Departments, to be decriminalized.

3. Decriminalization achieved through various methods:

   • Elimination of both imprisonment and/or fines in certain provisions;
     
     
   • Removal of imprisonment while retaining fines in select provisions;
     
     
   • Elimination of imprisonment while increasing fines in specific provisions;
     
     
   • Conversion of imprisonment and fines to penalties in some cases;
     
     
   • Introduction of compounding of offenses in a few provisions;
     

NATURE OF AMENDMENTS

The changes suggested in the Act aim to make certain provisions less focused on punishment by taking actions like eliminating imprisonment and increasing the fines, and introducing penalties or alternatives. These changes aim to streamline punitive measures within the legal framework to achieve desired outcomes.

For example, some of the proposed amendments in the Drugs and Cosmetics Act, 1940 (Drugs and Cosmetics Act) are: the current provisions of Section 27(d) and Section 27A(ii) of the Drugs and Cosmetics Act mandate imprisonment of up to 2 years and a minimum fine of INR 20,000 for spurious cosmetics, adulterated drugs, certain drug and cosmetics-related convictions. Proposed amendments suggest a compounding option for violations, through an addition to Section 32(B) of the Drugs and Cosmetics Act. Similarly, Section 29 of the Drugs and Cosmetics Act provides for penalties for misusing a government analyst's report for drug/cosmetic advertising. The Act proposes to increase the penalty for the above mentioned violation from INR 5,000 to INR 1,00,000. The amendment to Section 30(2) of the Drugs and Cosmetics Act proposes replacing imprisonment with a fine of INR 5,00,000 for subsequent offenses involving the same violation. These changes aim to provide legal clarity and streamline penalties.

Under the proposed amendments to the Trade Marks Act, 1999 (Trade Marks Act), the Act aims to strengthen penalties for specific offenses and introduce two new sections concerning penalties and appeals. It grants authority to a designated officer for adjudication and penalties related to Trade Marks Act violations. Proposed Section 112B outlines the appeal process, requiring the aggrieved party to appeal within 60 days, and the appellate authority to address appeals within 60 days of filing. Additionally, the Act empowers the Central Government to create rules for inquiry and appeals.

Further, under the Customs Act, 1962 (Customs Act) the Commissioner of Customs can request information on goods with false trademarks, and non-compliance results in a fine of INR 10,000. The Act extends this power to the Customs Act authority for penalty imposition and collection.

MHCO Comment:

In conclusion, the Act marks a significant step towards fostering a business-friendly environment and enhancing ease of living. By decriminalizing provisions and introducing streamlined penalties, it aims to encourage innovation, investment, and entrepreneurship. This proactive approach has the potential to boost economic growth and simplify legal processes. However, the challenge lies in striking the right balance between promoting ease of business and ensuring answerability, especially in cases involving public safety and consumer protection. While the Act holds promise for improving the regulatory landscape, careful implementation and monitoring will be crucial to prevent any unintended negative consequences and to maintain societal interests.

The views expressed in this update are personal and should not be construed as any legal advice. Please contact us directly on +91 22 40565252 or legalupdates@mhcolaw.com for any assistance.

 DIGITAL PERSONAL DATA PROTECTION ACT, 2023 – FINALLY NOTIFIED!

Background

Six years after the Supreme Court ruled that the right to privacy falls within the ambit of Article 21 of the Constitution of India in Justice Puttaswamy (Retd) v. Union of India, India has finally enacted the Digital Personal Data Protection Act, 2023 (Act), published in the Gazette of India on 11 August 2023. The Act saw a tumultuous path towards enactment which started with the appointment of a special committee headed by Justice B N Srikrishna followed by the introduction of several drafts and severe criticisms surrounding them. This legal update is prepared with the objective to provide you with a brief overview of the Act and implications on its non-compliance as it is applicable to every organisation (small or large) in India.

Scope and Applicability | Personal Data

The Act defines ``personal data`` as any information that can pinpoint an individual’s identity and processing of personal data entails various activities such as gathering, storing, utilizing, and sharing of such data.

The Act covers the handling of digital personal data in India, whether collected online or offline, as long as it is in digital form. Additionally, the Act applies to processing personal data outside India if it is related to providing goods or services within India.

The Act however does not apply to personal data that is made publicly available by the person to whom such personal data relates; or to any other person who is obligated under any law for the time being in force in India to make such personal data publicly available.

Consent | Data Principal

The Act emphasises that before processing any personal data, a Data Fiduciary, i.e. a person who processes personal data (Data Fiduciary), must take consent from the Data Principal, i.e. the individual to whom the personal data relates (Data Principal). In order to take consent, the Data Fiduciaries must first provide a notice specifying the particular personal data to be collected and the specific purpose for which it will be used (Notice). The consent given by the Data Principal shall be limited only to the extent of the specific purpose as made out in the Notice and any consent taken beyond the specific purpose shall not be considered valid.

A Data Principal may also appoint a consent manager, i.e. a person registered under the Act to act as a single point of contact to enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform (Consent Manager). A Consent Manager shall be accountable to the Data Principal under the Act and a Data Principal shall have a right of redressal of grievances by the Consent Manager.

Further, Data Principals retain the right to revoke their consent at any time upon which the Data Fiduciary shall within a reasonable time cease and cause its data processor, i.e. a person who processes the personal data on behalf of a Data Fiduciary, to cease the processing of the personal data of such Data Principal.

Obligations of Data Fiduciaries

The Act places substantial responsibilities on the Data Fiduciaries. These obligations encompass making reasonable efforts to ensure data accuracy and completeness, establishing security measures to prevent data breaches, promptly notifying both the Data Protection Board of India and affected Data Principal in the event of a breach, and erasing personal data once its intended purpose is fulfilled and legal retention is no longer necessary. Further, if a Data Fiduciary sends personal data to a data processor, the Data Fiduciary is liable for the actions/ inactions of the data processor.

Rights and Duties of Data Principals

The Act further acknowledges the rights of the Data Principals. These rights encompass the ability to obtain information about how their data is being processed, request corrections or erasure of their personal information, nominate a representative in case of incapacity or death, and seek remedies from the Data Fiduciary of any grievance they may have. Certain responsibilities have also been imposed upon the Data Principal such as refraining from making false or unnecessary complaints and providing accurate information.

Cross-border Data Transfer

The Act allows personal data to be transferred beyond India, except to countries which may be specifically notified by the Central Government. This provision however does not restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India.

Significant Data Fiduciaries

Under the Act, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a significant data fiduciary, on the basis of an assessment of relevant factors a such as the volume and sensitivity of personal data being processed, potential risk to the rights of Data Principal, impact on the sovereignty and integrity of India, security of the State and public order. Entities that are notified as significant data fiduciaries have to maintain extra compliances such as conducting independent and periodic data audits and appointing a data protection officer and an independent data auditor to gauge the impact of their actions and ensure compliance with the regulations.

Data Protection Board of India

The Act envisages the appointment of a Data Protection Board of India (Board) to be established through a notification by the Central Government to that effect. The Board shall act as the adjudicating body for any breach of personal data.

Breach of Personal Data

Personal data breach has been defined under the Act as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

1. In case of a breach of personal data, the Data Fiduciary must immediately inform the Board as well as the Data Principal, whose personal data was breached.

2. The Board would then inquire into the breach.

3. If the Board is of the opinion that there are insufficient grounds to proceed with the complaint, it may close the proceedings and impose costs if the Board believes that the complaint was frivolous.

4. If after inquiring into the complaint, the Board believes that there are sufficient grounds to proceed with the complaint, it shall conduct a further investigation into the complaint.

5. After investigating into the complaint, the Board may issue interim orders.

6. If the Board believes that there has been a breach of personal data, the Board may impose a penalty which can range from Rs 10,000 (Indian Rupees Ten Thousand) to Rs 250,00,00,000 (Indian Rupees Two Hundred and Fifty Crores). The specific penalties have been laid down in the Schedule of the Act.

7. While deciding the amount of the monetary penalty, the Board shall look into the following matters:

   • the nature, gravity and duration of the breach;
     
     
   • the type and nature of the personal data affected by the breach;
     
     
   • repetitive nature of the breach;
     
     
   • whether the person, as a result of the breach, has realised a gain or avoided any loss;
     
     
   • whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
     
     
   • whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of the Act; and
     
     
   • the likely impact of the imposition of the monetary penalty on the person.
     

8. Any person aggrieved by the order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days from the date of receipt of Order of the Board, and the TDSAT shall dispose of the appeal within 60 days of the presentation of the appeal. The TDSAT shall have all the powers of a civil court.

9. Additionally, the Board has the power to direct any complaint to be resolved through mediation.

MHCO Comment:

In this age of inevitable digitalisation of all personal information, the Act comes as a welcome move to protect people’s privacy. However, a perusal of the Act shows that the Central Government has been given significant powers such as the powers of exclusion of specific Data Fiduciaries and instrumentalities of the State from the ambit of the Act and to notify a Data Fiduciary as a significant data fiduciary. Concerns about inordinate Executive interference may hence arise and this could alter the effectiveness of the Act. This would also make the Rules to be notified under the Act essential in carving out the operative aspects of the Act.

Further the Act suffers from the practical difficulty of a lack of timeline for the appointment of the Board by the Central Government without which the Act would be remain powerless. It is also very ambitious of the Act to envisage compliance with the heavy obligations imposed upon all the Data Fiduciaries, considering the wide ambit of the term, which would also cover under it the smallest of enterprises such as photocopy stores which receive bulks of personal data on a daily basis. Such obligations also include the establishment of grievance redressal mechanisms by every Data Fiduciary. The severity of the obligations imposed upon the Data Fiduciaries stands further enhanced when the burdensome penalties laid down under the Act are considered. The Act hence has a large feat to accomplish.

The views expressed in this update are personal and should not be construed as any legal advice. Please contact us directly on +91 22 40565252 or legalupdates@mhcolaw.com for any assistance.