Grievance Redressal under the DPDPA

Grievance redressal is a core compliance obligation that every Data Fiduciary must address. It is also a right of the Data Principal (i.e. the user) under the DPDPA. The legislative intent to treat grievance redressal as a right is firmly rooted in the earlier iterations of the bill. Though the Act does not expressly provide for the appointment of a Grievance Officer, firms or entities processing personal data will in practice need to designate a person who handles grievances in order to comply with the Act.

Right of Grievance Redressal (Section 13)

Grievance redressal is a right of the user. The user must have readily available means of grievance redressal. The use of the term “readily available” may import requirements similar to those under the IT Rules or the E-commerce Rules, including:

  • Publishing the details of the grievance redressal officer at a prominent place.
  • A quick turnaround for acknowledging receipt of a complaint, e.g. within 24 hours.

The Draft Rules under the DPDPA that were published for consultation introduced similar requirements. Draft Rule 9 prescribed that the Data Fiduciary shall:

  • Prominently publish the business contact details of the Data Protection Officer or of any other person who can resolve the grievances of users.
  • Include the same details in every communication to the user.

Timelines for grievance redressal

Grievance redressal timelines have varied across the iterations of the draft bills, moving from a fixed 30-day outer limit in the earlier bills to a short response period in the 2022 Bill. The Act, however, adopts a flexible approach that leaves the timeframe to be prescribed, allowing it to account for the specific requirements of each class of Data Fiduciary.

  • 2018 Bill – The bill set an upper limit of 30 days for grievance redressal by the Data Fiduciary, counted from the date of receipt of the grievance.
  • 2019 Bill – The bill retained the 30-day upper limit from the 2018 Bill.
  • 2021 Bill – The bill retained the 30-day upper limit from the 2019 Bill.
  • 2022 Bill – The bill did not set an outer time frame for redressal of the grievance.
    • It only provided that the Data Fiduciary shall respond to the user’s grievance within 7 days, or such shorter period as may be prescribed.
  • 2023 DPDP Act – The final Act fixes no period itself. It provides that the Data Fiduciary has to respond to the user’s grievance within such period, from the date of its receipt, as may be prescribed.
    • The time frames may differ for each class of Data Fiduciary. This discretion is vested with the executive and will likely be exercised through rules or regulations.

When can the user file a complaint with the Data Protection Board

A user can approach the Data Protection Board only once they have exhausted the grievance redressal opportunity provided by the Data Fiduciary.

The DPDPA has dropped the following conditions that the previous bills attached to approaching the regulator:

  • 2018 Bill: The Bill provided three conditions under which the user could approach the Data Protection Authority:
    • If the Data Fiduciary rejected the user’s grievance
    • If the user was not satisfied with the manner in which the grievance was redressed
    • If the Data Fiduciary did not resolve the grievance within time
  • 2019 Bill: The Bill retained these conditions for approaching the Data Protection Authority.
  • 2021 Bill: The Bill retained the conditions for approaching the Data Protection Authority.
  • 2022 Bill: The Bill provided two conditions for the user to approach the Data Protection Board:
    • If the user is not satisfied with the Data Fiduciary’s response
    • If the user receives no response within the prescribed time

The DPDPA gives no guidance on whether the user can file a complaint with the Data Protection Board on any of these grounds once the Data Fiduciary’s mechanism has been exhausted. The Act also does not specify whether the grievance redressal mechanism of the Data Fiduciary must include a way to appeal the decision of the DPO or the Grievance Redressal Officer.

However, the previous iterations outlined above gave the user recourse to the Data Protection Authority (the Data Protection Board, in the 2022 Bill) as the first appellate forum against the Data Fiduciary’s decision.

What happens on non-compliance

Non-compliance with the grievance redressal timelines, or infringement of the right by not providing a grievance redressal mechanism at all, can lead to the following outcomes:

  • Preliminary examination by the Board: On receipt of a complaint, the Data Protection Board will determine whether there are sufficient grounds to proceed with an inquiry.
    • If the grounds are insufficient, the Board can close the proceedings, recording its reasons in writing.
  • Mediation: If the Board is of the opinion that the dispute can be resolved by mediation, it can direct the parties to attempt resolution through mediation.
  • Voluntary undertaking: The Data Fiduciary can submit a voluntary undertaking to the Board, committing to compliance with the provisions of the Act; if accepted, it bars further proceedings on the matter covered by the undertaking.
  • Monetary penalty: On conclusion of its inquiry, the Data Protection Board may impose a penalty of up to Rs. 50 crore on the Data Fiduciary for this breach.
  • Blocking of public access: Where monetary penalties have been imposed on the Data Fiduciary in two or more instances, the Board can refer the matter to the Central Government, which may block public access to the Data Fiduciary’s services.

These compliance requirements are applicable to all Data Fiduciaries.

For a Significant Data Fiduciary, the Data Protection Officer acts as the point of contact for the grievance redressal mechanism. Though mediation and voluntary undertakings offer recourse before a monetary penalty is first imposed, it is good practice to be compliant from the outset rather than rely on them.

Further, any enforcement action for non-compliance will harm the Data Fiduciary’s reputation with its users.