Introduction - The Framework Beyond Substantive Rights
The concluding sections of the Digital Personal Data Protection Act, 2023 - Sections 35 through 44, which together make up Chapter IX ('Miscellaneous') - address the operational, transitional, and administrative dimensions that are essential for the Act's implementation but often receive less attention than the substantive rights and obligations in earlier sections. These provisions are anything but miscellaneous: they protect the Board and the Government when they act in good faith, give the Central Government the power to call for information and to direct the blocking of a repeat offender's services, settle how the Act sits alongside other laws and the civil courts, confer the rule-making authority that will flesh out the Act's skeletal framework, and amend the Information Technology Act, 2000 and other statutes to integrate the DPDPA into India's broader digital governance architecture. For legal practitioners and compliance professionals, these sections are critical because they determine how the DPDPA will be operationalised in practice. The Government's rule-making power under Section 40, in particular, means that many of the Act's most impactful requirements - the form of notice and consent, breach notification timelines, cross-border transfer conditions, SDF designation criteria - will be determined through subordinate legislation rather than the Act itself.
Section 35 - Protection of Action Taken in Good Faith
Section 35 provides that no suit, prosecution or other legal proceeding lies against the Central Government, the Board, its Chairperson, or any Member, officer or employee of the Board for anything done or intended to be done in good faith under the DPDPA or the rules made under it. This protection is essential for enabling the Board to function effectively - without it, Board members would face personal legal risk for every enforcement action, creating a chilling effect on regulatory activity. The 'intended to be done' language extends the shield to acts that were meant to fall within the Act but turn out to have technically exceeded it, which is a buffer against jurisdictional challenges aimed at individual Members rather than at the Board's order. The protection is not absolute. Actions taken in bad faith - with mala fide intent, personal malice, or corrupt motives - fall outside it, so a Member who abuses the office for personal gain or acts in deliberate disregard of the law cannot claim the Section 35 shield. This qualification ensures accountability while providing the operational protection necessary for effective enforcement. For businesses interacting with the Board, Section 35 means that personal suits against Board members - a tactic sometimes used to delay or obstruct regulatory proceedings - are not a viable litigation strategy; the remedy against a Board decision is the statutory appeal to the Appellate Tribunal under Section 29.
Section 36 - Power to Call for Information
Section 36 empowers the Central Government, for the purposes of the Act, to require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for. The section itself states no grounds and no procedure: a request need not be routed through, or justified to, the Board, and the Board is itself one of the bodies that can be required to furnish information. The sovereignty, security-of-the-State, foreign-relations and public-order grounds often discussed alongside this power do not appear in Section 36; they are the grounds on which Section 17(2)(a) allows the Central Government to exempt notified instrumentalities of the State from the Act altogether, which is a separate mechanism. The breadth of Section 36 has been the subject of considerable debate among privacy advocates and civil society organisations, who argue that it lets the Government obtain personal data held by private entities without the safeguards and oversight of the Board's inquiry process under Sections 27 and 28. Supporters contend that a regulator-independent information channel is a normal feature of Indian regulatory statutes and that procedural limits can be supplied by the rules. For businesses, Section 36 creates an obligation to respond to Government information requests within whatever time the request, or the rules, specify. Organisations should establish an internal protocol for Section 36 requests: escalation to senior management and legal counsel, verification that the request is genuine and identification of the authority issuing it, a scoping check so that only the information actually called for is disclosed, and a record of what was provided, to whom and when, for audit trail purposes.
- Government can require the Board, any Data Fiduciary or any intermediary to furnish information for the purposes of the Act
- The section states no grounds of its own; the sovereignty and public-order grounds belong to the Section 17(2)(a) exemption power
- The power sits outside the Board's standard inquiry process under Sections 27 and 28
- Blocking is a separate power under Section 37 with its own, narrower preconditions
- Organisations must establish internal protocols for authenticating, scoping and answering Section 36 requests
- Responses should be documented for audit trail and compliance purposes
Section 37 - Power of the Central Government to Issue Directions (Blocking)
Section 37 is the Act's blocking power, and its preconditions are tighter than the word 'blocking' might suggest. It is triggered by a written reference from the Board that (a) intimates that the Board has imposed a monetary penalty on a Data Fiduciary in two or more instances and (b) advises, in the interests of the general public, the blocking of any computer resource that enables that Data Fiduciary to carry on any activity relating to its offering of goods or services to Data Principals within the territory of India. On such a reference, and after giving the Data Fiduciary an opportunity of being heard, the Central Government (or an officer it specially authorises) may by order direct any agency of the Central Government or any intermediary to block public access to information in that computer resource. Under Section 37(2), every intermediary that receives such a direction is bound to comply with it, and 'computer resource' and 'intermediary' carry their Information Technology Act, 2000 meanings. The target of a Section 37 order is therefore the repeat-offender Data Fiduciary; intermediaries are the means of execution, not the target, and an intermediary does not become liable to blocking merely because it 'facilitated' someone else's contravention. The power is distinct from the existing blocking framework under Section 69A of the IT Act, which the Government has used to block websites, applications and online services on grounds such as national security, public order and prevention of cognisable offences; Section 37 is tied specifically to DPDPA non-compliance and to the Board's prior penalty findings. For Data Fiduciaries offering goods or services in India, the provision creates a business risk beyond monetary penalties: the prospect of being cut off from the Indian market, one of the largest internet user bases in the world, is a compliance incentive that exceeds even the Rs 250 crore ceiling in the Schedule. For intermediaries and platform operators, the practical obligation is to be able to execute a blocking direction promptly when one arrives, and to maintain the vendor and data-processing oversight that keeps their own conduct from attracting repeat penalties.
Section 38 - Consistency with Other Laws
Section 38 settles how the DPDPA sits alongside the rest of the statute book. Sub-section (1) provides that the Act is in addition to, and not in derogation of, any other law for the time being in force; sub-section (2) provides that where a provision of the Act conflicts with a provision of any other law, the DPDPA prevails to the extent of the conflict. Two consequences follow. First, sectoral regimes - such as the RBI's directions for regulated entities or CERT-In's incident reporting directions - continue to apply, and a Data Fiduciary must satisfy both sets of obligations; only where compliance with one makes compliance with the other impossible does the DPDPA override. Second, the Act creates no criminal offences. Its enforcement is through the Board's monetary penalties under Section 33, which are civil in nature and follow the natural-justice procedure prescribed in Section 28, and the Act has no provision on cognizance of offences because there is nothing for a criminal court to take cognizance of. Criminal exposure on the same facts, where it exists, arises under other statutes - the IT Act's own offence provisions, for instance, which Section 38(1) keeps in force - and those proceedings run on the criminal standard of proof ('beyond reasonable doubt') independently of any Board penalty.
Section 39 - Bar of Jurisdiction
Section 39 bars civil courts from entertaining any suit or proceeding in respect of a matter which the Board is empowered under the Act to determine, and bars any court or other authority from granting an injunction in respect of action taken or to be taken under the Act. The effect is to channel disputes into the statutory route: a complaint or inquiry before the Board under Sections 27 and 28, then an appeal to the Appellate Tribunal (the TDSAT) under Section 29, rather than a parallel civil suit aimed at stalling an inquiry or restraining a penalty. The bar does not reach the writ jurisdiction of the High Courts under Article 226 or of the Supreme Court under Article 32, which ordinary legislation cannot oust, so challenges to the constitutionality of the Act or the rules, or to a Board order made without jurisdiction, remain available. For businesses, Section 39 means that litigation strategy must be built around the Board and the Tribunal, and that the record made before the Board - the written submissions, the evidence produced in the inquiry, and the response to any notice - will be the record on appeal.
Government Entities as Data Fiduciaries
Chapter IX contains no dedicated provision on the Government as a Data Fiduciary, but the Act plainly applies to it: a Data Fiduciary is any person who determines the purpose and means of processing, and 'person' as defined in Section 2(s) includes the State. This matters because the Government is one of the largest processors of personal data in India - through Aadhaar, income tax filing, passport services, public health databases, electoral rolls, property registration systems, and countless other digital governance initiatives. Government departments are therefore subject to the same obligations as private sector Data Fiduciaries: giving notice, obtaining consent or relying on a legitimate use, implementing reasonable security safeguards, notifying breaches, and honouring Data Principal rights. In practice these obligations are tempered in two ways. Much Government processing is authorised by law or serves a function of the State, which Section 7 recognises as a legitimate use that dispenses with consent. And Section 17 allows the Central Government to exempt notified instrumentalities of the State from the Act on sovereignty, security and public-order grounds, and exempts certain processing for specified statutory purposes. The interplay between these obligations and exemptions creates a nuanced compliance landscape for public sector processing, and enforcement by a Board whose Members are appointed by the Central Government against that same Government raises institutional questions the Act does not resolve.
- Government is subject to the DPDPA when processing personal data as a Data Fiduciary, because 'person' under Section 2(s) includes the State
- Government departments must comply with notice, consent, security, and breach notification obligations
- Much Government processing may qualify as a legitimate use under Section 7, removing the consent requirement for that processing
- Section 17 lets the Central Government exempt notified State instrumentalities and provides further carve-outs
- Government digital governance programmes like Aadhaar are within scope unless and until exempted
- Practical enforcement against Government entities raises institutional challenges
Section 40 - Rule-Making Power of the Central Government
Section 40 is arguably the most consequential of the miscellaneous provisions because it confers on the Central Government the power to make rules for carrying out the provisions of the Act. The DPDPA is a skeletal legislation - it establishes the broad framework and principles and delegates the operational details to rules notified by the Central Government, with Section 40(2) listing the matters on which rules may be made. The scope of that list is vast. The rules will prescribe the manner and form of consent and notice, the specific security safeguards that constitute 'reasonable' measures, the timeline and format for breach notifications, the criteria for designating Significant Data Fiduciaries, the conditions for cross-border data transfers, the procedure for age verification and verifiable parental consent, the registration and operational requirements for Consent Managers, the procedure for the Board's functioning including inquiry timelines and evidence standards, the alternative dispute resolution mechanism under Section 31, and numerous other operational details. Until these rules are notified, the Act's operational provisions remain partially defined. This has created a state of anticipatory compliance in the industry, where organisations are preparing for requirements they expect based on the Act's framework but cannot fully implement until the specific standards are prescribed. Draft rules are published for public consultation, consistent with the Pre-legislative Consultation Policy, which gives stakeholders an opportunity to influence the operational framework before it is notified.
- Central Government empowered to make rules for all operational aspects of the DPDPA
- Rules will prescribe consent standards, security measures, breach notification formats, and timelines
- SDF designation criteria and cross-border transfer conditions will be defined through rules
- Board procedures, ADR mechanisms, and Consent Manager requirements depend on rules
- Rule-making process involves public consultation under the Pre-legislative Consultation Policy
- Until rules are notified, many obligations remain partially defined
Sections 41 to 43 - Power to Amend the Schedule, Laying before Parliament, and Power to Remove Difficulties
Section 41 allows the Central Government, by notification, to amend the Schedule to the Act - the table of penalties that Section 33 applies - subject to the proviso that no penalty may be raised to more than double the amount specified when the Act was enacted. The figures in the Schedule can therefore move without a fresh Act of Parliament, which is a reason to treat the Rs 250 crore ceiling as a planning baseline rather than a fixed outer limit. Section 42 requires every rule made under the Act, and the notifications the section specifies, to be laid before each House of Parliament, which may modify or annul them; this is the parliamentary check on the breadth of the delegated power under Section 40. Section 43 grants the Central Government the power, by order, to remove difficulties that arise in giving effect to the Act, provided the order is not inconsistent with the Act and is made within three years of the Act's commencement. This is a standard provision in Indian legislation that enables the Government to resolve implementation problems without amending the Act itself, and the time limit confines the power to the initial implementation phase.
Section 44 - Amendments to Other Acts
Section 44 makes the consequential amendments that integrate the DPDPA into India's existing digital governance framework. It amends the Telecom Regulatory Authority of India Act, 1997 so that the TDSAT exercises the jurisdiction of the Appellate Tribunal for appeals from the Board under Section 29. It amends the Information Technology Act, 2000 by omitting Section 43A - the compensation provision for failure to protect sensitive personal data that, together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 made under it, served as India's only general data protection framework before the DPDPA - and by adjusting the IT Act's rule-making power accordingly, so that the two statutes do not run overlapping regimes. It also substitutes Section 8(1)(j) of the Right to Information Act, 2005 so that information which relates to personal data is exempt from disclosure, a change that has itself attracted criticism from transparency advocates. Organisations currently complying with Section 43A and the 2011 Rules should plan their transition to the DPDPA framework: once the omission of Section 43A takes effect, the 2011 Rules lose their statutory basis and the DPDPA's framework governs data protection exclusively.
Transitional Provisions
The Act contains no standalone savings or transitional section; the move from the old regime is handled by three pieces that sit in different parts of the Act. First, Section 1(2) provides that the Act comes into force on such date or dates as the Central Government notifies, and different dates may be appointed for different provisions, so the Section 44 amendments and the substantive obligations can be switched on in sequence and existing processing can be given time to catch up. Second, Section 5(2) deals with consent given before commencement: where a Data Principal consented to processing before the Act came into force, the Data Fiduciary must, as soon as reasonably practicable, give her a notice describing the personal data and the purpose of processing, the manner in which she may exercise her rights, and the manner in which she may complain to the Board, and under Section 5(3) it may continue the processing until and unless she withdraws consent. Legacy consent therefore does not have to be re-collected, but it does have to be paired with a DPDPA-compliant notice, and the processing must otherwise meet the Act's standards. Third, the status of proceedings pending under Section 43A of the IT Act when its omission takes effect is not addressed expressly by the DPDPA; it falls to the general savings rule in Section 6 of the General Clauses Act, 1897, under which a repeal does not, unless a different intention appears, affect proceedings already begun. For businesses, the period between notification and the commencement of the substantive obligations is the critical window for bringing existing processing, consent mechanisms and compliance measures into alignment with the DPDPA. Organisations that use it proactively - mapping existing processing, gap-analysing against the Act's requirements, and implementing remediation plans - will be significantly better positioned than those that wait for enforcement to begin.
- The Act has no standalone savings clause; transition rests on phased commencement under Section 1(2) and the pre-commencement consent rule in Section 5(2)
- Existing data processing activities must be brought into compliance before the relevant provisions are notified into force
- Consent obtained before commencement remains valid, but a DPDPA-compliant notice must be served as soon as reasonably practicable and the Data Principal may withdraw
- The status of proceedings pending under IT Act Section 43A is governed by the General Clauses Act, not by an express DPDPA provision
- The gap between notification and commencement is the window for compliance migration
- Proactive organisations should use that window for gap analysis and remediation
Timeline for Notification and Implementation
The DPDPA received Presidential assent on 11 August 2023, but under Section 1(2) its provisions come into force on such date or dates as the Central Government notifies, and different dates may be appointed for different provisions. This phased commencement approach allows the Government to operationalise different parts of the Act at different times, reflecting the practical reality that implementing a comprehensive data protection framework requires time for rule-making, Board establishment, industry preparation, and capacity building. A phased sequence is expected to run roughly as follows. The first phase focuses on establishing the Data Protection Board and notifying the core rules - the form of notice and consent, breach notification procedures, and the Board's own procedures. The second phase brings the substantive obligations into force, with lead time for existing processing activities. The third phase addresses the more complex provisions - SDF designation, cross-border transfer conditions, Consent Manager registration, and sector-specific guidance. Industry associations and compliance professionals are closely monitoring Government notifications for commencement dates, as these directly trigger compliance deadlines. Organisations should not wait for formal notification to begin their compliance journey - the lead time required for implementing consent management systems, updating privacy policies, establishing breach response procedures, and training staff means that preparation should begin well in advance of the notified commencement date.
How Kraver.ai Helps
Kraver.ai's compliance platform is designed to navigate the implementation landscape created by Sections 35 through 44. Our regulatory monitoring module tracks Government notifications, rule-making progress, and commencement dates, alerting your compliance team when new requirements are activated. For Section 36 Government information requests, our request management module provides secure workflows for receiving, authenticating, scoping, and responding to Government requests with full audit trail documentation. The IT Act transition toolkit helps organisations currently complying with Section 43A and the Reasonable Security Practices Rules, 2011 migrate their existing compliance measures to the DPDPA framework, identifying gaps and providing step-by-step remediation guidance. Our rule-readiness assessments benchmark your current compliance posture against expected rule requirements, so that when rules are notified your organisation can achieve compliance quickly rather than starting from scratch. The transition planning dashboard maps existing data processing activities against DPDPA requirements, generates the Section 5(2) notice campaigns needed for consent obtained before commencement, and tracks remediation progress across your organisation. For Government entities processing personal data as Data Fiduciaries, Kraver.ai provides specialised compliance modules that address the intersection of Section 7 legitimate uses, Section 17 exemptions, and the general obligations of the Act. Begin your DPDPA transition with Kraver.ai and ensure your organisation is ready for every phase of implementation.