The interplay between the DPDP Act and the CPA offers a multi-faceted approach to protecting individuals' personal data in the digital age.

Much like our previous exploration of the overlap between data protection and cyber security, this article raises questions regarding jurisdictional overlap between regulatory authorities.

Here, we explore the overlap of jurisdiction of the Central Consumer Protection Authority (CCPA) under the Consumer Protection Act, 2019 (CPA) and the Data Protection Board of India (DPB) established under the Digital Personal Data Protection Act, 2023 (DPDP Act).

Data protection laws aim to safeguard the personal information of individuals, fostering a sense of trust that their personal data will be handled responsibly. On the other hand, consumer protection law seeks to ensure that individuals are not misled or subjected to unfair practices when engaging with businesses and services.

In today's digital age, where personal data is often the currency for online interactions, the interface between these two realms becomes evident. Issues such as transparent data collection practices, informed consent and the fair use of consumer data intertwine, creating a dynamic legal frontier where the rights and expectations of individuals intersect with the responsibilities of businesses.

Overlaps and conflicts between the DPDP Act and the CPA

Unfair trade practice, as defined under the CPA, encompasses within its ambit unauthorised disclosure of personal information. Section 2(47)(ix) reads as under:

"unfair trade practice" means a trade practice which, for the purpose of promoting the sale, use or supply of any goods or for the provision of any service, adopts any unfair method or unfair or deceptive practice including any of the following practices, namely...

...(ix) disclosing to other person any personal information given in confidence by the consumer unless such disclosure is made in accordance with the provisions of any law for the time being in force."

Section 10 of the CPA confers upon the CCPA a range of powers, including the regulation of issues related to unfair trade practices. Therefore, it appears that the CCPA has jurisdiction to regulate matters that involve unauthorized disclosure of personal information provided by consumers. However, any disclosure of personal information will not amount to an unfair trade practice if the disclosure is made in accordance with the provisions of any law. Arguably, the DPDP Act lays down the provisions for lawful collection and disclosure of personal data. Therefore, this aspect squarely intersects with the domain of the DPB under the DPDP Act.

The DPDP Act defines personal data breach to mean unauthorized processing of personal data, which will include unauthorized sharing or disclosure of digital personal data. Further, the jurisdiction for inquiry and imposing penalty for breach of the provisions of the DPDP Act or breach of personal data is with the DPB as stipulated under Section 27 of the DPDP Act.

Broader ambit of the Data Protection Board

It appears that both the DPB and CCPA will have jurisdiction to inquire into unlawful/unauthorised disclosure of personal data. However, it's worth noting that the DPDP Act has a broader scope, primarily because the definition of a 'data principal' under the DPDP Act is more expansive than that of a 'consumer' under the CPA. Consequently, the jurisdiction of the DPB extends to cases involving personal data of individuals who may not have purchased goods or availed services for consideration.

Wider powers under CPA

Although the DPB has the power to issue directions and impose penalties, the CCPA under Section 20 of the CPA can pass an order for discontinuation of practices which are unfair. Further, under Section 88 of the CPA, failure to comply with such an order of the CCPA may entail imprisonment for a term which may extend to six months in addition to a fine which may extend to twenty lakh rupees, or both. Further, the CCPA can also approach the appropriate Consumer Redressal Commission for protecting and enforcing rights of consumers as a class.

Remedies available to individuals

It is important to highlight here that under the CPA, consumers also have the option of seeking compensation by approaching the appropriate consumer redressal commission. The DPB does not contemplate payment of compensation to the affected data principals. Therefore, individuals who are consumers as defined under the CPA can seek compensation for breach of their personal data. Further, given that the CPA also recognises the right of individuals to make a complaint as a 'class', it is possible for individuals aggrieved from a data breach, including owing to negligence, to seek compensation under the CPA.

Reconciling the DPDP Act and the CPA

The CPA includes disclosure of personal information given in confidence by a consumer as an unfair trade practice unless "such disclosure is made in accordance with the provisions of any law for the time being in force". However, there is no guidance in the CPA on what constitutes personal information and in what circumstances the disclosure will be considered in breach of confidence. Further, the DPDP Act is arguably the general law (in addition to sectoral laws) that lays down the procedure for lawful collection and disclosure of data.

Therefore, an argument can be made that the DPB is the competent and more appropriate authority, being a specialised body, to determine the issue of whether there has been an unauthorised and unlawful disclosure of personal information. Further, if the CCPA or the appropriate consumer redressal commission and the DPB both return findings on these issues, there is a possibility that they may arrive at conflicting views.

The approach taken by the Supreme Court in Competition Commission of India v. Bharti Airtel Limited could provide guidance in reconciling the conflict arising here. In deciding the issue as to whether Telecom Regulatory Authoirty of India (TRAI) or the Competition Commission of India (CCI) would have jurisdiction when the relevant market is the telecom market and may involve practices which fall within the scope of a regulated sector, the Supreme Court held that TRAI being the expert regulatory body that specifically governs the telecom sector, would have the first instance jurisdiction to decide on issues that lead to a prima facie conclusion that the parties have indulged in anti-competitive practices.

Applying a similar principle to the present situation, it can be argued that the DPB will have the first instance jurisdiction to determine if there is an unauthorised and unlawful disclosure of personal information contrary to the provisions of the DPDP Act. This initial determination would be a jurisdictional fact for the CCPA/concerned donsumer redressal commission to exercise its jurisdiction in respect of any pending issue within the CPA. Pertinently, Section 19 of the CPA also empowers the CCPA to refer an issue to another regulatory body if it deems that the matter falls within the purview of that particular regulator.

Concluding remarks

In essence, while both the CPA and the DPDP Act provide for overlapping jurisdiction in cases of unauthorized personal data disclosure, their powers and scopes exhibit some distinctions. This interplay between the two offers a multi-faceted approach to protecting individuals' personal data in the digital age. Further, organisations should be aware of potential liabilities in respect of personal data of individuals that may also arise from other sectoral laws in addition to the DPDP Act.

As these regulatory frameworks continue to evolve, a harmonious collaboration between consumer protection and data protection authorities, as well as an informed public, will be instrumental in shaping a fair and secure digital landscape.

Originally published in Bar & Bench

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.