5
Module 3 • Part 5

Duties of Data Principal

The Reciprocal Obligations: Understanding Section 15 DPDPA and the Responsibilities That Balance Rights

📚 Reading time: 20 minutes

Introduction: Rights Come with Responsibilities

"Every right implies a responsibility; every opportunity, an obligation; every possession, a duty."

— John D. Rockefeller Jr.

The Digital Personal Data Protection Act, 2023 takes a distinctive approach that sets it apart from most global data protection frameworks: it explicitly codifies duties for Data Principals alongside their rights. This is not merely a drafting choice—it reflects a philosophical position that data protection is a two-way street requiring responsible conduct from all participants in the data ecosystem.

While GDPR, CCPA, and most Western frameworks focus almost exclusively on obligations of data controllers/processors, the DPDPA recognizes an inconvenient truth: the data protection system can be undermined not just by corporate misconduct, but also by individuals who provide false information, file frivolous complaints, or impersonate others. Section 15 addresses these concerns directly.

⚠️ Why This Matters for Practitioners

As a data protection lawyer, you will encounter situations where Data Principals have not fulfilled their duties—submitting incorrect documents, filing serial complaints as harassment tactics, or attempting identity-based fraud. Understanding Section 15 enables you to advise both Data Fiduciaries facing such conduct and Data Principals on avoiding liability.

The Statutory Framework: Section 15 DPDPA

📜 Section 15 - Duties of Data Principal (Full Text)

15. Duties of Data Principal.—

(1) A Data Principal shall not—

(a) register a false or frivolous grievance or complaint with a Data Fiduciary or the Board;

(b) furnish any false particulars or suppress any material information or impersonate another person, in specified cases, while—

(i) applying for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities in relation to which personal data is processed by a Data Fiduciary; or

(ii) providing her personal data to a Data Fiduciary for the provision of any service or the issuance of any certificate, licence, permit or similar document;

(c) make a false complaint or fail to furnish verifiable material information to the Board in respect of proceedings initiated by her.

(2) Where the Board is of the opinion that a Data Principal has violated the provisions of sub-section (1), it may, after giving the Data Principal a reasonable opportunity of being heard, impose on the Data Principal such penalty not exceeding rupees ten thousand as may be prescribed.

Structural Analysis: Four Pillars of Duty

🚫

Duty I: No False Grievances

§15(1)(a) — Prohibits registering false or frivolous grievances/complaints with Data Fiduciaries or the Data Protection Board

📋

Duty II: Accurate Particulars

§15(1)(b)(i) — Mandates truthful information when applying for State-issued documents, identifiers, or proofs

🔐

Duty III: No Impersonation

§15(1)(b)(ii) — Prohibits impersonating others or suppressing material information when providing personal data

⚖️

Duty IV: Truthful Proceedings

§15(1)(c) — Requires truthful complaints and provision of verifiable information in DPB proceedings

Detailed Analysis: Unpacking Each Duty

1. False or Frivolous Grievances — §15(1)(a)

The first duty addresses a practical problem faced by organizations worldwide: the weaponization of data protection rights. Some individuals file serial complaints not to vindicate genuine privacy concerns, but to harass former employers, business rivals, or entities they have disputes with.

"False" Grievance

  • Deliberately untrue factual claims
  • Fabricated incidents of data breach
  • Invented consent violations
  • Knowingly incorrect allegations
  • Intent to deceive is essential element

"Frivolous" Grievance

  • Lacking legal merit or substance
  • Trivial matters not worth adjudication
  • Repetitive complaints on same issue
  • Vexatious litigation patterns
  • Intent may be harassment/delay
Case Law

Salem Advocate Bar Association v. Union of India

(2005) 6 SCC 344

Context: While not a data protection case, this judgment provides authoritative guidance on "frivolous" litigation that can be applied by analogy.

Held: The Supreme Court emphasized that frivolous litigation clogs the justice system and undermines access to justice for genuine claimants. The Court noted that "frivolous" includes matters that are:

  • Patently lacking in merit
  • Filed with ulterior motives (harassment, delay, publicity)
  • Repetitive without new grounds
  • Disproportionate to any genuine grievance

Relevance to §15: The DPB will likely adopt similar standards when assessing whether a grievance is "frivolous" under DPDPA.

2. False Particulars in State Document Applications — §15(1)(b)(i)

This duty applies specifically when a Data Principal applies for documents, unique identifiers, or proofs of identity/address issued by the State or its instrumentalities. The provision addresses identity fraud at the foundational level.

Covered Documents Include:

  • Aadhaar card and enrollment data
  • PAN card applications
  • Passport applications
  • Driving license applications
  • Voter ID card registration
  • Birth/death certificate applications
  • Caste/domicile/income certificates
  • Any State-issued unique identifier
Scenario False Address for PAN Card

Facts:

Rajesh wants a PAN card but provides a false residential address (his cousin's home in another state) to avoid tax scrutiny in his actual state of residence. He submits fabricated utility bills as address proof.

Analysis:

Violation: §15(1)(b)(i) — furnishing false particulars when applying for a State-issued document (PAN card) in relation to which personal data is processed by a Data Fiduciary (Income Tax Department).

Additional Liability: Beyond the ₹10,000 DPDPA penalty, Rajesh faces potential prosecution under:

  • Section 277A Income Tax Act (false statements)
  • Section 177 BNS (furnishing false information)
  • Section 336 BNS (forgery of documents)

3. Suppression & Impersonation in Service Provision — §15(1)(b)(ii)

This duty extends beyond State documents to cover situations where a Data Principal provides personal data to any Data Fiduciary for services, certificates, licenses, or permits. Three distinct violations are captured:

Furnishing False Particulars

Actively providing incorrect information — lying about age, qualifications, address, etc.

Suppressing Material Information

Deliberately withholding facts that would affect the decision — hiding disqualifications, prior rejections, criminal history, etc.

Impersonating Another Person

Assuming another's identity to obtain services — using someone else's credentials, documents, or identity markers.

Case Law

Ramjas Foundation v. Union of India

(2023) SCC OnLine SC 1032

Context: Involved suppression of material information in educational admission contexts.

Held: The Supreme Court emphasized that "suppression of material facts" is as culpable as active misrepresentation. The duty of disclosure requires revealing information that a reasonable person would consider relevant to the decision being made.

Key Test: Would disclosure of this information have materially affected the decision? If yes, suppression violates the duty.

Application to §15: When providing personal data for services, Data Principals must disclose information that would affect the Fiduciary's decision, not merely respond to explicit questions.

4. Truthfulness in DPB Proceedings — §15(1)(c)

The final duty ensures integrity of the adjudicatory process before the Data Protection Board. It has two limbs:

False Complaint

  • Fabricated facts in DPB complaints
  • Perjured statements during hearings
  • Forged documentary evidence
  • Deliberately misleading the Board

Failure to Furnish Verifiable Information

  • Refusing to provide supporting documents
  • Unsubstantiated allegations
  • Vague claims without specifics
  • Non-cooperation with investigation
⚖️ Procedural Safeguard: Natural Justice

Section 15(2) explicitly requires the DPB to provide a "reasonable opportunity of being heard" before imposing any penalty on a Data Principal. This incorporates the constitutional principle of audi alteram partem (hear the other side) as enshrined in Article 14 and 21 jurisprudence.

Reference: Maneka Gandhi v. Union of India, (1978) 1 SCC 248 — The right to be heard is a fundamental component of any procedure that affects a person's rights or imposes liability.

Penalty Framework: Section 15(2)

The penalty for violating Data Principal duties is notably modest compared to penalties on Data Fiduciaries—a maximum of ₹10,000 as prescribed by Rules. This calibration reflects several policy considerations:

Violation Section Maximum Penalty Adjudicating Authority
False/frivolous grievance to Fiduciary §15(1)(a) ₹10,000 Data Protection Board
False/frivolous complaint to DPB §15(1)(a) ₹10,000 Data Protection Board
False particulars in State document application §15(1)(b)(i) ₹10,000 Data Protection Board
Suppression/impersonation for services §15(1)(b)(ii) ₹10,000 Data Protection Board
False complaint/non-cooperation with DPB §15(1)(c) ₹10,000 Data Protection Board

"The law cannot make a man honest, but it can at least make him uncomfortable when he is dishonest."

— Adapted from legal maxim

Why the Low Penalty?

Policy Rationale:

  • Proportionality: Individuals have far less capacity to cause harm than organizations processing millions of records
  • Deterrence vs. Oppression: Higher penalties could deter genuine complaints from economically weaker sections
  • Concurrent Liability: §15 violations often trigger more serious offenses under IPC/BNS, IT Act, and domain-specific laws
  • Civil Deterrent: The reputational and procedural consequences of DPB adverse findings may outweigh the monetary penalty
  • Access to Justice: Fear of high penalties shouldn't prevent genuine Data Principals from asserting their rights

⚠️ Concurrent Criminal Liability

The ₹10,000 DPDPA penalty does not preclude prosecution under other statutes. Impersonation attracts Section 419 IPC (up to 3 years), forgery attracts Section 465 IPC (up to 2 years), and false statements to public servants attract Section 177 IPC. The DPB penalty is civil in nature and runs parallel to criminal proceedings.

Practical Scenarios for Legal Practitioners

Scenario 1 The Serial Complainant

Facts:

Meera had a dispute with her former employer, TechCorp Ltd., over her final settlement. After losing the labor tribunal case, she began filing weekly data protection complaints alleging various violations—unauthorized data sharing, inadequate security, consent manipulation—each time with slightly different framing. TechCorp spent significant resources responding to 23 complaints over 8 months. Investigation showed none of the alleged violations occurred.

Legal Analysis:

Primary Violation: §15(1)(a) — frivolous grievances filed with Data Fiduciary and potentially false complaints to DPB if escalated.

Evidence of Frivolousness:

  • Pattern of repetitive complaints post-adverse labor ruling
  • Substantially similar allegations with cosmetic variations
  • No new evidence or changed circumstances
  • Intent appears to be harassment, not genuine privacy protection

Advisory for TechCorp: Document the complaint pattern, maintain records of investigation outcomes, and file a petition to DPB seeking determination of frivolousness under §15(1)(a). The ₹10,000 penalty may seem small, but DPB's formal finding can support civil damages claims for harassment.

Scenario 2 The Impersonation for Insurance

Facts:

Anil has diabetes and heart disease, making health insurance expensive. His younger brother Sunil is healthy. Anil uses Sunil's Aadhaar and medical records to apply for health insurance with HealthGuard Insurance, providing Sunil's personal data as his own. The policy is issued at a lower premium.

Legal Analysis:

Violations:

  • §15(1)(b)(ii) — Impersonating another person while providing personal data to a Data Fiduciary for provision of service (insurance)
  • §15(1)(b)(ii) — Suppressing material information (own medical history)
  • §15(1)(b)(ii) — Furnishing false particulars (claiming to be Sunil)

Concurrent Liability:

  • Section 419 IPC — Cheating by personation (up to 3 years)
  • Section 420 IPC — Cheating with dishonest inducement (up to 7 years)
  • Section 45 Insurance Act — False statements to procure insurance
  • Policy voidability — Insurance contract void ab initio under Section 17 Indian Contract Act

Practical Impact: The ₹10,000 DPDPA penalty is the least of Anil's concerns. He faces criminal prosecution, policy cancellation, claim rejection, and potential civil suit for premium recovery.

Scenario 3 The Unverifiable Complaint

Facts:

Priya files a complaint with the DPB alleging that GlobalBank shared her financial data with third parties without consent. When the DPB requests supporting documentation (copies of consent forms, correspondence with the bank, evidence of unauthorized sharing), Priya fails to provide anything, stating she "just knows" her data was misused because she started receiving marketing calls.

Legal Analysis:

Potential Violation: §15(1)(c) — failure to furnish verifiable material information in DPB proceedings.

However, the analysis requires caution:

  • Priya's complaint may be genuine but poorly articulated
  • Marketing calls could indicate unauthorized sharing (correlation ≠ fabrication)
  • §15(1)(c) requires failure to furnish, implying available information not provided
  • If Priya genuinely has no documents, she hasn't necessarily violated the duty

DPB Approach: The Board should distinguish between:

  1. Good faith complainant with weak evidence: Dismiss for lack of proof, no §15 violation
  2. Complainant withholding available evidence: §15(1)(c) violation if deliberately uncooperative
  3. Fabricated complaint: §15(1)(c) violation for false complaint

Advisory: As Priya's lawyer, help her gather whatever circumstantial evidence exists—call logs, timing of data sharing with bank, any privacy policies she may have signed. Transform vague allegations into verifiable claims.

Global Comparison: India's Unique Approach

India's explicit codification of Data Principal duties is distinctive in the global data protection landscape. Most jurisdictions handle similar concerns through general fraud laws rather than data protection legislation.

Jurisdiction Data Subject Duties Approach
India (DPDPA) Explicit duties in §15 Integrated into data protection law with specific penalties
EU (GDPR) None specified General fraud/criminal laws apply; GDPR focuses on controller obligations
USA (CCPA/CPRA) None specified Consumer protection model; no reciprocal duties
Brazil (LGPD) None specified Rights-focused; duties addressed through civil code
China (PIPL) Partial — truthfulness requirements Some provisions on providing accurate information; State-centric

"With great rights come great responsibilities—the DPDPA recognizes that data protection is not a one-way street but a mutual commitment between all participants in the data economy."

— Policy rationale from DPDPA drafting discussions

Why Did India Take This Path?

Contextual Factors:

  • Scale of Identity Fraud: India's Aadhaar system processes billions of identity verifications; false particulars can cause systemic harm
  • Digital Public Infrastructure: UPI, DigiLocker, and other DPIs depend on accurate data; duties preserve system integrity
  • Litigation Culture: India faces significant frivolous litigation; explicit prohibition deters misuse of data protection rights
  • Balancing Act: Rights without duties could be exploited; duties without rights would be oppressive
  • Constitutional Symmetry: Part III (Rights) and Part IVA (Duties) of Constitution establish this pattern in Indian legal culture
Research Reference

Srikrishna Committee Report (2018)

Chapter 4, Para 4.69-4.73

The Justice B.N. Srikrishna Committee, which drafted the foundational data protection framework that evolved into DPDPA, specifically recommended imposing duties on data subjects:

"While the data subject has a panoply of rights, she also has certain responsibilities towards the data fiduciary and the data protection framework as a whole. These duties arise from the principle that a data subject should not abuse her rights..."

The Committee noted that frivolous complaints burden regulatory resources, impersonation undermines consent frameworks, and false information corrupts data ecosystems.

Interplay: Duties as Limitations on Rights

Section 15 duties interact with Data Principal rights in important ways. Understanding this interplay is essential for advising clients on both sides of data protection disputes.

When Duties Qualify Rights

Right to Access (§11)
Data Fiduciary may require identity verification. Data Principal must provide accurate identification—impersonation to access another's data violates §15(1)(b)(ii).
Right to Correction (§12)
Correction request must be truthful. Requesting "correction" to insert false information violates §15(1)(b)(ii) (furnishing false particulars).
Right to Erasure (§12)
Erasure requests made with intent to destroy evidence of Data Principal's own misconduct could be characterized as abuse of rights.
Right to Grievance Redressal (§13)
Grievances must be genuine, not false or frivolous. §15(1)(a) directly qualifies this right.
Right to Complain to DPB (§13)
Complaints must be truthful and supported by verifiable information. §15(1)(c) directly qualifies this right.

⚠️ Advisory Note: Right vs. Duty Conflicts

When advising Data Principals, emphasize that rights are not absolute. A client seeking to file a complaint should be counseled on the duty to provide verifiable information. A client seeking correction should ensure the "correct" information is actually accurate. Failing to advise on duties could expose clients to §15 penalties and undermine their primary claims.

Defense Strategies: Representing Data Principals

When a Data Principal faces allegations of §15 violations, several defense strategies may be available:

1. Good Faith Defense

Section 15 prohibitions imply a degree of intent or knowledge. A Data Principal who genuinely believed their complaint was valid or their information accurate may argue good faith.

Elements of Good Faith Defense:

  • Reasonable basis for the belief at the time of submission
  • Absence of intent to deceive or harass
  • Cooperation with subsequent investigation
  • Reasonable explanation for any errors or omissions

2. Materiality Challenge

For suppression violations under §15(1)(b), the information must be "material." Challenge whether the withheld information would have actually affected the decision.

Example Immaterial Omission

Vikram applies for a SIM card and doesn't mention he has another SIM from a different provider. The telecom company alleges §15(1)(b)(ii) violation for "suppressing material information."

Defense: Having another SIM is not material to the identity verification or service provision decision. The telecom didn't ask about existing connections, and this information wouldn't have changed their decision to issue the SIM. No materiality = no violation.

3. Procedural Defenses

Check for Procedural Compliance:

  • Was reasonable opportunity to be heard provided? (§15(2) mandatory)
  • Was the Data Principal informed of specific allegations?
  • Was adequate time given to respond and gather evidence?
  • Was the hearing conducted fairly by an impartial adjudicator?
  • Were reasons recorded for the penalty decision?

4. Proportionality Argument

Even if a violation is established, argue for minimal penalty within the ₹10,000 ceiling based on:

Key Takeaways

1

Reciprocal Obligations

DPDPA uniquely imposes duties on Data Principals—truthfulness, no frivolous complaints, no impersonation

2

Four Core Duties

No false grievances, accurate State document applications, honest service applications, truthful DPB proceedings

3

Modest Penalty

Maximum ₹10,000 reflects proportionality but concurrent criminal liability may apply

4

Natural Justice

DPB must provide reasonable opportunity to be heard before imposing any penalty

5

Global Uniqueness

India's approach of explicit data subject duties is distinctive; most jurisdictions rely on general laws