Rule 22: Power to Call for Information from Data Fiduciaries or Intermediaries
Rule 22 equips the Data Protection Board of India with the authority to demand information from organizations involved in data processing. This rule is crucial because the Board cannot effectively enforce the law without access to detailed records, evidence, and clarifications from Data Fiduciaries and intermediaries.
What the Rule Provides
- The Board may call for any information it considers necessary from a Data Fiduciary (the entity that decides how data is processed) or an intermediary (such as an internet service provider, platform, or hosting provider) to carry out its functions under the Act.
- The request for information must be complied with in the form and within the time specified by the Board.
- Failure to provide accurate or timely information can itself be treated as a violation, exposing the organization to penalties.
- The details of the authorized persons who can call for such information, and the purposes for which it may be sought, are set out in Schedule VII of the Rules.
Failure to comply with the Board’s information requests — whether by delay, omission, or inaccuracy — may itself amount to a legal violation carrying penalties.
Why This Is Important
Without the ability to demand information, the Board’s powers would be limited. Investigating a breach, verifying compliance, or resolving a grievance requires access to technical and organizational records.
Rule 22 ensures that the Board can look “under the hood” of any organization when needed.
Example Scenarios
- A stock broking firm reports a suspected breach but provides only vague details. The Board can formally demand system logs, encryption policies, and records of breach detection under Rule 22.
- A telecom company accused of illegally sharing call data with advertisers can be ordered to provide agreements, logs, and data transfer records.
- A social media platform may be required to disclose how its consent management system functions if users complain that consent withdrawals are being ignored.
Rule 22 reinforces the Board’s role as a proactive regulator. It ensures that organizations cannot withhold information or provide incomplete responses during inquiries.
By mandating cooperation, it strengthens accountability and makes enforcement of the DPDPA more effective.