DPDP Act 2023

Section 15

Duties of Data Principals

THE STATUTE

Original Text

(1) A Data Principal shall have the following duties when exercising her rights under the provisions of this Act, namely — (a) not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; (b) not to impersonate another person while providing her personal data for any specified purpose; (c) not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address; (d) not to furnish any false particulars or suppress any material information or impersonate another person in any of the proceedings before the Board under this Act. (2) A Data Principal who does not comply with this section shall be liable for a penalty as determined by the Board in its proceedings, not exceeding ten thousand rupees.

Simplified

Section 15 is one of the DPDP Act's most distinctive provisions globally: it imposes duties on Data Principals, not just rights. Most data protection frameworks — GDPR, UK GDPR, Australia's Privacy Act — are entirely oriented toward data subject rights and data controller obligations. The DPDP Act's framing of Data Principals as rights-holders who also bear responsibilities reflects a broader Indian constitutional philosophy: the Supreme Court in Puttaswamy itself emphasised that the right to privacy comes with 'a corresponding responsibility'. Four duties are specified: (a) not to make false or frivolous complaints — a provision designed to prevent abuse of the grievance system by flooding Data Fiduciaries and the Board with bad-faith complaints; (b) not to impersonate another when providing personal data — this targets identity fraud at the point of data collection, not just the use of data; (c) not to suppress material information when providing data for identity documents or proofs — critically important for KYC-dependent services like banking, insurance, and financial products; (d) not to furnish false information or impersonate in Board proceedings — protecting the integrity of the regulatory process. The penalty for breach is modest — up to Rs 10,000 — the lowest penalty in the Act's penalty schedule. This reflects that the primary purpose is deterrence and balance (countering the narrative that the Act is entirely Data Principal-friendly) rather than aggressive enforcement against individuals. The DPDP Act's symmetry — rights for Data Principals, obligations for Data Fiduciaries, duties for Data Principals — is politically significant: it helped secure passage of the Act by addressing industry concerns about abuse of the rights framework.

Common Queries

Yes, but only for specific misconduct: providing false information, impersonating others, suppressing material information, or making frivolous complaints. The maximum penalty is ₹10,000 — far lower than penalties on Data Fiduciaries.

The DPDP Act does not define 'frivolous'. This will be developed through Board decisions and Rules. Generally, a complaint made without any factual basis, for harassment purposes, or that is clearly without merit would be frivolous. Genuine disputes where the Data Principal is wrong on the merits are not frivolous.

If the wrong address was material to a document, unique identifier, or proof of address — for example, in a KYC submission for a bank account — this could violate Section 15(1)(c), exposing the Data Principal to a ₹10,000 penalty.

No. Section 15 duties apply to Data Principals who are misusing the rights system — they do not give Data Fiduciaries a defence against legitimate correction or erasure requests. A Data Fiduciary cannot cite Section 15 to refuse a genuine rights request.

Legal Context

Data Principal duties have no direct GDPR equivalent. The concept emerged from Indian legislative discussions that emphasised the social contract in data sharing: if individuals are given strong rights over their data, they should also be responsible for the accuracy of data they provide and the good-faith use of the rights system. The provision reflects India's constitutional tradition of coupling fundamental rights with duties under Part IV-A (Fundamental Duties).

Key Rules & Provisions

Unique global provision — Data Principals have statutory duties alongside rights.

Penalty is minimal (₹10,000) — reflects deterrence purpose, not punitive intent.

Frivolous complaint prohibition balances the grievance mechanism against system abuse.

Identity accuracy obligations reinforce KYC frameworks in regulated sectors.

Related Case Laws

State of Rajasthan v. Union of India (1977)

(1977) 3 SCC 592

RELEVANCE

The Supreme Court's observation that rights and duties are two sides of the same coin — that the exercise of rights carries corresponding responsibilities — underpins Section 15's imposition of duties on Data Principals. The DPDP Act is unusual globally in codifying this balance explicitly.

Privacy Protocol Info

OffenceProviding false or misleading information, suppressing material information, or impersonating another when registering or exercising DPDP rights

PunishmentPenalty up to ₹10,000

Triable ByData Protection Board of India

Cross-References

11 : Right to Access Information 12 : Right to Correction and Erasure 13 : Right to Grievance Redressal 33 : Penalties