Data Protection Board’s Relationship with Judiciary under the DPDP Act, 2023: Appeals, Judicial Review, and Constitutional Implications

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes the Data Protection Board of India (DPB) as a specialised adjudicatory authority for privacy compliance. Its orders, ranging from penalties of up to ₹250 crore to corrective directions such as erasure or cessation of processing, are binding. However, given India’s constitutional framework, DPB decisions are subject to judicial review by the High Courts and the Supreme Court.
Introduction: Why Judicial Oversight Matters
Data protection laws empower regulators to impose heavy obligations on businesses. Without adequate checks, this power risks overreach. In India’s constitutional architecture, the judiciary functions as the ultimate guardian of fundamental rights. Even as the DPB wields enforcement power, courts remain central in resolving disputes and ensuring fairness.
Statutory Framework for Appeals
The DPDP Act provides that:
- Orders of the DPB may be appealed to the High Court within the prescribed period.
- High Courts may confirm, modify, or set aside Board orders.
- Judicial remedies under Articles 32 and 226 of the Constitution remain available.
Thus, the DPB functions as the first line of adjudication, but its authority is subject to constitutional courts’ supervision.
Nature of the Data Protection Board
Quasi-Judicial Character
- The DPB hears complaints, conducts inquiries, and issues binding orders.
- It applies the principles of natural justice: notice, hearing, and reasoned decisions.
- Its role is closer to a tribunal than a regulator.
Executive Appointment Concerns
- Members and Chairperson are appointed by the Central Government.
- Critics argue this may compromise independence, especially where State exemptions are involved.
Scope of Judicial Review
High Courts
- Review Board orders for errors of law, procedural irregularities, or proportionality of penalties.
- Can examine whether fiduciaries received due process.
Supreme Court
- As final interpreter of fundamental rights, may assess whether DPB orders infringe Article 21 privacy protections.
- May harmonise conflicts between DPDP and other sectoral or constitutional provisions.
Constitutional Implications
- Article 21 and Privacy: Since privacy is a fundamental right, DPB decisions are reviewable for reasonableness and proportionality.
- Articles 32 and 226: Provide constitutional remedies even beyond statutory appeal and ensure individuals may directly approach High Courts or the Supreme Court for urgent relief.
Separation of Powers
- By vesting adjudication in an executive-appointed body, the DPDP Act blurs boundaries.
- Judicial review functions as the balancing safeguard.
Global Comparisons
GDPR (EU)
- National Data Protection Authorities (DPAs) issue binding orders.
- Appeals lie to administrative or constitutional courts.
- CJEU has ultimate oversight.
United States (FTC Model)
- The FTC enforces consumer privacy, but federal courts provide a judicial check.
United Kingdom (ICO and Tribunal)
- ICO orders are appealable to the First-Tier Tribunal, then to higher courts.
India (DPB + High Courts)
- DPB as primary adjudicator, with High Courts providing constitutional and appellate oversight.
- India’s model places greater weight on constitutional courts than on intermediate tribunals.
Corporate Implications
For businesses facing DPB enforcement:
- High penalties and corrective orders are likely.
- Courts provide the only avenue to challenge disproportionate sanctions.
- Litigation strategy must balance regulatory compliance with judicial relief.
Illustrative Case Scenarios
- Case 1: Banking Penalty: A bank is fined ₹200 crore for a breach due to inadequate safeguards. The bank challenges the order in the High Court, arguing proportionality and an unavoidable cyber-attack. The court reduces the penalty, citing mitigating factors.
- Case 2: Social Media Profiling: A platform is ordered to stop behavioural profiling of minors. The company argues a lack of clear statutory standards. The High Court examines whether the Board acted beyond its mandate.
- Case 3: Fintech Breach Notification: A fintech is penalised for delayed breach reporting. It appeals, claiming ambiguity in notification timelines. The court sets a precedent clarifying “prompt” notification.
Risks and Challenges
- Judicial Delays: High Court backlog may dilute the intent of speedy resolution.
- Consistency: Different High Courts may issue divergent rulings on similar DPB matters.
- Executive Dominance: Lack of statutory independence for DPB raises constitutional concerns.
- Corporate Uncertainty: Fiduciaries may face years of litigation before final clarity.
Compliance and Litigation Strategies
- Robust Documentation: Maintain detailed logs of compliance to defend against DPB orders.
- Early Legal Review: Engage counsel at investigation stage, not just appeal stage.
- Proportionality Arguments: Challenge penalties as disproportionate to harm caused.
- Constitutional Remedies: Where fundamental rights are at stake, approach courts directly under Articles 32/226.
- Sectoral Coordination: Prepare for litigation involving both DPB and sectoral regulators (RBI, SEBI, TRAI).
Conclusion & Key Takeaways
The Data Protection Board of India is a powerful adjudicatory authority, but in India’s constitutional scheme, its decisions cannot be final. Judicial review by High Courts and the Supreme Court provides essential checks against overreach and ensures alignment with fundamental rights under Article 21.
Key takeaways:
- DPB functions as a quasi-judicial tribunal, but executive appointment raises independence concerns.
- Appeals lie to High Courts; constitutional remedies remain available.
- Judicial review ensures proportionality, fairness, and adherence to natural justice.
- Corporates must prepare for dual compliance and potential litigation as DPDP jurisprudence evolves.
Ultimately, the DPB–Judiciary relationship will determine whether India’s privacy law regime inspires trust and predictability for individuals and businesses alike.
Co-authored by: Aurelia Menezes