The Data Protection Board of India under the DPDP Act, 2023: Structure, Composition, and Adjudicatory Process

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes the Data Protection Board of India (DPB) as the central adjudicatory authority for privacy law enforcement. The Board is empowered to investigate breaches, adjudicate complaints, impose penalties, and enforce compliance orders.
The DPB is not a policy-making regulator but a quasi-judicial body, designed to provide speedy, independent, and specialised adjudication of data protection disputes. Its structure, composition, and process will directly shape how India’s privacy law is implemented.
Introduction: Why a Dedicated Data Protection Board?
Traditional regulatory authorities in India (such as SEBI, RBI, and TRAI) combine policy, regulatory, and adjudicatory roles. In contrast, the DPB is envisioned as a specialised adjudicatory authority focused only on enforcement. This design reflects the government’s intent to:
- Provide fast-track adjudication for privacy breaches.
- Separate policy-making (retained by the Central Government) from adjudication.
- Build a sector-agnostic forum for privacy disputes.
Statutory Basis
The DPDP Act mandates the establishment of the Data Protection Board of India by notification of the Central Government. Its functions include:
- Determining non-compliance with the Act.
- Imposing monetary penalties.
- Issuing corrective orders (e.g., erasure, cessation of processing).
- Overseeing grievance escalations from Data Principals.
The Board’s powers are civil in nature, focusing on compliance rather than criminal enforcement.
Structure and Composition
Chairperson and Members
- The Board consists of a Chairperson and Members, appointed by the Central Government.
- The exact number of Members may vary based on workload and specialisation needs.
Qualifications
- Persons with expertise in law, data protection, IT, cybersecurity, or public administration are eligible.
- This ensures a multi-disciplinary adjudicatory body.
Tenure and Removal
- Members serve for a fixed term (to be prescribed).
- Removal grounds include misconduct, incapacity, or conflict of interest.
Independence and Accountability
- Though appointed by the Government, the Board functions independently in adjudicatory matters.
- Decisions are subject to judicial review by High Courts/Supreme Court.
Powers and Functions
The DPB’s core functions include:
1. Grievance Escalation Handling: hearing grievances escalated by Data Principals when fiduciaries fail to resolve them.
2. Breach Adjudication: inquiries into security lapses, consent violations, and retention failures.
3. Penalty Imposition: up to ₹250 crore per breach.
4. Corrective Directions: orders to erase data, halt processing, or upgrade safeguards.
5. Oversight of Significant Data Fiduciaries: monitoring DPOs, DPIAs, and audits.
6. Public Trust Building: publishing orders to demonstrate accountability.
Adjudicatory Process: Step-by-Step Workflow
To provide clarity for businesses, the DPB’s adjudication can be visualised as a workflow:
Step 1: Complaint or Trigger
- A Data Principal files a complaint after fiduciary grievance mechanisms fail.
- Alternatively, the Board initiates suo motu inquiry (e.g., after media reports of a breach).
Step 2: Preliminary Scrutiny
- The Board examines whether the complaint falls within its jurisdiction.
- Frivolous or malicious complaints may be dismissed.
Step 3: Notice to Fiduciary
- The fiduciary receives a formal notice setting out the allegations.
- It is required to submit a written response within the prescribed time.
Step 4: Inquiry and Investigation
- The Board may call for documents, audit reports, and system logs.
- Hearings may be held where fiduciaries, complainants, and experts are heard.
Step 5: Determination of Non-Compliance
- The Board decides whether a breach occurred and assesses its gravity.
Step 6: Penalty or Corrective Order
- Monetary fines are imposed based on statutory factors.
- Corrective actions (e.g., erasure, halting transfers) may also be ordered.
Step 7: Publication of Order
- Orders are published to ensure transparency.
Step 8: Appeal
- The fiduciary may appeal to higher judicial forums.
Illustrative Case Examples
Case 1: Social Media Consent Violation: A teenager withdraws consent, but the platform continues targeted advertising. After failed grievance resolution, the DPB orders cessation of processing, imposes a ₹100 crore penalty, and requires future DPIAs for ad algorithms.
Case 2: Healthcare Breach: A ransomware attack exposes patient records at a hospital chain. The DPB imposes a ₹150 crore penalty for inadequate safeguards and delayed breach notification, and directs the hospital to implement upgraded security.
Case 3: Banking Retention Failure: A digital bank retains KYC data beyond statutory limits. The DPB orders deletion of excess data and imposes a ₹40 crore penalty.
Sectoral Implications
Banking and Fintech
- Frequent DPB scrutiny is likely, given the sensitivity of financial data.
- Must align RBI compliance with DPDP requirements.
Healthcare and Health-Tech
- High penalties for mishandling health records.
- Hospitals must upgrade cybersecurity and redressal systems.
E-Commerce and Retail
- Consent withdrawal and grievance mishandling are key risks.
- DPB may impose systemic improvement orders.
Social Media and Online Platforms
- Largest exposure due to children’s data restrictions and profiling concerns.
- May face recurring DPB orders on advertising practices.
IT/ITES Outsourcing
- Fiduciaries processing foreign data must still demonstrate DPDP compliance for their Indian operations.
Global Comparisons
GDPR (EU) Supervisory Authorities
- Independent national bodies with investigative and fining powers.
- Can impose turnover-based penalties up to 4% of global revenue.
LGPD (Brazil) ANPD
- National authority combines regulatory and adjudicatory roles.
- Fines capped at ~€9 million.
PDPA (Singapore) PDPC
- Strong powers to investigate and issue compliance directions.
- Penalties up to 10% of annual turnover in Singapore.
CCPA (California) CPPA
- Independent enforcement agency with investigatory powers.
- Lower per-violation fines but high litigation exposure.
India’s DPB is unique as a pure adjudicatory body, separating policymaking from enforcement.
Risks and Challenges
- Backlogs: High complaint volumes may strain resources.
- Consistency: Ensuring uniform decisions across industries.
- Jurisdictional Conflicts: Overlap with RBI, SEBI, TRAI, and sectoral regulators.
- Appeals: Frequent judicial challenges may delay enforcement.
- Capacity: Need for trained experts in law and technology.
Compliance Strategies for Fiduciaries
- Strong Grievance Mechanisms: Resolve disputes internally to avoid DPB escalation.
- Documentation and Logs: Maintain detailed audit trails for all compliance actions.
- Incident Response Teams: Establish rapid response protocols for breaches.
- Legal Readiness: Engage privacy counsel to prepare for DPB inquiries.
- Engagement and Cooperation: Demonstrate good faith by cooperating fully during investigations.
Conclusion & Key Takeaways
The Data Protection Board of India is the backbone of the DPDP Act’s enforcement framework. Its structure, independence, and adjudicatory processes will define the law’s success.
Key takeaways:
- DPB is a specialised adjudicatory authority, not a policymaker.
- Powers include inquiries, penalties (up to ₹250 crore), and corrective directions.
- Adjudication follows a structured workflow: complaint → inquiry → order → appeal.
- Sectoral exposure varies, with social media, banking, and healthcare at greatest risk.
- Fiduciaries should prioritise grievance resolution, documentation, and preparedness to reduce DPB exposure.
The DPB will become one of India’s most consequential regulators, shaping trust and accountability in the country’s digital economy.
Co-authored by: Aurelia Menezes