Introduction
The Data Protection Board (DPB) is mandated to be established under the Digital Personal Data Protection Act, 2023 (DPDPA). The Data Protection Board will adjudicate complaints, resolve disputes, issue binding directions, impose penalties, and promote accountability among Data Fiduciaries and Data Processors. The recently released draft DPDP Rules, 2025, further define the Board’s composition, responsibilities, and functioning.
Composition
The DPB is constituted by the Central Government to enforce the provisions of the DPDP Act effectively. The composition includes a chairperson and members who are selected through a Search-cum-Selection Committee.
The Central Government will establish a Search-cum-Selection Committee for appointing the Chairperson and Members of the Data Protection Board. For the Chairperson, the Committee will be chaired by the Cabinet Secretary and will include the Secretaries of the Department of Legal Affairs and the Ministry of Electronics and Information Technology, along with two experts with relevant expertise. For Members, the Secretary of the Ministry of Electronics and Information Technology will chair the Committee, and it will include the Secretary of the Department of Legal Affairs, in addition to two experts with relevant expertise. Based on the Committee’s recommendations, the Central Government will appoint the Chairperson and Members after assessing their suitability.
The DPB’s members must include individuals with expertise in specific fields such as data governance, law, technology, etc. The Board’s composition would thus ensure a balance of legal, technical and administrative knowledge essential for addressing complex data protection issues.
Powers and Functions of the DPB
Section 27 of the DPDPA outlines the powers and functions of the DPB in relation to personal data breaches and compliance measures.
The DPB is empowered to direct urgent remedial or mitigation measures upon receiving an intimation of a personal data breach under Section 8(6) of the DPDPA. It can also inquire into such breaches and impose penalties as stipulated in the Act. Additionally, the Board can act on complaints made by Data Principals regarding personal data breaches or breaches of obligations by Data Fiduciaries or Consent Managers, and impose penalties accordingly.
The Board is also authorized to issue directions necessary for the effective discharge of its functions, after giving the concerned person an opportunity to be heard and recording reasons in writing. These directions are binding on the person to whom they are issued. Furthermore, the Board has the authority to modify, suspend, withdraw, or cancel any direction issued by it, based on a representation made by an affected person or a reference from the Central Government. While doing so, the Board may impose conditions deemed fit, which will govern the effect of such modification, suspension, withdrawal, or cancellation.
This section ensures that the Board has comprehensive oversight and enforcement capabilities to address personal data breaches and ensure compliance with the provisions of the DPDP Act.
Functioning of the Board
Section 28 of the DPDPA outlines the procedural framework and operational guidelines for the Data Protection Board of India. This section emphasizes the DPB’s independence and its digital-first approach to handling complaints, inquiries, and decision-making processes. The DPB is mandated to function as an independent body.
The section stipulates that the DPB should, as far as practicable, operate as a digital office. This means that the receipt of complaints, allocation of cases, hearings, and pronouncements of decisions should be conducted digitally. This digital approach is designed to enhance efficiency, transparency, and accessibility, making it easier for individuals to engage with the DPB. The draft DPDP Rules also provide that the DPB can adopt techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual.
Upon receiving an intimation, complaint, reference, or directions, the DPB is required to take appropriate action in accordance with the Act and the rules established under it. The DPB must first determine whether there are sufficient grounds to proceed with an inquiry. If it finds insufficient grounds, it must record the reasons in writing and close the proceedings. Conversely, if sufficient grounds are found, the DPB will proceed with an inquiry to ascertain compliance with the Act.
The inquiry process must adhere to the principles of natural justice, ensuring fairness and transparency. The DPB is required to record the reasons for its actions throughout the inquiry. It is vested with powers similar to those of a civil court under the Code of Civil Procedure, 1908. These powers include summoning and enforcing the attendance of individuals, examining them on oath, receiving evidence on affidavit, and requiring the discovery and production of documents. The DPB can also inspect data, books, documents, registers, and other relevant materials.
The DPB is prohibited from preventing access to premises or taking custody of equipment in a manner that would adversely affect the day-to-day functioning of a person. It may, however, seek assistance from police officers or government officials to aid in its inquiries. Interim orders can be issued if deemed necessary during the inquiry, provided the concerned person is allowed to be heard.
Upon completing the inquiry, the DPB must either close the proceedings or take further action as specified in Section 33, based on the findings. Section 33 deals with penalties. If the DPB concludes that a breach of the Act or its rules is significant, it can impose monetary penalties after giving the person an opportunity to be heard. The amount of the penalty is determined based on factors such as the nature, gravity, and duration of the breach, the type of personal data affected, the mitigating measures adopted and whether the breach was repetitive. If a complaint is found to be false or frivolous at any stage, the DPB has the authority to issue a warning or impose costs on the complainant. This provision helps deter misuse of the complaint mechanism.
Procedures for Board Meetings and Authentication of Orders
Rule 18 of the draft Digital Personal Data Protection Rules, 2025, outlines the procedures for meetings of the DPB and the authentication of its orders, directions, and instruments.
The Chairperson will be responsible for fixing the date, time, and place of DPB meetings, approving the agenda items, and issuing notices under his or her signature or that of an authorized individual. Meetings are to be chaired by the Chairperson or, in his or her absence, by a Member chosen by those present.
A quorum for Board meetings is one-third of its membership. Decisions are made by a majority vote of the Members present and voting. In case of a tie, the Chairperson or the acting chair has a casting vote. Members with a conflict of interest in any business item must abstain from participation and voting on that item, with decisions made by the remaining Members.
In urgent situations requiring immediate action, the Chairperson will be authorized to take necessary actions, recording the reasons in writing, and must communicate these actions to all Members within seven days. These actions will be subject to ratification at the next Board meeting. Additionally, the Chairperson can direct that certain business items be decided by circulation among Members, requiring majority approval.
The Chairperson, any Member, or an authorized individual can authenticate the Board’s orders, directions, or instruments under their signature.
According to Section 23, no action or decision of the Board can be invalidated merely due to vacancies, defects in its constitution or appointments, or procedural irregularities that do not impact the merits of the matter.
It is important to note that the Board must complete inquiries within six months from the date of receipt of the intimation, complaint, reference, or direction. This period can be extended by up to three months at a time, with reasons recorded in writing.
Conclusion
The Data Protection Board represents a significant step forward in India’s journey toward safeguarding personal data. By enforcing compliance, resolving disputes, and promoting accountability, the DPB ensures that the digital ecosystem operates within a secure and privacy-respecting framework, benefiting both businesses and individuals alike.
If you’re an organization dealing with copious amounts of data, do visit www.tsaaro.com
News of the Week
1. Apple Reinforces Siri’s Privacy-Centric Design
Apple has reaffirmed its commitment to user privacy with Siri, highlighting the digital assistant’s focus on on-device processing, data minimisation, and secure cloud practices. This statement comes amidst increasing concerns about data handling by tech companies. In a detailed announcement, Apple clarified that Siri does not use user data for marketing profiles, advertising, or sales. The company assured users, stating, “We are continuously advancing technologies to enhance Siri’s privacy and will persist in doing so.”
2. Chinese Cyberattack Breaches US Treasury Systems
Chinese cyberspies targeted US Treasury systems, breaching unclassified data linked to foreign investments and sanctions. Hackers accessed systems, including the Committee on Foreign Investment (CFIUS) and the Office of Foreign Assets Control (OFAC), using a compromised API key for a BeyondTrust remote management service. BeyondTrust discovered a critical zero-day vulnerability (CVE-2024-12356) linked to the breach. The full impact remains under investigation, with the attack labelled a significant cybersecurity incident affecting multiple Treasury offices.
3. Microsoft’s Largest Security Update Since 2017 Addresses 161 Vulnerabilities
Microsoft started 2025 by releasing patches for 161 security flaws, including three actively exploited zero-day vulnerabilities and 11 rated Critical. The update also includes a fix for a Windows Secure Boot bypass (CVE-2024-7344) and covers seven vulnerabilities patched in the Edge browser since the December 2024 update. Notably, three Windows Hyper-V NT Kernel Integration VSP flaws (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) were addressed due to active exploitation. This marks the largest monthly CVE patch count since at least 2017.
https://thehackernews.com/2025/01/3-actively-exploited-zero-day-flaws.html
4. Zero-Day Vulnerability Exploited in Fortinet FortiGate Firewall Attacks
A suspected zero-day vulnerability has been linked to attacks on Fortinet FortiGate firewall devices with exposed management interfaces. Attackers have gained unauthorized administrative access, created new accounts, and performed SSL VPN authentication. Arctic Wolf researchers, monitoring since December 2024, identified threat actors targeting firmware versions 7.0.14 to 7.0.16, modifying configurations, and using DCSync to extract credentials. The campaign highlights significant risks for FortiGate devices accessible on the public Internet.
https://www.darkreading.com/threat-intelligence/zero-day-security-bug-fortinet-firewall-attacks
5. Codefinger Ransomware Targets AWS Users with SSE-C Encryption
A ransomware campaign targeting Amazon Web Services (AWS) users has been identified by Halcyon’s threat intelligence team. Conducted by the threat actor Codefinger, the attack exploits AWS’s server-side encryption with customer-provided keys (SSE-C) to encrypt data. Attackers demand payment for the symmetric AES-256 keys required for decryption. Researchers warn that by leveraging AWS’s encryption infrastructure, recovery is impossible without the attacker’s key, making this campaign especially dangerous for affected users.
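As an added illustration (not part of the original newsletter or of Halcyon’s report), the S3 bucket policy below is the bucket-level control that blocks the technique described above: it denies any PutObject request that supplies a customer-provided key, using the documented `s3:x-amz-server-side-encryption-customer-algorithm` condition key (a `Null` condition of `"false"` matches requests in which that header is present). The bucket name is a placeholder to be replaced with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCustomerProvidedKeyUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    }
  ]
}
```

Because CopyObject is authorized as a PutObject on the destination, the same statement also stops SSE-C being applied by copying an object over itself. The policy does not help once an attacker holds credentials permitted to rewrite the bucket policy, so it belongs alongside least-privilege access keys and S3 data-event logging rather than in place of them.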