The Union Budget for FY 2025 has made a significant allocation for the establishment and functioning of the Data Protection Board of India (DPBI), underscoring the government’s commitment to ensuring a robust data protection framework. The Ministry of Electronics and Information Technology (MeitY) has been allocated ₹2 crores to cover the establishment and salary expenses of the DPBI for FY25. Out of this ₹2 crores, ₹4 lakhs are designated for capital expenditure, including fixed assets such as the digital portal, while ₹1.96 crores are allocated for revenue expenditure, which covers salaries and other operational expenses. This financial support is aimed at enabling the DPBI to fulfil its mandate under the Digital Personal Data Protection Act, 2023, and to position itself as a key player in safeguarding personal data in India.
Data Protection Board of India, as per the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act), represents a landmark step in establishing a comprehensive data privacy framework in India. A central feature of this Act is the creation of the Data Protection Board of India (DPBI), which serves as the regulatory and adjudicatory body overseeing compliance with the Act. The DPBI shall function as a digital office as far as possible. The DPBI is designed to address the misuse and exploitation of digital personal data by various entities, ranging from small to large technology companies.
Composition and Qualification
Under Section 18 of the DPDP Act, the Indian government is authorized to establish the DPBI, which will function as a corporate body. This provision ensures that the Board has a structured and formalized existence, capable of performing its regulatory functions with authority and legitimacy. Section 19 of the Act outlines the composition and qualifications required for the DPBI. The appointment of the Chairperson is at the discretion of the Central Government, ensuring that a suitable and qualified individual leads the Board. Furthermore, the Board must include members with diverse qualifications, including at least one member with legal expertise in relevant matters. This diversity is intended to provide a well-rounded perspective on issues related to data protection and privacy.
It is important to note that more details regarding the DPBI will be clarified once the much-anticipated rules are released.
Remuneration and Term
Section 20 of the DPDP Act specifies that the Board members will have a term of two years, with the possibility of reappointment. This relatively short term allows for regular infusion of fresh perspectives and expertise while maintaining continuity through potential reappointments. The Act also outlines grounds for removing a Board member, such as insolvency, conflict of interest, or other disqualifications. These provisions ensure that the Board operates with integrity and accountability, minimizing the risk of conflicts that could undermine its effectiveness.
Powers and Functions
Sections 26 and 27 of the DPDP Act detail the DPBI’s powers and functions. These sections delineate the responsibilities and authority vested in the Chairperson and the Board as a whole.
– Decision-Making Authority: The Chairperson has the authority to make decisions on matters within the Board’s purview. This centralization of decision-making power ensures that the Board operates efficiently and decisively.
– Investigation and Enforcement: The Chairperson can assign any Board member to investigate complaints received by the Board. This delegation of investigative responsibilities enables the Board to handle multiple complaints concurrently, ensuring timely resolution. The Board has the authority to monitor compliance with data protection laws, investigate data breaches, and impose penalties for breaches. If the DPBI finds a concerned entity in breach of the Act, it can address imminent mitigation of issues and impose penalties as per the Act’s provisions.
– Complaint Resolution: The DPBI is empowered to hear complaints from data principals (individuals whose data is being processed) and direct data fiduciaries (entities processing the data) to comply with legal requirements. If a breach is identified, the Board can issue penalties to enforce compliance. The Board also has the authority to direct consent managers and intermediaries to adhere to data protection norms, ensuring comprehensive oversight across the data processing ecosystem.
– Natural Justice and Civil Court Powers: The DPBI is required to conduct inquiries in accordance with the principles of natural justice, ensuring fairness and transparency in its proceedings. It is also granted powers similar to those of a Civil Court under the Code of Civil Procedure (CPC), 1908, including issuing summons, examining people under oath, receiving affidavits, mandating the production of documents, and inspecting data, documents, and registers. These judicial powers equip the Board to effectively enforce compliance and adjudicate disputes.
Procedure
Section 28 of the DPDP Act outlines the procedures to be followed by the DPBI, emphasizing a digital-first approach. The Act mandates that the DPBI function as a digital office as far as possible, streamlining operations and reducing administrative overhead. This digital approach spans all stages, from receiving complaints and conducting hearings to pronouncing rulings, leveraging technology to enhance efficiency and accessibility.
– Complaint Handling: Upon receiving correspondence or complaints regarding a breach of the law, the DPBI is required to act in accordance with Section 27. The Board must determine whether the situation merits further inquiry and provide written reasons for its decisions. This transparency ensures accountability and builds trust in the Board’s processes.
– Inquiry Process: If the DPBI decides that a case merits further inquiry, it must conduct the inquiry in light of natural justice principles. The Board is empowered to issue interim orders if necessary, ensuring timely intervention to prevent further harm. These interim orders can only be issued after allowing the concerned party to be heard, upholding the principles of fairness and due process.
– Final Decision: Upon completion of the inquiry, the DPBI must decide whether to proceed per Section 33 or close the proceedings based on its findings. If the allegation is found to be frivolous or malicious, the Board can issue costs to the complainant, deterring misuse of the complaint mechanism.
Conclusion
India is now just a few steps away from having a comprehensive data privacy and protection legislative framework in place. The Digital Personal Data Protection Act, 2023, and the establishment of the Data Protection Board of India represent crucial steps towards a comprehensive data privacy framework in India. With the significant financial allocation from the Union Budget, the DPBI is poised to effectively oversee and enforce data protection norms, balancing the rights of individuals with the need for data-driven innovation. This initiative not only centralizes administrative and monitoring tasks but also alleviates the burden on the judiciary, paving the way for a robust data privacy landscape in the country.
The DPBI has the potential to significantly shape and enhance the data privacy landscape in India. For its effective functioning, it is crucial that the DPBI’s operations align with global best practices, striking a balance between protecting the rights of individual citizens and facilitating data-driven innovation. The establishment of the DPBI is a promising start, and its success will depend on its ability to adapt and respond to the evolving data protection challenges in the digital age.
The budgetary allocation for the DPBI is a welcome move, and it also signals that the rules allied to the DPDP Act will be coming out soon.
| S. No. | Country | Name of the Authority | Allotted Budget |
| --- | --- | --- | --- |
| 1 | UK | The Information Commissioner’s Office (ICO) | £85.3m. This includes: DP fee income £67.2m; Grant-in-Aid (GiA) £7.6m; Other Government Funding £0.6m; Fine Retention Income £2.8m; Regulatory Pioneers funding of £0.1m. |
| 2 | Spain | Agencia Española de Protección de Datos (AEPD) | Approx £19m |
| 3 | Ireland | The Data Protection Commissioner (DPC) | £26.2m |
| 4 | Croatia | The Croatian Data Protection Agency | £1.85m |
| 5 | Sweden | The Swedish Authority for Privacy Protection (IMY) | Approx £15m |
| 6 | France | Commission Nationale Informatique & Libertés (CNIL) | Approx £24m |
| 7 | Austria | Datenschutzbehörde (DSB) | £4.7m |
| 8 | Luxembourg | The National Commission for Data Protection (CNPD) | £8.2m |
| 9 | Poland | The Polish Data Protection Authority (UODO) | Approx £9.71m |
| 10 | Italy | The Garante | Approx £47m |

Budget Allocation to Different Data Protection Authorities Across the World