The Data Protection Board of India: Powers, Responsibilities, and Role in India’s Privacy Framework

Research Team (Tsaaro)

The Indian Privacy Adjudication Report

Introduction 

The Data Protection Board (DPB) is mandated to be established under the Digital Personal Data Protection Act, 2023 (DPDPA). The Data Protection Board will adjudicate complaints, resolve disputes, issue binding directions, impose penalties, and promote accountability among Data Fiduciaries and Data Processors. The recently released DPDP Rules, 2025 further define the Board’s composition, responsibilities, and functioning.

Composition 

The DPB is constituted by the Central Government to enforce the provisions of the DPDP Act effectively. The composition includes a chairperson and members who are selected through a Search-cum-Selection Committee.  

The Central Government will establish a Search-cum-Selection Committee for appointing the Chairperson and Members of the Data Protection Board. For the Chairperson, the Committee will be chaired by the Cabinet Secretary and will include the Secretaries of the Department of Legal Affairs and the Ministry of Electronics and Information Technology, along with two experts with relevant expertise. For Members, the Secretary of the Ministry of Electronics and Information Technology will chair the Committee, and it will include the Secretary of the Department of Legal Affairs, in addition to two experts with relevant expertise. Based on the Committee’s recommendations, the Central Government will appoint the Chairperson and Members after assessing their suitability. 

The DPB’s members must include individuals with expertise in specific fields such as data governance, law, technology, etc. The Board’s composition would thus ensure a balance of legal, technical and administrative knowledge essential for addressing complex data protection issues. 

Powers and Functions of the DPB  

Section 27 of the DPDPA outlines the powers and functions of the DPB in relation to personal data breaches and compliance measures.

The Board can enquire into breaches and impose penalties as stipulated in the Act. Additionally, the Board can act on complaints made by Data Principals regarding personal data breaches or breaches of obligations by Data Fiduciaries or Consent Managers and impose penalties accordingly. 

The Board is also authorized to issue directions necessary for the effective discharge of its functions, after giving the concerned person an opportunity to be heard and recording reasons in writing. These directions are binding on the person to whom they are issued. Furthermore, the Board has the authority to modify, suspend, withdraw, or cancel any direction issued by it, based on a representation made by an affected person or a reference from the Central Government. While doing so, the Board may impose conditions deemed fit, which will govern the effect of such modification, suspension, withdrawal, or cancellation. 

This section ensures that the Board has comprehensive oversight and enforcement capabilities to address personal data breaches and ensure compliance with the provisions of the DPDP Act. 

Functioning of the Board 

Section 28 of the DPDPA outlines the procedural framework and operational guidelines for the Data Protection Board of India. This section emphasizes the DPB’s independence and its digital-first approach to handling complaints, inquiries, and decision-making processes. The DPB is mandated to function as an independent body.

The section stipulates that the DPB should, as far as practicable, operate as a digital office. This means that the receipt of complaints, allocation of cases, hearings, and pronouncements of decisions should be conducted digitally. This digital approach is designed to enhance efficiency, transparency, and accessibility, making it easier for individuals to engage with the DPB.  

The DPDP Rules allow the Data Protection Board (DPB) to conduct its proceedings using techno-legal systems, ensuring that individuals ordinarily do not need to be physically present. Hearings may be conducted through audio-visual or electronic communication, and physical presence is required only if the Board believes it is necessary for a fair and proper inquiry. 

Upon receiving an intimation, complaint, reference, or direction, the DPB must evaluate whether there are sufficient grounds to proceed. If no grounds exist, it must record its reasons in writing and close the matter. If grounds are sufficient, the Board will initiate an inquiry to determine compliance with the Act. 

All inquiries must follow principles of natural justice, ensuring fairness and transparency. Throughout the process, the DPB must record the reasons for its actions. It is vested with powers similar to those of a civil court under the Code of Civil Procedure, 1908, including summoning individuals, examining them on oath, receiving evidence on affidavit, and requiring the production of documents. The Board may also inspect data, records, books, and other relevant materials.

After completing the inquiry, the DPB may close the proceedings or take further action under Section 33, including imposing financial penalties. Penalties are determined based on factors such as the nature and gravity of the breach, duration, type of data affected, mitigation efforts, and whether the violation is repetitive. If a complaint is found to be false or frivolous, the Board may issue a warning or impose costs on the complainant to discourage misuse of the process. 

Procedures for Board Meetings and Authentication of Orders

Rule 19 of the DPDP Rules sets out how the Data Protection Board (DPB) will conduct its meetings and authenticate its official decisions. 

Scheduling and Conduct of Meetings: The Chairperson is responsible for fixing the date, time, and place of each Board meeting, approving the agenda, and issuing the meeting notice under her signature or through an authorised person. Meetings are chaired by the Chairperson, and in her absence, by a Member selected by those present. 

Quorum and Decision-Making: A minimum of one-third of the Board’s Members is required for quorum. Decisions are taken by majority vote of the Members present. If there is a tie, the Chairperson or the Member presiding in her absence has a casting vote. Any Member who has an interest in a business item must recuse herself from discussion and voting, and the remaining Members will decide the matter. 

Urgent Decisions and Circulation Process: If an urgent situation arises where immediate action is required and a meeting cannot be convened, the Chairperson may take necessary action while recording the reasons in writing. These actions must be communicated to all Members within seven days and placed before the Board for ratification at the next meeting.
The Chairperson may also direct that certain matters be decided through circulation among Members, which will be valid if approved by a majority. 

Authentication of Board Decisions: Orders, directions, and instruments of the Board may be authenticated under the signature of the Chairperson, any Member, or a person authorised through a written general or special order. 

Time Limit for Completion of Inquiries: The Board must complete its inquiries within six months from the date it receives an intimation, complaint, reference, or direction under Section 27. This period may be extended by up to three months at a time, provided reasons are recorded in writing. 

Appeals to the Appellate Tribunal: Individuals or organizations aggrieved by an order or direction of the Board have a clear recourse mechanism. Rule 22(1) provides that “Any person aggrieved by an order or direction of the Board, may prefer an appeal before the Appellate Tribunal, it shall be filed in digital form as the Appellate Tribunal may decide”.  

Rule 22(2) specifies that appeals must be accompanied by a fee equivalent to that applicable under the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), unless the Chairperson of the Appellate Tribunal reduces or waives it at her discretion. This fee “shall be payable digitally using the Unified Payments Interface (UPI) or such other payment system authorised by the Reserve Bank of India”.   

The Appellate Tribunal’s procedures are defined in Rule 22(3). Under Rule 22(3)(a), the Tribunal “shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the provisions of the Act, may regulate its own procedure.” Like the Board itself, Rule 22(3)(b) mandates that the Tribunal “shall function as a digital office” and may “adopt techno-legal measures to conduct proceedings in a manner that does not require physical presence of any individual,” while retaining the power to summon and examine individuals on oath. 

Government’s Power to Call for Information 

The Central Government retains oversight authority through Rule 23, which allows it to require Data Fiduciaries or intermediaries to furnish information. Under Rule 23(1), “The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, within the specified period”.  

Where national security is at stake, Rule 23(2) provides that “Where the disclosure of furnishing of information as referred to in sub-rule (1) is likely to prejudicially affect the sovereignty and integrity of India or security of the State, the Central Government may require the Data Fiduciary or intermediary to not disclose such furnishing to affected Data Principal or any other person except with the previous permission, in writing, of the authorised person.” For the purposes of this rule, Rule 23(3) clarifies that the expression “intermediary” has the same meaning as in the Information Technology Act, 2000 (21 of 2000). 

Conclusion 

The Data Protection Board represents a significant step forward in India’s journey toward safeguarding personal data. By enforcing compliance, resolving disputes, and promoting accountability, the DPB ensures that the digital ecosystem operates within a secure and privacy-respecting framework, benefiting both businesses and individuals alike.

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
