Government Starts Appointments Process and Prepares Digital Infrastructure for the Data Protection Board Under the DPDP Act

Background and policy context 

The government of India has begun preparatory work to establish the Data Protection Board of India; the enforcement body created under the Digital Personal Data Protection Act 2023. In an interview with PTI, IT Secretary S Krishnan confirmed that procedures for identifying and appointing members are being drafted and will be placed for approval. Alongside this, the government has completed development of the software needed to run a digital first office for the Board. These steps indicate that institutional capacity for enforcement is being built before the law is fully operational across the economy. 

The DPDP Act creates a rights-based framework for handling digital personal data in India. It applies to persons, companies, and government bodies that collect, store, or use personal data. These entities are called Data Fiduciaries and must follow clear duties related to lawful use, data security, and transparency. Individuals whose data is processed are called Data Principals. They have rights to know how their data is used and to seek correction or deletion where allowed. 

Role and powers of the Data Protection Board 

The Data Protection Board is designed as an independent body that will oversee compliance with the new data protection law. It will have the power to inquire into personal data breaches, issue directions for remedial or mitigation measures, and impose financial penalties where violations are found. The Board will also play a central role in enforcing the rights of Data Principals and ensuring that Data Fiduciaries remain accountable for how they handle personal data. 

Krishnan stated that work is ongoing to finalize the method for calling nominations and selecting suitable persons for these positions. While no exact date was given, he said the Board should become operational in the coming months. This suggests that once appointments are completed and approvals are obtained, the enforcement phase of the DPDP Act will begin. 

Appointment and selection framework 

Under the recently notified DPDP Rules, the central government has laid down a detailed process for selecting the leadership and members of the Board. A search and selection committee headed by the Cabinet Secretary and including the Law Secretary, the IT Secretary, and two domain experts will recommend names for the post of Chairperson. A separate committee, chaired by the IT Secretary and including the Law Secretary and two domain experts, will recommend candidates for other members. 

After reviewing the recommendations of these committees, the central government will make the final appointments. This two-tier structure is intended to ensure that the Board is led by individuals with appropriate expertise and independence, which is essential for credible enforcement of a law that affects both the state and powerful private companies. 

Digital infrastructure for enforcement 

The government has also developed the software needed for a digital first office of the Data Protection Board. This means that the Board will be able to receive complaints, breach notifications, and other filings through online systems from the very start. Such digital infrastructure is important because the law applies to a very large number of entities across sectors and will generate high volumes of regulatory information. 

A digital system can help the Board process cases more quickly, maintain records, and ensure consistency in decision making. It also supports transparency by allowing better tracking of proceedings and outcomes, which is important for building public trust in the new data protection regime. 

Industry consultations and compliance timelines 

Krishnan also addressed questions about whether large technology companies are ready to comply with the new law. He said the government is consulting industry stakeholders to understand their preparedness and to assess how quickly different obligations can be met. According to him, companies have not objected to any particular requirement but have been asked to specify when they will be ready to comply with various parts of the framework. 

The government’s stated aim is to avoid disruption to the digital ecosystem while still ensuring that strong data protection standards are implemented. This reflects the complexity of applying a new legal regime to platforms that operate at scale and across multiple layers of digital services. 

Penalties and enforcement framework 

The DPDP Act includes strong financial penalties to ensure compliance. The highest penalty, up to Rs 250 crore, applies to failure by a Data Fiduciary to put in place reasonable security safeguards to protect personal data. Failure to notify the Board or affected individuals of a personal data breach can result in penalties of up to Rs 200 crore. Violations relating to children’s data also attract penalties up to the same amount. 

Other breaches of the Act or the Rules can lead to penalties of up to Rs 50 crore. These penalties are designed to create a strong incentive for companies and other entities to invest in proper data protection systems and to take their legal duties seriously. 

 What comes next 

With the legal framework and rules now in place, the focus has shifted to building the institutions and systems needed for real world enforcement. Once the Data Protection Board is appointed and begins functioning, it will start shaping how the DPDP Act works in practice. Its decisions will influence how organisations design their data systems and how individuals exercise their rights. 

The coming months will therefore be critical for India’s data protection regime. The success of the DPDP Act will depend not only on the text of the law, but also on how effectively the Board is staffed, supported by technology, and allowed to function independently. 

Source: https://economictimes.indiatimes.com/tech/technology/groundwork-started-for-data-protection-board-online-office-software-ready-it-secretary-krishnan/articleshow/126215026.cms?from=mdr  

1. Vietnam’s New Personal Data Protection Law Comes Into Force in 2026 

Image Source: Gemini 

Vietnam has adopted its first comprehensive Personal Data Protection Law, marking a major shift in how personal data will be regulated in the country. The law was issued on 26 June 2025 and will come into effect on 1 January 2026. It replaces a fragmented set of privacy rules and upgrades the earlier 2023 Personal Data Protection Decree into a full statutory framework. The law signals Vietnam’s intention to treat personal data as a key economic resource while also strengthening individual privacy rights. 

The new PDPL has a wide scope. It applies not only to Vietnamese organisations and individuals, but also to foreign entities that process personal data linked to Vietnam. This includes companies operating in the country and those abroad that process data of Vietnamese citizens or residents. This extraterritorial reach is similar to the approach taken under the EU General Data Protection Regulation. 

The PDPL introduces a revised set of data protection principles. These include lawfulness, purpose limitation, accuracy and storage limitation, security, violation prevention, and balancing national interests with individual rights. Compared to earlier rules, the law places greater emphasis on preventing violations and ensuring that data protection does not conflict with broader national objectives. 

Consent remains an important legal basis for processing data, but the PDPL also introduces a limited form of legitimate interest. This allows certain processing without consent, such as for fraud prevention or internal investigations, subject to safeguards. Data subjects are granted strong rights, including access, correction, erasure, restriction, and objection, although data portability is not included. 

The law keeps strict breach notification duties. Controllers must report violations to the Ministry of Public Security within 72 hours. Banks and financial institutions must also notify affected individuals of any breach. Cross-border data transfers are tightly regulated and require impact assessments to be submitted to the authorities. 

While the PDPL sets out broad enforcement principles, detailed penalties will be fixed through a separate sanction decree. Fines can reach up to 5 percent of annual revenue for serious cross-border data violations. With key decrees expected by the end of 2025, companies have a limited window to prepare for compliance. 

Source: https://iapp.org/news/a/vietnams-pdpl-in-focus-what-to-know-and-watch-for 

2. U.S. Imposes Visa Bans on European Figures in Content Regulation Dispute 

The United States government has denied visas and imposed travel sanctions on five European individuals involved in digital content regulation, including former European Commission tech regulator Thierry Breton. The U.S. State Department, citing concerns over alleged censorship of American viewpoints by foreign actors, said the measures target those it believes pressured U.S.-based platforms to suppress speech that conflicts with certain perspectives. U.S. officials characterised the actions as a defence of free speech and an assertion of national interests in the face of what they describe as extraterritorial influence on digital discourse.  

Accusations of Censorship and Free Speech Concerns 

The visa restrictions form part of a new policy aimed at restricting entry to individuals deemed responsible for censoring protected speech on social media. Among the five targeted are Breton, who led development of the European Union’s Digital Services Act, and activist leaders from organisations focused on combating online hate and disinformation. U.S. Secretary of State Marco Rubio asserted that these figures and their affiliated groups engaged in efforts that could suppress American viewpoints and harm U.S. companies operating in the digital space.  

Strong European Backlash and Sovereignty Dispute 

European institutions and member states condemned Washington’s decision, arguing it undermines European regulatory autonomy and free expression. The European Commission described the measures as unjustified and said it has sought clarification from U.S. authorities, warning of possible responses to defend its sovereign right to set digital policy. French President Emmanuel Macron and officials from Germany and other EU countries criticised the U.S. action as coercive interference in Europe’s democratically adopted digital rules, especially the Digital Services Act, which aims to ensure platform accountability.  

Broader Transatlantic Impact 

The dispute reflects deepening transatlantic tensions over digital regulation, content moderation, and national sovereignty in the digital arena. It adds to ongoing disagreements between the United States and the European Union over how online speech should be governed, the reach of domestic digital laws, and the protection of free speech versus harmful content. European leaders have emphasised their commitment to maintaining robust digital regulation while defending democratic values and regulatory independence in the face of external pressure. 

Source: https://www.reuters.com/world/europe/france-condemns-us-visa-ban-imposed-ex-eu-commissioner-breton-2025-12-24  

3. U.S. Federal AI Policy Push and State Reaction 

 The United States federal government issued a major executive order on December 11, 2025 aimed at shaping national artificial intelligence policy and limiting conflicting state regulation. Titled “Ensuring a National Policy Framework for Artificial Intelligence,” the order directs federal agencies to promote a uniform national approach to AI governance in order to reduce regulatory fragmentation and compliance burdens on industry. A central feature of the order is the creation of an AI Litigation Task Force within the Department of Justice to identify and legally challenge state AI laws that federal officials determine conflict with the national policy framework. The order also instructs the Secretary of Commerce to assess existing state AI laws, flag those deemed “onerous” or inconsistent with federal policy, and potentially advise referral of these laws to the task force for legal challenge.  

The executive order does not itself repeal or invalidate state laws, but it signals a shift toward federal coordination and legal action against regulations that diverge from a centrally defined standard for AI governance. Its implementation and the ensuing state responses could shape the future regulatory landscape for artificial intelligence across the United States. 

Source: https://www.presidency.ucsb.edu/documents/white-house-fact-sheet-president-donald-j-trump-ensures-national-policy-framework-for