PART VI: INSTITUTIONAL FRAMEWORK
The DPDPA sets up a new institutional mechanism: the Data Protection Board of India ("DPBI"). The Board is designed as a digital-first, adjudicatory body that enforces the Act, resolves disputes, and ensures that both individuals (Data Principals) and entities (Data Fiduciaries) operate within the framework of lawful data use.
DPBI (Sections 18-28, 32-33)
The DPBI is a statutory body corporate established by the Central Government. It has perpetual succession and can sue or be sued in its own name. The government will also notify the Board's headquarters.
Composition and Appointment
The Board consists of a Chairperson and other members, all appointed by the Central Government. Appointees must bring expertise in data governance, ICT, law, or regulation, and at least one member must be a legal expert. Members serve a two-year term with the possibility of reappointment. Safeguards are built in: members can be disqualified for insolvency, criminal conviction, conflicts of interest, or misuse of position, and they must observe a cooling-off period of one year before working with entities they presided over.
Functions and Powers
The DPBI is designed to act as a digital-first adjudicatory body. Its functions include:
- Responding to personal data breaches, ordering urgent remedial measures, and conducting inquiries.
- Hearing complaints from Data Principals and examining violations by Data Fiduciaries, Processors, or Consent Managers.
- Overseeing Consent Manager registration and investigating non-compliance.
- Issuing binding directions and, where necessary, modifying or withdrawing them.
- Imposing penalties up to ₹250 crore, depending on the nature of the violation.
- Exercising civil court powers, such as summoning witnesses, demanding documents, and recording evidence.
The Board also has flexibility: it may accept voluntary undertakings from parties to settle issues and can recommend that the government block access to platforms or services that repeatedly breach the law.
Appellate Tribunal (Sections 29-30, read with TRAI Act, 1997)
Any person aggrieved by an order of the DPBI may appeal to the Telecom Disputes Settlement and Appellate Tribunal ("TDSAT" or "Tribunal"). Appeals must be filed within 60 days, although delays may be condoned for sufficient cause.
The Tribunal can confirm, modify, or set aside the DPBI's order and is expected to dispose of cases within six months. Like the Board, TDSAT is envisioned as a digital office. Its orders carry the same force as civil court decrees. Orders of TDSAT are not the final word. They can be further appealed before the Supreme Court of India under the TRAI Act, 1997, ensuring judicial oversight over the data protection regime. Further, as per Section 39, civil courts have no jurisdiction over matters entrusted to the DPBI or TDSAT. This ensures that disputes relating to personal data protection remain within the specialised adjudicatory structure created by the Act, avoiding parallel litigation.
Alternative Dispute Resolution (ADR) (Sections 31-32)
The Act encourages less adversarial methods of resolution. The DPBI can direct parties to attempt mediation, and entities may also submit voluntary undertakings committing to corrective measures. Once such an undertaking is accepted, further proceedings on the same issue are barred — unless the undertaking is breached.
Regulatory Authorities – GDPR v. DPDP
The EU's General Data Protection Regulation (GDPR) follows a different model. Instead of a central board like India's DPBI, the EU system relies on independent Supervisory Authorities (SAs) in each Member State. These regulators oversee compliance, investigate complaints, and impose fines. To ensure coordination, they are linked through the European Data Protection Board ("EDPB"), which issues guidelines and resolves disputes across the Union. This design is unsurprising: unlike the DPDPA, the GDPR cuts across national borders, and vesting absolute executive authority in a centralised entity would amount to Member States giving up some sovereign powers. Essentially, the GDPR and the DPDPA differ on a few important counts:
- Centralised vs. Decentralised: India has one adjudicatory board (DPBI), while the EU has 27+ national regulators coordinated by the EDPB.
- Digital-first vs. traditional: DPBI is built as a digital-first body for online filings and hearings, whereas EU regulators still rely heavily on physical investigations and local offices.
- Appeals: In India, appeals flow through TDSAT to the Supreme Court. In the EU, appeals against SA decisions go through national courts, which may refer questions to the CJEU.
- Blocking powers: India explicitly allows blocking of repeat-offender platforms on DPBI's recommendation (Section 37), a power that EU regulators do not directly hold (though fines and restrictions can be equally severe).
