The Chapter V is dedicated to Data protection board of India, from section 18-26 under the DPDP Act, 2023 and Rule 17 to 21 and 5th and 6th Schedule of DPDP Rules, 2025.
- Statutory basis- The Board is established by the Central Government under Section 18 of the Act. It is a "body corporate," meaning it can own property, sign contracts, and sue (or be sued) in its own name.
- Composition and appointment
The section 19 of DPDP Act, 2023
Members: The Board consists of a chairperson and other Members.
Qualification: They must be experts in fields like data governance, law, and digital economy. At least one member must be a legal expert.
Appointment Process: The Central Government appoints them based on recommendations from a "Search-cum-Selection Committee". This committee is led by the Cabinet Secretary (for the Chairperson) or the IT Secretary (for Members).
Term: They hold office for two years and can be re-appointed.
- Powers and function
The Section 27 & 28 of the DPDP Act,2023 and rule 20 of DPDP Rules, 2025, the Board is an independent body that functions mostly as a digital office. Its core jobs are:
- Directing Remedies: If a data breach happens, it can order the company to take urgent steps to fix it or reduce the harm.
- Inquiring into Breaches: It investigates complaints from Data Principals regarding privacy breaches.
- Consent Managers: It oversees Consent Managers and can investigate them if they break the rules.
- Civil Court Powers: For investigations, the Board has the power of a Civil Court. It can summon people, demand documents, and inspect data or books.
- Inquiry process
Legal concept under Section 28 of the DPDP Act, 2023 and Rule 19, DPDP rules, 2025
Start: The process starts when the Board receives a complaint, a government reference, or a breach report.
Screening: The Board decides if there are "sufficient grounds" (enough evidence) to proceed. If not, it closes the case.
Inquiry: If they proceed, they conduct an inquiry following the "principles of natural justice" (fairness).
Digital Proceedings: The Board uses "techno-legal measures" so people do not have to physically appear for hearings.
Timeline: The inquiry must be finished within 6 months. This can be extended by another 3 months if necessary.
Conclusion: After hearing the person concerned, the Board issues an order to either close the case or impose a penalty.
- Penalty powers
The Section 33 & Schedule of the DPDP Act, 2023, the Board lack the jurisdiction to impose a sentence of imprisonment. It can only impose money penalties.
Maximum Penalty: Up to 250 Crore Rupees for a data breach.
Other Penalties: Up to 200 Crore Rupees for failing to notify the Board about a breach.
Factors: When deciding the amount, the Board looks at how bad the breach was, if it was repetitive, and if the company gained money from it
- Appeal procedure
The Section 29 of the DPDP Act and Rule 22 of DPDP Rules, 2025.
- Where to Appeal: If you are unhappy with the Board's decision, you can appeal to the Appellate Tribunal (TDSAT).
- Time Limit: You must file the appeal within 60 days.
- Digital Filing: The appeal must be filed in a digital form.
- How
organisations will interact with the Board
Breach Reporting: Section 8(6) of the Act; Rule 7(2) of the Rules, the companies must report data breaches to the Board "without delay" and send a detailed report within 72 hours.
Voluntary Undertaking: Under section 32 of DPDP Act, 2023, If company make a mistake, they can offer a "voluntary undertaking" (a formal promise) to fix it. If the Board accepts this, they might stop further legal action against you.
Audits (SDFs): Rule 13(2) of the Rules, Significant Data Fiduciaries must submit audit reports to the Board.
- Scenarios where the Board can suspend/cancel registrations
Rule 4(5) of the DPDP Rules, 2025, the Board has the specific power to suspend or cancel the registration of a Consent Manager.
- Scenario: If a Consent Manager fails to meet the conditions of registration mentioned in the Rule 4 of DPDP, rules 2025.
Process:
- The Board informs the Consent Manager of the failure.
- It gives them a chance to be heard (explain themselves).
- If not satisfied, the Board can suspend or cancel the registration to protect the interests of the users.
Blocking Websites: For other companies (Data Fiduciaries), the Board cannot "cancel" them directly, but it can advise the Central Government to block public access to their website/app if they are penalized repeatedly.