Data Protection Board India: Enforcement and Adjudication
How India's Data Protection Board works — constitution, powers, complaint process, penalty assessment, appeals, and what to expect from enforcement once the Board is operational.
- The Data Protection Board is established under Chapter VI of the DPDP Act as the primary adjudicatory body.
- The Board hears complaints from Data Principals and can impose financial penalties up to ₹250 crore.
- Board proceedings are digital-first — the Act envisages a technology-driven adjudication process.
- Appeals from Board orders go to the High Court.
- The Board is not yet fully constituted as of April 2026 — its formation follows Rules finalisation.
Constitution and Structure of the Board
Chapter VI (Sections 18-27) of the DPDP Act establishes the Data Protection Board of India. The Board is constituted by the Central Government and consists of a Chairperson and such number of members as the Government determines. The Chairperson and members are appointed by the Central Government on the recommendation of a Selection Committee.
The Selection Committee for the Chairperson consists of: the Cabinet Secretary (Chair); the Secretary of the Ministry of Electronics and Information Technology; and one expert. This composition reflects the Board's government-adjacent character — unlike GDPR supervisory authorities, which are required to be fully independent, the DPDP Act's Board has closer government ties, which has been a subject of civil society critique.
Board members serve for 2-year terms (renewable) with a mandatory retirement age of 65 for the Chairperson and 60 for members. The Board operates under the Ministry of Electronics and Information Technology's administrative oversight for budgetary purposes, while being intended to function independently in its adjudicatory role.
Powers of the Data Protection Board
Section 28 grants the Board powers to conduct inquiries into alleged violations of the DPDP Act. The Board can: summon and examine witnesses; require production of documents; issue interim directions; and impose financial penalties on Data Fiduciaries found to be in violation. The Board also has the power to direct Data Fiduciaries to take remediation measures.
Section 26 grants the Board civil court powers for the purpose of conducting inquiries — it can enforce attendance, compel production of documents, and issue commissions for examination of witnesses. These powers make the Board a substantive adjudicatory body, not merely an administrative register.
The Board can also refer matters to law enforcement where criminal conduct is involved — though the DPDP Act itself is a civil statute. Where an incident also involves computer crimes under the IT Act 2000, the Board and law enforcement agencies may have overlapping jurisdiction.
How the Complaint Process Works
Section 25 establishes the complaint process. A Data Principal who is aggrieved by a violation of the Act must first raise a grievance with the Data Fiduciary under Section 13. Only after receiving an unsatisfactory response — or no response within the prescribed period — can the Data Principal file a complaint with the Board.
Board complaints must be filed through the Board's digital portal (to be established). The draft Rules indicate an online filing system where complainants describe the nature of the violation, the Data Fiduciary involved, and the outcome of their grievance with the Data Fiduciary. Complainants must provide supporting evidence — screenshots, email correspondence, records of their rights requests and the responses received.
The Central Government can also refer matters to the Board — for example, in response to systemic violations discovered through regulation, media reports, or security incident investigations. The Board's enforcement will therefore not be limited to individual Data Principal complaints but can be triggered by government-initiated investigations.
The Inquiry and Adjudication Process
When a complaint is received, the Board conducts a preliminary review. If the complaint is not frivolous or vexatious, the Board issues a notice to the Data Fiduciary, providing details of the alleged violation and an opportunity to respond. The Data Fiduciary must file a reply within the specified period.
If the matter is not resolved after the preliminary exchange, the Board schedules a hearing. Both parties — the Data Principal (complainant) and the Data Fiduciary (respondent) — have the opportunity to be heard and to present evidence. The Board can also call for additional information and conduct its own investigation.
The Act envisages a technology-driven, paperless adjudication process — hearings may be conducted digitally (video conferencing), submissions filed electronically, and decisions published on the Board's portal. This digital-first approach is designed to make the Board accessible from anywhere in India, consistent with the Act's objectives of providing accessible justice to Data Principals.
How Penalties Are Assessed
Section 33 requires the Board to consider specific factors before imposing a penalty. These factors include: (a) the nature, gravity, and duration of the violation; (b) the type and sensitivity of personal data involved; (c) the number of Data Principals affected; (d) whether the violation was repetitive; (e) whether it was intentional or negligent; (f) the gain to the Data Fiduciary or loss to Data Principals; (g) actions taken to mitigate harm; (h) timeliness of reporting; (i) cooperation with the Board; and (j) the financial capacity of the Data Fiduciary.
The Board must provide a penalty order with reasons — it cannot simply impose a penalty without explaining how the Section 33 factors were weighed. This provides a basis for challenge on appeal and creates precedent for future cases.
The Board may also impose a penalty less than the Schedule 1 maximum. In practice, first-time violations where the Data Fiduciary cooperated, promptly notified, and remediated are likely to result in penalties well below the maximum. Repeat violations, concealment, and lack of cooperation will attract higher penalties.
Appeals: Going to the High Court
Section 29 provides for appeals from Board orders to the High Court having jurisdiction. The appeal must be filed within 60 days of the Board's order. The High Court can stay the Board's order pending appeal if it is satisfied that a prima facie case for appeal exists and that the balance of convenience favours a stay.
The High Court reviews Board orders on both legal and factual grounds — it is not limited to reviewing errors of law only. This provides a broader scope of challenge than some specialist tribunal appeals, which may be restricted to questions of law.
Further appeals from the High Court can be taken to the Supreme Court under the Supreme Court's ordinary appellate and special leave jurisdiction. Given the novelty of DPDP Act enforcement, the Supreme Court is likely to hear significant cases in the Act's early years, creating important jurisprudence on interpretation and enforcement.
What to Expect When Enforcement Begins
Most data protection regulators begin enforcement cautiously: early cases focus on egregious violations (large-scale breaches with inadequate response, systematic violations of consent requirements) rather than technical procedural failures. Expect the Board to prioritise: data breaches from large platforms that failed to implement reasonable security; large-scale non-consensual processing; and violations of children's data protections.
Companies with documented compliance programmes — even if not perfectly complete — are in a much better position than companies with no programme at all. The Board's Section 33 factors explicitly reward cooperation, good-faith remediation, and voluntary disclosure. Your compliance evidence file is your primary defence.
The Board will also be building its own operational capacity — complaint management systems, investigation processes, hearing infrastructure. Expect a learning curve in early enforcement. The first significant penalties imposed will signal enforcement priorities and penalty calibration, creating important market guidance for all Data Fiduciaries.
Frequently Asked Questions
Can the Data Protection Board investigate violations proactively, without a complaint?
Can a company settle with the Data Principal before the Board issues a penalty order?
What is the Board's relationship with SEBI, RBI, and other sectoral regulators?
Will the Board publish its decisions?
If we operate in multiple states, which High Court has jurisdiction for appeals?