The Data Protection Board under the Digital Personal Data Protection Act, 2023

Comprehensive guide to India's Data Protection Board - powers, functions, structure and operations

Introduction

The digital landscape of India is set for a significant transformation with the enforcement of the Digital Personal Data Protection Act, 2023 ("DPDP Act"). At the core of the legislation stands the Data Protection Board of India ("Board"), a powerful regulatory body poised to reshape how business organisations handle the personal data of Data Principals, both within India and across borders.

As the enforcement of this legislation draws nearer, it is pertinent to understand the shape, structure and powers of this regulatory body.

What is the Data Protection Board of India?

Section 18 of the DPDP Act provides for the establishment of the Board by the Central Government. It is tasked with overseeing compliance with India's data protection regulations. Far from being a mere advisory body, the Board operates with the powers of a civil court as stipulated under Section 28(7), giving it significant authority to investigate breaches, adjudicate disputes, and impose substantial penalties.

This independent regulatory body represents the enforcement arm of the DPDP Act, with jurisdiction to impose penalties of up to ₹250 Crore per violation. The scale of these potential penalties underscores the importance of the Board in the data protection ecosystem of India.

Key Powers and Functions of the Board

Section 27 of the DPDP Act has equipped the Board with extensive powers and functions which extend beyond simple oversight. These include:

1. Management of Data Breach Incidents

The Board is empowered to take immediate action whenever it is notified of a personal data breach. For instance, it can issue orders requiring specific measures to be taken to minimise the damage arising from the breach incident, it has the authority to investigate the breach, and it is empowered to impose penalties for violations of the provisions of the legislation.

As per the Draft DPDP Rules, businesses are required to:

  • Notify the Board of the data breach within 72 hours of discovering a breach incident
  • Provide comprehensive information about the nature, extent, and timing of the breach
  • Submit an impact assessment outlining potential risks to affected individuals
  • Detail remedial actions taken to contain the breach and prevent recurrence
  • Share investigation findings regarding root causes and vulnerabilities

The Board has the power to extend this 72-hour notification window where it receives a written request from the Data Fiduciary.

2. Addressing Complaints from the Data Principals

The Board is empowered to take action on a Data Principal's complaint pertaining to violations of his or her rights guaranteed by the legislation. The Board can also investigate organisations that fail to meet their obligations as stipulated in the legislation.

3. Overseeing the Functioning of the Consent Managers

The Data Protection Board is empowered to investigate complaints filed against Consent Managers and can take action against them where they fail to fulfil their obligations under the legislation.

4. Acting on Government References

The Board has the authority to investigate matters referred to it by the Central and State Governments. It can also take action based on the directions of a court. Furthermore, it can specifically conduct an investigation into intermediaries, such as social media platforms, as and when required by the Government.

5. Issuing Directions

The Data Protection Board is empowered to issue binding directions to any person after that person has been given an opportunity of being heard. These directions must be recorded with reasons and must be complied with by the persons to whom they are issued.

6. Modifications and Withdrawals of Directions

The Data Protection Board is empowered to modify, suspend, withdraw or cancel any of its directions. It may do so on the basis of representations made by the affected persons or on the basis of a reference from the Central Government.

7. Remedial Measures

The remedial measures laid down under the legislation reflect the flexible enforcement approach that the Board is empowered to adopt when granting remedies to an aggrieved party. These include:

Interim Orders

The Board can issue temporary directives during investigations to prevent ongoing harm.

Mediation

Disputes may be referred to mediation for amicable resolution.

Voluntary Undertakings

Businesses can proactively commit to specific corrective actions to address compliance issues before they escalate.

Structure and Operations of the Board

a) Appointment and Composition

The Board will consist of a Chairperson and multiple Members, all appointed by the Central Government. These members will:

  • Serve a two-year term and be eligible for reappointment
  • Be appointed on the basis of their expertise in specialised fields including data governance, administration or implementation of laws related to social or economic consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation
  • Function independently to ensure impartial decision-making

b) Digital-First Approach

A distinctive feature of the Board is its functioning as a digital office. The Draft DPDP Rules indicate that the Board will adopt "techno-legal measures" to ensure digital operations, including:

  • Online complaint filing mechanisms
  • Virtual hearings and evidence submission
  • Digital documentation management
  • Reduced need for physical appearances

This digital approach aligns with modern governance principles and aims to streamline regulatory processes, potentially leading to faster complaint resolution and more efficient interactions between the Board and regulated entities.

c) Appeal Mechanism

The legislative framework establishes a three-tier appeal process against the decisions of the Board:

1. First Appeal

Challenges against the orders of the Board can be brought before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The period of limitation for filing such an appeal is sixty (60) days from the date of receipt of the order or direction of the Board against which the appeal is sought.

2. Final Appeal

Appeals against the decision of the TDSAT shall lie before the Supreme Court of India as per Section 18 of the Telecom Regulatory Authority of India Act, 1997. Such an appeal has to be filed within ninety (90) days from the date of the decision or order of the TDSAT.

3. Self-Correction

The Board retains the authority to modify, suspend, or withdraw its own directives if circumstances warrant.

This structured appeal system gives businesses opportunities to seek review of the Board's decisions while ensuring that fundamental data protection principles are upheld.

Our Opinion

The Data Protection Board of India represents the enforcement backbone of India's new data protection regime. With its extensive powers, digital operations, and significant authority to impose penalties, the Board will undoubtedly reshape how businesses approach data protection compliance in India.

While the Board has not yet been officially established, its imminent formation signals the beginning of a new era in Indian data privacy regulation. Businesses that prepare now, by updating their data practices, strengthening consent mechanisms, and establishing robust compliance programs, will be better positioned to navigate this evolving regulatory landscape.

At this juncture, organizations should stay informed about developments and adapt their compliance strategies accordingly. In this new privacy landscape, proactive engagement with regulatory requirements will be key to avoiding penalties and building trust with customers and regulatory authorities alike.

Get Started with Data>Nuance

Reach out to Data>Nuance to ensure compliance with the provisions of the DPDPA, so that your practices meet legal standards while safeguarding your business from regulatory penalties. Let's make compliance effortless—before regulators make it expensive!