Enforcement & Penalties

The Data Protection Board of India: Complaints, Inquiries, Appeals

The Data Protection Board of India is the regulator created by the DPDP Act 2023. It functions as a digital office, hears complaints, conducts inquiries, accepts voluntary undertakings, and imposes penalties. Appeals against Board orders go to the TDSAT. This chapter explains how complaints, inquiries, and appeals work.

~16 min read. Last updated: June 2026

The Data Protection Board of India

Sections 18–26 of the DPDP Act 2023; Rules 17–20 of the DPDP Rules 2025

The DPDP Act establishes a new regulator, the Data Protection Board of India, as an independent, digital-first body that hears complaints, conducts inquiries, and imposes penalties for violations of the Act.

The Data Protection Board of India is established by the Central Government under Section 18. It is a body corporate, meaning it has its own legal identity, can sue and be sued, and operates independently. The Board's headquarters are located at a place notified by the Central Government.

The Board consists of a Chairperson and such number of other Members as the Central Government notifies. Section 19 requires that Members have specialised expertise in data governance, law, information technology, or the digital economy. At least one Member must be an expert in law. The selection process for the Chairperson involves a Search-cum-Selection Committee chaired by the Cabinet Secretary, as specified in Rule 17.

Members are appointed for a 2-year term and are eligible for reappointment. Under Rule 18, the Chairperson receives a salary of ₹4.5 lakh per month and Members receive ₹4 lakh per month. No provision is made for house or car allowances. Members are deemed public servants under Section 25, which means they are subject to anti-corruption laws and official conduct standards.

Section 21 provides safeguards against arbitrary removal. A Member can be disqualified if they are insolvent, convicted of an offence, incapable of performing duties, have a financial interest that conflicts with their role, or have abused their position. However, no Member can be removed without being given a hearing, a basic procedural protection.

Section 22 imposes a 1-year cooling-off period after a Member's term ends, during which they cannot accept employment with any Data Fiduciary. This prevents the revolving-door problem where regulators move directly into roles with the entities they were overseeing.

The Board is designed to function as a digital office. Section 23 provides that proceedings are conducted digitally. One-third of Members constitute a quorum, decisions are taken by majority vote, and the Chairperson has a casting vote in the event of a tie. Rules 19 and 20 further specify that inquiries must be completed within 6 months, extendable by 3 months, and that the Board must adopt digital office functioning throughout its operations.

Key Points

  • The Board is an independent body corporate established by the Central Government, headquartered at a notified location.
  • Chairperson + Members appointed for 2-year terms; at least one Member must be a law expert.
  • Chairperson salary: ₹4.5 lakh/month; Members: ₹4 lakh/month. No house or car allowances.
  • Members are deemed public servants and cannot be removed without a hearing.
  • 1-year cooling-off period after leaving the Board: no employment with Data Fiduciaries.
  • Digital-first operations: proceedings conducted online, inquiries completed within 6 months, extendable by 3 months.

How Complaints and Inquiries Work

Sections 27–28 of the DPDP Act 2023; Rules 19–20 of the DPDP Rules 2025

The Board receives complaints from individuals, breach notifications from Data Fiduciaries, and references from the Central Government. It follows digital, natural-justice-based procedures, but cannot seize equipment or block access to business premises.

Section 27 defines four pathways through which the Board takes action. First, when a Data Fiduciary notifies the Board of a personal data breach, the Board can direct urgent remedial measures, conduct an inquiry, and impose penalties. Second, when a Data Principal files a complaint about a violation of their rights, the Board can inquire and penalise. Third, when a complaint is filed regarding a Consent Manager, the Board can inquire and penalise. Fourth, when the Central Government makes a reference to the Board, the Board can inquire and penalise.

After any inquiry, the Board may issue binding directions under Section 27(2), but only after giving the party a hearing. This ensures that no penalty or direction is imposed without the affected party having an opportunity to present their case.

Section 28 sets out the Board's procedural framework. The Board first determines whether there are sufficient grounds to proceed with a complaint or breach notification. If no sufficient grounds exist, the Board closes the matter. If grounds exist, the Board proceeds with an inquiry following the principles of natural justice, which means fair hearing, no bias, and reasoned decisions.

The Board has civil court powers for the purposes of its inquiries. It can summon and examine persons, require the production of documents, and receive evidence. However, Section 28 includes an important limitation: the Board shall not prevent access to any Data Fiduciary's premises or seize any equipment in a manner that would affect the Data Fiduciary's operations. This reflects a deliberate legislative choice to avoid the disruptive raid-and-seize approach seen in some other regulatory regimes.

The Board may pass interim orders during the course of an inquiry, for example directing a Data Fiduciary to take immediate steps to contain a breach while the full inquiry continues.

False or frivolous complaints carry consequences. Section 28 empowers the Board to warn a complainant or impose costs if it finds that a complaint was false or frivolous. This discourages misuse of the complaint mechanism.

Key Points

  • Four triggers for Board action: breach notifications, Data Principal complaints, Consent Manager complaints, and Central Government references.
  • The Board can direct urgent remedies for breaches and issue binding directions after a hearing.
  • Inquiry follows natural justice: fair hearing, no bias, reasoned decisions.
  • Board has civil court powers (summoning, documents, evidence) but cannot seize equipment or block premises access.
  • Interim orders are available during ongoing inquiries.
  • False or frivolous complaints can result in warnings or cost orders against the complainant.

How to Appeal a Board Decision

Sections 29–31 of the DPDP Act 2023; Rule 22 of the DPDP Rules 2025

Review runs through three tiers: the Board decides at first instance, its decision can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and TDSAT's decision can be appealed to the Supreme Court. Separately, the Board can direct parties to mediation.

Section 29 provides the right of appeal. Any person aggrieved by a decision or direction of the Data Protection Board may appeal to the Appellate Tribunal, which is the Telecom Disputes Settlement and Appellate Tribunal (TDSAT): a body established under the TRAI Act 1997 that has been given jurisdiction over DPDP matters.

The appeal must be filed within 60 days of the Board's decision. The Tribunal may extend this deadline if it is satisfied that there was sufficient cause for the delay. Once an appeal is filed, the Tribunal has the power to confirm, modify, or set aside the Board's decision. The Tribunal must dispose of the appeal within 6 months.

Rule 22 specifies that appeals are filed digitally. The filing fee is determined per the TRAI Act and may be waived by the Tribunal. Payment is accepted via UPI. The Tribunal is guided by the principles of natural justice, meaning the same fairness standards that apply at the Board level also apply on appeal.

From the Tribunal's decision, a further appeal lies to the Supreme Court of India. This creates a three-tier structure: Board (first instance) → TDSAT (first appeal) → Supreme Court (final appeal).

Section 30 provides that any order of the Tribunal is executable as if it were a decree of a civil court. This means that if a party refuses to comply with a Tribunal order, enforcement mechanisms available for civil court decrees, including attachment and execution proceedings, can be used.

Section 31 introduces an alternative to the adversarial process: the Board may direct parties to attempt mediation at any stage of proceedings. This allows disputes to be resolved through negotiation rather than formal adjudication, potentially saving time and cost for all parties.

Key Points

  • Appeals from the Board go to TDSAT, filed within 60 days (extendable for sufficient cause).
  • TDSAT can confirm, modify, or set aside the Board's decision. It must dispose of appeals within 6 months.
  • Appeals filed digitally; fees payable via UPI and may be waived.
  • Further appeal from TDSAT to the Supreme Court creates a three-tier review structure.
  • Tribunal orders are enforceable as civil court decrees.
  • The Board may direct parties to mediation at any stage as an alternative to formal proceedings.

Voluntary Undertakings (Compliance Agreements)

Section 32 of the DPDP Act 2023

At any stage of proceedings, a Data Fiduciary can offer the Board a voluntary undertaking: a binding promise to take specific actions. If the Board accepts it, the proceedings stop. But if the undertaking is breached, it is treated as a breach of the Act itself.

Section 32 creates a mechanism for resolving enforcement matters without a full adjudication. At any stage of proceedings before the Board, the person against whom proceedings have been initiated may offer a voluntary undertaking. This is, in practical terms, a compliance agreement: a formal promise to the Board that the party will take (or refrain from) specific actions.

The undertaking can include commitments to take particular corrective actions, to refrain from certain conduct, or to publicise the undertaking itself. The Board has discretion to accept or reject the undertaking. It is not obligated to accept one.

Acceptance of the undertaking by the Board has a powerful consequence: further proceedings on the matter are barred. The case is effectively closed, and the Board cannot continue to pursue penalties for the same conduct. This gives Data Fiduciaries an incentive to offer meaningful corrective commitments early in the process, as it provides certainty and avoids the risk of penalty proceedings.

However, breaching an accepted voluntary undertaking carries serious consequences. A breach of the undertaking is deemed to be a breach of the Act itself. This means the Board can initiate fresh proceedings, and the penalty for the breach is the penalty that would have applied to the original violation. The undertaking mechanism is therefore not a way to escape liability: it is a way to resolve it through action rather than payment, with a penalty backstop if the commitment is not honoured.

Key Points

  • A voluntary undertaking can be offered at any stage of Board proceedings.
  • It can include commitments to take corrective action, refrain from conduct, or publicise the undertaking.
  • If the Board accepts it, further proceedings on the matter are barred.
  • Breaching an accepted undertaking is treated as a breach of the Act: the original penalty becomes applicable.
  • The Board has discretion to accept or reject any undertaking offered.

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.