Decrypting India’s Data Protection Regime: The Data Protection Board of India
Insight Article, 21 November 2025
Asia Pacific
Tech & AI evolution
The Digital Personal Data Protection Rules and the Digital Personal Data Protection Act, 2023 (together, the “DPDP framework”) mark the dawn of a new era in India’s privacy regime, transforming a patchwork of sectoral and Information Technology Act, 2000 based obligations into a unified framework with clear standards, timelines and enforcement mechanisms for all digital personal data.
The DPDP framework does not arrive as a single, clean break with the past; rather, it is being phased into force through a series of notifications.
- With effect from 13 November 2025, the Central Government has first brought into force the institutional core, viz., the constitution of the Data Protection Board of India (“Board”) as well as the definitions and rule-making powers.
- One year from 13 November 2025 (i.e., 13 November 2026), a second layer will be activated, most notably the framework for registration and oversight of Consent Managers, the intermediaries through whom users will actually give, track and withdraw consent.
- Only after eighteen months i.e., 13 May 2027, will the substantive provisions governing notice, consent, “legitimate uses”, data principal rights, fiduciary obligations and the key penalty clauses come into force, marking the point at which the regime really starts to operate for most actors.
This article is the first in a series examining India’s new digital privacy regime, and it focuses on the institution at its centre viz., the Board. It has been established under the DPDP Act as an adjudicatory body. For entities collecting and processing data, the constitution of the Board is the moment when the DPDP framework stops being an abstract compliance risk and becomes a concrete enforcement reality.
Once the Board is set up and functional, Data Fiduciaries (an entity which determines the purpose and means of processing of personal data) will be answerable to a Board which can receive complaints, call for information and records, conduct inquiries into breaches, issue binding directions (including remedial and mitigatory measures) and impose significant monetary penalties.
The Board is presently notified to be a four-member body, comprising a Chairperson and Members. While the Board has been formally established and its composition (in terms of size and broad location) notified, the actual appointments are yet to be made. Appointments will follow recommendations from search-cum-selection committees chaired respectively by the Cabinet Secretary (for the Chairperson) and the Secretary, Ministry of Electronics and Information Technology (for the other Members).
At its core, the Board’s mandate has two principal dimensions.
- First, it must act on personal data breaches: whenever it receives an intimation of a breach from a Data Fiduciary, it is required to consider urgent remedial or mitigation measures, inquire into the breach and, where appropriate, impose penalties.
- Second, it must adjudicate complaints from Data Principals: if an individual alleges a personal data breach or a failure by a Data Fiduciary to comply with its obligations or honour her statutory rights (access, correction, erasure, grievance redressal, nomination), the Board must inquire into that breach and decide on penalties. The same duty applies where the complaint concerns a Consent Manager, or where the Central or State Government or a court makes a reference, including in relation to intermediaries.
The Board has been vested with the power to issue binding directions to secure compliance, exercise civil-court-like powers (including issuing summons, taking evidence and conducting inspections) to ascertain facts, refer parties to mediation as a softer alternative and impose monetary penalties in cases of non-compliance.
The Board does not appear to be empowered to specifically award damages; rather, it will be dealing with regulatory complaints, breach cases and systemic non-compliance under the DPDP Act. In practice, the matters before it are likely to fall into the following broad categories:
- Cases arising from cyber incidents (notifications of personal data breaches);
- Complaints by Data Principals (failures to provide access, correction or erasure, mishandling of grievances, misuse of consent or non-compliance with protections for children and persons with disabilities);
- Cases involving Consent Managers (failure to accurately reflect or transmit consent/withdrawal, or non-compliance with registration conditions);
- Cases arising from government or court references concerning large scale or repeated breaches, leading to structural directions and higher penalties;
- Proceedings involving intermediaries and other actors who disregard directions issued under the Act; and
- A small subset of cases where penalties may be imposed on Data Principals themselves, for example for frivolous or false complaints or impersonation.
Crucially, under the DPDP Act the Board can only impose monetary penalties on the offender, and those penalties are payable to the State. There does not appear to be any provision empowering the Board to award compensation or damages. In the same vein, the Act also repeals section 43A of the Information Technology Act 2000, which earlier provided a specific statutory compensation mechanism for failure to protect “sensitive personal data”, so that route disappears.
In conspectus, the Board is the spinal cord of the DPDP framework. It is responsible for enforcing the statutory obligations in cases of breaches, rights violations and systemic non-compliance. It is empowered to commence inquiries, issue directions and impose significant monetary penalties.
Authored by CSL Chambers, New Delhi: Sumeet Lall (Partner - Sumeet.Lall@cslchambers.com), Nikhil Lal (Legal Director – nikhil.lal@cslchambers.com), Ankita Chopra (Associate – ankita.chopra@cslchambers.com) – The contents of this document are for informational purposes only and should not be treated as a legal opinion. Should you have any queries relating to the content of this insight piece or require further information, please don’t hesitate to contact us.