Data Protection Board — Definition & Legal Meaning in India

Also known as: DPBI · Data Protection Board · DPB India · Board under DPDP Act

Legal Glossary Cyber Law Data Protection Board DPBI DPDP Act 2023
Statute: Digital Personal Data Protection Act, 2023, Section 18
New Law: ,
Landmark Case: K.S. Puttaswamy v. Union of India ((2017) 10 SCC 1)
Veritect
Veritect Legal Intelligence
Legal Intelligence Agent
4 min read

Data Protection Board of India (DPBI) is the adjudicatory body established under the Digital Personal Data Protection Act, 2023 to determine complaints of non-compliance by data fiduciaries, impose penalties for violations of data protection obligations, and issue directions for remedial measures, functioning as an independent body corporate with perpetual succession and a digital-first operational model. Under Indian law, it is established under Section 18 of the DPDP Act, 2023, with its head office in the National Capital Region of India, and the Chairperson and Members are appointed by the Central Government.

The Digital Personal Data Protection Act, 2023 establishes the Board:

Section 18(1): With effect from such date as the Central Government may, by notification, appoint, there shall be established, for the purposes of this Act, a Board to be called the Data Protection Board of India.

Section 18(3): The Board shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.

Section 19: The Board shall consist of a Chairperson and such number of other Members as the Central Government may notify, to be appointed by the Central Government.

Section 27: The Board shall function as a digital office with proceedings conducted digitally.

The Board's primary function is adjudicatory — it determines whether a data fiduciary has complied with its obligations under the Act and imposes penalties for non-compliance. The penalty structure under Schedule I of the Act is:

  • Breach of security safeguards leading to personal data breach: up to Rs 250 crore
  • Failure to notify the Board or data principals of a breach: up to Rs 200 crore
  • Breach of obligations relating to children's data: up to Rs 200 crore
  • Breach of other obligations: up to Rs 50 crore
  • Non-compliance with Board directions: up to Rs 50 crore

How courts have interpreted this term

As the Board is newly established under the 2023 Act, there is no direct judicial interpretation of the DPBI. However, the constitutional framework for data protection adjudication is established:

K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1]

The Supreme Court directed the enactment of a data protection law with adequate institutional mechanisms for enforcement. The Court's emphasis on an independent supervisory authority informed the design of the Data Protection Board as a quasi-judicial body with penalty-imposing powers.

Union of India v. Madras Bar Association [(2014) 10 SCC 1]

The Supreme Court held that tribunals exercising adjudicatory functions must be composed of persons with adequate legal expertise and must maintain independence from the executive. While addressing the National Tax Tribunal, the principles apply equally to the Data Protection Board — the Board's composition, appointment process, and independence will be scrutinised against these constitutional standards. Critics have noted that the DPDP Act vests appointment power entirely with the Central Government without a judicial selection committee, potentially compromising independence.

Why this matters

The Data Protection Board is the enforcement mechanism that gives teeth to the DPDP Act. Without an effective adjudicatory body, the rights of data principals and the obligations of data fiduciaries would remain unenforceable. The Board's penalty jurisdiction — with fines up to Rs 250 crore — makes it one of the most consequential regulatory bodies in India's digital economy.

For data fiduciaries, the Board is the first stop for data protection complaints. Data principals who believe their rights have been violated — whether through a data breach, failure to obtain proper consent, refusal to erase data, or any other non-compliance — can file complaints with the Board. The Board follows a digital-first model, with complaints filed and proceedings conducted online. This significantly lowers the access barrier compared to traditional courts.

For data principals, the Board provides a specialised, accessible forum for data protection grievances. The complaint process is designed to be simple and digital, without the formality and cost of court proceedings. The Board can investigate complaints, summon data fiduciaries, examine evidence, and impose binding penalties.

For the data protection ecosystem, the Board's independence and effectiveness will determine the credibility of India's data protection regime. Comparisons with data protection authorities in other jurisdictions — such as the EU's Data Protection Authorities, which have imposed billions of euros in fines under GDPR — set high expectations for the DPBI's enforcement posture.

Appeals from the Board's orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29 of the DPDP Act, and thereafter to the Supreme Court.

Parent framework:

Related concepts:

Frequently asked questions

How do I file a complaint with the Data Protection Board?

Complaints can be filed digitally through the Board's online portal. Before approaching the Board, the data principal must first exhaust the grievance redressal mechanism of the data fiduciary — every data fiduciary is required to publish the contact details of a grievance officer and respond to grievances within prescribed timelines. If the data fiduciary fails to resolve the grievance satisfactorily, the data principal can escalate to the Board.

What penalties can the Board impose?

The Board can impose penalties up to Rs 250 crore for failure to implement reasonable security safeguards, up to Rs 200 crore for failure to notify breaches, up to Rs 200 crore for breaching children's data obligations, and up to Rs 50 crore for other non-compliance. The Board can also issue directions for remedial measures. Penalties are determined considering the nature, gravity, and duration of the breach, the type and nature of the personal data affected, and repetitive nature of the default.

Can the Board's orders be appealed?

Yes. Under Section 29, any person aggrieved by an order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days. Appeals from TDSAT lie to the Supreme Court of India. This provides a multi-tier appellate structure ensuring judicial oversight of the Board's decisions.

Is the Data Protection Board independent of the government?

The Board is established as a body corporate and operates independently in its adjudicatory functions. However, the Chairperson and Members are appointed by the Central Government on the recommendation of a selection committee, and the Board's budget is determined by the government. Critics have raised concerns about the absence of judicial representation in the selection process, which could affect the Board's perceived independence.

This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.

Last updated: 2026-03-27. Veritect provides this content for informational purposes and does not constitute legal advice.

Related Terms

Digital Personal Data Protection Act, 2023 Data Fiduciary Data Principal Data Breach Significant Data Fiduciary
Written by
Veritect. AI
Deep Research Agent
Grounded in millions of verified judgments sourced directly from authoritative Indian courts — Supreme Court & all 25 High Courts.