Why we need a well-equipped data protection board to enforce digital privacy law

May Be Interested In:John Cleese calls Piers Morgan ‘lazy’ and ‘sloppy’ as he weighs in on Hugh Grant row


Legal practitioners note that the DPBI, established as a quasi-judicial body under the DPDP Act, needs skilled technical and legal professionals, as well as institutional independence, to manage complex investigations and ensure compliance effectively. 

They also point out significant gaps in the framework, including a lack of clarity about the board’s operational structure and the absence of provisions for criminal liability and compensation in cases of data breaches.

The DPDP Act, 2023, imposes fines of up to 250 crore for violations, but experts stress that clear guidelines and robust institutional support are essential for effective implementation.

The DPBI, established under Section 18(1) of the Act, serves as a quasi-judicial body to adjudicate disputes between individuals and data platforms accused of non-compliance. With civil court powers, the board can investigate breaches, impose penalties, and resolve disputes. 

Appeals from its decisions can escalate to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and ultimately the Supreme Court.

“To strengthen the enforceability of the DPDP Act and its rules, the government must focus on institutional and operational improvements,” said Akshayy S. Nanda, partner at Saraf and Partners. 

Also Read: Mint Explainer: The digital personal data protection Act, its rules, and roadblocks

“The board should be equipped with skilled technical and legal professionals to handle complex investigations and enforce compliance effectively. Additionally, sufficient budgetary support is needed to ensure it fulfills its duties within expedited timelines, especially considering the rapidly evolving digital economy,” he added.

Ankit Sahni, partner at Ajay Sahni & Associates, emphasized that the board’s independence and staffing with qualified experts are crucial to building credibility and ensuring fairness in enforcement.

The DPB is intended to act as a quasi-judicial body to investigate non-compliance and impose penalties. Appeals from its decisions will go to the Appellate Tribunal, the TDSAT, according to Arya Tripathy, partner at Cyril Amarchand Mangaldas. 

However, the DPDP Rules provide limited insights into the operationalization of the DPB and Appellate Tribunal provisions. Hopefully, these details will emerge through the consultation phase, and the final rules will bring more clarity, experts say.

Also Read: Privacy law raises complications of verifying parent identity

Need for criminal liability, compensation mechanisms

Some legal experts believe that adding criminal liability for data fiduciaries could act as a stronger deterrent in cases involving fraud, negligence, or intentional non-compliance that cause severe harm to individuals.

“Provisions for criminal liability in cases of severe data breaches could go a long way in ensuring stricter compliance,” said Nazneen Ichhaporia, partner at ANB Legal.

Ichhaporia also highlighted gaps in the current framework, particularly the lack of compensation mechanisms for data principals whose personal data is compromised. She urged regulators to address this issue to protect individuals’ rights more effectively.

Also Read: DPDP draft rules raise concerns on parental consent, national security checks

On 3 January, the government published draft rules for public consultation under the Digital Personal Data Protection (DPDP) Act, proposing several compliance measures.

These include mandatory identity verification for parents before minors under 18 can join online platforms, localization of personal data in India, with exemptions for certain countries notified by the government, and exceptional powers for the Centre to access or withhold personal data in matters related to national security without notifying affected individuals.

“To navigate compliance effectively, data fiduciaries must adopt a proactive approach, starting with robust data governance frameworks, comprehensive privacy impact assessments, and a culture of compliance across organizational levels. Safeguards such as encryption, pseudonymization, and regular audits are critical to mitigating risks. It’s equally essential to invest in training programs and ensure that consent mechanisms are clear, specific, and informed,” suggests Goldie Dhama, partner, Deloitte India.

Also Read: India’s Digital Data Protection rules: A story of hits and misses

Judiciary’s role in shaping enforcement

Legal experts highlighted the pivotal role of courts in clarifying ambiguities in the law and ensuring fairness.

Ankit Sahni from Ajay Sahni & Associates noted that judicial interpretation will help establish procedural standards and balance regulatory enforcement with constitutional rights. Courts can also act as a check against potential overreach or under-enforcement by the board.

“Judicial precedents will significantly shape the enforcement of the DPDP Act, ensuring consistency, fairness, and accountability. By balancing the rights of Data Principals with the operational needs of data fiduciaries, courts will strengthen the legitimacy and effectiveness of India’s data protection framework.” Akshayy S. Nanda from Saraf and Partners added.

The Digital Personal Data Protection (DPDP) Act, 2023 was shaped through over a decade of deliberations, beginning with the Justice A.P. Shah Committee’s 2011 report recommending privacy legislation.

The need for a data protection law gained momentum after the Supreme Court’s 2017 judgment recognizing privacy as a fundamental right. Multiple drafts were proposed before the final version was passed by Parliament on 9 August, 2023, and received presidential assent on 11 August, 2023. The Act introduces stringent rules for data protection, establishes the Data Protection Board, and imposes steep penalties to ensure compliance and accountability.

Also Read: Privacy as priority: India can’t afford any further delay in notifying data protection rules

 

 

 

share Share facebook pinterest whatsapp x print

Similar Content

UPSC NDA 1 Exam 2025: Know last day of registration and important dates
WhatsApp to roll out reverse image search feature; all you need to know
Jeremy Hunt
Jeremy Hunt warns Reeves against ‘declinism’ on UK’s prospects
Dramatically lit studio shot of a scene from The Verge’s “Friend or Faux?” feature.
One creator talks visualizing AI companionship
Texas AG Ken Paxton sues New York doctor for providing abortion pills across state lines
Texas AG Ken Paxton sues New York doctor for providing abortion pills across state lines
Jeff Baena, indie filmmaker and husband of Aubrey Plaza, dies at 47
Jeff Baena, indie filmmaker and husband of Aubrey Plaza, dies at 47
This Man Eats So Much Butter, Cheese, and Beef That Cholesterol Oozes From His Skin
This Man Eats So Much Butter, Cheese, and Beef That Cholesterol Oozes From His Skin
Real News, Real People: Impactful Stories of Today | © 2025 | Daily News