Why we need a well-equipped data protection board to enforce digital privacy law
Legal practitioners note that the DPBI, established as a quasi-judicial body under the DPDP Act, needs skilled technical and legal professionals, as well as institutional independence, to manage complex investigations and ensure compliance effectively.
They also point out significant gaps in the framework, including a lack of clarity about the board’s operational structure and the absence of provisions for criminal liability and compensation in cases of data breaches.
The DPDP Act, 2023, imposes fines of up to ₹250 crore for violations, but experts stress that clear guidelines and robust institutional support are essential for effective implementation.
The DPBI, established under Section 18(1) of the Act, serves as a quasi-judicial body to adjudicate disputes between individuals and data platforms accused of non-compliance. With civil court powers, the board can investigate breaches, impose penalties, and resolve disputes.
Appeals from its decisions can escalate to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and ultimately the Supreme Court.
“To strengthen the enforceability of the DPDP Act and its rules, the government must focus on institutional and operational improvements,” said Akshayy S. Nanda, partner at Saraf and Partners.
“The board should be equipped with skilled technical and legal professionals to handle complex investigations and enforce compliance effectively. Additionally, sufficient budgetary support is needed to ensure it fulfills its duties within expedited timelines, especially considering the rapidly evolving digital economy,” he added.
Ankit Sahni, partner at Ajay Sahni & Associates, emphasized that the board’s independence and staffing with qualified experts are crucial to building credibility and ensuring fairness in enforcement.
The DPB is intended to act as a quasi-judicial body to investigate non-compliance and impose penalties. Appeals from its decisions will go to the Appellate Tribunal, the TDSAT, according to Arya Tripathy, partner at Cyril Amarchand Mangaldas.
However, the DPDP Rules provide limited insights into the operationalization of the DPB and Appellate Tribunal provisions. Hopefully, these details will emerge through the consultation phase, and the final rules will bring more clarity, experts say.
Need for criminal liability, compensation mechanisms
Some legal experts believe that adding criminal liability for data fiduciaries could act as a stronger deterrent in cases involving fraud, negligence, or intentional non-compliance that cause severe harm to individuals.
“Provisions for criminal liability in cases of severe data breaches could go a long way in ensuring stricter compliance,” said Nazneen Ichhaporia, partner at ANB Legal.
Ichhaporia also highlighted gaps in the current framework, particularly the lack of compensation mechanisms for data principals whose personal data is compromised. She urged regulators to address this issue to protect individuals’ rights more effectively.
On 3 January, the government published draft rules for public consultation under the Digital Personal Data Protection (DPDP) Act, proposing several compliance measures.
These include mandatory identity verification for parents before minors under 18 can join online platforms; localization of personal data in India, with exemptions for certain countries notified by the government; and exceptional powers for the Centre to access or withhold personal data in matters related to national security without notifying affected individuals.
“To navigate compliance effectively, data fiduciaries must adopt a proactive approach, starting with robust data governance frameworks, comprehensive privacy impact assessments, and a culture of compliance across organizational levels. Safeguards such as encryption, pseudonymization, and regular audits are critical to mitigating risks. It’s equally essential to invest in training programs and ensure that consent mechanisms are clear, specific, and informed,” suggests Goldie Dhama, partner, Deloitte India.
Judiciary’s role in shaping enforcement
Legal experts highlighted the pivotal role of courts in clarifying ambiguities in the law and ensuring fairness.
Ankit Sahni from Ajay Sahni & Associates noted that judicial interpretation will help establish procedural standards and balance regulatory enforcement with constitutional rights. Courts can also act as a check against potential overreach or under-enforcement by the board.
“Judicial precedents will significantly shape the enforcement of the DPDP Act, ensuring consistency, fairness, and accountability. By balancing the rights of Data Principals with the operational needs of data fiduciaries, courts will strengthen the legitimacy and effectiveness of India’s data protection framework,” Akshayy S. Nanda from Saraf and Partners added.
The Digital Personal Data Protection (DPDP) Act, 2023 was shaped through over a decade of deliberations, beginning with the Justice A.P. Shah Committee’s 2011 report recommending privacy legislation.
The need for a data protection law gained momentum after the Supreme Court’s 2017 judgment recognizing privacy as a fundamental right. Multiple drafts were proposed before the final version was passed by Parliament on 9 August, 2023, and received presidential assent on 11 August, 2023. The Act introduces stringent rules for data protection, establishes the Data Protection Board, and imposes steep penalties to ensure compliance and accountability.