DPDPA Sections 18-26: The DPBI

Abhi Anand
1 March 2026
9 min read

Sections 18-26 - India's Data Protection Enforcement Architecture

The effectiveness of any data protection law depends ultimately on its enforcement machinery. Sections 18 through 26 of the Digital Personal Data Protection Act, 2023, establish the Data Protection Board of India (DPBI) as the primary enforcement body responsible for adjudicating complaints, imposing penalties, and overseeing compliance with the Act. These nine sections create a comprehensive institutional framework - from the Board's establishment and composition to its functions, inquiry powers, and dispute resolution mechanisms.

The DPBI is designed as a 'digital-by-design' body, reflecting India's emphasis on technology-enabled governance. Unlike traditional regulatory bodies that operate through physical hearings and paper-based processes, the DPBI is mandated to function as a digital office, conducting proceedings electronically and maintaining digital records. This design choice is both innovative and practical - given the volume of data protection complaints expected in a country of 1.4 billion people, a purely physical adjudication model would be unsustainable.

Understanding these sections is essential for every organisation subject to the DPDPA, because the Board is the body that will receive complaints, conduct inquiries, determine violations, and impose penalties that can reach up to two hundred and fifty crore rupees.

Section 18: Establishment of the Data Protection Board

Section 18 provides for the establishment of the Data Protection Board of India by the Central Government through notification. The Board is not a regulatory body in the traditional sense - it is an adjudicatory body, more akin to a tribunal than a regulator. This distinction is important. Unlike the Information Commissioner's Office in the UK or the CNIL in France, which have broad regulatory powers including the ability to issue guidance, conduct proactive investigations, and set policy, the DPBI's primary function is adjudicatory - it determines whether the Act has been violated and imposes penalties. The Board does not have rule-making power, which rests with the Central Government, or the power to issue binding guidance, which limits its ability to shape the interpretation of the Act proactively.

Section 18 also specifies that the Board shall function as a digital office, performing its functions through digital means. This digital-by-design mandate means that complaints will be filed electronically, hearings will be conducted via video conferencing or other digital platforms, orders will be issued digitally, and records will be maintained in electronic form. This approach is expected to make the Board more accessible, efficient, and transparent than traditional tribunals, though it also raises questions about access for Data Principals who may not be digitally literate.

Sections 19-21: Composition, Appointment, and Removal

Section 19 provides for the appointment of a Chairperson and other members of the Board by the Central Government. The Chairperson and members must possess such qualifications, experience, and expertise as may be prescribed, with specialisations expected to include law, information technology, data governance, cybersecurity, and public administration. The Central Government appoints all members, which has raised concerns about the Board's independence from the executive. Unlike the EU's requirement that Data Protection Authorities be 'completely independent' under GDPR Article 52, the DPDPA does not include an explicit independence guarantee.

Section 20 prescribes the terms and conditions of service for the Chairperson and members. The term of office, salary, allowances, and other conditions of service are to be prescribed by the Central Government. The term is expected to be renewable, which creates a further concern - members seeking reappointment may be reluctant to make decisions that displease the Government. International best practice recommends non-renewable terms of sufficient length (five to seven years) to ensure independence.

Section 21 addresses removal, providing that the Central Government may remove the Chairperson or a member from office on prescribed grounds, which are expected to include proven misbehaviour, incapacity, insolvency, and conviction for an offence involving moral turpitude. The removal process should include safeguards against arbitrary removal, though the specific procedural protections await prescription.

  • Chairperson and members appointed by the Central Government
  • Qualifications to include law, technology, data governance, and cybersecurity expertise
  • Terms of service prescribed by the Central Government - renewable terms expected
  • Removal on prescribed grounds with procedural safeguards
  • Independence concerns due to Government control over appointment and removal

Section 22: The Board as a Digital Office

Section 22 operationalises the digital-by-design mandate. It provides that the Board shall be a digital office and shall perform its functions through digital means. All communications with the Board - complaint filings, evidence submission, hearing participation, and order receipt - will be conducted electronically. This section reflects India's broader digital governance agenda and the success of digital platforms like the e-Courts system, the Government e-Marketplace, and the UMANG app in delivering government services digitally.

For the DPBI, the digital office model offers several advantages. Geographic barriers are eliminated - a Data Principal in a remote village can file a complaint as easily as one in Mumbai. Processing times can be reduced through automated workflows, document management, and scheduling systems. Transparency is enhanced through real-time status tracking and digital record keeping. Costs are reduced by eliminating physical infrastructure and travel requirements.

However, the digital office model also presents challenges. Digital literacy and internet access vary widely across India. The Board must ensure that its digital platforms are accessible, user-friendly, and available in multiple languages. It must also address cybersecurity concerns - a digital body handling sensitive personal data breach complaints must itself maintain robust security aligned with standards such as ISO 27001. Technical infrastructure must be reliable, with appropriate redundancy and disaster recovery capabilities to ensure continuity of operations.

Section 23: Functions of the Board

Section 23 defines the core functions of the Data Protection Board. The Board's primary functions include determining whether Data Fiduciaries and Consent Managers have complied with the provisions of the Act, imposing penalties for non-compliance as prescribed in the Schedule to the Act, and directing remedial measures when violations are identified. The Board receives complaints from Data Principals who are unsatisfied with the grievance redressal provided by Data Fiduciaries under Section 13, as well as references from the Central Government regarding potential violations. The Board also receives intimations of personal data breaches from Data Fiduciaries under Section 8(6) and may initiate proceedings based on these breach notifications. The scope of the Board's functions is adjudicatory rather than advisory - it determines specific complaints rather than issuing general guidance or regulations. This means that the DPDPA's interpretation will be shaped case by case through the Board's decisions rather than through proactive regulatory guidance. For organisations, this creates uncertainty in the early years of the Act's implementation, as there will be limited precedent on how the Board interprets specific provisions. Organisations should monitor the Board's early decisions closely and adjust their compliance practices based on emerging interpretive trends.

  • Determine compliance with the Act's provisions on receipt of complaints
  • Impose penalties as prescribed in the Schedule (up to 250 crore rupees)
  • Direct remedial measures for identified violations
  • Receive and act on personal data breach intimations from Data Fiduciaries
  • Accept references from the Central Government regarding potential violations
  • Function as an adjudicatory body rather than a policy-making regulator

Section 24: Inquiry and Complaint Handling Process

Section 24 establishes the procedure for the Board to handle complaints and conduct inquiries. When a complaint is received - whether from a Data Principal, a reference from the Central Government, or arising from a breach notification - the Board must provide the Data Fiduciary or Consent Manager an opportunity to be heard before making any determination. This is a fundamental requirement of natural justice and ensures that organisations have the chance to present their side before penalties are imposed. The Board may conduct such inquiry as it considers necessary, which includes the power to call for information, documents, and evidence from the parties involved. The Board can also appoint inquiry officers to investigate complaints on its behalf. The inquiry process is expected to be conducted digitally, with evidence submitted electronically, hearings held via video conferencing, and orders issued through the digital platform.

Section 24 also addresses the relationship between the Board's inquiry process and the grievance redressal mechanism under Section 13. A Data Principal must first exhaust the grievance mechanism with the Data Fiduciary (as outlined in the DPDPA compliance checklist) before approaching the Board; the Board is not a first-instance complaint forum but an escalation body. This ensures that Data Fiduciaries have the opportunity to resolve grievances directly before regulatory intervention, reducing the Board's caseload and encouraging effective internal grievance resolution.

Section 25: Voluntary Undertaking

Section 25 introduces a progressive enforcement tool - the voluntary undertaking. It allows a Data Fiduciary that is the subject of a complaint or inquiry to offer a voluntary undertaking to the Board regarding the matter. The voluntary undertaking is essentially a commitment by the Data Fiduciary to take specific corrective actions, implement compliance measures, or refrain from certain processing activities, in exchange for the Board accepting the undertaking in lieu of further proceedings. If the Board accepts the voluntary undertaking, it may close the complaint without imposing penalties, provided the Data Fiduciary fulfils the commitments made. If the Data Fiduciary breaches the voluntary undertaking, the Board can reopen the proceedings and impose penalties. This mechanism has significant advantages for both the Board and organisations. For the Board, it reduces adjudicatory workload and achieves compliance outcomes faster than full proceedings. For organisations, it offers an opportunity to resolve complaints without the reputational and financial impact of a formal adverse determination and penalty. Voluntary undertakings are a well-established enforcement tool internationally - the Australian Information Commissioner and the UK's ICO both use similar mechanisms. The DPDPA's adoption of this approach reflects a pragmatic, outcomes-focused enforcement philosophy that prioritises compliance improvement over punitive action.

  • Data Fiduciary can offer commitments to corrective actions and compliance measures
  • Board may accept the undertaking and close the complaint without penalties
  • Breach of the voluntary undertaking allows the Board to reopen proceedings
  • Reduces Board workload and achieves faster compliance outcomes
  • Mirrors enforcement tools used by Australian and UK data protection authorities
  • Prioritises compliance improvement over punitive enforcement

Section 26: Alternate Dispute Resolution

Section 26 empowers the Board to attempt to settle complaints through alternate dispute resolution (ADR) mechanisms, including mediation, before proceeding to formal adjudication. This provision recognises that many data protection disputes can be resolved through negotiation and compromise rather than adversarial proceedings. Consider a Data Principal who wants their data corrected and a Data Fiduciary that is willing to make the correction but disagrees on its scope: this type of dispute is better resolved through mediation than through a formal hearing and penalty.

ADR is expected to be particularly useful for complaints that arise from misunderstandings, communication failures, or technical issues rather than deliberate non-compliance. A Data Fiduciary - whether a large corporation or a Significant Data Fiduciary - that failed to respond to a grievance due to an internal routing error, rather than a wilful refusal, is a good candidate for mediated resolution. The ADR process is likely to be faster, less costly, and less adversarial than formal proceedings, benefiting both parties. However, ADR is voluntary - neither party can be compelled to accept a mediated outcome. If ADR fails, the Board proceeds to formal inquiry and adjudication under Section 24.

The Board's challenge will be to develop a pool of qualified mediators with expertise in data protection law and technology - a specialised skill set that may take time to build in India. Organisations should approach ADR opportunities constructively, as willingness to engage in mediation may be viewed favourably by the Board if the matter ultimately proceeds to formal adjudication.

Independence Concerns and Comparison with International Models

The most significant criticism of Sections 18-26 relates to the Board's independence - or the perceived lack thereof. The Central Government controls the appointment and removal of the Chairperson and members, prescribes their terms of service, and can refer matters to the Board. This degree of executive control contrasts sharply with the GDPR's requirement under Article 52 that each supervisory authority shall act with complete independence in performing its tasks and exercising its powers. The EU model requires that DPA members be appointed through transparent procedures, serve non-renewable terms of sufficient duration, and be free from external influence. Several EU DPAs have demonstrated their independence by imposing significant fines on government entities and challenging government surveillance programmes.

The DPBI's structure raises questions about whether it will be able to adjudicate complaints against government agencies with the same rigour as complaints against private companies, especially given the broad exemptions under Section 17. India's proposed model is closer to a tribunal than an independent regulator, which may limit its effectiveness as a check on government data processing. However, the Board's decisions are subject to appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and ultimately to the Supreme Court, providing judicial oversight of its determinations. Organisations should track the Board's early decisions - particularly any involving government entities - for signals about its practical independence and enforcement approach.

  • Central Government controls appointment, removal, and terms of service
  • No explicit statutory guarantee of Board independence
  • GDPR Article 52 requires complete independence for EU DPAs - not mirrored in DPDPA
  • Board functions as adjudicatory tribunal rather than independent regulator
  • Decisions appealable to TDSAT and Supreme Court - providing judicial oversight
  • Early decisions will signal the Board's practical independence and enforcement posture

How Kraver.ai Helps

Kraver.ai's compliance platform prepares your organisation for every aspect of interaction with the Data Protection Board of India. Our Board-readiness module ensures that your grievance redressal mechanism satisfies Section 13 requirements - reducing the likelihood that complaints escalate to the Board in the first place. When a Board complaint does arise, our litigation management module provides structured workflows for responding to Board inquiries, assembling evidence, preparing submissions, and tracking proceeding timelines. The module generates Board-ready documentation packages that demonstrate your compliance posture, grievance handling efforts, and corrective actions taken. For breach notification under Section 8(6), Kraver.ai automates the preparation of breach intimations in the format the Board requires, ensuring timely and complete notification. Our voluntary undertaking module helps you evaluate whether offering a voluntary undertaking under Section 25 is strategically appropriate, drafts undertaking proposals aligned with Board expectations, and monitors fulfilment of commitments to ensure you do not breach the undertaking. For ADR proceedings under Section 26, the platform provides mediation preparation tools including dispute summaries, compliance evidence packages, and proposed resolution frameworks. Kraver.ai's regulatory intelligence engine tracks all published Board decisions, identifying trends in interpretation, enforcement priorities, and penalty patterns that inform your compliance strategy. Stay ahead of the Board's evolving enforcement approach with Kraver.ai. Explore our compliance services or get in touch for a consultation.
