Introduction - Why Enforcement Powers Matter
A data protection law is only as effective as its enforcement mechanism. The Digital Personal Data Protection Act, 2023, having established the Data Protection Board of India (DPBI) through Sections 18 to 26, must also equip the Board with the procedural tools necessary to investigate complaints, examine evidence, and impose penalties. Sections 27 and 28 serve precisely this function - they define the powers the Board can exercise and the procedures it must follow when conducting inquiries. Without these provisions, the Board would exist as an institutional shell without operational teeth. Section 27 grants the Board specific civil court powers, enabling it to compel the production of evidence and testimony. Section 28 then prescribes the procedural framework governing how the Board conducts inquiries and arrives at decisions, including the imposition of penalties. Together, these sections ensure that enforcement under the DPDPA is not arbitrary but follows established legal principles - particularly the principles of natural justice that are foundational to Indian administrative law. For businesses operating in India, understanding these sections is essential for preparing for regulatory interactions.
Section 27 - Civil Court Powers of the Board
Section 27 confers upon the Data Protection Board certain powers that are ordinarily vested in civil courts under the Code of Civil Procedure, 1908. This is a well-established legislative technique in Indian law - regulators like SEBI, the Competition Commission of India, and various tribunals have been similarly empowered. The specific powers granted include the power to summon and enforce the attendance of any person and examine them on oath, the power to require the discovery and production of documents, the power to receive evidence on affidavits, and any other matter that may be prescribed by the Central Government through rules. The grant of civil court powers means that the Board can legally compel cooperation. A Data Fiduciary or Data Processor cannot simply ignore a Board summons or refuse to produce documents - doing so would constitute contempt equivalent to contempt of a civil court. This is a significant enforcement lever because it transforms Board inquiries from voluntary engagements into legally binding proceedings where non-cooperation carries its own legal consequences beyond the DPDPA penalties themselves.
- Power to summon and enforce the attendance of any person
- Power to examine persons on oath
- Power to require discovery and production of documents
- Power to receive evidence on affidavits
- Power to requisition public records from any court or office
- Any other matter prescribed by the Central Government
Summoning Powers - Compelling Attendance and Testimony
The Board's power to summon individuals and examine them on oath is perhaps its most significant investigative tool. This power allows the Board to call any person - whether a Data Fiduciary's CEO, a Data Protection Officer, a technical employee, or even a third-party Data Processor - to appear before the Board and provide testimony under oath. Testimony given on oath carries legal consequences for perjury, meaning that individuals who provide false or misleading testimony can face criminal prosecution under the Indian Penal Code. This creates a strong incentive for truthful and complete disclosure during Board proceedings. For organisations, the summoning power means that key personnel must be prepared to appear before the Board at relatively short notice. The Board can specify who it wants to examine, and the organisation cannot substitute a different person without the Board's permission. This underscores the importance of ensuring that individuals responsible for data protection within the organisation are well-informed about processing activities, compliance measures, and incident details. Organisations should consider conducting mock examination sessions with key personnel to prepare them for potential Board inquiries.
Document Production - Requiring Disclosure of Records
The power to require the discovery and production of documents enables the Board to access any records relevant to its inquiry. This includes data processing records, consent logs, privacy policies, internal communications, technical architecture documents, incident reports, vendor contracts, data flow diagrams, audit reports, and any other documentation the Board deems relevant to the matter under investigation. Unlike voluntary requests for information - which organisations might respond to selectively - a Board order for document production is legally binding. The scope of this power is broad: the Board can require both existing documents and the preparation of new documents or summaries if necessary to understand the organisation's processing activities. Organisations should be aware that privileged communications, such as legal advice from retained counsel, may be subject to different treatment under established principles of legal professional privilege. However, the scope of privilege in regulatory proceedings before quasi-judicial bodies has been a subject of evolving jurisprudence in India. Proactively maintaining comprehensive data processing records is the best preparation for potential document production requirements - organisations that wait until a Board inquiry to create documentation will find themselves at a significant disadvantage.
Electronic Proceedings and Digital-First Approach
A distinctive feature of the DPDPA is its emphasis on digital proceedings. Section 27 contemplates hearings conducted through electronic means, reflecting the Act's overall digital-first philosophy. The Board is expected to conduct its proceedings primarily through digital channels - video conferencing for hearings, electronic submission of documents and evidence, digital signatures for affidavits, and online case management systems. This digital-first approach has several practical implications. First, it reduces the logistical burden on organisations that might otherwise need to travel to the Board's physical location for hearings. Second, it enables the Board to handle a larger volume of cases efficiently. Third, it creates automatic digital records of proceedings, enhancing transparency and accountability. However, electronic hearings also raise questions about the confidentiality of proceedings, the security of submitted documents, and the authentication of witnesses in a virtual environment. The rules prescribed under the DPDPA will need to address these procedural details. For organisations, preparing for electronic proceedings means ensuring that relevant personnel have access to reliable video conferencing technology, that documents can be submitted in prescribed electronic formats, and that representatives are comfortable presenting evidence and arguments in a virtual setting.
Section 28 - Procedure for Inquiry and Imposing Penalties
Section 28 establishes the procedural framework that the Board must follow when conducting inquiries and determining whether to impose penalties. The section mandates that the Board follow the principles of natural justice - a constitutional requirement for all quasi-judicial bodies in India. The principles of natural justice, as developed through Indian jurisprudence, include two fundamental rules: nemo judex in causa sua (no one should be a judge in their own cause) and audi alteram partem (hear the other side). In practical terms, this means the Board must provide the entity under inquiry with a reasonable opportunity to present its case before arriving at any adverse finding or imposing any penalty. The Board cannot impose penalties in an ex parte manner - it must issue notice, provide the grounds for the proposed action, allow the entity to respond with evidence and arguments, and consider that response before making its determination. This procedural safeguard is critical for businesses because it ensures that Board proceedings are fair and that penalties are not imposed without due process. Any failure by the Board to follow these principles would render its orders vulnerable to challenge on appeal.
Principles of Natural Justice in Board Proceedings
The application of natural justice principles in Board proceedings creates a structured framework for inquiry. First, the Board must issue a show cause notice to the entity, specifying the alleged violation, the provisions of the DPDPA that have been contravened, and the proposed penalty or action. The notice must provide sufficient detail for the entity to understand the case against it and prepare a meaningful response. Second, the entity must be given a reasonable time to respond - 'reasonable' being assessed based on the complexity of the matter, the volume of evidence involved, and any urgency considerations. Third, the entity has the right to present evidence, call witnesses, and make oral submissions in support of its case. Fourth, the Board must consider all evidence and submissions before arriving at its determination. Fifth, the Board's order must be a reasoned order - it must explain the findings of fact, the application of law to those facts, and the rationale for the penalty imposed. A reasoned order is essential not only for the entity's understanding but also for effective appellate review. The Supreme Court of India has consistently held that quasi-judicial bodies must provide reasons for their decisions as a fundamental aspect of natural justice and good governance.
- Show cause notice specifying the alleged violation and relevant DPDPA provisions
- Reasonable time to respond based on complexity and volume of evidence
- Right to present evidence, call witnesses, and make oral submissions
- Board must consider all evidence and submissions before determination
- Reasoned order explaining findings, legal application, and penalty rationale
- Right to be represented by a legal practitioner or authorised representative
Evidence Standards and Burden of Proof
While Section 28 does not explicitly address the standard of proof applicable in Board proceedings, established Indian administrative law principles provide guidance. In regulatory proceedings before quasi-judicial bodies, the standard of proof is typically 'preponderance of probability' - a lower threshold than the 'beyond reasonable doubt' standard applicable in criminal cases. This means the Board must be satisfied, based on the evidence presented, that a violation is more likely to have occurred than not. The burden of proof initially lies with the complainant or the Board itself (when acting suo motu) to establish a prima facie case of violation. Once a prima facie case is established, the burden may shift to the Data Fiduciary or Data Processor to demonstrate compliance - for example, by producing consent records, security audit reports, breach notification logs, or other compliance documentation. This shifting burden underscores the importance of maintaining comprehensive compliance records. Organisations that can produce contemporaneous documentation of their compliance measures - consent logs, data protection impact assessments, security audit reports, training records, and breach response records - will be significantly better positioned to defend themselves in Board proceedings than those relying on retrospective reconstruction of compliance activities.
Practical Preparation for Board Interactions
Given the Board's powers under Sections 27 and 28, organisations should proactively prepare for potential regulatory interactions. The first step is to designate a regulatory liaison - a senior individual responsible for coordinating the organisation's response to Board inquiries. This person should have authority to engage legal counsel, access relevant documentation, and coordinate with internal teams. Second, organisations should maintain a 'Board readiness file' - a continuously updated collection of key compliance documents that can be quickly assembled in response to a Board inquiry. This file should include current privacy policies, consent mechanisms and logs, data processing registers, security measures documentation, breach response plans and incident logs, vendor agreements, and Data Protection Officer appointment details. Third, organisations should establish internal protocols for responding to Board notices, including escalation procedures, response timelines, and approval workflows. Fourth, key personnel likely to be summoned - the DPO, CISO, CTO, and senior management - should receive training on providing testimony in regulatory proceedings. Fifth, organisations should engage legal counsel with experience in regulatory proceedings before Indian quasi-judicial bodies, as the procedural nuances of such proceedings differ significantly from civil litigation.
- Designate a regulatory liaison with authority and access to coordinate Board responses
- Maintain a continuously updated Board readiness file with key compliance documents
- Establish internal response protocols with escalation procedures and timelines
- Train key personnel on providing testimony in regulatory proceedings
- Engage legal counsel experienced in quasi-judicial regulatory proceedings
- Conduct periodic mock inquiries to test organisational readiness
How Kraver.ai Helps
Kraver.ai's compliance platform is designed to keep your organisation Board-ready at all times, directly addressing the requirements of Sections 27 and 28. Our compliance documentation engine maintains a continuously updated repository of all key compliance artefacts - privacy policies, consent records, data processing registers, security assessments, breach notifications, and vendor agreements - organised and indexed for rapid retrieval in response to Board inquiries. The audit trail module provides tamper-proof, time-stamped records of all compliance activities, creating the contemporaneous documentation that is critical for meeting evidentiary standards in Board proceedings. Our Board interaction management feature provides workflow templates for responding to show cause notices, including automated task assignment, deadline tracking, and response drafting assistance. The evidence assembly tool allows you to quickly compile relevant documentation packages in prescribed formats for electronic submission to the Board. For testimony preparation, Kraver.ai generates comprehensive briefing packages for personnel who may be summoned, including summaries of relevant processing activities, compliance measures, and incident histories. Our platform ensures that when the Board exercises its powers under Sections 27 and 28, your organisation can respond promptly, completely, and confidently.