Top 10 operational impacts of India’s DPDPA – Enforcement and the Data Protection Board
This article provides insight on enforcement and the Data Protection Board in relation to India's DPDPA.
Published: 11 Oct. 2023
Last updated: 20 Jan. 2026
This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.
Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.
India's Ministry of Electronics and Information Technology has finally issued the long-awaited Digital Personal Data Protection Rules, 2025 and has operationalized the Digital Personal Data Protection Act, 2023. While the vast majority of the sections of the DPDPA will go into effect in phases within the next 18 months, the government has already issued an official notification bringing into force the provisions related to the establishment of the Data Protection Board of India and its powers and operations, which were made effective immediately.
While organizations will likely fast-track measures to ensure they are DPDPA-compliant within the implementation period, the government faces the even more daunting task of ensuring all necessary measures, checks and balances are put in place immediately to effectuate a smooth rollout.
Implementation challenges
The DPDPA is far more exhaustive than the existing data protection framework covered under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. As a result, as with the implementation of any new legislation, organizations are likely to face a number of changes.
While the enforcement timeline released by the government offers organizations some room to breathe and ready themselves, privacy professionals, especially at larger organizations, still require more clarity. Specifically, organizations that are uncertain about whether they qualify as a significant data fiduciary may be divided on whether to proactively start taking the necessary actions to comply with the additional requirements imposed on such entities or if they should wait and watch. Those steps include identifying and appointing a data protection officer, adopting measures to ensure personal data specified by the government is stored locally, and adopting other technical and operational requirements.
Heavy compliance costs, both in terms of manpower and resources, are another major cause of concern — especially for smaller organizations that may need to onboard technology and resources to ensure detailed compliance. Organizations will likely also need to update technology or procure software to aid in compliance with several of the requirements under the DPDPA, like data portability, consent mechanisms and the provision of the right to data erasure.
For organizations that use emerging technologies such as artificial intelligence and blockchain, many of these requirements become even more challenging as personal data is often inadvertently processed as part of their business offerings.
Authority and grievance redressal process
Any grievance raised by a data principal in relation to data processing must first be addressed by the internal grievance redressal mechanism adopted by a data fiduciary. If this fails, the DPBI is vested with the powers to receive and investigate complaints raised by data principals.
The DPBI, which has been established as an independent supervisory authority under the DPDPA, will serve as a digital office — the first of its kind in India. The head office will be located in New Delhi and consist of four members. The board will be led by a chairperson and the members will serve two-year renewable terms.
The chairperson will be selected by a search and selection committee consisting of the cabinet secretary and the secretaries to the government in charge of the Department of Legal Affairs and the MeitY. The board will also include two experts of repute with special knowledge or practical experience in a field that, in the opinion of the government, may be useful. The DPDP Rules determine the salary of the chairperson and other board members and the terms and conditions to appoint supporting officers and employees. The rules also detail the manner and procedure the DPBI will need to follow to conduct meetings and initiate actions.
The DPBI has been bestowed broad powers to initiate inquiries, investigate complaints, impose fines and penalties, and take other necessary actions upon receiving a complaint from a data principal, consent manager, government entity or an intimation from the data fiduciary. One positive provision under the DPDP Rules is the requirement that all inquiries conducted by the board must be completed within six months from the date of receiving the intimation/complaint, unless the board extends the period — reasons recorded in writing — for up to three months at a time. This aims to ensure the timely resolution of grievances. The DPBI has also been granted the power to refer disputing parties to mediation and to accept voluntary undertakings from data fiduciaries to take, or refrain from, certain actions as settlement. The DPDPA and the DPDP Rules, however, do not confer the DPBI any lawmaking authority to issue directions or regulations.
Broad powers of the government
The rules prescribe specific details regarding notice requirements and security standards for data fiduciaries, eligibility and registration criteria for consent managers, and protocols for breach notifications. Nevertheless, the government retains broad authority to issue additional rules and conditions, adopt delegated legislation, and take other measures necessary for implementation.
Besides the foregoing, the DPDPA also empowers the government to request access to any information from a data fiduciary, any entity processing personal data, an intermediary (as defined by the IT Act) or from the DPBI. This authority is extremely broad and is subject to fewer restrictions than those provided for under the existing IT Act and SPDI Rules. After the board sanctions the concerned data fiduciary at least twice and advises the government to issue such an order, the government is empowered to order or direct any government agency and intermediary to block information from public access "in the interests of the general public."
Appellate body
The DPBI has been granted the powers of a civil court under the Code of Civil Procedure, 1908 with respect to the powers to summon and enforce the attendance of any person, receive affidavits, require discovery, and produce and inspect documents. However, the DPDPA expressly forecloses individuals' access to civil courts for relief under the law. It will be interesting to see how this interplays with the Supreme Court decision that found citizens have a fundamental right to privacy under Article 21 of India's constitution. The DPDPA instead grants any person aggrieved by an order of the DPBI the right to file an appeal before the Telecom Disputes Settlement and Appellate Tribunal.
While the TDSAT derives authority from the Department of Telecommunications, the MeitY spearheaded the adoption of the DPDPA. Accordingly, given that the TDSAT was originally set up to handle disputes pertaining to telecommunications and information technology — in contrast to the board which is proposed to be constituted purely to regulate the processing of digital personal data in India — the appeals process under the DPDPA begs the question of whether the TDSAT is the right appellate body to handle data privacy appeals.
Further, while Section 43A of the IT Act will be repealed when the DPDPA comes into full effect, the rest of the IT Act's provisions remain in force. As a result, in the case of a data breach where multiple provisions of the IT Act are triggered, a data principal or any impacted party may engage in forum shopping by seeking recourse from the tribunals or authorities most likely to provide a favorable outcome. This may lead to confusion and conflict among affected parties and regulatory authorities.
That said, the Cyber Appellate Tribunal, which was the appellate body under the IT Act for certain notified matters, was merged with the TDSAT in 2017. Accordingly, the TDSAT may be the logical choice to entertain appeals of decisions passed by the DPBI. This, however, does not address the concern that the primary role of the TDSAT has historically been to serve as the appellate body for telecom disputes.
Penalties
The DPDPA stipulates varying penalty amounts depending on the violation. A data fiduciary may be fined a penalty of INR50 crore (approximately USD5.6 million) for the breach of any provision of the DPDPA or for infractions against the rules for which no specific penalty is stipulated. A fine of up to INR250 crore (approximately USD28 million) may be imposed for failing to implement reasonable security safeguards to prevent a personal data breach.
The DPDPA also sets out general parameters that may be considered to determine the appropriate penalty, such as the nature, gravity and duration of the breach and the nature of the personal data affected, the repetitive nature and implications of the breach, among others. Under Section 43A of the IT Act, a company breaching its obligations in respect of personal data causing wrongful loss or gain is liable to pay damages to the affected individual. The DPDPA eliminates a data principal's right to receive compensation. However, given that the DPBI has been granted extensive authority to issue directions under the DPDPA, including powers equivalent to those of a civil court, it remains unclear whether such powers extend to granting compensation to data principals. For now, even the DPDP Rules do not prescribe any such requirement.
Additionally, unlike the E.U. General Data Protection Regulation and the California Consumer Privacy Act, the DPDPA permits the DPBI to levy penalties on data principals to ensure they do not take undue advantage of any noncompliance under the law that may be attributable to their own action. The DPBI can prescribe a penalty of up to INR10,000 (approximately USD112) on a data principal if they fail to perform duties stipulated under the DPDPA.
A way forward
The enforcement provisions laid down under the DPDPA are a significant upgrade from the existing data protection framework and are well-balanced in approach. The DPDPA allows businesses to continue with fewer operational challenges, while also deterring data processing entities from allowing data breaches to occur.
While organizations will need to take concrete steps — such as updating privacy policies, notifying data principals, and updating third-party contracts with vendors and service providers — implementing the necessary actions within the given timeframe, though reasonable, will remain challenging for smaller players, who will likely need to significantly overhaul their processes, user interfaces, security measures, contracts and policies.
Although the DPDPA stipulates its provisions will prevail in the case of any conflict with other laws, most regulators today prescribe their own terms on data localization and data security. Therefore, the government must examine any similar or conflicting obligations stipulated under different laws regulated by various authorities and clarify what would constitute a repeal versus what would be considered a supplemental obligation imposed by a sectoral regulator.
Harmonizing the terms of the DPDPA with the GDPR and laws of other jurisdictions will be crucial as businesses grow to ensure India meets the adequacy standards necessary to facilitate smooth cross-border data processing.
Full series overview
The overview page for the full series can be accessed here.
- Scope, key definitions and lawful data processing
- Individual rights
- Obligations of data processing entities
- Enforcement and the Data Protection Board
- Cross-border data transfers
- Comparative analysis with the GDPR and other major data privacy laws
- Consent management
- Data audits for significant fiduciaries
- Data protection impact assessments
- Data breaches

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Contributors:
Namita Viswanath
Partner, CMS INDUSLAW
Raghav Muthanna
Partner, IndusLaw