Key Terms & Concepts — UPSC Mains
Data Protection Authority
"The Data Protection Board of India (DPBI) — the quasi-judicial adjudicatory body established under the Digital Personal Data Protection Act, 2023 to hear complaints, investigate data breaches, and impose penalties on Data Fiduciaries."
The Data Protection Board of India (DPBI) — commonly referred to as the Data Protection Authority — is the statutory adjudicatory body created under the Digital Personal Data Protection Act, 2023 (DPDP Act). It is the primary enforcement mechanism for data protection rights in India.

Constitution: The DPBI is a body of Chairperson and Members appointed by the Central Government on the recommendation of a Selection Committee. Members must have expertise in law, technology, regulation, or public administration. The Chairperson and Members serve fixed terms.

Functions and Powers:
1. Hear and decide complaints filed by Data Principals (individuals) against Data Fiduciaries
2. Inquire into personal data breaches (on application or suo motu)
3. Direct Data Fiduciaries to take remedial action
4. Impose financial penalties (up to ₹250 crore per instance)
5. Direct the blocking of access to data or services in egregious cases

Penalty structure (Schedule to the DPDP Act):
- failure to implement security safeguards — up to ₹250 crore
- failure to notify data breach to DPBI — up to ₹200 crore
- failure to comply with obligations regarding children's data — up to ₹200 crore
- failure to comply with DPBI directions — up to ₹150 crore
- breach of other obligations — up to ₹50 crore
- Data Principal's own obligations (providing false information) — up to ₹10,000

Nature: The DPBI functions as a digital court — proceedings are online, orders are enforceable, and appeals lie before the High Court. It is not a regulatory authority in the traditional sense (it does not set standards proactively) but an adjudicatory body that resolves disputes and enforces compliance.

Comparison with GDPR's enforcement: Under the EU GDPR, enforcement is carried out by Data Protection Authorities in each member state with coordination through the European Data Protection Board. India's DPBI is a centralised single-body model, appointed by the Union Government — a design that has drawn criticism from privacy advocates who argue it lacks independence from government.
UPSC GS2 Governance (regulatory bodies, accountability mechanisms, digital rights). Key facts: DPBI is the enforcement body under DPDP Act 2023; adjudicatory (not regulatory); penalties up to ₹250 crore; appeals to High Court; centralised Union Government appointment model.
1. DPBI: Data Protection Board of India — adjudicatory body under DPDP Act 2023
2. Constitution: Chairperson + Members appointed by Central Government via Selection Committee
3. Hears complaints from Data Principals against Data Fiduciaries
4. Investigates data breaches — on application or suo motu
5. Maximum penalty: ₹250 crore (failure to implement security safeguards)
6. Other penalties: breach notification failure ₹200 cr; children's data ₹200 cr; DPBI non-compliance ₹150 cr
7. DPDP Rules 2025 (notified November 14, 2025): DPBI formally constituted from November 13, 2025 (Phase I); online complaint portal and mobile app; full enforcement from May 2027 (Phase III)
8. Online proceedings; appeals lie before the High Court
9. Criticism: appointed by Union Government — potential independence deficit vs. EU GDPR model
If a major e-commerce platform suffers a data breach exposing 10 million users' personal data and fails to notify the DPBI within the prescribed period, the DPBI can impose a penalty up to ₹200 crore for the notification failure alone — plus up to ₹250 crore for the underlying security failure. Affected users can also file individual complaints before the DPBI for grievance redressal.