
Enforcement Deficit in the DPDP Act: A Call for a Federated Data Protection Authority

The Digital Personal Data Protection Act, 2023 (hereinafter "DPDP") governs the protection of the personal data of individuals in India. The DPDP establishes a single central enforcement authority, the Data Protection Board of India (DPB). Data privacy experts, legal scholars and academics have raised concerns about this centralised structure, chiefly about the Board's independence, accessibility and efficiency. This blog analyses the DPB at several levels, compares it with enforcement frameworks abroad, and suggests policy recommendations for effective enforcement of the DPDP by the Board.

The DPDP Act’s Centralized Enforcement Structure

The DPDP establishes the Board under Section 18 as the central authority that receives intimations of personal data breaches and complaints of non-compliance, adjudicates them and imposes penalties for violations. However, the Board:

  • Lacks suo motu powers: it acts only on a breach intimation from a data fiduciary, a complaint from a data principal, or a reference from the Central or a State Government, and cannot open an investigation on its own.
  • Has no power to make regulations (rule-making rests with the Central Government), so it cannot adapt its enforcement methods as new threats emerge.
  • Is appointed entirely by the Central Government, through a selection process left to the rules and with no independent appointing body, raising concerns about its independence from the executive.
  • Has no regional presence. The Act designs it to function as a "digital office", a single online service desk much like a ticketing system, which makes it harder for citizens across India's geographic and linguistic diversity to reach the Board and build a working relationship with it.

This centralised and reactive model creates a capacity bottleneck, limits trust and weakens public engagement, all of which matter in a digital rights ecosystem.

Structural Limitations of the Centralized DPB

The DPB lacks independence: its members are appointed directly by the Central Government and it operates with a limited budget. This restricts its ability to provide independent oversight, especially over government agencies, which are among the largest collectors of personal data. Section 27(3), which lets the Central Government refer a Board direction back to it for modification, suspension, withdrawal or cancellation, gives the executive a channel to reopen Board decisions and undermines the Board's nominal authority. The absence of state or regional offices weakens enforcement, reduces the trust of state governments, raises federalism concerns and leaves no one accountable for public sector data misuse.

Enforcement Gaps under the DPDP Act:

As mentioned above, these structural issues produce an enforcement deficit in the Act. The DPDP grants data principals rights such as the right to access, correct and erase their data, to withdraw consent and to raise grievances. These rights are only as effective as the mechanism that enforces them.

Less Focus on Smaller Entities: Given its structure, the DPB will mostly handle high-profile cases and large companies processing sensitive data. An overburdened Board cannot reach the many small and medium-sized data handlers, who will operate with little fear of scrutiny.

Government Agencies Shielded: Section 17 allows the Central Government to exempt its instrumentalities under broad sovereignty and security clauses, which severely weakens accountability. Since the DPB is appointed by and answerable to the central executive, enforcement against state-run data breaches is unlikely.

Low Public Trust: The centralised DPB model risks being perceived as inaccessible and politically biased. Without institutional independence and regional reach, citizens may lack confidence in redressal mechanisms, which in turn erodes the wider compliance culture and awareness.

Digital by Design, But Heavy on Execution

To its credit, the DPDP Act envisions a digitally governed enforcement model: machine-readable consent artifacts, automated dashboards and a digital-first grievance resolution pipeline. The Consent Manager (referred to here as the Consent Management Platform, CMP) plays a pivotal role in this architecture, tasked with:

  • Informing, educating and collecting consent from data principals.
  • Routing grievances and data principal access requests (DPARs).
  • Providing metrics to the DPB, such as onboarding rates of fiduciaries, consent volumes and average grievance resolution times.

Such a system enables data-driven supervision, automated compliance triggers and algorithmic detection of anomalies, for example suspicious notice patterns or sudden spikes in complaints against one fiduciary. However, building and maintaining this infrastructure, the ingestion of compliance data and the behavioural analysis on top of it, at national scale is highly complex.

A single central authority cannot realistically scale to review, validate, and act on millions of digital footprints across thousands of data fiduciaries.
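As an added illustration (not from the original post, and not any consent manager's actual reporting format, since the Act prescribes none), the Python sketch below shows what the "machine-readable reporting" of recommendation 5 and the "algorithmic detection of anomalies" described above could look like in practice. It parses constructed JSON-lines reports from a CMP, rejects malformed lines rather than silently ingesting them, flags a fiduciary whose daily complaint count jumps far above its own recent baseline (median plus a multiple of the median absolute deviation, so a single large value cannot inflate its own baseline), and lists resolution times over an assumed 72-hour SLA. The field names, thresholds and the SLA figure are assumptions chosen for the example.

```python
"""Anomaly detection over constructed consent-manager (CMP) grievance reports.

Added illustration, not part of the DPDP Act or any real CMP. The Act does not
specify a report format, so the JSON-lines schema below is an assumption:
fiduciary_id, date (ISO), grievances_received, grievances_resolved,
avg_resolution_hours, one object per fiduciary per day.
"""
import json
from collections import defaultdict
from statistics import median

# Constructed sample input: F-001 is steady for a week and then spikes on the
# last day; F-002 is quiet but takes 200 hours to resolve on its last day;
# the final line is deliberately malformed (a string where a count belongs).
SAMPLE_JSONL = """\
{"fiduciary_id": "F-001", "date": "2025-06-01", "grievances_received": 4, "grievances_resolved": 4, "avg_resolution_hours": 30}
{"fiduciary_id": "F-001", "date": "2025-06-02", "grievances_received": 5, "grievances_resolved": 5, "avg_resolution_hours": 28}
{"fiduciary_id": "F-001", "date": "2025-06-03", "grievances_received": 4, "grievances_resolved": 3, "avg_resolution_hours": 36}
{"fiduciary_id": "F-001", "date": "2025-06-04", "grievances_received": 6, "grievances_resolved": 6, "avg_resolution_hours": 24}
{"fiduciary_id": "F-001", "date": "2025-06-05", "grievances_received": 5, "grievances_resolved": 5, "avg_resolution_hours": 40}
{"fiduciary_id": "F-001", "date": "2025-06-06", "grievances_received": 4, "grievances_resolved": 4, "avg_resolution_hours": 31}
{"fiduciary_id": "F-001", "date": "2025-06-07", "grievances_received": 5, "grievances_resolved": 5, "avg_resolution_hours": 29}
{"fiduciary_id": "F-001", "date": "2025-06-08", "grievances_received": 40, "grievances_resolved": 2, "avg_resolution_hours": 48}
{"fiduciary_id": "F-002", "date": "2025-06-01", "grievances_received": 1, "grievances_resolved": 1, "avg_resolution_hours": 20}
{"fiduciary_id": "F-002", "date": "2025-06-02", "grievances_received": 2, "grievances_resolved": 2, "avg_resolution_hours": 22}
{"fiduciary_id": "F-002", "date": "2025-06-03", "grievances_received": 1, "grievances_resolved": 1, "avg_resolution_hours": 18}
{"fiduciary_id": "F-002", "date": "2025-06-04", "grievances_received": 1, "grievances_resolved": 1, "avg_resolution_hours": 25}
{"fiduciary_id": "F-002", "date": "2025-06-05", "grievances_received": 2, "grievances_resolved": 2, "avg_resolution_hours": 30}
{"fiduciary_id": "F-002", "date": "2025-06-06", "grievances_received": 1, "grievances_resolved": 1, "avg_resolution_hours": 21}
{"fiduciary_id": "F-002", "date": "2025-06-07", "grievances_received": 2, "grievances_resolved": 2, "avg_resolution_hours": 19}
{"fiduciary_id": "F-002", "date": "2025-06-08", "grievances_received": 1, "grievances_resolved": 0, "avg_resolution_hours": 200}
{"fiduciary_id": "F-003", "date": "2025-06-01", "grievances_received": "many"}
"""

# Assumed schema: required keys and the type each value must have.
REQUIRED = {
    "fiduciary_id": str,
    "date": str,
    "grievances_received": int,
    "grievances_resolved": int,
    "avg_resolution_hours": (int, float),
}


def parse_reports(jsonl_text):
    """Parse JSON-lines reports; return (valid_records, rejected_line_numbers).

    Malformed or ill-typed lines are rejected and reported by line number so a
    supervisor can chase the submitting CMP instead of ingesting bad data.
    """
    valid, rejected = [], []
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(lineno)
            continue
        # bool is a subclass of int in Python, so exclude it explicitly.
        bad = not isinstance(rec, dict) or any(
            k not in rec or isinstance(rec[k], bool) or not isinstance(rec[k], t)
            for k, t in REQUIRED.items())
        if bad:
            rejected.append(lineno)
            continue
        valid.append(rec)
    return valid, rejected


def detect_spikes(records, k=3.0, min_history=5, min_excess=5, mad_floor=1.0):
    """Flag days whose complaint count is far above the fiduciary's own baseline.

    Baseline = median of all earlier days; spread = 1.4826 * MAD (a robust
    stand-in for the standard deviation), floored so constant histories do not
    produce a zero threshold. min_excess stops tiny fiduciaries from alerting on
    a jump from 1 to 3 complaints. Thresholds are assumptions for the example.
    """
    by_fid = defaultdict(list)
    for r in records:
        by_fid[r["fiduciary_id"]].append(r)
    alerts = []
    for fid, rows in by_fid.items():
        rows.sort(key=lambda r: r["date"])
        counts = [r["grievances_received"] for r in rows]
        for i in range(min_history, len(rows)):
            prior = counts[:i]
            med = median(prior)
            mad = median([abs(x - med) for x in prior])
            threshold = med + k * max(1.4826 * mad, mad_floor)
            if counts[i] > threshold and counts[i] - med >= min_excess:
                alerts.append({"fiduciary_id": fid, "date": rows[i]["date"],
                               "received": counts[i], "baseline_median": med,
                               "threshold": round(threshold, 2)})
    return alerts


def sla_breaches(records, max_hours=72):
    """List report days whose average resolution time exceeds an assumed SLA."""
    return [{"fiduciary_id": r["fiduciary_id"], "date": r["date"],
             "avg_resolution_hours": r["avg_resolution_hours"]}
            for r in records if r["avg_resolution_hours"] > max_hours]


def run(jsonl_text=SAMPLE_JSONL):
    """Run the whole pipeline over one batch of CMP reports."""
    records, rejected = parse_reports(jsonl_text)
    return {"rejected_lines": rejected,
            "spikes": detect_spikes(records),
            "sla_breaches": sla_breaches(records)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Run as-is, the script rejects the malformed seventeenth line, raises one spike alert for F-001 on 2025-06-08 (40 complaints against a baseline median of 5) and one SLA breach for F-002 on the same day. The same functions would work unchanged on a regional board's subset of fiduciaries, which is the point of the federated design argued below: the detection logic can be shared while the data and the follow-up stay local.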

GDPR’s Centralized Enforcement Tendencies: Large Players vs. Smaller Entities

The EU GDPR, despite operating through national Data Protection Authorities (DPAs), shows a centralised enforcement bias because of its one-stop-shop mechanism. Most high-profile penalties have come through Ireland's DPA, the lead supervisory authority for Big Tech firms headquartered there (Meta, Google, TikTok). Smaller businesses, by contrast, often escape scrutiny unless a complaint is filed.

This uneven enforcement reveals that a centralized system, even in the EU’s decentralized regulatory design, fails to ensure equitable oversight. India’s single DPB may replicate these imbalances, with even worse consequences due to its scale and digital divide.

Why a Federated Model Makes Sense

Instead of a purely centralised or purely decentralised structure, a federated enforcement framework, combining shared digital infrastructure with distributed governance nodes, can deliver robust, equitable and scalable enforcement.

1. Federated ≠ Decentralized Chaos

Federated governance maintains a central coordinating authority (the DPB) but empowers state- or regional-level enforcement nodes with jurisdictional autonomy, aligned protocols, and shared datasets. These bodies would:

  • Handle local grievances and audits.
  • Monitor regional data fiduciaries.
  • Promote compliance in local languages and contexts.
  • Collaborate with the central DPB for cross-border and complex cases.

2. Scalable Enforcement via Regional Hubs

Distributing enforcement across zonal or state-level digital protection boards reduces the burden on the central DPB. It also ensures that small and medium fiduciaries face meaningful oversight. Regional boards can proactively conduct randomized audits of consent notices. They can auto-flag anomalies and manage high-frequency data flows in localized ecosystems such as healthcare, education, or transport.

3. Public Sector Accountability

Government agencies remain major data processors but are currently shielded by the sweeping exemptions available under Section 17. A federated structure allows peer-level regulatory engagement between state boards and their own government departments, enabling more nuanced enforcement while preserving the federal balance.

4. Localized Trust and Participation

By establishing regional enforcement points, the DPDP regime can bridge the digital divide, improve grievance redressal timelines, and foster grassroots awareness. Citizens are far more likely to engage with privacy rights when support is offered in their language, in their region.

Recommendations for better enforcement of the DPDP Act:
  1. Amend the Act for Regional Boards: create state- or zonal-level data protection boards with explicit jurisdiction and enforcement powers within their regions.
  2. Ensure Institutional Independence: appoint the Board and regional boards through an independent selection body, drawing on judicial, civil society and technical experts rather than executive nominees alone. Repeal Section 27(3) to remove the executive's channel for reopening Board decisions.
  3. Federated Data Coordination Platform: build a National Data Governance Dashboard that collates reports from CMPs, fiduciaries and regional boards, with a coordinating role for cross-jurisdictional cases comparable to the EU's European Data Protection Board (EDPB).
  4. Fund and Train Regional Boards: allocate budgets to hire tech-legal experts in each region and provide standardised training packages so that enforcement is consistent across boards.
  5. Require Reporting Metrics for CMPs: require CMPs to produce standard, machine-readable reports covering consent logs, breach details and grievance and resolution logs, so that central and regional monitoring systems can ingest them directly.
  6. Limit Government Exemptions: require every exemption to be tightly defined, with no blanket exemption on "sovereignty" grounds, and have every national security exemption reviewed by a designated independent review body.
  7. Improve the Digital Grievance System: deploy real-time escalation workflows, verify consent artifacts, and bind CMPs and fiduciaries to time-bound dispute resolution SLAs.

Reimagining Enforcement for a Digital Democracy

The DPDP Act is a promising law undermined by its centralised and executive-dominated enforcement framework. To truly protect citizens' data rights, India must distribute enforcement by establishing independent state-level boards under strong federal coordination. This approach, grounded in India's federal structure and aligned with global regulatory practice, will help close the enforcement gaps, restore trust and ensure that the right to privacy is upheld across the country. Policymakers have a narrow window to correct the architecture before implementation hardens; acting now will define the credibility and success of India's data protection regime.

Rakesh Singh

Rakesh is a final-year law student at Dharmashastra National Law University with a clear vision: to navigate and shape the frontiers where law meets technology. With a strong interest in data protection, TMT law, IPR and dispute resolution, he is passionate about finding innovative legal solutions to the challenges of our connected age.