The Data Protection Board of India

The Data Protection Board of India (DPBI) is a new authority under India’s Digital Personal Data Protection Act, 2023. There have been increasing concerns about people’s privacy concerning their data in today’s digital age. The DPBI is responsible for protecting people’s rights as well as monitoring how organisations process data. This detailed but easy-to-understand overview shares what the DPBI is, what it does and why it matters.

What is the Data Protection Board of India?

The Data Protection Board of India (DPBI) is a special body created by the Indian government under the Digital Personal Data Protection Act, 2023. Its main job is to look into complaints and take action when someone misuses or mishandles your personal data online. You can think of it as a digital court that deals only with issues related to privacy and data protection. If your personal information is leaked or used without your permission, you can complain to this Board.

The Board works fully online and is independent, meaning it can make its own decisions without outside pressure. It has the power to investigate companies, order them to fix problems, and even impose heavy fines if they break the law. The members of the Board are experts in law, technology, or data protection, and they are appointed by the government. All its rules and powers come from Section 18 to Section 28 of the Digital Personal Data Protection Act, 2023

Why Was the Data Protection Board of India (DPBI) Created?

In 2017, the Supreme Court held that privacy is a fundamental right. The 2017 decision kicked off a process of building data protection laws in India. The Data Protection Board of India (DPBI) will be set up to ensure companies in India handle your personal data properly. It will also check if they comply with the terms specified in the Digital Personal Data Protection Act, 2023. As our offline life moves to an online world, our privacy has also been put at risk. The time had come to set up an authority that is dedicated to preventing misuse of your data and ensuring that you have recourse.

The DPBI acts as an independent overseer for digital privacy. It provides a platform to address issues like data leaks, misuse of personal data, or data collected and used without permission. Before this law, people had no clear or quick way to complain or seek justice if their digital privacy was violated. The DPBI now adds a new layer of trust. It ensures that there is a faster, fairer legal route to correct violations and protect your digital rights.

The Data Protection Board of India will come into existence once the DPDPA rules are officially published, providing a clearer timeline for when the law will take effect and data protection enforcement will begin. The DPBI will investigate data breaches and ensure companies comply with the law. At the same time, it is designed to protect the digital rights of citizens in today’s evolving digital world.

Under Which Ministry Does the Data Protection Board of India (DPBI) Operate?

The Data Protection Board of India (DPBI) operates under the Ministry of Electronics and Information Technology (MeitY). MeitY is responsible for India’s digital policy and data governance. The Board functions as an independent, digital-first adjudicatory body. It acts much like a specialized court for data protection issues.

The DPBI will continue to receive complaints from individuals and will investigate data breaches. The DPBI can make interim directions and impose significant penalties (up to ₹250 crore) for violations. In the case of ongoing or continuing non-compliance, the DPBI can recommend blocking access to digital media platforms.

The DPBI will be entirely electronically based to allow for speedy, transparent, and accessible resolution. Also the decisions of the DPBI can be appealed to the Telecom Disputes Settlement and Appellate Tribunal(TDSAT). In the event that any person or entity wishes to appeal to the Supreme Court this is permissible. The process is streamlined and straightforward.

When Was the DPBI Established?

The Data Protection Board of India (DPBI) was created by the Indian Parliament passing the Digital Personal Data Protection Ordinance, 2023 (Act No. 22 of 2023) in August 2023 and the President providing assent to the ordinance. However, the government has not yet formally constituted or made functional or operational the DPBI as of today.

The commencement date of the DPBI will be announced by the Ministry of Electronics and Information Technology (MeitY) by way of notification as set out in Section 18(1) of the Digital Personal Data Protection Act, 2023. Until this notification has been issued, the DPBI is in the early preparation stage, which included developing its information technology infrastructure, hiring staff, and setting up all operational processes.

Where is the Data Protection Board of India (DPBI) Headquartered?

The Data Protection Board of India (DPBI) will primarily function as a digital office. It will carry out all key processes—such as filing complaints, conducting hearings, running investigations, and issuing decisions—online. This digital-first model will make data protection issue resolution faster, more accessible, and more transparent.

The DPDPA 2023 allows the Central Government to decide the physical location of the Board’s headquarters under Section 18(3). However, the government has not yet issued any official notification. The Board is tentatively expected to be based in Delhi. Even if the government sets up a physical office, the Board will continue to operate in a digital-by-default manner, in line with its legal framework.

Who are the Members of the Data Protection Board of India (DPBI) ?

Under the Digital Personal Data Protection Act, 2023, the Data Protection Board of India (DPBI) will have a Chairperson and a set number of Members. The Central Government will determine and notify the exact number, as stated in Section 19(1) of the Act.

The Central Government will designate the Chairperson and Members as per the recommendations of a Search-cum-Selection Committee under Section 19(2).

Eligible candidates must be persons of high integrity with demonstrated ability but must also have special knowledge, or practical experience in at least one of the following:

• Data governance
• Law
• Information technology
• Cybersecurity
• Consumer or social protection
• Regulation or techno-regulation
• Digital economy

Also, at least one of the Members must have expertise in law as contained in Section 19(3).

What are the Powers and Functions of the DPBI?

The DCPB has extensive powers to enforce data protection laws. This is for their jurisdiction is extensive, and the DPBI can: investigate data breaches, hold hearings, issue binding orders, and order significant penalties (fines) against every organizations that violates or acts against a data privacy standards. Additionally, given serious cases, the DPBI could bar repeat offenders. The DPBI operates as a free-standing adjudicative body—meaning it acts like a digital court for data protection matters. The functioning of the DPBI as follows:

1. Receives Complaints:If personal data is misused, leaked, or treated fairly, the person can make complaint to the DPBI use concerning their privacy violations.
2. Investigates Breaches: The DPBI Board can investigate a data breach or violations of the Digital Personal Data Protection Act, 2023. The DPBI can investigate a complaint from anyone or a references from government or judicial authorities (section 27).
3. Digital-First Process: All steps of all processes—receiving complaints, hearings, and decisions—are conducted in a digital or online fashion (section 28), making it convenient.
4. Issues Orders and Penalties: After an inquiry, if a company or person is found guilty of violating data protection laws, the Board can issue directions or impose financial penalties (Section 33).
5. Monitors Consent Managers: The Board also keeps a check on Consent Managers, who help users give or withdraw consent for data sharing (Section 6 and 27).
6. Independent but Accountable: Though it works under MeitY, the Board has independence in its decision-making, ensuring fairness and transparency.

How Can Citizens File a Complaint?

If a person’s personal data is misused or mishandled, they should first attempt to escalate the issue with the company’s grievance officer. A grievance officer represents the concerned organization, called the Data Fiduciary. In the event a company does not appropriately respond to the grievance or provide resolution, the Data Principal may bring the matter to the Data Protection Board of India (DPBI).

The government has not yet officially notified the exact complaint process. However, the DPBI is expected to run entirely on a digital platform. Once active, the platform will likely include a dedicated grievance section for filing complaints online. In many cases, users may submit grievances through a Consent Manager. Consent Managers act as intermediaries and help users manage their data rights.

If the issue remains unresolved, the Data Principal can approach the DPBI directly. They may also choose an Online Dispute Resolution (ODR) mechanism, depending on the case.

How Does the Data Protection Board of India (DPBI) Work with Other Regulators?

The Data Protection Board of India (DPBI) is an adjudicatory body under the Digital Personal Data Protection Act, 2023 but is an independent body and is supposed to work closely with regulators and government offices to help ensure enforcement of the data protection laws across various sectors of the economy.

In sectors like banking, telecom, insurance, and healthcare, other regulators such as RBI, TRAI, IRDAI, and NHA are already in charge. In these cases, the DPBI will coordinate with these authorities to clarify how enforcement will work. The goal is to reduce duplication, avoid confusion, and prevent regulatory conflicts. For example, if a bank misuses a consumer’s personal data, the RBI and DPBI may work together. They will decide how to conduct the investigation and impose penalties, ensuring clear accountability.

The Board will also work with technical and cybersecurity agencies such as CERT-In, the National Cybercrime Coordination Centre (I4C), and law enforcement bodies under the Ministry of Home Affairs for responding to data breaches, cyberattacks, and criminal misuse of personal data. For example, while CERT-In may investigate the technical cause of a breach, DPBI can impose penalties on the responsible entity.

Further, complaints will often first go through Consent Managers like concur—intermediaries that help users manage their data rights. If unresolved, complaints may escalate to the DPBI or even go through Online Dispute Resolution (ODR) mechanisms. Over time, the Board is also expected to engage in international cooperation with data protection authorities in other countries, especially in cross-border data processing cases.

Is There a DPBI Website?

Presently, there is no standalone DPBI website. News and notification about the DPBI will be published on MeitY’s official website (meity.gov.in) until the DPBI’s digital portal is up and running.

What About Recruitment at the Data Protection Board of India (DPBI) ?

Recruitment for the Data Protection Board of India (DPBI) will start once the Board is formally set up. Under the Digital Personal Data Protection Act, 2023, the Central Government will appoint the Chairperson and Members and may also issue a notification for the hiring of officers and staff to assist in the operational functions of the Board (Sections 19–24).

Details regarding recruitment, including jobs, eligibility criteria, application processes and timelines, will be published through:

• The MeitY (Ministry of Electronics and IT) website.
• Official Government Employment portals like NCS or employmentnews.gov.in

Candidates who wish to take on these roles should keep an eye on these sources and prepare as appropriate based on their backgrounds in the area of law, data governance, cybersecurity, digital economy or related area, as that is prescriptive of the qualifications needed for jobs with the DPBI.