The Digital Personal Data Protection Board: Persisting Questions of Constitutionality

The Digital Personal Data Protection (DPDP) Act, 2023, was heralded as a landmark in India’s journey towards recognizing and safeguarding informational privacy. However, as the draft Digital Personal Data Protection Rules, 2025, have been unveiled, several critical questions about the constitutionality and functional robustness of the DPDP Board remain unanswered. This blog explores these issues and their implications for the enforcement of data protection rights in India.

Concerns Regarding the DPDP Board

The DPDP Board is envisioned as the sole adjudicating body responsible for implementing the DPDP Act. However, several constitutional and functional issues surround its formation and operation:

Lack of Independence:

• The independence and impartiality of the DPDP Board remain questionable due to its direct dependence on the union government for appointments, terms of service, and removals.
• The two-year tenure for board members is too short to build expertise in this complex area of law and regulation, raising doubts about the board’s capacity to deliver justice effectively.

Inadequate Qualifications and Selection Processes:

• The qualifications for the chairperson and members, though mentioned in Section 20(3) of the act, are vague and do not ensure a sufficiently competent or diverse board composition.
• The draft rules propose that search-cum-selection committees, composed primarily of government appointees, will select members, further consolidating government control over the board’s functioning.

Jurisdictional Gaps:

• Civil court jurisdiction over data protection issues has been removed, and the board’s powers are limited to imposing penalties on data fiduciaries, with no provision for compensating affected individuals.
• The repeal of Section 43A of the Information Technology Act, 2000, has stripped individuals of their right to seek compensation for damages caused by data breaches.

Procedural Ambiguities:

• Rules regarding the board’s inquiry and appeals procedures lack specificity. For instance, while Rule 18 mentions that inquiries should conclude within six to nine months, it provides no clarity on the process or safeguards for ensuring fair adjudication.

Draft Rules, 2025: Addressing or Exacerbating Concerns?

The draft rules fail to address many critical issues identified in the act and leave room for ambiguity:

• Rule 16: Governing appointments, this rule emphasizes government discretion without establishing clear criteria for selecting board members or ensuring the inclusion of legal and adjudicatory expertise.
• Rule 18: Lays out procedural guidelines but lacks detail on conducting inquiries, leaving much to interpretation and potentially undermining procedural fairness.
• Rule 19: Simply reiterates the act’s provision for a “digital office” without elaborating on its functions or how it would enhance the board’s efficacy.
• Rule 21: Addresses appeals but does not provide detailed procedural safeguards, leaving key aspects to be decided by the appellate tribunal later.

Constitutional Concerns

The DPDP Act and draft rules collectively raise constitutional questions:

Right to Privacy:

• The board’s limited powers and procedural deficiencies undermine its ability to protect citizens’ fundamental right to privacy as recognized by the Supreme Court in Puttaswamy v. Union of India (2017).

Efficacious Remedies:

• The removal of the right to seek compensation and the lack of an independent adjudicatory process deprive individuals of meaningful remedies, potentially violating Article 14 (Right to Equality) and Article 21 (Right to Life and Personal Liberty).

Government Control:

• The heavy influence of the government on the board’s composition and functioning raises concerns about its impartiality, a key requirement for regulatory bodies under the Constitution.

Conclusions and Recommendations

The draft rules, while a step in operationalizing the DPDP Act, fall short of addressing fundamental issues regarding the board’s independence, capacity, and efficacy. For the DPDP Board to function as an effective guardian of data protection rights, the following measures are essential:

Strengthening Independence:

• The selection process for the board’s members must involve non-governmental stakeholders and ensure transparency.
• The term of office should be extended to provide members sufficient time to build expertise and institutional capacity.

Enhancing Procedural Clarity:

• The rules must clearly define the board’s inquiry and adjudication processes, ensuring fairness and accountability.
• The appellate mechanism should include detailed guidelines to guarantee timely and effective resolution of disputes.

Restoring Remedies:

• The act should empower the board to award compensation to affected individuals for data breaches and other violations.

As the draft rules undergo public scrutiny and potential revision, it is imperative for the government to address these concerns. Ensuring a robust, independent, and empowered DPDP Board is crucial not only for protecting citizens’ data privacy but also for building trust in India’s digital ecosystem.

By : team atharvaexamwise

Stay tuned to Atharva Examwise for in-depth analysis and updates on policies shaping India’s future.