DPDP Act 2023

Section 18

Establishment and Constitution of Data Protection Board of India

THE STATUTE

Original Text

(1) The Central Government shall, by notification, establish a body to be called the Data Protection Board of India to exercise the powers conferred on, and to perform the functions assigned to it, under this Act.

(2) The Board shall be a body corporate having perpetual succession and a common seal.

(3) The Board shall consist of a Chairperson and such number of other Members, as may be prescribed.

(4) The Chairperson and Members shall be appointed by the Central Government in such manner as may be prescribed.

(5) The Board shall function as a digital office and proceedings before the Board shall be conducted in such digital manner as may be prescribed.

Simplified

[DPDP Rules 2025 — Rules 17–21 operationalise this section; Rules 17–21 in force 13 Nov 2025]

Section 18 establishes the Data Protection Board of India (DPBI), the DPDP Act's enforcement and adjudicatory body. The Board is designed as a 'digital office' — proceedings will be conducted online, reducing the need for physical presence and theoretically making it more accessible. The Board's powers under the Act include: receiving and adjudicating complaints from Data Principals; imposing financial penalties on Data Fiduciaries; directing remediation; and referring cases to authorities where criminal offences are involved.

The critical institutional concern is independence: unlike GDPR's supervisory authorities, which have statutory independence guarantees (Article 52 GDPR), the DPDP Act gives the Central Government extensive control over the Board's composition and functioning. The Chairperson and Members are appointed by the Central Government, their terms and removal conditions are at the government's discretion, and the government can give 'policy directions' to the Board. This raises serious questions about whether the Board can independently restrain government data processing — especially given the broad Section 17(1)(a) exemption.

Comparison with EU: GDPR regulators are constitutionally independent; India's DPBI is more comparable to a tribunal than an independent authority.

Common Queries

The DPDP Act 2023 received Presidential assent on 11 August 2023 but has not been brought fully into force at once — Section 1(3) provides for phased commencement by Central Government notification. Different provisions are being notified at different dates, allowing the government to build the Data Protection Board infrastructure before full compliance obligations go live.
Yes. Section 1(2) extends the Act to India and also applies to processing outside India that is connected with offering goods or services to Data Principals in India. An Indian company with international operations that processes data of Indian users even outside India must comply.
The Act applies to all Data Fiduciaries by default, but the Central Government can exempt classes of small businesses or startups under Section 17(4). Until a specific exemption is notified, even small businesses processing digital personal data technically have DPDP obligations — though enforcement priority will likely focus on larger entities first.
The IT Act 2000 and its SPDI Rules 2011 were piecemeal, lacked enforcement teeth, had unclear extra-territorial reach, did not create Data Principal rights, and predated the explosion of digital data collection. The DPDP Act creates a comprehensive rights-based framework mandated by the Supreme Court's recognition of privacy as a fundamental right in Puttaswamy (2017).

Legal Context

Earlier drafts proposed a more independent Data Protection Authority (DPA) modelled on GDPR's supervisory authorities. The Srikrishna Committee recommended a fully independent DPA. The final DPDP Act's Board design, with extensive government control over appointments, was criticised by the Opposition, civil society, and legal scholars as compromising the regulator's independence — a concern particularly acute given the broad state surveillance exemption in Section 17.

Key Rules & Provisions

'Digital office' design — all proceedings conducted online, reducing physical barriers to access.

Government controls Board composition — independence concerns differ from GDPR model.

Board is a corporate body with perpetual succession — has legal personality to be sued and to enter contracts.

Appeal from Board orders lies to High Court.

Rules 17–21 (DPDP Rules 2025, in force 13 Nov 2025): Board appointments via Search-cum-Selection Committee — Cabinet Secretary chairs Chairperson committee.

Rule 19(9): 6-month inquiry completion deadline, extendable by 3 months at a time in writing.

Fifth Schedule: Chairperson ₹4.5 lakh/month; Members ₹4 lakh/month consolidated salary.

Rule 19: quorum is one-third of membership; decisions by majority vote with casting vote for Chairperson.

Board head office: Delhi-NCR.

Related Case Laws

L. Chandra Kumar v. Union of India (1997)

(1997) 3 SCC 261
RELEVANCE

The Supreme Court held that tribunal adjudication cannot oust the constitutional jurisdiction of High Courts. The DPDP Board's design as an adjudicatory body with appeal to TDSAT and ultimately to High Courts under Article 226 reflects this constitutional architecture — the Board exercises delegated judicial power within limits set by Puttaswamy and L. Chandra Kumar.