DPDP Act 2023

Section 20

Chairperson and Members of Data Protection Board

THE STATUTE

Original Text

(1) The Chairperson and other Members of the Board shall be appointed by the Central Government in such manner as may be prescribed. (2) A person shall not be qualified for appointment as Chairperson or Member of the Board unless he has been a person of ability, integrity and standing, having special knowledge of, and professional experience in, law, information technology, data governance, data management, data science, cyber and internet laws, management, social science, human rights, or other fields, as may be prescribed. (3) The Chairperson and Members of the Board shall hold office for such term, not exceeding two years, and shall be eligible for re-appointment. (4) The salary, allowances and other service conditions of the Chairperson and Members shall be such as may be prescribed. (5) The Central Government may, after giving the Chairperson or a Member an opportunity of being heard, remove him from office if he is of unsound mind, insolvent, has been convicted, or has acquired any financial or other interest that is likely to prejudicially affect the functions as Chairperson or Member.

Simplified

Section 20 governs the composition and appointment of the Data Protection Board's Chairperson and Members — the people who will decide India's major data protection cases. The qualifications clause is deliberately broad: candidates may have expertise in law, information technology, data governance, data management, data science, cyber law, management, social science, or human rights. This multi-disciplinary list reflects the complex nature of data protection disputes, which often require technical knowledge (how data systems work), legal expertise (constitutional and statutory interpretation), and understanding of social impacts (how data processing affects vulnerable communities). The two-year term (renewable) is notably shorter than most regulatory body appointments in India, where terms of 3–5 years are standard. Critics have argued this makes Board members more susceptible to executive influence — short terms with government-controlled re-appointment create incentives to please the appointing authority. The removal grounds are standard across Indian regulatory legislation: unsound mind, insolvency, conviction, or financial conflict of interest. Notably, there is no 'independence of the Board' protection in the statute — unlike GDPR's Article 52 which requires supervisory authorities to be 'independent'. This absence, combined with government control over appointments and re-appointments, is the central structural independence concern about the DPBI.

Common Queries

The Central Government appoints the Chairperson and all Members of the Data Protection Board, in the manner prescribed by DPDP Rules.

The maximum term is two years, with eligibility for re-appointment. This is shorter than most Indian regulatory appointments and has been criticised as potentially compromising independence.

Section 20(2) requires expertise in one or more of: law, information technology, data governance, data management, data science, cyber and internet laws, management, social science, or human rights. The Rules may specify additional fields.

The removal grounds in Section 20(5) are limited to unsound mind, insolvency, conviction, and financial conflicts of interest. Political disagreement is not a valid ground. However, the government controls re-appointment, creating softer incentive pressures.

Legal Context

Earlier proposals (Srikrishna Committee, JPC) recommended a more independent Data Protection Authority with longer terms and a selection committee involving judiciary and civil society. The final DPDP Act's Board design gives the Central Government full control over appointments — a significant departure from the independence model of India's securities (SEBI) and telecom (TRAI) regulators, which have longer terms and more structured appointment processes.

Key Rules & Provisions

Two-year term — significantly shorter than most Indian regulatory appointments.

Central Government controls all appointments — no independent selection committee.

Broad multi-disciplinary qualification criteria — technical, legal, and social expertise all recognised.

Independence not guaranteed by statute — contrast with GDPR's Article 52.

Related Case Laws

S.P. Sampath Kumar v. Union of India (1987)

(1987) 1 SCC 124

RELEVANCE

The Supreme Court upheld the constitutional validity of tribunal appointments even without full judicial independence — but emphasised that tribunals exercising judicial functions must have adequate independence safeguards. The DPDP Board's two-year terms and government-controlled appointments sit in tension with this principle, raising Section 20's constitutional vulnerability.

Privacy Protocol Info

OffenceN/A (Institutional — Board Composition Provision)

PunishmentN/A

Triable ByN/A

Cross-References

18 : Data Protection Board of India 21 : Vacancies etc. not to Invalidate Proceedings 22 : Staff of the Board