BACK TO DPDP ACT
DPDP Act 2023

Section 28

Inquiry by the Board

THE STATUTE

Original Text

(1) For the purposes of conducting an inquiry, the Board shall — (a) give the Data Fiduciary or Data Processor, as the case may be, a notice, calling upon it to show cause in the manner as may be prescribed, as to why the inquiry should not be conducted; (b) give the Data Fiduciary or Data Processor a reasonable opportunity of being heard; (c) consider the reply, if any, filed by the Data Fiduciary or Data Processor; and (d) make such inquiry as it deems fit. (2) The Board shall conclude the inquiry within such period as may be prescribed.

Simplified

Section 28 establishes the procedural framework for the Board's formal inquiry — the process by which a complaint moves from acceptance to a concluded decision that may result in penalties. The inquiry framework is built on natural justice: the Data Fiduciary receives notice, has the opportunity to show cause why the inquiry should not proceed, submits a reply, and is given a reasonable opportunity to be heard before any adverse decision. Four procedural steps are mandated: (a) Notice to the Data Fiduciary — a show cause notice explaining the basis for the inquiry and requiring the Data Fiduciary to respond; (b) Reasonable opportunity to be heard — the Data Fiduciary can make representations, submit evidence, and challenge the complainant's case; (c) Consideration of the reply — the Board must actually engage with the Data Fiduciary's response, not ignore it; (d) Such inquiry as the Board deems fit — giving the Board flexibility in how deeply it investigates (calling witnesses, inspecting systems, etc.). Section 28(2) imposes a prescribed timeline for conclusion — the Board cannot allow inquiries to drag on indefinitely, which has been a persistent problem with Indian regulatory enforcement. The DPDP Rules will specify this timeline. The inquiry is conducted digitally (consistent with the Board's digital office design), which should accelerate proceedings compared to traditional quasi-judicial proceedings. Following conclusion, if a contravention is established, the Board imposes penalties under Section 33.

Common Queries

Yes. Section 28(1)(b) mandates a 'reasonable opportunity of being heard' — this is a statutory codification of natural justice. A penalty imposed without a hearing would be legally vulnerable.
The DPDP Rules will specify a maximum duration. The timeline is not yet notified, but the Act's digital office design and the prescription of a mandatory deadline signal an intent for faster resolution than traditional regulatory proceedings.
Yes. Section 28(1)(c) requires the Board to consider the Data Fiduciary's reply, which would include evidence submitted in response to the show cause notice.
Yes. The Board functions as a 'digital office' under Section 18(5), and proceedings are conducted in a digital manner. Physical hearings are not required.

Legal Context

The inquiry procedure is modelled on natural justice principles codified across Indian regulatory legislation — the IT Act's Adjudicating Officer procedure, SEBI's adjudicatory process, and competition law enforcement all follow similar show-cause → reply → hearing → decision structures.

Key Rules & Provisions

Prescribed timeline for inquiry conclusion — preventing indefinite regulatory uncertainty for Data Fiduciaries.

Natural justice mandatory — show cause, reply, hearing are all required steps.

Board has flexibility in depth of inquiry — from document-based review to full evidentiary hearings.

Digital inquiry proceedings — consistent with the Board's online office design.

Related Case Laws

Maneka Gandhi v. Union of India (1978)

(1978) 1 SCC 248
RELEVANCE

The Supreme Court's landmark ruling that procedural fairness — including the right to be heard before adverse action — is a constitutional requirement under Article 21, not merely a procedural technicality. Section 28's notice, reply, and hearing requirements codify this Maneka Gandhi principle for DPDP Act inquiries.