BACK TO DPDP RULES INDEX
DPDP Rules 2025 Phase 1 (In force — 13 November 2025) ADMINISTRATIVE

Rule 17–21

Data Protection Board of India — Constitution, Appointments, and Procedures

Practical Note

Rules 17–21 are already operative (Phase 1). The DPBI has been established and the search-cum-selection committee for appointing Board members was to be constituted by December 2025. Watch for official DPBI membership announcements — the DPBI will begin issuing guidelines, standards, and specifications that will shape the full compliance picture before the May 2027 deadline.

THE STATUTE

Original Text

Rule 17: The Data Protection Board of India shall be established as a body corporate with perpetual succession and a common seal. Rule 18: The Board shall consist of a Chairperson and such number of other Members as the Central Government may determine. Rule 19: The Chairperson and Members shall be appointed by the Central Government on the recommendation of a Search Committee. Rule 20: The qualifications for appointment include: persons of ability, integrity and standing having special knowledge of, and professional experience in, data protection, information technology, law, or related fields. Rule 21: The Board shall function as a digital office and all proceedings shall be conducted digitally.

Analysis & Details

Rules 17–21 provide the foundational administrative framework for the Data Protection Board of India (DPBI) — India's data protection regulator. KEY PROVISIONS: ESTABLISHMENT: The DPBI is a body corporate — it has legal personality, perpetual succession, and a common seal. It can sue and be sued in its own name. It is headquartered in the National Capital Region. COMPOSITION: The Chairperson plus members as determined by the Central Government. The precise number of members has not been publicly fixed — flexibility is maintained. APPOINTMENT: Members are appointed by the Central Government on the recommendation of a Search Committee. The Search Committee (to be constituted by December 2025) includes the Cabinet Secretary and other senior officials. This government-appointed-on-search-committee model has been criticised for lack of independence compared to GDPR's requirement for independently appointed DPAs (Article 52 GDPR). QUALIFICATIONS: Appointees must have 'special knowledge and professional experience' in data protection, IT, law, or related fields. This is deliberately broad — enabling appointment of technologists, lawyers, economists, or administrators. DIGITAL OFFICE: Rule 21 establishes the DPBI as a 'digital office' — all proceedings, communications, notices, orders, and complaints are processed electronically. No physical submission of documents is required. This is the first Indian regulatory body established as a wholly digital institution.

GDPR Parallel

Articles 51–54 (Supervisory Authority + Independence Requirements)

IT Act Impact

The DPBI replaces the Adjudicating Officers under IT Act Section 46 for digital personal data matters. It is a significantly more powerful body — the Adjudicating Officers could impose maximum penalties of ₹5 crore; the DPBI can impose up to ₹250 crore.

Common Queries

Yes. The DPBI was formally established on 13 November 2025 through Gazette Notification G.S.R. 845(E). The Board's administrative infrastructure (headquarters in the National Capital Region, digital operations platform) was established from this date. However, the Chairperson and Board members had not yet been appointed as of the Rules' notification — the Search Committee for appointments was to be constituted by December 2025.
This is debated. The DPBI's Chairperson and members are appointed by the Central Government on the recommendation of a Search Committee. GDPR Article 52 requires supervisory authorities to act 'with complete independence' from government. The DPDP's appointment process — with the Cabinet Secretary chairing the Search Committee — raises questions about institutional independence. The DPBI's functional independence will ultimately depend on the calibre of appointees and the government's approach to non-interference in enforcement decisions.
Key similarities: both are dedicated regulatory bodies with powers to investigate, adjudicate, and fine. Key differences: (1) the EU has 53 DPAs (one per member state + the EDPB); India has one DPBI; (2) EU DPAs are required to be fully independent; DPBI's independence is less certain given the appointment process; (3) the DPBI is a digital-only office; most EU DPAs have physical offices; (4) appeals from DPBI go to TDSAT; EU DPA decisions are judicially reviewed by national courts.

Key Rules & Provisions

DPBI formally established as body corporate from 13 November 2025.

Government appointment process — independence concerns noted.

Digital office model — no physical proceedings.

Headquarters in National Capital Region.

Appointment of Chairperson and members pending as of Nov 2025.