Introduction
In today’s digital world, data privacy is a fundamental right. With the implementation of the Digital Personal Data Protection Act (DPDPA), 2023, India has taken a significant step toward safeguarding personal data. The Data Protection Board (DPB) is the regulatory body responsible for enforcing the provisions of the Act and providing remedies for data privacy violations.
If you believe your personal data has been misused, leaked, or mishandled, you can file a complaint with the Data Protection Board of India (DPB). This article breaks down the steps involved in filing a complaint under the DPDPA, 2023, the powers of the DPB, and legal remedies available to you.
What is the Data Protection Board (DPB)?
The Data Protection Board (DPB) is India’s first independent regulatory body under the DPDPA, 2023. It is responsible for ensuring compliance with the Act, resolving disputes, and upholding individuals’ digital privacy rights.
Key Features of DPB:
Regulatory Role: The DPB monitors compliance with data protection laws and investigates complaints related to data privacy violations.
Independent Authority: Though under government oversight, the DPB functions as a quasi-judicial body with the power to impose penalties and recommend policy changes.
Digital-First Approach: The DPB operates entirely online, allowing easy access to complaint filing, hearings, and decision-making processes.
Comparison with GDPR: Similar to GDPR’s Data Protection Authorities (DPAs) in Europe, the DPB holds companies accountable for data breaches and privacy violations.
Structure & Governance of the Data Protection Board
Chairperson & Members
The DPB consists of a Chairperson and other Members, all of whom are appointed by the Central Government (as per Section 19 of the DPDPA).
Members are experts in data privacy laws, technology, cybersecurity, and governance.
The Chairperson has administrative powers and decision-making authority.
Independence & Decision-Making Power
While the DPB is meant to function independently, it is still under government oversight, which raises concerns about neutrality. However, its quasi-judicial powers allow it to issue legally binding rulings on data privacy violations.
Digital-First Functioning
Unlike traditional regulatory bodies, the DPB has adopted a digital-first model:
All proceedings, including filing complaints, hearings, and final decisions, are conducted online.
This ensures faster resolutions and greater accessibility to justice.
Powers & Jurisdiction of the DPB
Handling Data Privacy Violations
The DPB is empowered to investigate complaints and take action against data breaches by organizations or individuals.
Issuing Financial Penalties
The DPB can impose monetary penalties of up to ₹250 crore on companies found guilty of data privacy violations (as per the Schedule of DPDPA).
Ordering Data Deletion & Correction
If a company is found misusing data, the DPB can order it to:
Delete personal data.
Correct incorrect data.
Stop processing the data immediately.
Overseeing Cross-Border Data Transfers
The DPB plays a crucial role in ensuring that companies comply with government-approved cross-border data transfer regulations.
Taking Action Against ‘Significant Data Fiduciaries’
Organizations handling large volumes of sensitive data must comply with stricter regulations. The DPB has the power to audit their compliance and take action if necessary.
Issuing Guidelines & Policy Directives
The DPB can propose and set new data protection policies and advise the government on privacy law amendments.
How to File a Complaint with the DPB?
Step 1: File a Grievance with the Data Fiduciary (Company First Approach)
Before approaching the DPB, individuals must first file a formal grievance with the organization or company responsible for handling their personal data.
The grievance should be in writing and submitted through an official channel such as email, online grievance portals, or customer service contacts.
The company is legally required to acknowledge and respond to the complaint within 30 days (as per Section 13 of the DPDPA).
If the issue is resolved satisfactorily, there is no need to escalate it to the DPB.
If the company fails to respond or provides an inadequate response, the individual can proceed to the DPB.
Step 2: Escalation to the DPB
Once the company fails to resolve the grievance, individuals can file a formal complaint with the DPB.
The complaint must contain all supporting documents such as email conversations, screenshots, or any response from the company.
A unique complaint reference number will be generated upon submission.
The DPB will review the case to determine whether it falls within its jurisdiction.
Step 3: Submitting a Digital Complaint
Since the DPB functions digitally, complaints must be filed online via the official DPB portal.
Individuals need to provide:
Full name and contact details.
Evidence of the data privacy violation.
Details of previous attempts to resolve the matter with the company.
A written statement describing the complaint clearly.
Step 4: Inquiry & Resolution by DPB
Once the complaint is received, the DPB will:
Investigate the company’s practices related to the alleged violation.
Seek a formal response from the company.
Conduct hearings online if required.
Issue a binding decision within a stipulated time.
Step 5: Penalties & Appeals
If found guilty, companies may face monetary penalties and be ordered to rectify violations immediately.
Individuals who are dissatisfied with the DPB’s decision can appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29 of the Act.
The appeal must be filed within 60 days from the date of the DPB’s decision.
How Does the DPB Compare to Global Data Protection Authorities?
The Data Protection Board of India (DPB), established under the Digital Personal Data Protection Act, 2023 (DPDPA), serves as the nation’s primary enforcement authority for digital data protection. However, data protection laws and regulatory bodies vary significantly across the world, with some nations adopting independent data protection authorities (as under the GDPR in the European Union) and others enforcing sector-specific regulations (as seen in the United States).
To better understand how India’s DPB compares to global counterparts, we must examine its structure, powers, jurisdiction, enforcement mechanisms, and independence in relation to three major data protection models:
The European Union’s General Data Protection Regulation (GDPR)
The United States’ sector-based privacy framework (CCPA, HIPAA, FTC, etc.)
Other notable data protection authorities such as the UK’s ICO and Singapore’s PDPC
1. DPB vs. GDPR (European Union)
The EU’s GDPR is considered the gold standard for data privacy laws globally. It establishes Data Protection Authorities (DPAs) in each EU member state, ensuring strict enforcement of privacy rights.
Key differences between GDPR DPAs and India’s DPB include:
Independence: GDPR mandates fully independent Data Protection Authorities (DPAs) that do not function under government influence, whereas the DPB remains under Indian government oversight.
Fines & Penalties: GDPR allows DPAs to impose penalties up to 4% of a company’s global revenue, whereas the DPB caps penalties at ₹250 crore (about €28 million).
Data Transfer Restrictions: GDPR prohibits data transfers to non-compliant countries without stringent contractual safeguards, whereas the DPB is yet to fully define its cross-border data policies.
The Right to Be Forgotten: GDPR provides individuals with an explicit legal right to have their personal data deleted, whereas the DPB grants deletion rights only in certain cases.
Consent Standards: GDPR demands explicit and informed consent, whereas DPDPA allows certain exemptions for processing data without consent (such as for government services and employer records).
2. DPB vs. US Data Privacy Model (CCPA, FTC, HIPAA, etc.)
Unlike the EU’s centralized GDPR, the US follows a fragmented, sector-specific approach with multiple enforcement agencies:
The Federal Trade Commission (FTC): Regulates consumer privacy violations.
The California Consumer Privacy Act (CCPA): Provides GDPR-like rights in California but lacks nationwide coverage.
The Health Insurance Portability and Accountability Act (HIPAA): Covers healthcare data.
Key differences between the US model and India’s DPB:
Centralized vs. Sector-Specific: The DPB acts as a single national enforcement body, whereas US privacy laws are fragmented across different sectors and states.
Legal Remedies: The US model allows direct lawsuits (private right of action), whereas DPDPA does not yet permit individuals to sue companies directly.
Consent & Opt-Out Rights: The CCPA follows an opt-out model (users can request companies to stop collecting data), whereas DPDPA relies primarily on consent but with specific exemptions.
Cross-Border Data Transfers: The US lacks stringent restrictions on data transfers, whereas India is expected to implement a country-specific whitelist for cross-border data flow.
3. DPB vs. Other Global Privacy Regulators
Other nations have also established strong data protection authorities, such as:
UK’s Information Commissioner’s Office (ICO)
Singapore’s Personal Data Protection Commission (PDPC)
Australia’s Office of the Australian Information Commissioner (OAIC)
Key takeaways from these regulators:
UK’s ICO is highly independent and functions without direct government interference, whereas India’s DPB operates under the Ministry of Electronics and Information Technology (MeitY).
Singapore’s PDPC balances strict data protection with business flexibility, an approach India may adopt for startups and MSMEs.
Australian laws include both privacy and cybersecurity oversight, while India’s DPB currently focuses only on personal data.
DPB vs. Global Data Protection Authorities
Feature | India’s DPB (DPDPA) | GDPR (EU DPAs) | US Model (FTC, CCPA, HIPAA) | UK ICO & Singapore PDPC |
Independence | Government-controlled | Fully independent | Sector-based enforcement (no single body) | Independent regulators |
Penalties & Fines | Up to ₹250 crore | Up to 4% of global turnover | Varies (CCPA fines up to $7,500 per violation) | ICO: Up to £17.5 million or 4% of turnover |
Right to Be Forgotten | Limited & conditional | Explicitly granted | Not universally recognized | Recognized |
Consent Requirements | Flexible (certain exemptions exist) | Strict opt-in consent | Opt-out for CCPA, HIPAA requires explicit consent | Generally opt-in consent required |
Cross-Border Data Flow | To be determined by government whitelist | Strict rules, requires compliance mechanisms (SCCs, Adequacy decisions) | Minimal restrictions | Moderate restrictions with adequacy requirements |
Private Right of Action (Lawsuits by Individuals) | Not allowed (complaints go through DPB) | Allowed in some cases | Allowed under CCPA, HIPAA, etc. | Limited |
Regulatory Focus | Digital personal data only | Comprehensive across all sectors | Varies by law (healthcare, finance, tech, etc.) | Data protection + cybersecurity measures |
The Future of Data Protection in India with DPB
As India’s digital landscape expands, so does the need for strong data protection frameworks. With millions of users interacting online daily, companies are constantly collecting, storing, and processing personal data. However, concerns over data misuse, surveillance, and security breaches have made data protection a top priority for both consumers and businesses.
The Data Protection Board of India (DPB), established under the Digital Personal Data Protection Act (DPDPA), 2023, is set to transform India’s approach to digital privacy. However, its future effectiveness will depend on how well it enforces regulations, adapts to evolving technologies, and balances business innovation with consumer privacy rights.
Let’s explore the future of data protection in India with DPB, covering compliance, public awareness, evolving regulations, and the role of emerging technologies.
1. Stronger Compliance for Businesses
With the DPB acting as India’s primary enforcement authority, businesses will need to adopt stricter data protection measures or risk severe penalties. The DPDPA mandates that all businesses handling digital personal data must comply with the following:
Mandatory Compliance Requirements:
Appointing a Grievance Officer – Companies must have a designated officer to handle consumer complaints and data protection issues.
Implementing Security Safeguards – Businesses must take adequate security measures to prevent data breaches and leaks.
Consent-Driven Data Processing – Data must be processed only with the consent of users, except for government-mandated exemptions.
Ensuring Cross-Border Data Compliance – Companies must follow government-approved guidelines for transferring personal data outside India.
2. Greater Public Awareness & Consumer Rights Enforcement
One of the biggest challenges in India’s data protection journey is low public awareness about privacy rights. Many users do not know they can:
File complaints against companies misusing their data
Request correction or deletion of their personal data
Challenge unlawful data processing
Seek legal recourse under the DPB’s jurisdiction
3. Evolving Regulations & Expanding Jurisdiction
As technology advances, so must India’s data protection laws. The DPB will likely expand its regulatory scope to address new challenges, including:
Upcoming Areas for Regulation
Artificial Intelligence (AI) & Big Data: AI algorithms collect and analyze massive amounts of user data.
Facial Recognition & Biometric Data: Many Indian cities are deploying facial recognition for surveillance.
Internet of Things (IoT) & Smart Devices: Smart devices collect real-time user data.
Conclusion
The Data Protection Board (DPB) is India’s first dedicated privacy enforcement authority, giving citizens a powerful tool to protect their data rights. Filing a complaint is a structured process, ensuring that violators are held accountable. As India’s digital economy grows, awareness and active participation in data protection enforcement will be critical for a safer online ecosystem.