Evaluating the Enforcement Mechanism under India’s Data Protection Framework: The Role of the Data Protection Board

A law’s true effectiveness lies not in its text but in its enforcement. This paper examines the enforcement architecture under India’s Digital Personal Data Protection Act, 2023, with particular focus on the Data Protection Board of India (DPB) as the central adjudicatory and regulatory authority. It analyses the structure, powers, and functioning of the DPB, including its role in adjudicating complaints, imposing penalties, and facilitating compliance through mechanisms such as voluntary undertakings. The study highlights key innovations such as the digital-by-default complaint system and the Board’s quasi-judicial powers, which mark a significant shift from the earlier fragmented regime under the Information Technology Act, 2000. However, the paper critically evaluates several structural and functional concerns. The most pressing issue is the lack of institutional independence, given the Central Government’s exclusive control over appointments and removals, raising constitutional concerns in light of the right to privacy recognised in Puttaswamy v. Union of India. Additional challenges include accessibility barriers created by fully digital proceedings, the limited deterrent value of the penalty framework when compared to global standards like the GDPR, and the potential misuse of the voluntary undertaking mechanism due to lack of clear guidelines and transparency. The appellate framework through TDSAT is also questioned for its lack of specialised expertise in data protection law. The paper concludes that while the DPB represents a significant step forward in India’s data protection regime, its current design risks undermining effective enforcement. It recommends reforms including ensuring structural independence, strengthening penalties, introducing inclusive access mechanisms, clarifying procedural safeguards, and developing specialised appellate expertise. Without such reforms, the DPB may struggle to function as a credible and effective guardian of India’s data privacy rights.