India’s Data Protection Board: The Enforcer That Isn’t There Yet
Introduction and Legislative Background
The data protection law of India has been in development for many years and is currently at a crucial point. The Digital Personal Data Protection Act 2023 (DPDP Act) is a major piece of legislation that establishes a comprehensive framework for the protection of personal data. Nevertheless, there have been delays in the establishment of the enforcement agency of the Act, namely, the Data Protection Board of India (DPBI).
The DPDP Act got its Presidential assent in August 2023 and paved the way for a robust data protection framework. After a long period of consultations, the Government notified the Digital Personal Data Protection Rules, 2025 (DPDP Rules) on November 13, 2025, thereby bringing into force several key provisions of the Act, particularly those relating to the establishment and functioning of the DPBI. The Board is designed as a quasi-judicial body responsible for adjudicating disputes, enforcing statutory obligations, and imposing monetary penalties of up to ₹250 crores in cases of non-compliance or personal data breaches.
Delay in Operationalisation and Judicial Concerns
Although there was an official notification of the rules and the formation of the Board through the law, the DPBI is yet to become fully operational due to delays in appointing its leadership and other Members. As of April 2026, public information indicates that the Chairperson and the other Members of the Board, as envisaged under the DPDP Act and DPDP Rules, have not yet all been appointed and assumed office. Also, the setting up of search-cum-selection committees, which is necessary for appointing the Chairperson and Members, has faced delays.
This institutional lacuna is now starting to have real consequences from the point of view of law. Recently, in a case involving the Madhya Pradesh High Court, the Court ordered the petitioner to refer their grievance related to alterations in data protection procedures by an important social networking site to the DPBI. The DPBI was also asked to pass a reasoned order in respect of the same within a specific period of time. While this decision is in line with the legal framework provided under the DPDP Act in terms of Section 18 of the Act, it brings forth the existence of a significant inconsistency within the institution.
This institutional vacuum gives rise to significant constitutional and administrative issues. In deciding to refer cases to a specialized agency, the courts are following the rule of competence. Nevertheless, the lack of an operational Board will result in a remedy not being available to the parties at all. It could mean that the judiciary will have to reclaim the power granted to the Board by the statute, increasing the risk of overlapping jurisdiction and potentially conflicting interpretations.
Regulatory and Economic Implications
Beyond the confines of the courtroom, there are further ramifications for the Indian digital economy resulting from the delay in implementing the DPBI framework. The DPDP Act imposes compliance obligations such as reporting of any data breaches, consent management of users, and following the principles of purpose limitation and data minimization. However, the lack of an operational regulator means that there will be no supervisory body to oversee the fulfilment of these obligations.
Another area impacted by this issue is the developing ecosystem known as "Consent Managers." These entities are meant to be established through the DPDP framework as third-party intermediaries that will help individuals manage and monitor their consents for the processing of their personal data. The regulation and registration of these entities are under the jurisdiction of the DPBI. Thus, the delay in the creation of the Board has put off the development of this particular ecosystem.
In a similar vein, the non-existence of the DPBI also affects how personal data breaches can be handled. According to the DPDP Act, data fiduciaries must report any breach of data to the Board, and in some instances, directly to those affected. Without the proper authority in place to receive, review, and respond to these reports, this mandate becomes meaningless.

Policy Challenges and Global Perspective
From a policy point of view, it is plausible the delay is a result of the complications associated with establishing such a body. Selecting a Chairperson and other members of the board is a job carried out by a high-level committee consisting of government personnel and experts in the field. It is important that the Board have the right expertise on data governance, law, and technology. However, in addition to this, there is the issue of independence, considering that the State is one of the data fiduciaries.
The difficulty in recruiting qualified professionals to serve in the public sector as regulators could also be another reason. Data protection is a niche area, and individuals with technical and legal skills related to data protection can be found working in the private sector, and their remuneration schemes are vastly different from those in public institutions.
In comparison, the global data protection frameworks highlight the need for an effective regulatory agency. For example, the GDPR, under the umbrella of the European Union, largely depends on independent supervisory agencies present in each of the member states. Likewise, countries like the UK and Singapore boast of their robust data protection regulatory bodies that offer assistance to users, facilitate compliance, and build trust in the online environment. These examples illustrate that the effectiveness of a data protection framework is closely tied to the capacity and independence of its supervisory authority; for the DPDP framework in India to be effective, the DPBI must similarly be fully constituted and equipped to function independently and at scale.
Conclusion
Against this backdrop, there lies an urgent need to establish the Data Protection Board. A working DPBI will not only facilitate the proper enforcement of the DPDP Act but will also provide necessary clarity to businesses, uphold individuals’ rights, and enhance India’s standing in the global digital economy. The formulation of guidelines, interpretive mechanisms, and enforcement cases by the Board will go a long way in helping implement the DPDP Act effectively.
Before all that happens, however, the current situation signifies a transitional period for India’s data protection laws, a period where the legislative framework has already been put in place, but the institutional infrastructure remains to be set up. Bridging this gap is important for India to achieve what it has set out to accomplish through its data protection laws.
Author: Naman Kapoor and Monika Singh, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.



