8.10 Chairperson's Powers: Section 26
Section 26 concentrates administrative authority in the Chairperson, establishing clear lines of institutional governance while enabling flexible case management.
(a) general superintendence and giving direction in respect of all administrative matters of the Board;
(b) authorise any officer of the Board to scrutinise any intimation, complaint, reference or correspondence addressed to the Board; and
(c) authorise performance of any of the functions of the Board and conduct any of its proceedings, by an individual Member or groups of Members and to allocate proceedings among them."
Three Pillars of Chairperson Authority
The Chairperson has general superintendence over all administrative matters. This includes:
- Budget and financial management
- Human resource administration
- Office infrastructure and premises
- Technology systems and digital office operations
- External stakeholder relations
- Policy formulation for Board operations
The Chairperson can authorize Board officers to scrutinize incoming communications. This preliminary screening function is crucial for:
- Filtering frivolous or vexatious complaints
- Categorizing matters by urgency and complexity
- Identifying incomplete submissions requiring follow-up
- Routing matters to appropriate benches or members
Perhaps the most significant power: the Chairperson can constitute single-member or multi-member benches and allocate cases among them. This enables:
- Parallel proceedings: Multiple benches hearing cases simultaneously
- Expertise matching: Assigning technical cases to technically-qualified members
- Workload balancing: Even distribution among members
- Conflict avoidance: Recusing members with interests in specific cases
When representing clients before the DPB, practitioners should note that bench composition may affect case outcomes. A single-member bench handles routine matters; complex cases involving significant penalties may warrant multi-member benches. While parties cannot dictate bench composition, they may request (without right) that certain complex matters be heard by a larger bench.
8.11 Board Functions & Inquiry Triggers: Section 27
Section 27 defines the Board's core jurisdictional functions—the circumstances that trigger Board action and its consequent powers. Understanding these triggers is essential for knowing when and how to approach the Board.
(a) on receipt of an intimation of personal data breach... to direct any urgent remedial or mitigation measures... and to inquire into such personal data breach and impose penalty...
(b) on a complaint made by a Data Principal... or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court...
(c) on a complaint made by a Data Principal in respect of a breach in observance by a Consent Manager...
(d) on receipt of an intimation of breach of any condition of registration of a Consent Manager...
(e) on a reference made by the Central Government in respect of the breach in observance of the provisions of sub-section (2) of section 37 by an intermediary..."
Five Inquiry Triggers
Direction-Issuing Power: Section 27(2)
This broad direction-issuing power requires two procedural safeguards:
- Hearing opportunity: Audi alteram partem—the affected party must be heard
- Reasoned decision: Board must record reasons in writing—essential for appellate review
Board directions under Section 27(2) are binding on the recipient. Non-compliance can lead to further proceedings and penalties. However, the affected person can appeal to TDSAT under Section 29, and the Board itself can modify, suspend, or cancel directions under Section 27(3).
Direction Modification: Section 27(3)
The Board retains power to revisit its own directions:
| Trigger | Action Available | Conditions |
|---|---|---|
| Representation by affected person | Modify, suspend, withdraw, or cancel | May impose conditions |
| Central Government reference | Modify, suspend, withdraw, or cancel | May impose conditions |
8.12 Board Procedure: Section 28
Section 28 establishes the procedural framework for Board operations, with two revolutionary features: digital-by-design operation and civil court-equivalent powers.
Digital by Design: Revolutionary Mandate
The DPDPA's "digital by design" mandate represents India's most ambitious experiment in digital adjudication—creating a regulatory body specifically designed for online operation from inception.
The digital-by-design mandate reflects the principle that the remedy should match the nature of the right. Since digital personal data protection inherently involves digital technologies, the enforcement mechanism should be equally digital-native. This approach draws from Bentham's observation that effective justice requires accessible forums—digital operation removes geographic barriers and enables 24/7 access.
Civil Court Powers: Section 28(7)
(a) summoning and enforcing the attendance of any person and examining her on oath;
(b) receiving evidence of affidavit requiring the discovery and production of documents;
(c) inspecting any data, book, document, register, books of account or any other document; and
(d) such other matters as may be prescribed."
These powers transform the DPB into a quasi-judicial body with teeth:
| Power | CPC Equivalent | Practical Application |
|---|---|---|
| Summoning attendance | Order V CPC | Compel Data Fiduciary officials, DPOs, witnesses to appear |
| Examination on oath | Order XVIII CPC | Cross-examination of witnesses; perjury consequences apply |
| Evidence on affidavit | Order XIX CPC | Sworn statements as evidence; false affidavit = criminal offense |
| Discovery & production | Order XI, XII CPC | Compel production of internal documents, data logs, contracts |
| Document inspection | Order XI Rule 14 CPC | Physical or digital inspection of records, systems |
Section 28(8) expressly restricts DPB's powers: "The Board or its officers shall not prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person." Unlike some regulators with "dawn raid" powers, the DPB cannot physically seize equipment or disrupt business operations.
8.13 Inquiry Process Flow: Section 28(3)-(12)
Section 28 establishes a structured inquiry process with defined stages, natural justice requirements, and procedural safeguards.
Receipt of Trigger
Board receives intimation, complaint, reference, or court direction as per Section 27(1). Officers scrutinize for completeness and jurisdiction under Chairperson's authorization (Section 26(b)).
Grounds Assessment — Section 28(3)
Board determines whether there are sufficient grounds to proceed with an inquiry. This is a preliminary threshold determination, not a substantive adjudication.
Decision Point: Proceed or Close
Section 28(4): If insufficient grounds, Board may close proceedings with recorded reasons.
Section 28(5): If sufficient grounds, Board proceeds to inquiry with recorded reasons.
Inquiry Conduct — Section 28(6)
Board conducts inquiry following principles of natural justice and records reasons for its actions. This includes notice to parties, opportunity to respond, evidence examination, and hearings.
Interim Orders — Section 28(10)
If necessary during inquiry, Board may issue interim orders after hearing the affected party and recording reasons. Examples: data processing suspension, breach mitigation directions.
Final Determination — Section 28(11)
On completion, after giving opportunity to be heard, Board either closes proceedings or proceeds to penalty determination under Section 33, with recorded reasons.
Natural Justice Requirements
Section 28(6)'s explicit natural justice mandate incorporates established principles:
| Principle | Latin Maxim | Application in DPB Proceedings |
|---|---|---|
| Right to be heard | Audi alteram partem | Notice of proceedings, opportunity to respond, hearing before decision |
| No bias | Nemo judex in causa sua | Member recusal for conflict of interest under Rule 18(5) |
| Reasoned decision | — | Board must record reasons at each stage (closure, interim orders, final orders) |
| Fair procedure | — | Equal treatment of parties, evidence disclosure, cross-examination rights |
Maneka Gandhi v. Union of India (1978) 1 SCC 248 established that any procedure affecting rights must be "right, just, and fair." The Supreme Court held that natural justice is an integral part of Article 21. The DPB, affecting fundamental right to privacy per K.S. Puttaswamy, must adhere to rigorous natural justice standards. Non-compliance provides grounds for TDSAT appeal.
Frivolous Complaints: Section 28(12)
To deter misuse of the complaint mechanism:
This provision balances access to justice with deterrence of vexatious litigation. The Board has discretion between warning (for misguided complaints) and costs (for clearly frivolous or malicious complaints).
8.14 Inquiry Timeline: Rule 18(9)
Rule 18(9) imposes time limits on Board inquiries, promoting timely resolution:
| Phase | Duration | Total Cumulative |
|---|---|---|
| Initial Period | 6 months | 6 months |
| First Extension | Up to 3 months | 9 months |
| Second Extension | Up to 3 months | 12 months |
| Further Extensions | 3 months each (no cap) | Unlimited (with reasons) |
Unlike some regulatory timelines, Rule 18(9) doesn't impose an absolute outer limit. Extensions are possible indefinitely "for reasons to be recorded in writing." This provides flexibility for complex cases but could undermine the promise of speedy resolution. Practitioners should note this when setting client expectations.
8.15 Law Enforcement Assistance: Section 28(9)
For effective enforcement, the Board can requisition assistance from law enforcement:
This provision enables:
- Summons enforcement: Police assistance for compelling attendance
- Document collection: Government officer assistance for evidence gathering
- Technical expertise: Requisitioning experts from government departments
- Order enforcement: Assistance in implementing Board directions
The provision states "it shall be the duty of every such officer to comply." This mandatory language leaves no discretion to the requisitioned officer. Failure to comply could constitute dereliction of duty. This ensures the DPB's orders have the backing of state enforcement machinery.
8.16 Key Takeaways
🎯 Essential Points to Remember
- Chairperson Powers: General superintendence, scrutiny authorization, bench constitution, and case allocation
- Five Inquiry Triggers: Breach intimation, Data Principal complaint, Government reference, court direction, Consent Manager/intermediary breaches
- Direction Power: Section 27(2) enables binding directions after hearing and recorded reasons; appealable to TDSAT
- Digital by Design: Board mandated to operate digitally—complaints, allocation, hearings, and decisions all digital
- Civil Court Powers: Summons, oath examination, affidavit evidence, document discovery, inspection
- Important Limitation: Cannot prevent premises access or seize equipment that affects day-to-day functioning (Section 28(8))
- Natural Justice: Explicit requirement in Section 28(6)—audi alteram partem, nemo judex, reasoned decisions
- Frivolous Complaints: Board can warn or impose costs on false/frivolous complainants
- Inquiry Timeline: 6 months default, extendable by 3 months at a time with recorded reasons
- Law Enforcement: Mandatory compliance by police/government officers with Board requisitions