Data Protection Board Formed Under New Law—But Without Parliamentary Oversight
- ByAdmin --
- 22 Apr 2025 --
- 0 Comments
India has taken a significant step in the direction of safeguarding digital privacy with the formation of the Data Protection Board of India (DPBI) under the Digital Personal Data Protection Act, 2023 (DPDPA). However, the move has sparked serious concerns among civil society, digital rights advocates, and legal experts—mainly because the board has been constituted without adequate parliamentary oversight or transparency.
This development brings to the forefront the tension between executive discretion and institutional accountability, especially in an era where personal data is a valuable resource and privacy is a fundamental right under Article 21 of the Constitution.
Background: The Digital Personal Data Protection Act, 2023
- The DPDPA was enacted in August 2023 and came into force in phases beginning early 2024.
- It aims to regulate the processing of digital personal data in a manner that recognizes the right of individuals to protect their data while facilitating lawful data processing for legitimate purposes.
- The Data Protection Board is the primary adjudicatory body under this legislation, tasked with enforcing compliance, imposing penalties, and adjudicating disputes.
What's the Controversy?
While the government notified the establishment of the DPBI in April 2025, the manner of its constitution and the absence of checks and balances has drawn criticism.
Key Concerns:
- Lack of Parliamentary Oversight: The board was formed by executive notification without being subject to detailed debate or scrutiny by Parliament.
- Appointment Process: There is no public information on the criteria, transparency, or independence of the board members.
- Potential Executive Control: The central government retains significant control over appointments, removals, and terms of service—raising concerns over the board’s autonomy.
- Opaque Functioning: No clear roadmap has been provided on how the board will function, hear complaints, or enforce penalties.
Legal and Constitutional Implications
The formation of the board touches upon core legal principles involving separation of powers, accountability of regulatory bodies, and fundamental rights.
Relevant Legal Points:
- Article 21: The right to privacy has been upheld as a fundamental right in the Puttaswamy v. Union of India (2017) case. A data protection regime must protect this right through an independent and accountable institutional framework.
- Rule of Law: Any adjudicatory body that can impose civil penalties must function independently and fairly. Concentration of power in the hands of the executive could violate this principle.
- Doctrine of Checks and Balances: Regulatory bodies must be shielded from undue executive influence to ensure impartial decision-making.
Digital Rights Advocates Respond
Various stakeholders, including digital rights organizations like Internet Freedom Foundation (IFF) and Software Freedom Law Center (SFLC), have expressed concerns over the formation of the board without democratic checks.
Key Objections Raised:
- The DPDPA provides wide discretionary powers to the Centre without strong institutional safeguards.
- The law lacks provisions ensuring transparency in appointments or operations of the board.
- Unlike bodies like SEBI or TRAI, there is no parliamentary committee involved in vetting appointments.
Comparisons with Global Practices
In jurisdictions like the EU (under GDPR), data protection authorities are:
- Statutorily independent
- Accountable to legislative bodies
- Transparent in their decision-making
India’s board, in contrast, is executively appointed, and there is little clarity on how independence will be maintained in practice.
Way Forward: Need for Reform and Oversight
Legal experts suggest the following steps to enhance the legitimacy and accountability of the Data Protection Board:
- Independent Selection Panel: Appointments should be made by an independent committee including members from the judiciary, civil society, and Parliament.
- Annual Reporting to Parliament: The board should be mandated to submit a detailed report of its decisions, actions, and penalties.
- Public Consultations: Before operationalizing key aspects like grievance redressal mechanisms, stakeholder consultations must be conducted.
- Judicial Review: Provisions must clarify the scope for judicial review of board decisions to safeguard constitutional rights.
While the establishment of the Data Protection Board marks a milestone in India’s journey towards protecting digital privacy, the lack of transparency and absence of parliamentary scrutiny raises serious questions about its independence, accountability, and effectiveness.
For a law that governs one of the most important aspects of our digital lives—our personal data—it is essential that the regulatory authority operates with credibility, impartiality, and public trust. Without structural reforms and legislative oversight, the board risks becoming an extension of the executive, rather than a guardian of citizens’ rights.
RELATED Blog
0 comments