India Activates Data Protection Board Under New 2025 Rules


India has formally notified the Digital Personal Data Protection Rules 2025 and activated the Data Protection Board of India (DPBI) as the enforcement authority under the Digital Personal Data Protection (DPDP) Act 2023. The Act had already defined the Board’s mandate to investigate complaints, conduct inquiries and impose penalties. The newly notified rules now specify how the Board will be staffed, how it will operate, and how its processes differ from the draft rules issued in January 2025.

The government has also notified the commencement of key provisions of the DPDP Act. Sections 18 to 26, which establish the Board and define its powers, apply from 13 November 2025. Other obligations will come into effect over the next 18 months.

What the notified rules say about the Data Protection Board

The Central Government will constitute the DPBI and appoint its Chairperson and Members. The rules set up two search and selection committees:

  • The committee for the Chairperson is chaired by the Cabinet Secretary and includes the Secretaries of Legal Affairs and the Ministry of Electronics and Information Technology (MeitY), along with two experts of repute.
  • The committee for Members is chaired by the Secretary of MeitY and includes the Secretary of Legal Affairs and two experts.

These committees will recommend candidates, and the Central Government will make the final appointments. The rules continue to expect Members to bring experience relevant to the Board, including in law, technology and public administration.

The rules also state that the Board will function as a digital office. Rule 20 instructs the Board to use techno-legal measures to conduct proceedings without requiring physical presence, while retaining the power to summon and examine people on oath. The rules further require the Board to complete inquiries within six months of receiving an intimation, complaint or direction under Section 27. Extensions may be granted only in three-month blocks and must be supported with written reasons.

A separate notification fixes the Board’s head office in the National Capital Region.

Composition, functioning and authority

The notified rules lay out the Board’s internal processes:

  • The Chairperson sets the meeting schedule, approves the agenda and issues notices.
  • The Chairperson presides over meetings, or the Members present may elect another Member to chair if the Chairperson is absent.
  • One-third of the Members form the quorum.
  • Members take decisions by majority vote, and the Chairperson or acting chairperson has a second or casting vote in the event of a tie.
  • Members with a conflict of interest must recuse themselves and cannot vote on the relevant item.

The rules also empower the Chairperson to act during emergencies when convening a meeting is not feasible. The Chairperson must record reasons in writing, inform Members within seven days, and place the action before the Board for ratification at the next meeting. The Chairperson may also direct the Board to decide items by circulation, which requires approval from a majority of Members.

The Board may authenticate its orders and directions through the signature of the Chairperson, any Member or another authorised individual.

Tenure, salary and service conditions

The notified rules retain the salary levels in the draft:

  • Chairperson: Rs 4.5 lakh per month
  • Members: Rs 4 lakh per month

These are consolidated salaries without housing or car facilities. The Chairperson and Members may contribute to the Provident Fund of the Board on the same terms as its officers and employees. They are not entitled to pension or gratuity for their service on the Board.

The rules also provide that they:

  • Receive travelling allowance at scales linked to Level 17 for the Chairperson and Level 15 for Members.
  • Are eligible for group health insurance or may opt for medical assistance based on their prior government or public sector service.
  • Receive leave, casual leave, leave encashment and leave travel concession as per Central Civil Services rules.
  • Must avoid conflicts of interest and follow Central Civil Services classification and conduct rules similar to Group A officers.
  • Will not receive sitting fees or sumptuary allowance.

The rules allow the Board to appoint staff with prior approval from the Central Government. Staff may be taken on deputation from government bodies or appointed through the National Institute for Smart Government. They receive gratuity, medical insurance, travel allowance and leave benefits, and are governed by Central Civil Services conduct and disciplinary rules.

What has changed from the draft rules

Most structural elements remain the same, but the notified rules tighten and clarify several parts of the Board’s design and functioning.

First, the government has separated the search and selection process for the Chairperson and Members.
The draft rules proposed a single committee chaired by the Cabinet Secretary. The notified rules replace this with two bodies: one chaired by the Cabinet Secretary to select the Chairperson and another chaired by the Secretary of MeitY to select Members. This change creates a clearer appointment structure.

Second, the notified rules introduce mandatory inquiry timelines for the first time.
The draft did not specify how long inquiries should take. The notified rules now require the Board to complete an inquiry within six months and limit extensions to three-month blocks with written justification. This creates a more predictable and structured process.

Third, the notified rules expand the digital-office framework.
The draft described the Board as digital-first but did not explain how it would function. The notified rules add a dedicated provision instructing the Board to operate as a digital office using techno-legal systems, while clarifying that physical presence may still be required for summoning or examining individuals.

All other elements, such as quorum, voting procedure, service conditions, salary levels and conflict-of-interest rules, remain unchanged from the draft.

How the Board will enforce breach reporting

The notified rules preserve the framework for reporting personal data breaches but add more practical detail.

When a Data Fiduciary becomes aware of a breach, it must immediately inform affected Data Principals through their registered mode of communication. The intimation must clearly describe the breach, its likely impact, mitigation measures, safety steps and a business contact.

The Data Fiduciary must also inform the Board without delay and describe the nature, extent, timing, location and likely impact of the breach.

Within seventy-two hours of becoming aware of the breach, the Data Fiduciary must send an updated report to the Board unless the Board grants more time. This report must explain:

  • the facts and reasons behind the breach
  • mitigation measures taken or planned
  • findings on the person responsible
  • steps to prevent recurrence
  • details of the notices sent to Data Principals

This structure remains similar to the draft rules discussed during MediaNama’s February roundtable. However, the six-month inquiry timeline and detailed reporting requirements create additional operational pressure for companies that must manage breach containment and compliance simultaneously.

How the Board will exercise enforcement powers

Voluntary undertakings

The DPDP Act allows the Board to accept voluntary undertakings at any stage of an inquiry. These undertakings may include commitments to take corrective action or stop certain conduct. Once the Board accepts an undertaking, it cannot pursue enforcement on the same issue unless the entity violates the undertaking.

Blocking recommendations

If a Data Fiduciary repeatedly violates the Act, or if public interest requires stronger intervention, the Board may recommend that the Central Government block access to information or systems used by the entity. The Government may issue the blocking order after giving the entity an opportunity to be heard.

Appeals

Any aggrieved person may appeal DPBI orders to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Appeals must be filed digitally, and fees will match the fee for appeals under the Telecom Regulatory Authority of India Act unless TDSAT reduces or waives it. Further appeals may be made to the Supreme Court.

What’s Missing From the Data Protection Board Framework

  • No procedure for how inquiries will be conducted
    The rules set timelines but do not outline inquiry stages, investigative steps, evidentiary standards or internal checks.
  • No coordination mechanism with other DPDP Act bodies
    The Act envisages multiple entities, including the committee on cross-border data flows, but the rules do not explain how these bodies will interact with the Board.
  • No guidance on case selection or prioritisation
    The rules do not say how the Board will decide which complaints, breach reports or directions to take up first, or whether thresholds apply.
  • No workflow for handling high-volume breach notifications
    While reporting obligations are detailed, the rules do not describe how the Board will receive, screen, categorise or escalate breach reports.
  • No transparency obligations for the Board itself
    The rules do not mandate the publication of orders, inquiry outcomes, penalty records, annual summaries or procedural guidelines.
  • No clarity on staffing structure or required capacity
    The Board may appoint staff with government approval, but the rules do not specify staffing levels, organisational units or administrative support systems.
  • No detailed conflict-of-interest protocol
    Members must recuse themselves when conflicted, but the rules do not define how conflicts must be declared, logged or managed.
  • No operational definition of the digital office
    Rule 20 calls for techno-legal measures but does not describe authentication standards, record-keeping systems, access controls or digital infrastructure.

When the DPDP Act and rules take effect

The DPDP Act follows a three-stage rollout:

  • From 13 November 2025, the provisions that establish the Board and its powers come into force.
  • One year from the notification date, section 6(9) on verifying parental consent and section 27(1)(d) on publishing data processing descriptions take effect.
  • Eighteen months from the notification date, the remaining core obligations including consent requirements, notice standards, rights of Data Principals, duties of Data Fiduciaries and significant fiduciary obligations apply.

The DPDP Rules follow a similar pattern. Rules 1, 2 and 17 to 21 take effect immediately. Rule 4, which covers the registration and obligations of Consent Managers, takes effect in one year. The remaining rules, including those on breach reporting and the Board’s procedures, apply in eighteen months.

Together, these notifications activate the DPBI immediately while delaying most compliance requirements for companies until 2026 and mid-2027.
