
Q1 - Can the Board initiate an investigation on its own, or only based on complaints?

Answer

The Digital Personal Data Protection Act, 2023 (DPDPA) gives the Data Protection Board of India (DPBI) a broad mandate to act both on complaints and on its own initiative, depending on the source of information it receives.


1. Board’s Power to Act

Section 27(1)
The Board may initiate inquiries and impose penalties when:

  • It receives an intimation of a personal-data breach from a Data Fiduciary.
  • A Data Principal files a complaint regarding a breach or rights violation.
  • It receives a reference from the Central or State Government.
  • It acts in compliance with a court direction.
  • It receives information about a Consent Manager’s registration breach.

While the Act does not use the exact phrase suo motu (on its own motion), Section 28(3-5) empowers the Board to determine whether sufficient grounds exist to proceed with an inquiry, and to do so “into the affairs of any person” to verify compliance. This effectively allows self-initiated investigations once a credible basis arises from a breach notice, reference, or other trigger.


2. Complaint-Based vs. Self-Initiated Action

| Mode of Action | Trigger Source | Example Scenario |
| --- | --- | --- |
| Complaint-Based | A Data Principal or Consent Manager files a complaint | A user complains that a fintech app leaked personal data. |
| Government-Referred | Central/State Government or court reference | The government refers a suspected CERT-In violation. |
| Self-Initiated (Quasi Suo Motu) | Board determines sufficient grounds after a breach notification or monitoring | The Board notices multiple breach reports from a sector and opens an inquiry. |

Example

If a Data Fiduciary reports a major data breach, the Board can initiate an inquiry directly—it does not need a user complaint. It may also issue urgent mitigation or remedial directions under Section 27(1)(a) and later impose penalties if violations are confirmed.


3. Due-Process Safeguards

During any self-initiated or complaint-based inquiry:

  • The Board must follow principles of natural justice (Section 28(6)).
  • It must record written reasons for opening or closing the case.
  • The concerned party must be given an opportunity to be heard.
  • Interim orders or directions may be issued only with justification in writing.

4. Key Takeaway

The Data Protection Board can:

  • Begin action on receipt of complaints, government references, or breach reports, and
  • Conduct its own inquiry when it determines that sufficient grounds exist — effectively giving it quasi-suo-motu powers.

Thus, the Board is not limited to waiting for complaints; it can act proactively to protect individuals’ data rights.


Referenced Provisions:

  • Section 27(1)(a-e) – Board’s powers to inquire on complaints, breaches, and government references.
  • Section 28(3-5) – Board’s discretion to determine grounds and initiate inquiries.
  • Section 28(6-11) – Inquiry procedure and due-process safeguards.