Q2 - What rights do companies have during an investigation — can they contest evidence?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), organizations under investigation by the Data Protection Board of India (DPBI) enjoy clear procedural and evidentiary rights. The Act explicitly requires that all inquiries follow the principles of natural justice, meaning every company has the right to defend itself, contest evidence, and appeal decisions.
1. Right to a Fair Hearing
Section 28(6) —
The Board shall conduct every inquiry following the principles of natural justice and must record reasons for its actions.
This guarantees that no organization can be penalized or held liable without being:
- Informed of the allegations,
- Given an opportunity to be heard, and
- Allowed to present documents, evidence, or witnesses in its defense.
2. Right to Contest Evidence and Cross-Examine
Section 28(7) —
The Board has powers equal to a civil court under the Code of Civil Procedure, 1908, including the power to:
- Summon and examine witnesses under oath,
- Require discovery and production of documents, and
- Receive evidence on affidavit or inspect data, books, or registers.
These provisions mean companies may:
- Challenge the authenticity or relevance of evidence presented against them,
- Submit counter-evidence (technical reports, logs, audit trails, etc.),
- Cross-examine witnesses or experts presented by the Board, and
- Request inspection of materials being relied upon during the inquiry.
If the Board claims a company failed to secure customer data, the company can present incident logs, encryption reports, or vendor contracts proving compliance and contest any inaccurate or misleading evidence.
3. Protection from Disruptive Seizure or Overreach
Section 28(8) —
The Board or its officers cannot seize or take into custody any equipment in a way that disrupts the company’s day-to-day functioning.
This prevents arbitrary shutdowns or operational paralysis during investigations — ensuring fairness while preserving business continuity.
4. Right to Interim and Final Representation
Section 28(10)–(11) —
The Board may issue interim orders only after giving the concerned person an opportunity of being heard.
Upon completing the inquiry, it must again give the organization a final opportunity to present its defense before deciding on penalties.
Thus, a company has the right to respond at multiple stages — both before temporary directions and before final penalties.
5. Right to Appeal
Section 29(1–5) —
Any person aggrieved by an order or direction of the Board may appeal to the Appellate Tribunal within 60 days of receiving the order.
The Tribunal can:
- Confirm, modify, or set aside the Board’s decision;
- Accept delayed appeals if justified; and
- Must decide cases expeditiously (within six months).
This gives companies a structured appellate remedy similar to judicial review, ensuring checks and balances against arbitrary action.
6. Key Takeaway
During a DPDPA investigation, companies have the right to:
- A fair and transparent inquiry;
- Access and challenge evidence;
- Submit counter-proof and witness statements;
- Protection from operational disruption; and
- Appeal any adverse orders to an independent Tribunal.
These safeguards uphold the principles of due process while allowing the Data Protection Board to enforce accountability effectively.
Referenced Provisions:
- Section 28(6–11) – Inquiry procedure and natural-justice safeguards.
- Section 29(1–7) – Appeal rights before the Appellate Tribunal.
- Code of Civil Procedure, 1908 (Section 28(7)) – Civil-court powers of the Board.