Skip to main content

Rule 18: Procedure of Board Meetings and Authentication of Orders or Instruments

Rule 18 lays down the governing framework for how the Data Protection Board of India will conduct its meetings and issue valid, legally binding decisions. The rule is designed to ensure that the Board operates with order, consistency, and legitimacy, so that no decision or communication is ever questioned for lack of proper procedure.

What the Rule Provides

  • The procedure for conducting meetings of the Board, including how meetings are convened, the quorum requirements, voting processes, and decision-making methods, shall be prescribed by the Central Government.
  • All orders, directions, or decisions of the Board must be authenticated. This means that they must bear the signature or digital authentication of the Chairperson or an authorized Member.
  • Any instrument or document issued by the Board must also be properly authenticated in the prescribed manner. Without authentication, such instruments have no legal effect.
Critical Point

No order, direction, or instrument of the Board has legal force unless it is properly authenticated. This safeguard ensures that the Board’s actions cannot be invalidated in court due to procedural defects.

This framework ensures that the Board’s internal decision-making is systematic and that its external communications carry formal legal validity.

Why This is Important

The Board will be making decisions that can have profound consequences for both individuals and organizations — from ordering a company to delete millions of user records to imposing penalties worth hundreds of crores.

If such decisions were issued without a clear procedure or valid authentication, they could be challenged in court and lose their authority. Rule 18 prevents this by ensuring that every order is procedurally sound and formally certified.

Example Scenarios

Example 1

Suppose a social media platform is found guilty of repeatedly misusing children’s personal data. The Board decides to impose a fine of ₹100 crore. Under Rule 18, this decision must be issued as a formal order, signed or digitally authenticated by the Chairperson or an authorized Member. Only then will it be enforceable.

Example 2

If the Board instructs a stock broking firm to stop transferring client financial data to overseas servers, that instruction must also be properly authenticated. An unauthenticated email or unsigned note would not carry legal force.

Rule 18 ensures the credibility and enforceability of the Board’s actions.
It protects organizations by giving them confidence that directions they receive are formally valid, and it protects individuals by ensuring that the Board’s rulings are not undermined in legal disputes due to procedural defects.

In effect, this rule is about maintaining discipline, legitimacy, and legal certainty in the functioning of India’s data protection regulator.