Skip to main content

Rule 21: Appeals to the Appellate Tribunal

Rule 21 provides the mechanism for challenging the decisions of the Data Protection Board of India. It ensures that organizations and individuals have a clear legal pathway to appeal if they believe that an order of the Board is incorrect, unfair, or excessive.

This right of appeal is an essential safeguard to maintain checks and balances in the enforcement of the DPDPA.

What the Rule Provides

  • Any person or entity aggrieved by an order of the Board may file an appeal before the Appellate Tribunal established under existing law.
  • The appeal must be filed within the time limit specified in the Rules or as prescribed by the Tribunal.
  • The Tribunal has the authority to review the case, examine the legality of the Board’s order, and either confirm, modify, or set aside the decision.
  • Orders passed by the Appellate Tribunal carry binding force and can themselves be subject to further judicial review in higher courts such as the High Court or the Supreme Court.
Critical Point

Without an appellate system, there would be a risk of unchecked power by the Board. Rule 21 ensures fairness by allowing independent review of its decisions.

Why This is Important

The Data Protection Board has powers to:

  • Impose penalties (up to ₹250 crore)
  • Restrict data processing activities
  • Direct companies to take corrective actions

Rule 21 ensures that such strong powers are balanced with a right to appeal, safeguarding fairness and accountability.

Example Scenarios

Example 1

A pharmaceutical company penalized for failing to protect patient trial data may argue that it had in fact implemented adequate safeguards and that the breach occurred due to circumstances beyond its control. Under Rule 21, it can appeal the Board’s decision to the Appellate Tribunal.

Example 2

A social media platform ordered to delete large volumes of user-generated content may challenge the scope of the order, claiming that it is disproportionate. The Tribunal can reassess whether the Board acted within its authority.

Example 3

An insurance company fined for delayed breach notification may appeal on the grounds that the delay was due to verified technical issues, and not negligence.

Rule 21 ensures that enforcement under the DPDPA is not one-sided. It reassures organizations that while the Board has strong powers, its orders are not final and unchallengeable.

This balance encourages compliance while protecting against potential overreach, ultimately strengthening the legitimacy of India’s data protection framework.