Express Computer: National: Saturday, 5th July 2025.
India’s Digital Personal Data Protection Act, 2023 (DPDP Act) represents a landmark effort to safeguard personal data in the world’s largest democracy. The Act establishes a Data Protection Board of India (DPB) as the central authority to enforce its provisions. However, questions have arisen about the DPDP Act’s enforcement architecture and whether it truly empowers citizens. Legal experts and civil society have already voiced alarm that the DPB, as constituted, is not autonomous, raising doubts about the adequacy of enforcement and remedies under the new law.
This report provides a detailed analysis of the DPDP Act’s structural limitations, focusing on the centralized nature of the DPB and why this design creates a significant enforcement gap. It draws parallels to enforcement under the EU’s General Data Protection Regulation (GDPR), where a similarly concentrated enforcement effort has tended to target large tech companies while leaving smaller entities relatively under-regulated, and explores how that experience informs India’s situation. The analysis then assesses the feasibility of establishing state-level Data Protection Boards in India to enable more effective, localized enforcement. The report concludes with clear policy recommendations to reform the DPDP Act’s enforcement structure and address the identified gaps.
The DPDP Act’s Centralized Enforcement Structure
Under the DPDP Act, all enforcement authority is vested in the Data Protection Board of India (DPB), a single national body constituted by the Central Government. This represents a highly centralized model. The DPB is envisioned as a quasi-judicial body responsible for receiving personal data breach reports, adjudicating complaints of non-compliance, and imposing penalties for violations of the Act. Appeals from the DPB’s orders lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) at the national level. Notably, the DPB’s mandate is narrower than that of a full-fledged regulatory authority: unlike the independent Data Protection Authority proposed in earlier drafts, the DPB is not empowered to make regulations or codes of practice, nor to proactively supervise or audit data processing activities outside of specific inquiries. It can act (for example by directing remedies or imposing penalties) only when a breach or complaint is brought before it, which inherently centralizes enforcement and limits proactive oversight.
The composition and appointment of the DPB further underscore its centralized character. All members of the Board, including its chairperson, are appointed by the Central Government, with terms and service conditions prescribed by central rules. The DPDP Act and draft Rules propose a selection committee dominated by senior central officials (e.g. the Cabinet Secretary and secretaries of central ministries), essentially giving the Union government full discretion over DPB appointments. Unlike the 2019 draft Bill, which considered more diverse representation, the final Act did not incorporate recommendations to include judicial or independent members in the selection process. This means the DPB is organically tied to the executive, lacking the statutory guarantees of independence that characterize many regulatory bodies.
The centralized design is also evident in jurisdiction. The DPB will handle data protection issues arising across the entire country, including matters involving state government data systems, without any sub-national branches or authorities. Citizens’ grievances must first be raised with the data fiduciary (the entity handling their data), and only if unresolved can they be escalated to the DPB for adjudication. In effect, a single national board in New Delhi becomes the sole forum for enforcement actions under the Act.
While a unitary enforcement body may streamline oversight, it also raises capacity and accessibility concerns. India’s digital ecosystem is vast, comprising millions of data-processing entities and nearly 800 million internet users. Even conservative estimates suggest the DPB would be expected to regulate on the order of “600 million entities” (including individuals and organizations involved in data processing) across India. This immense scope calls into question how one centralized board with finite personnel and no state-level offices can effectively monitor compliance, investigate widespread violations, or respond swiftly to local complaints. The DPDP Act’s approach relies heavily on classifying certain large companies as “Significant Data Fiduciaries” (SDFs) for closer scrutiny, but this still leaves a long tail of smaller data fiduciaries that may escape proactive oversight. The centralized structure thus risks creating an enforcement bottleneck, where only the most prominent cases (or those flagged by complaints) receive attention, potentially allowing many infractions by smaller or less visible entities to go unaddressed.
Structural Limitations of the Centralized DPB
The DPDP Act’s centralized enforcement model suffers from structural weaknesses that hinder effective data protection. A primary concern is the lack of independence of the Data Protection Board. Because the DPB is both appointed and funded by the Union government, with its officials classified as civil servants under central rules, it does not enjoy the institutional autonomy typically expected of a watchdog agency. Indeed, commentators have described the DPB as a “watchdog without teeth,” noting that neither the Act nor the draft DPDP Rules ensure an independent or transparent character for the Board. By design, the executive branch holds decisive power over who sits on the Board and can even influence its operations through service rules. This raises a conflict of interest, given that the government itself is a major collector and processor of citizens’ data (e.g. through Aadhaar, welfare schemes, etc.).
In the words of Justice B.N. Srikrishna (who chaired the committee that wrote the first draft Bill), having a regulator under government control is problematic “since the State will be the biggest data processor”; a regulator must be “free from the clutches of the Government” to fairly oversee both private and government actors. The current DPB structure, however, concentrates power in the hands of the executive, undermining its credibility as an impartial enforcer.
Another structural limitation is the potential for executive interference in enforcement actions, which dilutes accountability. The DPDP Act contains provisions such as Section 27(3), under which the Board, on a reference made to it by the Central Government, “may modify or suspend” a direction it has issued. This effectively hands the Union government an override lever over the Board’s decisions, especially in cases where government entities are involved. Such a mechanism severely erodes the Board’s ability to hold the government accountable for data breaches. It violates a basic tenet of natural justice (“nemo judex in causa sua”, no one should be a judge in their own cause) by allowing an interested party (the executive) to influence adjudication outcomes. The consequence is an enforcement gap when it comes to regulating the government’s own data practices: observers have noted it would be “naïve to expect that the Board would be strong enough to issue orders against the central and state governments… and impose a penalty on them for data breaches” under this framework. In short, the centralized DPB is structurally handicapped from acting against the most powerful data fiduciaries, government bodies, because of executive control and override provisions.
Moreover, the absence of regional or state-level offices creates practical limitations. Ordinary citizens whose data rights are violated may find it difficult to effectively seek redress from a Delhi-based board. While the Act permits digital complaint filing, the lack of local presence could discourage individuals (especially those in remote areas) from pursuing grievances, widening the enforcement gap. The centralized Board might also lack on-the-ground insight into local contexts or sector-specific issues prevalent in different states. By concentrating enforcement authority at the center, the DPDP Act foregoes the benefits of localized oversight, such as faster response times and outreach and investigations tailored to local culture and language. This one-size-fits-all structure is at odds with India’s federal polity, where states carry significant governance responsibilities, including managing large personal data systems for state programs (e.g. health, education, public distribution systems). Yet the DPB, a central body, is empowered to adjudicate issues even in these state-run domains. This raises federalism concerns: data breaches in a state government database would be decided by a central board controlled by the Union government, potentially causing mistrust or turf tensions between state authorities and the central regulator. The DPDP Act thus establishes a centralized enforcement regime that may be mismatched to India’s decentralized governance structure, a mismatch that could hamper cooperative enforcement and leave many local issues inadequately addressed.
Enforcement Gaps and the “Enforcement Deficit” in the DPDP Act
Collectively, the above structural issues create what can be termed an “enforcement deficit” in the DPDP Act. Although the law grants individuals (data principals) various rights (such as the right to access their data, seek correction or erasure, and obtain redress for grievances), the effectiveness of these rights hinges on robust enforcement mechanisms. The centralized DPB model, as currently constituted, leaves several gaps:
Limited Deterrence for Smaller Entities: The enforcement structure may end up focusing on a few high-profile cases, while numerous smaller or medium-sized data handlers operate with minimal fear of scrutiny. A single Board in charge of the entire country is likely to prioritize major violations or large data breaches, simply due to capacity constraints. This creates an implicit under-regulation of smaller entities, which may slip “below the radar.” The Act does allow the Board to impose fines of up to ₹250 crore (≈ $30 million) for non-compliance, but such headline-grabbing penalties are expected chiefly for big tech companies or significant data fiduciaries. Smaller firms, startups, or local enterprises, which often lack strict compliance processes, might never face enforcement unless a complaint is made, and even then the Board’s bandwidth to address thousands of small complaints is questionable. The end result could be a two-tier enforcement reality: strict for big market players, lax or sporadic for others. This gap mirrors some patterns observed under GDPR (discussed in the next section).
Ineffective Oversight of Government Data Processing: As noted, the DPDP Act gives broad exemptions and override powers to the government (e.g. blanket exemptions in Section 17 for agencies involved in national security, law enforcement, etc., and powers to exempt certain data fiduciaries via notification). When combined with a non-independent DPB, this results in an enforcement blind spot for public sector compliance. A significant share of personal data in India is held in government repositories, from citizen databases to digital welfare platforms, yet the enforcement mechanism may not aggressively pursue government infractions. This gap undermines the universality of data protection: citizens have little recourse if their privacy is compromised by a state actor, as the Board is structurally inclined (and perhaps implicitly incentivized) to favor the government’s interests. This was a key criticism by Justice B.N. Srikrishna and others, who warned the law could “turn India into an Orwellian State” by exempting government agencies and keeping the regulator under executive influence.
Public Trust and Compliance Culture: Over-centralization can also breed a perception of ineffectiveness, eroding public trust. If people come to see the DPB as a bureaucratic body that rarely takes action except in the most egregious cases (or as an arm of the government rather than a neutral umpire), the incentive for voluntary compliance diminishes. Businesses, especially smaller ones, take cues from the enforcement climate; if the Board is largely absent from the field, a compliance culture may fail to take root. This enforcement deficit is self-reinforcing: limited enforcement leads to lower compliance, which in turn makes the task of enforcement harder due to the sheer volume of violations. The DPDP Act currently lacks decentralized engagement or partnerships with state agencies that could amplify enforcement reach (for example, there is no equivalent of state data protection officers or cooperative federal mechanisms in the Act). This central vacuum can result in many violations going unreported and unremedied, especially in far-flung regions.
In summary, the DPDP Act’s centralized Board model, without structural safeguards for independence or local reach, presents a significant enforcement gap. As one analysis succinctly put it, the Act’s “poor regulatory architecture” (an executive-controlled DPB with no guarantee of transparency) is a departure from global best practices and could undermine the very privacy rights the law purports to protect. To better understand the implications of such a model, it is instructive to compare it with the enforcement experience of the European Union’s GDPR, which, despite a more decentralized setup than India’s DPB, has encountered its own challenges in balancing action between large and small actors.
GDPR’s Centralized Enforcement Tendencies: Large Players vs. Smaller Entities
The European Union’s GDPR is often seen as the gold standard of data protection laws, but its enforcement record reveals a bias: regulators have predominantly targeted Big Tech companies, while smaller entities have faced relatively fewer high-impact actions. Under the GDPR, enforcement is carried out by national Data Protection Authorities (DPAs) in each EU member state (in some federal countries like Germany, multiple state DPAs exist).
The GDPR also introduces a one-stop-shop mechanism for cross-border cases, whereby one “lead” DPA (usually that of the member state where the company has its EU headquarters) handles a case with input from other concerned DPAs. In theory, this framework distributes enforcement across countries; in practice, it has led to the concentration of major cases in a few jurisdictions. For instance, Ireland’s DPA (the Data Protection Commission) became the lead regulator for tech giants like Facebook/Meta, Google, Apple and others because of their EU base in Ireland. This has meant that a small authority in Ireland was responsible for some of the most complex, global cases, and the result was “sluggish enforcement” that frustrated other EU stakeholders. Major cross-border investigations often took years, prompting the EU to recently propose procedural reforms to “fast-track” big tech privacy cases and overcome bottlenecks in the one-stop-shop system.
The focus of GDPR enforcement has undeniably been on large market players, especially Big Tech firms that process massive amounts of personal data. Evidence for this is seen in the pattern of fines and actions over the first five years of GDPR. By 2021, authorities had issued over 800 fines in total, but the largest penalties by far were levied on giant companies: e.g. a €746 million fine on Amazon (Luxembourg DPA, 2021), €225 million on WhatsApp (Irish DPC, 2021), €50 million on Google (French CNIL, 2019), €35 million on H&M (Hamburg DPA, 2020), and various multi-million euro fines on Meta (Facebook, Instagram) in Ireland and other jurisdictions. These headline-grabbing fines underscore that regulators concentrated their toughest enforcement on a handful of tech corporations dominating the EU market.
In contrast, small- and medium-sized enterprises (SMEs) have rarely faced comparable action. While it is true that hundreds of smaller fines (often in the tens or hundreds of thousands of euros) have been issued (Spain, for example, leads in the number of GDPR fines, with many small penalties mostly against local firms), those cases seldom make news and often come only after individual complaints. The overall perception is that GDPR regulators have finite resources and thus direct them toward the most prominent, high-impact violators (which also yields the most publicized deterrence). A U.S.-based analysis noted bluntly: “GDPR protections are broad. While enforcement has focused primarily on large companies, small businesses can be especially affected.” In other words, small entities are certainly subject to GDPR (there is no formal exemption for size) but, in practice, they are less likely to be audited or fined unless a significant issue comes to light.
This dynamic has led to criticism that GDPR enforcement has left smaller actors under-regulated, or at least under-enforced. Privacy advocates worry that many SMEs may not fully comply with GDPR requirements (due to lack of awareness or resources) yet face little regulatory pressure, which could undermine the GDPR’s overall efficacy. Meanwhile, Big Tech companies armed with large legal teams have fought or delayed sanctions (for example, through appeals in courts), further straining regulators’ capacity. The European Data Protection Board (EDPB) has acknowledged challenges in achieving consistent enforcement across regions and entity sizes, reaffirming the need for cooperation among national DPAs. Notably, some EU lawmakers have even raised concerns about enforcement imbalances: in 2023, Members of the European Parliament voted for a resolution to consider action against Ireland for failing to enforce GDPR swiftly against Big Tech, indicating frustration with the lopsided focus and delays.
The EU experience suggests that centralization in enforcement, whether through the one-stop-shop mechanism or simply the practical concentration of effort on big cases, can create enforcement gaps. Large companies become the main targets (and rightly so, given their impact), but enforcement against smaller or local violations remains inconsistent. The GDPR model is more decentralized than India’s DPB (since each EU country has its own DPA), yet even there we see that without sufficient local initiative and resources, many smaller infractions are addressed slowly or not at all. This provides a cautionary parallel for India: a single centralized Board is even more likely to tilt its attention toward large, nationwide cases (e.g. a breach by a major tech platform) and to struggle to systematically police the vast number of smaller data fiduciaries operating across the country. The GDPR’s first few years highlight the importance of having multiple enforcement touchpoints and adequately resourced authorities to cover the full spectrum of regulated entities. They also show the value of localizing enforcement to some degree: Spain’s and France’s proactivity in issuing numerous fines, big and small, indicates that local enforcement bodies can tackle smaller offenders effectively when empowered to do so.
In summary, the GDPR’s enforcement pattern (heavy on big players, lighter on small ones) underscores that centralized or concentrated enforcement mechanisms tend to leave gaps at the lower end of the spectrum. For India, this lesson amplifies the concern that the DPDP Act’s central DPB could replicate those shortcomings in an even more pronounced way unless structural changes are made.
The Case for Decentralized Enforcement: State-Level Data Protection Boards
To address the enforcement deficit, experts have advocated decentralizing data protection enforcement in India by instituting state-level Data Protection Boards or authorities. Given India’s federal structure and the sprawling scale of data processing nationwide, a one-size-fits-all central regulator is arguably inadequate. Distributing enforcement powers to the states (while maintaining national standards) could close the gaps identified above. There are several strong rationales and precedents for a state-level enforcement model:
Local Reach and Efficiency: A state-level Data Protection Board (or Authority) in each state (or region) would be closer to data principals and fiduciaries in that area, allowing faster response to complaints and more active supervision of local entities. As Rajya Sabha MP Amar Patnaik noted, devolving enforcement and grievance redressal to regional bodies would “increase efficiency and reduce possible operational bottlenecks,” much as seen under India’s Right to Information (RTI) Act and Consumer Protection Act, which have state- and district-level bodies. With state DPBs, an individual aggrieved by a privacy breach could approach a nearby authority that understands the local context (including language and regional business practices), rather than dealing with a distant central Board. This ground-up approach aligns with how other large jurisdictions handle privacy: for example, Germany (a federal country) enforces data protection through independent DPAs in each state (Land), coordinated with a federal commissioner. Australia likewise has both federal privacy regulators and complementary state privacy laws and ombudsmen for regional matters. Such models acknowledge that enforcement must be ubiquitous, not just concentrated at the top.
Enhanced Oversight of State-Level Data and Schemes: State governments in India collect and process vast amounts of personal data through their own programs (education records, health databases, subsidies and social welfare rolls, law and order data, etc.). Under the DPDP Act, all of these fall under the central DPB’s purview. However, expecting a Union-controlled board to effectively oversee state government compliance raises federalism and trust issues. A state government may be more receptive to guidance or enforcement from a state-level board that it has a stake in (or at least that is not seen as an arm of the Union executive). A state-level DPB could work closely with state departments to improve practices, audit compliance, and sanction failures without the overlay of center-state political tension. Amar Patnaik pointed out that if a data breach occurs in a state department, a centrally controlled DPB’s adjudication “may not lend itself to credibility and trust by the state government,” whereas having State Information Commissions under RTI and State Consumer Commissions under consumer law has worked well by fitting the federal structure. In other words, decentralized enforcement aligns enforcement responsibility with the level of government handling the data, likely resulting in better compliance by state agencies and more confidence that enforcement is impartial (no “federal override” of state matters).
Volume Handling and Comprehensive Coverage: Decentralizing to multiple state boards dramatically increases the system’s capacity to handle the volume of potential cases. Instead of one board managing “600 million entities,” dozens of state boards could divide the workload. Each state body could focus on entities based in its territory, conducting outreach and compliance checks even on smaller companies and startups that might escape the notice of a central authority. This would fill the enforcement gaps at the lower end. For example, state boards could routinely address local business compliance (e.g. a small hospital mishandling health data or a local lender breaching customer privacy) that the central DPB might never hear of unless a complaint escalates. The result would be a more uniform enforcement landscape, where even minor or moderate violations receive attention. Decentralization also encourages a form of healthy competition or benchmarking: states could innovate in outreach or enforcement techniques, and successful methods could be shared via a coordinating mechanism (as happens in the EU, with the EDPB coordinating national DPAs). Importantly, a central coordinating body would still be needed to ensure consistency (so that a company in one state is not held to a wildly different standard than in another). This could be the central DPB itself in a new role, or a federal Data Protection Commission that works with state boards, akin to how the European Data Protection Board harmonizes national authorities.
Public Awareness and Culture of Privacy: Having a data protection authority present in each state can greatly raise public awareness of data rights at the grassroots level. State boards can conduct local-language campaigns, interface with local media, and integrate with consumer forums or civil society in the region. As Amar Patnaik observed, the regional presence of authorities will “generate greater awareness about the fundamental right to privacy and provide an effective mechanism to data principals to exercise it”, thereby engendering trust in the ecosystem. This is crucial in a country as diverse as India, where digital literacy varies and many people are only beginning to understand privacy issues. A top-down central approach might remain too remote to effect behavioral change among citizens or small businesses, whereas local bodies could steadily build a privacy compliance culture state by state.
In making the case for state-level DPBs, proponents often cite the analogies of existing laws. The RTI Act (2005) created both a Central Information Commission and separate State Information Commissions for each state, reflecting that “information” pertaining to state matters should be overseen locally while upholding a national right. Similarly, the Consumer Protection Act established district, state, and national consumer commissions, recognizing that consumer disputes are best resolved close to their origin, with higher bodies for appeals or larger issues. Data protection shares characteristics with both information rights and consumer rights; indeed, a data principal is often effectively a consumer of digital services. As such, it is logical to adopt a comparable multi-tier enforcement structure for data protection. There is “no inherent distinction between ‘information’ and ‘data’” that justifies a fully centralized approach for one and not the other. If anything, the fundamental-rights basis of privacy (as affirmed by the Supreme Court in Justice K.S. Puttaswamy v. Union of India, 2017) strengthens the argument for broad-based enforcement involving all levels of government.
It must be acknowledged that establishing state-level DPBs would require legal and structural adjustments. Data protection as a subject matter is not explicitly allocated in India’s Constitution; with privacy recognized as a fundamental right, the Union has legislated the DPDP Act using its powers. For state bodies to be created, the DPDP Act would need to be amended to either mandate or permit states to form their own Data Protection Boards (with defined jurisdiction and powers). This could be done by the Union Parliament inserting provisions for state boards and coordinating mechanisms (somewhat akin to how the central and state pollution control boards are constituted under the Water Act/Air Act).
Alternatively, states could potentially enact their own supplementary legislation for state-level authorities, but that risks legal conflicts unless the Union law explicitly allows it. The most straightforward path is an amendment to the DPDP Act setting up a decentralized enforcement architecture. For example, one could envision a structure where each state has a Data Protection Board handling complaints and breaches within the state, while a Central Data Protection Authority/Commission oversees cross-state issues, issues policy guidance, and hears appeals. The central body could also ensure uniform application of core principles, much as in the European model or India’s consumer protection model (where state commission decisions can be appealed to the National Commission, ensuring some consistency).
In terms of feasibility, these models are not far-fetched. The Financial Express op-ed by Amar Patnaik argued that the Consumer Protection Act’s model would be ideal to replicate for DPDP enforcement. All service providers who handle personal data are analogous to data fiduciaries, and all consumers of those services are data principals; thus a layered system of district/state/national forums for privacy complaints could be envisaged using consumer law as a template. This would not violate the spirit of the DPDP Act; rather, it would strengthen it by plugging enforcement gaps. Politically, involving states in enforcement may actually smooth the rollout of the law, as states will feel ownership in protecting their citizens’ data rights rather than perceiving the law as solely a Central diktat.
To sum up this section, decentralizing enforcement through state-level DPBs is presented as a logical and structurally sound reform. It promises more effective, accessible, and credible enforcement, particularly for smaller entities and state-related data processing, which in turn would help realize the DPDP Act’s objectives more fully. The next section builds on this analysis to outline specific policy recommendations to achieve these goals.
Policy Recommendations
To bridge the enforcement gap in the DPDP Act’s current framework, a series of policy and legislative measures should be considered. Below are key recommendations based on the above analysis:
Amend the DPDP Act to Establish State Data Protection Boards: Introduce provisions that create Data Protection Boards at the state level (or empower state governments to set them up). Each State DPB should have jurisdiction over violations and grievances arising within that state (especially those involving state government agencies or local businesses), while adhering to the DPDP Act’s overall standards. A Central Data Protection Authority/Board can coexist to handle inter-state issues, major cases, and policy uniformity. This multi-tier structure, akin to the RTI and Consumer Protection models, will decentralize enforcement and make redress more accessible. It will also relieve the load on a single authority and ensure that even smaller infractions get attention at the appropriate level.
Ensure Independence and Impartiality of Enforcement Bodies: Whether at the central or state level, data protection regulators must be structurally independent of executive influence. The DPDP Act should be amended to reform the appointment process for the DPB (and any state boards) to include judicial and independent members in selection committees. This echoes the Joint Parliamentary Committee’s 2021 recommendations (e.g. inclusion of the Attorney General and an independent expert) and the Srikrishna Committee’s advice to involve the Chief Justice of India’s nominee. A model to emulate is the Competition Commission of India selection process, which uses a panel with the CJI’s nominee alongside government officials. Additionally, Section 27(3) (under which the Board may modify or suspend its own directions on a reference from the Central Government) should be repealed or heavily circumscribed, to eliminate the potential for executive override that undermines enforcement. Members of the DPB or state boards should have fixed tenure and be removable only via a transparent process (e.g. only for proven misconduct, and ideally with the involvement of an independent oversight committee or the judiciary), to guard against arbitrary dismissal.
Clarify Roles through a Federal Coordination Mechanism: If state-level boards are established, a clear federal coordination mechanism is needed to maintain consistency. The amended law could create a council or empower the central DPB (or a renamed Data Protection Commission of India) to issue binding guidelines to state boards, akin to the European Data Protection Board’s role. This body would resolve disputes between state regulators, standardize interpretations of the law, and handle cases involving multiple states or foreign data processors. Regular information-sharing meetings and joint investigations (where needed) should be institutionalized. Such coordination will prevent fragmentation while preserving the benefits of localization.
Build Capacity at State and Local Levels: Policy measures should include resources and training to develop data protection enforcement capacity outside New Delhi. This means allocating budget to staff the state DPBs with skilled personnel (ideally with knowledge of local languages and context) and setting up regional offices or help desks. The central authority can develop toolkits and conduct training programs so that each state board can effectively perform audits, investigations, and public outreach. Over time, consider extending the model further down to district-level grievance officers or tribunals for data protection (perhaps leveraging existing consumer forums or ombudsmen networks) to ensure that even district-level issues can be heard without undue burden on citizens.
Explicitly Include Government Agencies in the Enforcement Scope: To close the current loophole of government exemptions, the law or accompanying rules should limit the blanket immunity of state agencies and subject them to oversight by an independent body. One recommendation is to statutorily require that any exemption granted (under Section 17 or related provisions) is narrow, necessary, and overseen by a review mechanism; for example, a retired judge or a parliamentary committee could review the justifications for exempting a particular agency. In parallel, state-level DPBs could be empowered to oversee state public authorities’ data practices (with security and law enforcement exceptions handled in closed proceedings as needed, but not totally outside regulatory purview). The principle must be that no data fiduciary, public or private, is completely above the law’s requirements. Implementing this will improve accountability and demonstrate to citizens that enforcement is even-handed.
Strengthen the Complaint and Resolution Process: The DPDP Act’s grievance mechanism can be enhanced by setting clear timelines and escalation paths at local levels. For example, require that data fiduciaries resolve complaints within a short period, failing which state DPBs can intervene. Allow group complaints or class-action style complaints to be brought to regulators, which can especially help address systemic issues affecting many individuals (often the case with big tech breaches). Moreover, set up an online portal under each state DPB for easy filing and tracking of complaints in local language, with outreach to make citizens aware of this avenue. The more user-friendly and pervasive the complaint process, the more likely enforcement will be triggered when rights are violated.
Promote Consistency with Global Standards while Addressing Local Needs: As India refines its enforcement structure, it should continue to observe and adapt lessons from the GDPR and other international regimes. For instance, the one-stop-shop pitfalls under GDPR suggest that India should be cautious about centralizing too much power in one office for multi-state companies. Instead, perhaps a major company operating in many states could be required to deal with the state board where its headquarters or major operations are located for most compliance matters, with central oversight only for truly pan-Indian or international issues. This would be analogous to GDPR’s lead authority concept, but with more involvement of local regulators than seen in the EU. The policy framework should explicitly aim for cooperative federalism in data protection, much like environmental law in India, where a Central Pollution Control Board works alongside State Pollution Control Boards.
By implementing these recommendations, India can move toward an enforcement regime that is both robust and inclusive. The goal is to eliminate the enforcement deficit by ensuring that no violator is too small to be regulated and no violator is too powerful (or too government-affiliated) to be held accountable. Such changes would likely require legislative amendment, careful design of new institutions, and political will, but they are attainable and backed by precedent.
Conclusion
The Digital Personal Data Protection Act, 2023, as it currently stands, contains admirable principles and rights on paper, but its centralized enforcement architecture poses a serious structural weakness. A single, executive-controlled Data Protection Board of India is ill-equipped to manage the breadth of India’s data economy and lacks the inherent independence to enforce the law impartially across both private and public sectors. This analysis has shown that the centralized nature of the DPB creates an enforcement gap – one where smaller entities might fall through the cracks and where government actors might be placed above scrutiny. The EU’s experience with the GDPR serves as a cautionary tale: even with multiple national regulators, enforcement skewed toward big tech has left many smaller violations inadequately addressed. India’s one-board model risks amplifying those shortcomings if left unchanged.
To fortify India’s data protection regime, structural reforms are necessary. Empowering state-level Data Protection Boards would decentralize enforcement, bringing oversight closer to the citizens and contexts it serves. Coupling this with measures to guarantee the independence of these bodies (through diversified appointment processes and removal of executive overrides) will build public trust and credibility in the enforcement of privacy rights. In essence, data protection in a country as vast and diverse as India must be a shared enterprise: the Union and states should collaborate, each within their sphere, to protect citizens’ personal data. This federated approach, with appropriate coordination, would address the current enforcement deficit by ensuring that no violation is too local or too minor to escape notice, and no violator is insulated by power or distance.
As India stands at the cusp of implementing the DPDP Act, it has the opportunity to course-correct its enforcement design before it solidifies. Policymakers would do well to heed the evidence and examples highlighted in this report, from international lessons to domestic analogues in RTI and consumer law, and strengthen the law’s framework. Establishing a decentralized yet unified enforcement mechanism will require political will and administrative effort, but the payoff would be a data protection regime that truly lives up to the constitutional promise of privacy as a fundamental right. The policy recommendations outlined (state boards, independence guarantees, federal coordination, etc.) offer a roadmap to achieve this balance of strong enforcement with local relevance and accountability. Implementing these will help ensure that the Digital Personal Data Protection Act fulfills its mandate, not only in letter but in spirit, protecting every individual’s personal data through a robust, responsive, and reliable enforcement ecosystem.