The Digital Gavel: Navigating Adjudication Under DPDP Act, 2023

However, a critical tension has emerged: how will the DPB balance its mandate for "digital-speed" justice with the age-old Principles of Natural Justice?

The Adjudicatory Architecture: How the Board Operates

Unlike traditional courts, the DPB is designed as a "Digital Office" where the adjudication process is structured to handle high-volume digital complaints and issues through a due process:

I) Proceedings can be triggered by a complaint from a Data Principal i.e. an individual, a reference from the Government, or the Board's suo motu observation of a breach.

II) The Board first determines if there is a prima facie case. However, if the complaint is deemed "false or frivolous," the complainant can be fined up to ₹10,000.

III) If the Board concludes that grounds exist, the it conducts a digital inquiry. For this purpose, it possesses the powers of a Civil Court, empowering it to summon witnesses, examine them on oath, and demand the production of documents or digital logs.

IV) Under a unique "settlement" mechanism, a company can submit a voluntary undertaking to fix its breaches. If it is accepted, this bars further proceedings, acting as a "consent decree" thereby avoiding the maximum penalty.

V) If a breach is confirmed, the Board can levy massive financial penalties, even for a single failure to protect data.

The Natural Justice Conflict: A Legal Critique

At the bedrock of the Constitution of India, the Principles of Natural Justice, i.e., Audi Alteram Partem (hear the other side) and Nemo Judex in Causa Sua (no one should be a judge in their own cause) lay. The DPDP Act explicitly mandates that the Board follow these principles, yet several legal “traps" in the Act's framework challenge their implementation:

The "Digital-Only" Barrier

The Board is mandated to operate primarily as a digital office. While it would be efficient, but a purely digital adjudication may disadvantage individuals or small MSMEs with limited "tech-legal" literacy. Which brings into light the great digital divide and does a lack of physical hearing options violate the right to a "fair and effective hearing"? One could argue that "digital-only" processes may lack the nuance required for complex cross-examinations.

Excessive Executive Discretion

The Chairperson and Members of the Board are appointed by the Central Government. Since the State is the largest data collector in India, the issue is whether a Board appointed entirely by the Executive truly be impartial when investigating government breaches? This creates a perceived conflict with the principle of Nemo Judex, potentially leading to a higher rate of appeals to the Appellate Tribunal (TDSAT).

The "No-Harm" Penalty Threshold

The Board can impose a penalty simply because a company failed to implement "reasonable safeguards," even if no actual harm occurred to an individual. Jurisprudentially, natural justice requires a correlation between the gravity of an act and its punishment. Imposing a ₹200 crore fine for a "procedural lapse" where no data was leaked might be seen as disproportionate and arbitrary, which could lead to a direct violation of Article 14 of the Constitution.

Strategic Implications for Corporates

For the Corporates, the adjudicatory process under the DPB is not just a legal risk, but it is a business continuity risk. Because the Board operates as a civil court, companies must maintain "Admissibility-Ready" logs. If their backend cannot prove when a user withdrew consent or how data was deleted, they have no defense in a digital inquiry. Further, Principles of Natural Justice provides for a "reasonable opportunity" to respond to the other party. However, the requirement to report breaches within 72 hours (or less) forces companies to make admissions of guilt before they have even completed their internal forensic audits. Furthermore, companies are constructively liable for their vendors' breaches, actions or data leaks. The Board will not accept an argument presented by a company that "the cloud provider messed up." A company must be prepared to defend the vendor's actions as their own.

There is no doubt that the DPDP Act's adjudicatory process is a bold experiment in digital-first justice. While it promises to solve the law's “delay”, it must not do so at the cost of law's “fairness.”

For corporates, the best way forward will be Compliance by Design and not wait for a notice from the Board. In a system where the regulator has the power to impose a ₹250 crore fine without proving actual harm, the compliance with the process is the only protection.

Author: Adv. Varun Singh, Founder, Foresight Law Offices India. Views are personal.