Data protection board

From Justice Definitions Project

What is 'Data Protection Board'?

The Data Protection Board (DPB) is the central authority established under the Digital Personal Data Protection Act, 2023 to ensure effective enforcement of data protection obligations in India. Functioning as an independent adjudicatory body, the DPB is vested with the powers of a civil court to investigate complaints, adjudicate disputes, and impose substantial penalties of up to ₹250 crore per violation for non-compliance.[1] As the enforcement arm of the DPDP framework, the Board plays a crucial role in upholding accountability, safeguarding individual rights, and fostering a culture of responsible data governance among fiduciaries and intermediaries.

However, the DPB’s independence is tempered by Section 36 of the Act, which empowers the Central Government to require the Board, any Data Fiduciary, or intermediary to furnish information necessary to carry out the purposes of the Act. While this provision strengthens administrative coordination and ensures executive oversight, it also raises concerns regarding the extent of governmental influence over a body intended to function autonomously. Thus, the DPB emerges as a key institution situated at the intersection of regulatory autonomy and state supervision. It reflects the delicate balance that defines India’s evolving data protection regime.

Official Definition of 'Data  Protection Board'

'Data Protection Board' as defined in legislation(s)

According to Section 2(c) of the Digital Personal Data Protection Act, 2023  the “Board” refers to the Data Protection Board of India established by the Central Government under Section 18.

Legal provision(s) relating to 'Data Protection Board'

Digital Personal Data Protection Act, 2023

The Data Protection Board of India (DPB) is established under Chapter V of the Digital Personal Data Protection Act, 2023, as per Section 18. It functions as a body corporate, capable of owning property, entering contracts, and engaging in legal proceedings. The Board’s headquarters and date of establishment are to be notified by the Central Government. Section 36 further empowers the Central Government to require the Board, any Data Fiduciary, or intermediary to furnish information necessary for carrying out the purposes of the Act.

Under Section 27(1), the Board is vested with broad regulatory functions, including directing remedial or mitigation measures upon receiving information about a personal data breach, conducting inquiries, and imposing penalties. It may act on complaints by Data Principals, references from government bodies, or court directions. The Board can also investigate failures by Consent Managers or intermediaries to comply with obligations and take action for breaches of registration conditions.

Section 27(2) empowers the Board to issue binding directions after providing a fair hearing and recording reasons in writing, while Section 27(3) allows it to review, modify, suspend, or withdraw directions upon request. Section 28 establishes that the Board will function independently and primarily as a digital office, ensuring that complaints, hearings, and decisions are conducted electronically using prescribed techno-legal tools.

Composition of the Board

According to Section 19, the Board consists of a Chairperson and other Members, with their number determined by the Central Government. The appointees must have expertise in law, data governance, consumer protection, or digital technologies, and at least one Member must be a legal expert. Section 20 provides that both the Chairperson and Members serve for a two-year term, are eligible for reappointment, and cannot have their service conditions altered to their disadvantage.

Terms of Office of Members

Disqualifications for appointment or continuation are listed in Section 21, covering insolvency, conviction for moral turpitude, incapacity, conflict of interest, or misuse of position. Section 22 provides for resignation, filling of vacancies, and post-tenure restrictions, including a one-year cooling-off period before accepting employment with a data fiduciary dealt with during tenure.

Section 23 ensures that procedural defects or vacancies do not invalidate the Board’s proceedings and allows for digital or physical meetings, while Section 24 empowers the Board to appoint officers and employees with Central Government approval. Under Section 25, all members and employees are deemed public servants as defined under Section 21 of the Indian Penal Code. The Chairperson, as per Section 26, exercises powers of general supervision, allocation of work, and administrative control over the Board.

Powers and Functions of DPB

Section 27 of the DPDP Act, 2023, grants the DPB the authority to carry out the following powers and functions:

1. Monitoring Compliance and Addressing Breaches: The DPB monitors compliance with laws if it receives communication regarding a data breach. If the DPB finds the concerned entity to be in breach of the Act, it has the authority to not only address the imminent mitigation of remedial issues but also to impose penalties as per the Act’s provisions.

2. Directing Data Fiduciaries: Upon receiving a complaint, the DPB can direct Data Fiduciaries to comply with legal requirements concerning the protection of the personal data of Data Principals. If a breach of the Act is found, the DPB can issue a penalty.

3. Directing Consent Managers: If a complaint is received, the DPB can direct Consent Managers to comply with legal requirements regarding the protection of personal data of Data Principals. If a breach of the Act is found, the DPB shall issue a penalty.

4. Directing Intermediaries: Upon receiving a complaint, the DPB can instruct Intermediaries to comply with legal requirements concerning the protection of personal data of Data Principals. If the concerned entity is found to be in breach of the Act, the DPB has the authority to issue a penalty.

5. Ensuring Natural Justice and Imposing Penalties: The DPB shall allow the person concerned to be heard per the principles of natural law. If the DPB finds the concerned entity in breach of the Act, it is empowered to issue a penalty per the provisions of the Act.

Digital Personal Data Protection Rules, 2025
Appointment, Service Conditions, and Functioning of the Data Protection Board

Rule 17 now provides for the constitution of two separate Search-cum-Selection Committees, one for the appointment of the Chairperson, chaired by the Cabinet Secretary with the Secretary, Department of Legal Affairs; the Secretary, MeitY; and two experts of repute as Members and another for the appointment of Members other than the Chairperson, chaired by the Secretary, MeitY with the Secretary, Department of Legal Affairs and two experts of repute as Members. The Central Government may appoint the Chairperson or Members only from among the individuals recommended by these Committees, and under Rule 17(4), no act or proceeding of these Committees can be challenged merely due to any vacancy or defect in their constitution.

Rule 18 specifies the salary and service conditions of the Chairperson and Members in accordance with the Fifth Schedule, fixing the Chairperson’s consolidated monthly salary at ₹4,50,000 and that of Members at ₹4,00,000, with no house or car facilities, and providing for provident fund eligibility, but no pension or gratuity, along with medical facilities, travelling allowance (equivalent to Level 17 for the Chairperson and Level 15 for Members), leave entitlements, LTC benefits, and conflict-of-interest restrictions.

Rule 19 governs the procedure for meetings of the Board, under which the Chairperson determines the date, time, agenda, and issues the notice of meetings, and in the Chairperson’s absence, the Members present elect a presiding Member; the quorum for any meeting is one-third of the Board, and decisions are taken by majority vote, with the Chairperson or presiding Member having a casting vote in the event of a tie. Rule 19 further requires mandatory recusal where a Member has a conflict of interest, empowers the Chairperson to take emergency decisions without a formal meeting subject to recording reasons in writing, notifying the decision within seven days, and placing it before the Board for ratification permits decisions by circulation with majority assent, allows orders and instruments of the Board to be authenticated by the Chairperson, a Member, or authorised personnel, and mandates that inquiries be completed within six months, subject to further extensions in blocks of three months with recorded reasons.

Obligations of Data Fiduciaries

Under Section 5(1)(iii), a Data Fiduciary must inform the Data Principal about how to file complaints before the Board. Section 6(6) mandates that in the event of a personal data breach, the Data Fiduciary must notify both the Board and affected Data Principals in the prescribed manner. Also, Section 10(2)(a)(iii) requires Significant Data Fiduciaries to appoint a Data Protection Officer reporting directly to the governing body.

Rule 3(c)(iii) remains consistent in requiring that the Data Fiduciary’s notice include the specific communication link and other means through which a Data Principal may file a complaint before the Board.

Rule 7(2) has been updated to mandate that a Data Fiduciary, upon becoming aware of a personal data breach, must immediately intimate the Board with a description of the nature, extent, timing, and location of the breach, and must thereafter, within seventy-two hours or within an extended period permitted by the Board, submit a detailed report containing an updated description of the breach, the facts and circumstances leading to it, the mitigation measures undertaken, the findings on the person responsible, the remedial steps proposed to avoid recurrence, and a report of all intimations issued to affected Data Principals.

Further, Rule 12(2) has been renumbered as Rule 13(2), under which Significant Data Fiduciaries are required to submit to the Board the significant observations arising from their Data Protection Impact Assessments and audits.

Section 37(1) empowers the Central Government, upon a written reference from the Board, to block access to certain information hosted by a Data Fiduciary if repeated penalties have been imposed in the public interest.

Obligations of Consent Managers

Under Section 2(g), a Consent Manager is defined as a person registered with the Board who enables Data Principals to give, manage, and withdraw consent transparently. Rule 4 prescribes the registration process, requiring submission of documents for Board approval. If a Consent Manager fails to meet its obligations, the Board may issue corrective directions or suspend or cancel registration.

Schedule I - Part A, Condition 7, requires that the Consent Manager’s governing documents contain mandatory adherence clauses subject to Board approval. Condition 9(a) mandates that the Consent Manager’s platform conform to frameworks published by the Board. Under Schedule I - Part B, Obligation 11(d), the Consent Manager must disclose additional information as directed by the Board. Obligation 12 requires maintaining audit mechanisms and reporting outcomes periodically, while Obligation 13 prohibits transfer of control without prior Board approval.

Complaint Redressal Mechanism

The grievance redressal framework is detailed under Sections 13 and 15. Section 13(3) stipulates that a Data Principal must first exhaust the grievance mechanism of the Data Fiduciary or Consent Manager before approaching the Board. Section 15(d) places a duty on Data Principals not to file false or frivolous complaints before either the Data Fiduciary or the Board.

Section 28(2)-(6) outlines the procedural safeguards for inquiries. Upon receiving a complaint, the Board must assess its merits (Section 28(3)) and may close the matter with written reasons (Section 28(4)). If sufficient grounds exist, a full inquiry must be initiated (Section 28(5)), adhering to natural justice principles (Section 28(6)).

The Board has powers similar to a civil court under Section 28(7), including summoning witnesses, demanding documents, and inspecting data. However, as per Section 28(8), it cannot seize equipment or disrupt daily operations. The Board may issue interim orders (Section 28(10)) and, after inquiry, may either close proceedings or proceed under Section 33 (Section 28(11)). False or frivolous complaints may attract warnings or costs (Section 28(12)).

Rule 19 supports the Board’s digital-first approach, enabling fully electronic proceedings while retaining powers to summon and examine individuals on oath.

Adjudication Mechanism and Penalties

The adjudicatory process is governed primarily by Sections 27, 28, 32, 33, and 34. Section 32 allows the Board to accept voluntary undertakings from any person at any stage of proceedings under Section 28. The Board may vary such undertakings (Section 32(3)), and once accepted, further proceedings on the same matter are barred (Section 32(4)). Non-compliance, however, is deemed a breach (Section 32(5)).

Under Section 33(1), if the Board concludes after inquiry that a person has breached the Act, it may impose monetary penalties after a fair hearing. Section 33(2) provides the criteria for determining penalties, such as the nature, gravity, and repetition of the breach, as well as mitigation efforts. Section 34 mandates that all penalties be credited to the Consolidated Fund of India.

Section 35 provides immunity to the Board, its Chairperson, Members, and staff for actions done in good faith. Section 39 bars civil courts from entertaining matters under the Board’s jurisdiction and prohibits injunctions against actions taken under the Act.

Appellate Mechanism

Section 29 of the DPDP Act provides the right to appeal orders or directions of the Board before the Appellate Tribunal within sixty days. Section 29(5) requires that a copy of every order of the Tribunal be sent to the Board and the parties involved. Rule 21 specifies that such appeals must be filed digitally, in accordance with the Tribunal’s procedure.

Under the Digital Personal Data Protection Rules, 2025, the Telecom Disputes Settlement and Appellate Tribunal (TDSAT)[2] is designated as the appellate body. However, this arrangement faces structural challenges. The TDSAT currently lacks a technical member specializing in data protection, a gap that would require amendment of the Telecom Regulatory Authority of India Act, 1997. Also, with over 3,400 pending cases and limited capacity, timely resolution appears unrealistic. The Tribunal’s digital infrastructure also requires significant upgrades to handle e-filings, real-time tracking, and transparency. Without these reforms, the TDSAT may struggle to serve as an effective appellate authority under the DPDP framework.[3]

Official government reports that engage with 'Data Protection Board'

48th Loksabha Report: Standing Committee on Communications and Information Technology

According to this report,[4] the Data Protection Board (DPB) will serve as a fully digital grievance redressal body, with proceedings conducted entirely online. It will hear complaints of Data Principals who are not satisfied with the grievance mechanism of Data Fiduciaries. The DPB is empowered to conduct inquiries under the principles of natural justice and impose financial penalties on Data Fiduciaries for personal data breaches. In cases of significant breaches, it may impose monetary penalties, and such penalties can also be cited as supporting material in civil court claims.

At the same time, the report makes it clear that the DPB is not a court or tribunal and therefore lacks the power to grant compensation. Determination of compensatory damages remains a judicial function that can only be exercised by civil courts. Thus, while the DPB ensures accountability through penalties and enforcement of obligations, individuals seeking compensation for harm caused by data breaches will need to pursue their claims separately before the courts.

55th Loksabha Report: Standing Committee on Communications and Information Technology

According to the Committee’s report,[5] the Data Protection Board (DPB) holds significant authority to ensure compliance with data protection norms. It can conduct inquiries adhering to the principles of natural justice and impose financial penalties on Data Fiduciaries responsible for personal data breaches. This mechanism reinforces accountability and encourages entities to maintain robust data security measures.

The report suggested that repeated violations invite stricter consequences to protect public interest. If an entity faces monetary penalties more than twice for major breaches, the DPB may recommend that the Central Government block the services of the defaulting organization. This step underscores the government’s commitment to deterring habitual offenders and preserving the integrity of the data protection framework.

B.N. Srikrishna Committee Report (2018)

The B.N. Srikrishna Committee Report (2018)[6] proposed the creation of a Data Protection Authority (DPA) as the central independent regulator for implementing and enforcing India’s data protection law. The DPA was designed to be more than just an adjudicatory body; it would oversee monitoring, enforcement, grievance redressal, policy formulation, standard setting, and public awareness. Its structure reflected a comprehensive regulator that balanced individual rights with innovation and business needs.

A key recommendation was that the DPA should have broad regulatory and supervisory powers. These included classifying “significant data fiduciaries” based on the scale and risk of their processing, and imposing heightened obligations on them such as audits, Data Protection Impact Assessments, and appointment of Data Protection Officers. The DPA was also given enforcement tools like issuing codes of practice, directions, warnings, cease and desist orders, and even suspension of business activities in cases of serious violations. It would also have an adjudication wing to resolve disputes between individuals and data fiduciaries, with appeals going to a dedicated tribunal and ultimately the Supreme Court.

Importantly, the Committee envisioned the DPA as a body that could shape the future of privacy law in India, not only through enforcement but also by conducting research, raising public awareness, and developing guidance. It emphasised the DPA’s independence from the executive, ensuring it had the credibility and autonomy to regulate both state and private entities. In essence, the Committee framed the DPA as a strong, independent, and holistic institution central to protecting the fundamental right to privacy.

International Experience

Europe: European Data Protection Board

The European Data Protection Board (EDPB)[7] is an independent body established under the General Data Protection Regulation (GDPR) to ensure a uniform and coherent application of data protection laws across the European Union and European Economic Area. It succeeded the Article 29 Working Party on 25 May 2018. Comprising representatives from national data protection authorities and the European Data Protection Supervisor (EDPS), with participation from the European Commission in a non-voting capacity, the EDPB plays a central role in guiding and harmonizing regulatory practices.[8] Its functions include issuing guidelines, adopting binding decisions in cross-border enforcement disputes, and advising the European Commission on legislative matters relating to personal data. Further, the EDPB encourages the development of codes of conduct, certification schemes, and facilitates cooperation and information exchange among national authorities. The Board's secretariat, hosted by the EDPS, operates under the direction of the EDPB Chair.[9]

United Kingdom: Information Commissioner’s Office

The Information Commissioner’s Office (ICO)[10] is the key regulator overseeing data protection and privacy in the UK. It ensures compliance with the UK Data Protection Act 2018 and the UK’s version of the GDPR, which together protect sensitive personal information such as ethnic background, political opinions, religious beliefs, health, sexual life, and criminal history. The ICO’s responsibilities include monitoring data protection compliance, investigating breach reports, conducting audits and advisory visits, providing guidance on managing data privacy risks, and handling complaints and inquiries. When necessary, the ICO enforces data protection laws through legal actions and fines. Further, the ICO collaborates with international data protection authorities, including the European Data Protection Board, to promote consistent standards and cooperation in safeguarding personal data.[11]

United States:  Federal Trade Commission (FTC)

The FTC is the principal federal regulator overseeing consumer privacy in the U.S. It enforces key laws such as the Children’s Online Privacy Protection Act (COPPA) and the Gramm‑Leach‑Bliley Act (GLBA). Under COPPA, the FTC imposes requirements on online operators concerning how they collect and handle data from children under 13, including parental consent mechanisms, data retention policies, and reasonable security safeguards. Recent amendments reinforce standards on data retention and introduce new parental verification methods, reflecting evolving digital practices. Meanwhile, under GLBA, the FTC enforces rules requiring financial institutions to disclose information-sharing practices and provide opt-out rights while maintaining safeguards against pretexting or unauthorized disclosures Federal Trade Commission.[12]

California:  California Privacy Protection Agency (CPPA)

Established as the first standalone state-level privacy regulator in December 2020 under the California Privacy Rights Act (CPRA), the CPPA administers and enforces both the California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA). It conducts its own administrative hearings, issues penalties, and leads rulemaking related to privacy, cybersecurity, and automated decision-making. The agency also oversees the data broker registry and is implementing California’s “DROP” system to simplify data deletion requests statewide. Notably, in early 2025 the CPPA fined Honda approximately $630,000 for obstructing consumers’ ability to exercise their CCPA rights, stressing its commitment to fairness in privacy management systems.[13]

Canada:  Office of the Privacy Commissioner (OPC)

The Office of the Privacy Commissioner (OPC)[14] is Canada’s federal privacy authority for both the private sector under the Personal Information Protection and Electronic Documents Act (PIPEDA) and federal government institutions under the Privacy Act. It investigates complaints and promotes compliance among businesses and government departments. While serving as an ombudsman without direct power to impose fines or issue orders, the OPC can initiate public inquiries and bring cases before courts to enforce PIPEDA’s privacy protections[15]

Australia: Office of the Australian Information Commissioner (OAIC)

The Office of the Australian Information Commissioner[16] (OAIC) enforces the Privacy Act 1988 and oversees the implementation of the 13 Australian Privacy Principles (APPs) that govern both private-sector organizations (with turnovers above AUD 3 million) and federal agencies. Its enforcement powers include investigating privacy complaints, conducting data breach assessments, publishing breach notices, initiating civil penalties, and accepting enforceable undertakings. In recent years it has pursued major enforcement actions, such as a AUD 50 million settlement with Meta over a Cambridge Analytica related breach and has focused on risks from third‑party suppliers and data retention concerns as part of broader reform efforts.[17]

New Zealand: Office of the Privacy Commissioner (OPC)

The Office of the Privacy Commissioner (OPC)[18] administers the Privacy Act 2020, overseeing both public and private sector compliance with the 13 Information Privacy Principles. It handles complaints, conducts investigations and conciliation, issues compliance notices, and refers serious breaches to the Human Rights Review Tribunal. The Commissioner also issues sector‑specific codes of practice, advises on privacy policy, and leads public education initiatives. Importantly, breach notifications are mandatory, and criminal penalties (up to NZD 10,000) may apply for obstructing access requests or destroying records after a request has been lodged.[19]

Brazil: Autoridade Nacional de Proteção de Dados (ANPD)

The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil’s federal-level data protection agency responsible for enforcing the Lei Geral de Proteção de Dados (LGPD). It has independent regulatory and investigative powers, including issuing sanctions such as warnings; fines (up to 2 % of revenue, capped at R$ 50 million per violation); suspension or prohibition of processing; data blocking or erasure; and publicity of confirmed breaches. Enforcement extends to companies operating abroad but handling Brazilian users' data. Recent actions include ordering Meta to suspend use of Brazilian data for AI training and overseeing age-verification reforms at TikTok, showing growing regulatory assertiveness.[20]

Japan : Personal Information Protection Commission (PPC)

The Personal Information Protection Commission (PPC)[21] is an independent governmental authority charged with enforcing the Act on the Protection of Personal Information (APPI). Established in 2016 and expanded to eight commissioners, including a chair appointed by the Prime Minister with Diet approval, it oversees national data protection policy, issues guidance, reviews legislative proposals, and supervises both public and private sector compliance with APPI. While direct penalty powers under APPI are limited, the PPC may refer serious violations to other enforcement bodies and plays a leading advisory and oversight role under Japan’s privacy.[22]

South Korea : Personal Information Protection Commission (PIPC)

The PIPC is the central, independent data protection regulator under the Personal Information Protection Act (PIPA). Originally founded in 2011, its powers were significantly expanded in a 2020 amendment: the PIPC now functions as a minister-level agency under the Prime Minister, with authority to investigate privacy violations, adjudicate complaints, impose administrative fines, and issue corrective orders, all without direct oversight from the Prime Minister. Its enforcement track record includes multimillion‑dollar fines against Facebook, Google, Meta, and others for violations such as undeclared behavioral tracking or insecure security practices.[23]

Challenges

The following challenges[24] can be anticipated:

1. Limited Institutional Independence Despite New Selection Committees

Even though Rule 17 introduces Search-cum-Selection Committees, all members of these committees are senior executive officials. There is still no judicial or independent representation. Since the Central Government itself is a major data fiduciary, its dominant role in appointments raises concerns about genuine independence and the Board’s ability to impartially adjudicate cases involving the State.

2. Short Tenure and Dependence on Executive Reappointment

Section 20 prescribes a two-year term for the Chairperson and Members significantly shorter than global data protection regulators. Although reappointment is possible, it increases dependence on the executive for career continuity, affecting institutional stability, autonomy, and long-term planning.

3. Absence of Mandated Technical Expertise or Eligibility Requirements

The Act and Rules do not specify minimum technical qualifications or specialisation for Members, despite the DPB adjudicating complex issues such as cybersecurity failures, AI-related harms, cross-border transfers, and digital forensics. The lack of mandated technical capacity may lead to uneven or shallow handling of technologically sophisticated disputes.

4. Broad Emergency Powers and Limited Procedural Safeguards

Rule 19 allows the Chairperson to take decisions without a formal meeting in “emergency” situations, but neither the Act nor the Rules define what constitutes an emergency. The absence of clear guardrails or collective oversight mechanisms risks concentration of decision-making power and reduces procedural transparency.

Way Ahead

The provisions under the Digital Personal Data Protection Act, 2023, especially those concerning the role of the Board, reflect an attempt to balance accountability, transparency, and efficiency in the governance of data protection. By ensuring digital-by-design procedures, adherence to natural justice, and powers akin to civil courts, the Act empowers the Board to act as a credible enforcement authority. However, the effectiveness of these mechanisms will depend on how swiftly and fairly the Board can address complaints, resolve breaches, and prevent misuse of its powers. Going forward, clarity in subordinate rules, capacity-building of the Board, and fostering trust among stakeholders will be essential to ensure that the Act delivers on its promise of safeguarding personal data while enabling the growth of India’s digital economy.

References

  1. KING STUBB & KASIVA, https://ksandk.com/data-protection-and-data-privacy/penalties-adjudication-under-indias-dpdp-act-2023/#:~:text=The%20Digital%20Personal%20Data%20Protection,individuals%2C%20and%20duration%20of%20violation.(last visited Oct.27,2025)
  2. Telecom Disputes Settlement and Appellate Tribunal, https://tdsat.gov.in/Delhi/Delhi.php, (last visited Oct 27, 2025)
  3. THE HINDU, https://www.thehindu.com/opinion/op-ed/telecom-tribunal-reforms-to-handle-data-protection-pleas/article69350061.ece, (last visited Oct.27,2025)
  4. 48th Lok Sabha Report, https://acrobat.adobe.com/id/urn:aaid:sc:AP:a63f6bdd-9631-4922-8a2a-a3dbb66227db, (last visited Oct. 27, 2025)
  5. 55th Lok Sabha Report, https://acrobat.adobe.com/id/urn:aaid:sc:ap:c57077fd-672b-42ae-bc18-d81a3da89a4a, (last visited Oct. 27,2025)
  6. B.N. Srikrishna Committee Report, https://acrobat.adobe.com/id/urn:aaid:sc:ap:c57077fd-672b-42ae-bc18-d81a3da89a4a, (last visited Oct. 27, 2025)
  7. EUROPEAN DATA PROTECTION BOARD, https://www.edpb.europa.eu/edpb_en, (last visited Oct. 27,2025)
  8. EUROPEAN COMMISSION, https://ec.europa.eu/newsroom/article29/items/629492/en#:~:text=date:%2011/06/2018,/documentation/index_en.htm., (last visited Oct. 27,2025)
  9. EUROPEAN DATA PROTECTION BOARD,https://www.edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en, (last visited Oct 27, 2025)
  10. Information Commissioner's Office, https://ico.org.uk/, (last visited Oct. 27,2025)
  11. TRUST ARC, https://trustarc.com/resource/uk-data-protection-act-gdpr/#:~:text=How%20are%20data%20privacy%20risks,law%20on%20January%201%2C%202021., (last visited Oct 27,2025) )
  12. ALSTON & BIRD, https://www.alston.com/en/insights/publications/2025/01/ftc-finalizes-amendments-coppa-rule?, (last visited Oct 27, 2025)
  13. COMPLIANCE HUB,https://www.compliancehub.wiki/california-intensifies-ccpa-enforcement-record-fines-and-new-priorities-emerge-in-summer-2025/, (last visited Oct. 27,2025)
  14. OFFICE OF THE PRIVACY COMMISSIONER OF CANADA, https://www.priv.gc.ca/en/, (last visited Oct. 27,2025)
  15. TRUE VAULT, https://www.truevault.com/learn/what-is-pipeda-understanding-canadas-privacy-law?, (last visited Oct. 27,2025)
  16. Office of the Australian Information Commissioner,https://www.oaic.gov.au/, (last visited Oct. 27,2025)
  17. IKIGAI LAW, https://www.ikigailaw.com/article/306/data-protection-in-australia, (last visited Oct. 27, 2025)
  18. OFFICE OF PRIVACY COMMISSIONER, https://www.privacy.org.nz/, (last visited Oct. 27, 2025)
  19. PRIVACY COMMISSIONER,https://www.privacy.org.nz/assets/New-order/Privacy-Act-2020/Privacy-Act-2020/Privacy-Act-2020-information-sheets-full-final-set-A711970.pdf#:~:text=The%20Privacy%20Commissioner%20frequently%20investigates%20complaints%20about,direction%20to%20the%20business%20or%20organisation%20concerned., (last visited Oct. 27,2025)
  20. ICLG, https://iclg.com/practice-areas/data-protection-laws-and-regulations/brazil?, (last visited Oct.27,2025)
  21. PERSONAL INFORMATION PROTECTION COMMISSION, https://www.ppc.go.jp/en/, (last visited Oct. 27, 2025)
  22. DLA PIPER,https://www.dlapiperdataprotection.com/index.html?t=law&c=JP, (last visited Oct. 27, 2025)
  23. DATA GUIDANCE, https://www.dataguidance.com/news/south-korea-pipc-fines-dsg-krw-114m-pipa-violations, (last visited Oct. 27,2025)
  24. OXFORD HUMAN RIGHTS HUB, https://ohrh.law.ox.ac.uk/revisiting-right-to-information-in-india-is-the-dpdp-act-counterproductive-to-rti-act/, (last visited Oct 27, 2025)
Retrieved from "https://jdc-definitions.wikibase.wiki/w/index.php?title=Data_protection_board&oldid=10005"