von IVNEET WALIA und TANMAY DURANI
The Supreme Court’s Puttaswamy judgment (2017) enshrined privacy as a fundamental right, necessitating a robust data protection framework. The Digital Personal Data Protection Act (DPDPA) 2023 establishes the Data Protection Board of India (DPB) under Section 18. However, the DPB’s design—modelled after sectoral regulators like Securities Exchange Board of India [SEBI, Financial Regulator] or Telecom Regulatory Authority of India [TRAI, Telecom Regulator] -undermines its ability to safeguard privacy. This article contends that the DPB must be reimagined as an independent Fourth Branch Institution, structurally insulated from executive control and empowered to hold the state accountable in the digital age.
The Fundamental Flaw: The Sectoral Regulator Model
The DPB under the DPDPA 2023, modelled after sectoral regulators like SEBI or TRAI, is structurally unfit to fulfil its constitutional mandate. The DPB’s core purpose is to oversee compliance with data protection laws, investigate breaches, adjudicate disputes (e.g., misuse of personal data), and impose penalties on violators—including government agencies. Functionally, it combines roles akin to a regulator (setting standards), an oversight body (monitoring compliance), and a quasi-judicial authority (resolving grievances). Needless to say, unlike economic regulators that align with executive agendas, the DPB must independently check executive power in data governance.
However, the Act’s design entrenches executive control, undermining its autonomy.
Three flaws stand out. First, Section 19(2) grants the Central Government unilateral authority to appoint DPB members, bypassing bipartisan or judicial oversight, which risks institutionalizing bureaucratic bias. Second, Section 20(1) lets the executive set service conditions (salaries, tenure, removal), while Section 20(2) imposes renewable two-year terms, incentivizing compliance over independence to secure reappointment. Third, though the DPB has adjudicatory powers (Section 27), its efficacy is hollowed out by the government’s power to exempt its agencies from scrutiny (Section 17(2)(a)).
These provisions embed the DPB within the executive framework, stripping its capacity to act as an impartial watchdog. Instead of safeguarding the fundamental right to privacy (as affirmed in Puttaswamy), the DPB risks becoming an extension of executive authority, unable to restrain government overreach in data processing. The structure thus contradicts its core purpose: ensuring accountability against state power.
The Imperative of Independence: Understanding Fourth Branch Institutions
The traditional separation of powers into legislative, executive, and judicial branches often fails to ensure robust accountability in parliamentary systems, where the executive, backed by a legislative majority, faces limited oversight. This gap leaves the judiciary as the primary check on power, underscoring the need for “Fourth Branch Institutions.” These bodies, termed the “Democracy Branch,” operate independently to safeguard constitutional democracy, filling accountability voids left by conventional mechanisms. Their mandate depends on how a constitution defines democracy. These operate through both constitutional and statutory frameworks. Constitutional bodies like the Election Commission (under Article 324) and the Comptroller and Auditor General (CAG, Constitutional Financial Auditor, under Article 148) derive independence directly from the Constitution, overseeing elections and auditing public expenditure.
Statutory bodies, such as the Central Bureau of Investigation (CBI, Crime-Investigation Agrency), established via legislation, have been construed by courts—notably in the Vineet Narain v. Union of India (1997) judgment—and legal scholarship as institutions embodying Fourth Branch features (see here and here). The Supreme Court in Vineet Narain emphasized the CBI’s need for autonomy to act as a check on executive power, despite its statutory origins.
South Africa, by contrast, explicitly constitutionalizes such bodies under Chapter IX (“State Institutions Supporting Constitutional Democracy”), mandating institutions like the Human Rights Commission and Electoral Commission to uphold democratic accountability. While India’s equivalents—whether constitutional (e.g., Election Commission) or statutory (e.g., CBI)—lack formal Fourth Branch designation, their functional independence and oversight roles mirror the purpose of South Africa’s framework, addressing accountability gaps inherent to parliamentary governance.
Independence of the Fourth Branch Institutions is ensured through legal safeguards:
- Appointment processes: Often involving multi-party committees or judicial oversight (e.g., South Africa’s Public Protector is appointed by Parliament via a 60% majority).
- Tenure protections: Fixed terms and immunity from arbitrary removal (e.g., India’s Election Commissioners can only be removed through impeachment).
- Financial autonomy: Budgets shielded from direct executive control (e.g., South Africa’s Chapter IX institutions receive funding directly from Parliament).
- Operational freedom: Mandates to investigate, audit, or adjudicate without government interference (e.g., India’s CAG audits expenditures independently).
In Indian context, there is the Comptroller and Auditor General (CAG) of India’s six-year term, salary protections, and impeachment-based removal process (mirroring Supreme Court judges) are constitutionally enshrined under Article 148, with details codified in the Comptroller and Auditor General’s (DPC) Act, 1971. These safeguards, can only be altered by Parliament via a two-thirds supermajority, ensuring political consensus is required to for a major change which could undermine core independence.
Why the DPB Must Transcend the Sectoral Model
Privacy is not merely an individual right but a prerequisite for exercising democratic freedoms. Mass state surveillance or poorly regulated data collection, as seen in India’s controversial Aadhaar biometric ID program (which faced legal challenges over privacy risks), can deter citizens from expressing dissent or accessing services freely. A data protection body tasked with curbing such abuses cannot function if structurally subordinated to the same executive it must regulate.
Unlike sectoral regulators that mediate between industry and public interests, the DPB’s core mandate is adversarial: it must hold the state accountable for data misuse. This requires independence akin to that of a constitutional court or electoral commission. For example, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) oversees compliance with data protection laws, including scrutiny of government agencies. While part of the executive branch, it operates autonomously, with fixed terms and legal protections against arbitrary removal – reflecting Fourth Branch-like insulation.
Similarly, the DPB’s effectiveness hinges on its ability to act autonomously, even when scrutinizing security agencies or welfare programs that process vast amounts of citizen data.
Practical Reforms: Building a Fourth Branch DPB
To transform the DPB into a Fourth Branch Institution, three reforms are critical. First, appointments to the DPB should involve a bipartisan committee, including opposition lawmakers and judicial representatives, to prevent executive monopolization. Second, members must serve fixed, non-renewable terms with salaries protected from arbitrary adjustment—a measure that would align the DPB with institutions like India’s Election Commission. Third, the DPB’s jurisdiction must extend to all government agencies, eliminating exemptions that shield state entities from scrutiny.
These changes would mirror safeguards seen in frameworks like the EU’s GDPR, which mandates independent national data authorities empowered to investigate public and private actors alike. Critically, as India’s Supreme Court affirmed in Vineet Narain – recognizing structural autonomy for bodies like the CBI to insulate them from political control – the DPB requires similar statutory guarantees to credibly address power asymmetries in digital governance. Without such structural autonomy, the DPB risks becoming a token entity, unable to fulfill its mandate as a guardian of public accountability.
Zitiervorschlag: Walia, Ivneet und Durani, Tanmay, Fourth Branch Data Protection Board: A Post-Puttaswamy Imperative, JuWissBlog Nr. 32/2025 v. 18.03.2025, https://www.juwiss.de/32-2025/
Dieses Werk ist lizenziert unter einer Creative Commons Namensnennung – Nicht kommerziell – Keine Bearbeitungen 4.0 International Lizenz.
