The wrong forum for your data: Why TDSAT falls short under the DPDP Act

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) marks a decisive shift in the country’s digital governance framework. While the statute promises a rights-based regime, its adjudicatory structure raises concerns.

At the centre of this debate lies the decision to designate the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the appellate authority for decisions of the Data Protection Board (DPB).

The concerns begin with the DPB itself. Under the DPDP Act, 2023, particularly Sections 27 and 28 read with Section 33, the DPB performs quasi-judicial functions, including inquiries into personal data breaches, adjudication of complaints and imposition of penalties, supported by civil court–like powers under Section 28(7).

However, its composition raises immediate concerns. Under Sections 19(1) and 19(2) of the DPDP Act, 2023, the Chairperson and members are appointed by the Central government, while Section 20(1) provides that their salaries, allowances and other service conditions are to be prescribed by it. Section 20(2) fixes their tenure, thereby placing key aspects of their appointment and functioning within executive control.

This is particularly problematic because the government itself is one of the largest data fiduciaries in India. While the statute describes the DPB as an independent body, its structural dependence suggests otherwise. This raises classic separation of powers concerns and undermines adjudicatory independence.

Weak first-instance independence compounds appellate weakness, risking executive influence across the adjudicatory chain and undermining appellate integrity.

Section 29 of the DPDP Act provides that appeals from the Data Protection Board lie before the TDSAT, must be filed within 60 days and are to be disposed of within 6 months. The DPDP Rules, 2025 mandate that such appeals be filed in digital form.

On paper, this reflects efficiency. However, in practice, the feasibility of this mechanism is doubtful. The 6-month disposal timeline appears unrealistic, particularly when assessed against TDSAT’s existing backlog of over 3,917 pending cases between February 2020 and April 2026, along with its expanding jurisdiction under the Telecommunications Act, 2023.

What is equally concerning is the legislative inconsistency behind this choice. The 2018 Personal Data Protection Bill contemplated a specialised tribunal, in line with the Justice BN Srikrishna Committee’s recommendations, allowing either the creation of a new tribunal or conferral of powers on an existing one. The 2022 draft shifted appellate jurisdiction to High Courts. The final law adopts TDSAT, without offering any justification.

This unexplained shift raises concerns of institutional arbitrariness and suggests a possible bypassing of constitutional courts. While assigning jurisdiction to High Courts may have been counterintuitive given their workload, the present choice fails to resolve that concern.

The right to privacy has been firmly recognised as a fundamental right in KS Puttaswamy v. Union of India (2017). Disputes under the DPDP framework are, therefore, not merely regulatory; they are constitutional in nature.

This distinction is critical. Questions involving consent, access, processing, storage, transfer and misuse of personal data implicate dignity, autonomy and informational self-determination. Such disputes demand a high degree of adjudicatory independence and constitutional sensitivity.

The move towards tribunalisation must therefore be carefully scrutinised. In L Chandra Kumar v. Union of India (1997), the Supreme Court made it clear that tribunals cannot act as substitutes for High Courts, and that judicial review remains part of the basic structure. Diverting privacy disputes to tribunals risks weakening constitutional adjudication.

TDSAT derives its mandate from the Telecom Regulatory Authority of India Act, 1997. Its statutory purpose is to adjudicate disputes between licensors and licensees, inter-operator disputes and consumer grievances within the telecom sector.

Data protection disputes are fundamentally different. They involve:

• Consent frameworks

• Access rights

• Data processing and storage

• Cross-border transfers

• Unauthorised use and breaches

As has been explicitly recognised, matters relating to telecommunications are fundamentally distinct from matters concerning privacy and data protection. This is not a superficial divergence but a conceptual one, requiring entirely different legal and technical expertise.

The assignment of DPDP appeals to TDSAT, therefore, reflects a clear functional mismatch between statutory purpose and adjudicatory role.

The justification for tribunals lies in their ability to provide sector-specific expertise. Their legitimacy flows from the presence of technical members with domain knowledge.

However, TDSAT’s governing framework tells a different story. Under Section 14C of the TRAI Act, members are required to have experience as a Secretary to the Government or expertise in fields such as telecommunications, technology, commerce, industry or administration. It is designed to handle matters under the TRAI Act and the Telecommunications Act, 2023, not data protection.

There is no requirement for expertise in data protection or privacy law. This omission directly conflicts with the principles laid down in Union of India v. R Gandhi (2010). The Supreme Court held that technical members must possess domain-specific expertise, tribunals must include judicial members and replacing courts without adequate expertise may render tribunals unconstitutional. Indeed, such arrangements risk judicial encroachment without competence. Applying the reasoning in R Gandhi directly, since TDSAT does not possess expertise relevant to data protection, its adjudication of DPDP appeals amounts to an unconstitutional encroachment upon the domain of the judiciary.

This inconsistency is brought into sharper relief by comparison. Under the Companies Act, the SEBI Act and the Income Tax Act, domain-specific expertise is required at both the original and appellate stages; the qualification standard flows consistently through the adjudicatory chain. The DPDP Act uniquely fractures this chain.

More significantly, this is not merely an external critique, but an internal contradiction. Section 19(3) of the DPDP Act requires DPB members to have expertise in data governance, law and regulation, reflecting the need for specialised adjudication. Yet, appeals lie to a body with no such requirement. The Act thus mandates expertise at first instance but abandons it at the appellate stage, creating structural incoherence. The result is anomalous: the appellate body is less equipped than the one it reviews.

The structural weaknesses of TDSAT extend beyond expertise.

First, the tenure of its members is limited to three years under Section 14D of the TRAI Act. As noted in R Gandhi, such short tenures prevent the development of expertise and discourage professionals from joining specialised tribunals, especially in complex domains like data protection.

Second, the tribunal reflects the “post-retirement” phenomenon. With other members retiring at 65 under Section 14D(b), tribunal positions often become post-retirement placements for bureaucrats. This raises concerns about independence and neutrality.

Third, this structure creates perverse incentives: bureaucrats may align with executive preferences in anticipation of post-retirement tribunal roles, reducing such posts to rewards for deference and undermining both independence and neutrality.

Fourth, while TDSAT includes judicial members, its limited bench strength, expanding caseload and sector-specific design continue to raise concerns about its adequacy for constitutional adjudication. The Supreme Court, in Madras Bar Association v. Union of India (2021), emphasised that tribunals exercising adjudicatory functions must retain a meaningful judicial component, independence, impartiality and security of tenure to ensure fairness, the dilution of which undermines their legitimacy as judicial bodies.

Finally, even though the Chief Justice of India is consulted, it does not fully solve the problem, because the government still controls tribunal appointments.

TDSAT’s existing caseload further complicates its role. Between February 2020 and April 2026, over 3,917 cases remained pending. With additional responsibilities under the Telecommunications Act, 2023, its workload is only expected to increase.

Against this backdrop, the expectation that DPDP appeals will be disposed of within 6 months is unrealistic. Capacity constraints make it unclear how TDSAT can effectively handle DPB appeals while meeting statutory timelines.

This is further aggravated by the nature of DPDP disputes, which are digital-first, quasi-judicial and highly complex, requiring institutional sophistication that TDSAT currently lacks.

The DPDP Rules require appeals to be filed digitally. However, TDSAT’s current digital infrastructure does not inspire public confidence. Its website lacks accessibility, navigation and meaningful access to case information.

Although the TRAI Annual Report, 2023 refers to a new legal case management system, its implementation status and impact on case disposal remain unclear.

Given the complexity and expected volume of data protection disputes, efficient systems for digital filing, case tracking and information access are essential. At present, this requirement remains unmet.

The institutional design also lacks adequate accountability mechanisms. TDSAT must be accountable across three core dimensions, expertise, capacity and infrastructure.

One possible solution is the publication of detailed annual reports, including:

• Number of appeals filed

• Appeals allowed or dismissed

• Pending cases

• Key issues involved

Such reporting must be categorised across telecom, broadcasting and data protection matters to enable meaningful oversight. Without such mechanisms - and given concerns regarding independence, expertise and executive influence - the tribunal risks failing to inspire public confidence in privacy adjudication.

If TDSAT is to function as the appellate authority under the DPDP Act, substantial reforms are essential:

• Appointment of technical members with expertise in data protection and privacy (requiring amendment to Section 14C);

• Expansion of institutional capacity through increased budgetary allocations and additional benches;

• Comprehensive technological upgrades for digital filing and case management;

• Strong accountability mechanisms, including detailed and categorised annual reporting.

Data protection is no longer peripheral, it is central to India’s digital governance framework. The effectiveness of TDSAT will directly impact the enforcement of rights, the credibility of institutions and the rule of law.

The decision to vest appellate jurisdiction in TDSAT reflects a deeper tension between administrative convenience and constitutional necessity. In attempting to create an efficient dispute resolution mechanism, the DPDP framework risks undermining the very rights it seeks to protect.

The forum is not a procedural detail; it is the guarantee of justice and, in the context of data protection, that guarantee currently appears misplaced.

Shivam Jadaun is a Delhi-based lawyer and tech consultant specialising in technology law, AI, and tech policy.