The Digital Personal Data Protection Act, 2023 (DPDPA) establishes a structured enforcement framework to ensure compliance with data protection obligations. One of the most significant mechanisms under the Act is the imposition of monetary penalties for violations. These penalties are administered by the Data Protection Board of India, which has the authority to investigate contraventions and impose financial sanctions where necessary.
The power to impose penalties arises when a person—typically a data fiduciary—is found to have violated obligations prescribed under the Act or the rules framed under it. The penalties are not arbitrary but are determined according to the Schedule to Section 33 of the Act, which specifies maximum limits for different categories of violations.
Factors Considered by the Board While Imposing Penalties
Before determining the appropriate penalty, the Data Protection Board must take into account several important factors to assess the seriousness of the violation. These considerations ensure that the enforcement process remains balanced and proportionate.
The Board evaluates:
- Nature, gravity, and duration of the breach
- Type and nature of personal data affected
- Whether the breach was repetitive in nature
- Whether the entity took steps to mitigate the breach
- Whether any financial gain was derived from the violation
These criteria help ensure that penalties reflect the severity of the violation and the conduct of the entity involved.
Another important feature of the Act is that penalties collected are credited to the Consolidated Fund of India. The monetary penalties imposed by the Board are therefore regulatory in nature and do not directly compensate affected individuals.
Penalty Structure under Section 33 of the Act
The Act establishes a categorical penalty structure, where specific violations correspond to specific maximum penalty limits rather than a single uniform fine. According to the official Schedule under Section 33(1), the following maximum penalties may be imposed:
- Failure to Implement Reasonable Security Safeguards (Section 8(5)). Maximum penalty: ₹250 crores
- Failure to Notify the Board and Affected Data Principals of a Personal Data Breach (Section 8(6)). Maximum penalty: ₹200 crores
- Failure to Fulfil Additional Obligations Relating to Children’s Data (Section 9). Maximum penalty: ₹200 crores
- Failure to Fulfil Additional Obligations of a Significant Data Fiduciary (Section 10). Maximum penalty: ₹150 crores
- Breach of Duties under Section 15. This includes situations such as the filing of a false complaint by a data principal. Maximum penalty: ₹10,000
- Breach of Any Other Provision of the Act or Rules. Maximum penalty: up to ₹50 crores
- Breach of a Voluntary Undertaking Accepted by the Board (Section 32). In such cases, the penalty applicable is the same as that prescribed for the original breach.
This structured penalty framework ensures that violations are addressed in proportion to their nature and seriousness.
Enforcement and Compliance Mechanism
The Data Protection Board does not impose penalties automatically. It conducts an evaluation of the circumstances surrounding the violation. In particular, the Board examines:
- Whether the entity gained commercially from the violation
- Whether steps were taken to mitigate the breach
- Whether the processing activity was stopped promptly
- The overall impact of the breach on individuals and their data rights
This approach introduces an element of regulatory flexibility, allowing entities that take prompt remedial actions to potentially face reduced penalties.
In addition to imposing penalties, the Board also has the authority to issue directions to ensure compliance. If a data fiduciary fails to follow such directions, the Board may impose additional penalties. In serious cases of non-compliance, these penalties may reach the highest tier permitted under the relevant category.
Conclusion
The penalty framework under the Digital Personal Data Protection Act, 2023 is designed to function as a strong deterrent against data protection violations. By specifying clear penalty limits and requiring the Board to consider contextual factors, the Act seeks to balance strict enforcement with procedural fairness. The system ultimately encourages organisations to adopt robust data protection practices and ensures accountability in the handling of personal data.