
Penalties Under the DPDP Act, 2023 - How Much and When

  • Writer: Crypticroots
  • Feb 24

Introduction

The Digital Personal Data Protection Act, 2023 is not merely a rights-based framework. It is a fully enforceable law backed by a regulatory authority and a structured penalty system.

To ensure compliance and accountability, the Act establishes the Data Protection Board of India and provides for substantial financial penalties for violations.


1. Enforcement Authority: Data Protection Board of India

The Data Protection Board of India (DPB) is the central enforcement body under the Act.

It is responsible for:

  • Receiving complaints from Data Principals

  • Investigating data breaches

  • Examining non-compliance

  • Conducting inquiries

  • Issuing directions

  • Imposing monetary penalties

The Board functions as a regulatory authority to ensure effective implementation of the Act.


2. Powers of the Data Protection Board

The Board has the authority to:

  • Initiate inquiries into violations

  • Seek information from Data Fiduciaries

  • Order corrective action

  • Impose penalties

  • Address breach notifications

  • Handle grievance-related complaints

Its powers are administrative and regulatory in nature.


3. What Are Penalties?

Penalties under the DPDP Act are monetary fines imposed for non-compliance.

They are designed to:

  • Ensure accountability

  • Encourage data protection compliance

  • Deter negligence

  • Protect personal data

The Act provides a structured penalty schedule with different amounts depending on the violation.


4. Maximum Penalty Structure Under the Act

(A) Failure to Prevent Data Breach

If reasonable security safeguards are not implemented and a breach occurs:

Up to ₹250 crore

(B) Failure to Notify Data Breach

If the breach is not reported to:

  • The Data Protection Board

  • Affected Data Principals

Up to ₹200 crore

(C) Non-Compliance Regarding Children’s Data

Failure to follow obligations related to processing children’s data:

Up to ₹200 crore

(D) Non-Compliance by Significant Data Fiduciaries

Failure to meet enhanced obligations such as:

  • Appointing a Data Protection Officer

  • Conducting audits

  • Performing impact assessments

Up to ₹150 crore

(E) General Non-Compliance

For other violations not covered above:

Up to ₹50 crore

(F) Violation of Board Directions

Failure to comply with directions issued by the Data Protection Board may also attract penalties under applicable provisions.

(G) Violation by Data Principals

If individuals violate their duties (for example, providing false information):

Up to ₹10,000

This places responsibility on both organisations and individuals.


5. Factors Considered Before Imposing Penalty

While imposing penalties, the Board may consider:

  • Nature and seriousness of violation

  • Type of data involved

  • Duration of non-compliance

  • Level of harm caused

  • Mitigation measures taken

  • Repeated violations

This ensures proportionality.


6. Appeal Mechanism

Orders of the Data Protection Board can be challenged before the appropriate appellate authority as provided under the Act.

This ensures procedural fairness and oversight.


7. Legal Foundation

The enforcement framework aligns with constitutional privacy principles recognised in:

🔹 Justice K.S. Puttaswamy v. Union of India

The Supreme Court held that:

  • Privacy is a fundamental right.

  • Restrictions must be proportionate.

  • Institutional safeguards are necessary.

The DPDP enforcement structure reflects these constitutional principles.


Conclusion

The penalty and enforcement provisions under the DPDP Act, 2023 ensure that:

  • Data protection is legally binding.

  • Violations have serious financial consequences.

  • Organisations are held accountable.

  • Individuals are protected.

This makes the Act a strong regulatory framework for India’s digital ecosystem.

