
Penalties Under the DPDP Act, 2023
The DPDP Act establishes a clear and significant penalty framework. Penalties are imposed by the Data Protection Board of India after due inquiry, giving the accused an opportunity to be heard. The penalties are civil in nature — monetary fines, not criminal prosecution.
The Penalty Schedule
| Breach | Maximum Penalty |
|---|---|
| Failure to implement security safeguards | ₹250 crore |
| Failure to notify breach to Board or individuals | ₹200 crore |
| Breach of children’s data obligations | ₹200 crore |
| Breach of Significant Data Fiduciary obligations | ₹150 crore |
| Any other provision of the Act or Rules | ₹50 crore |
| Breach of duties by a Data Principal | ₹10,000 |
What Factors Determine the Penalty Amount?
The Board does not automatically impose the maximum. It considers:
- Nature, gravity, and duration of the breach
- Sensitivity of the personal data involved
- Whether the breach was repetitive
- Whether any gain was made or loss avoided
- Whether timely steps were taken to mitigate harm
- The likely impact of the penalty on the organisation
Examples
Example 1 — Failure to Secure Data (₹250 crore)
A large e-commerce platform stores millions of customer records — names, addresses, and payment details — without encryption or access controls. Hackers exploit this and steal the data. The platform had no reasonable safeguards in place. The Board finds the platform liable for up to ₹250 crore.
Example 2 — Failure to Report a Breach (₹200 crore)
A telecom company discovers that its customer database has been compromised. Instead of notifying the Board and affected customers promptly, it delays disclosure for weeks, hoping to manage the situation internally. This failure to notify attracts a penalty of up to ₹200 crore.
Example 3 — Children’s Data Violation (₹200 crore)
An ed-tech platform collects data of students under 18 without obtaining verifiable parental consent. It also runs targeted advertisements directed at children on its platform. Both violations together attract a penalty of up to ₹200 crore.
Example 4 — Significant Data Fiduciary Default (₹150 crore)
A major social media platform notified as a Significant Data Fiduciary fails to appoint a Data Protection Officer based in India and does not conduct its mandatory annual Data Protection Impact Assessment. The Board imposes a penalty of up to ₹150 crore.
Example 5 — Data Principal Misuse (₹10,000)
An individual files repeated false complaints against a company with the Data Protection Board, with no genuine grievance. The Board finds the complaints frivolous and imposes a penalty of up to ₹10,000 on the individual.
Can the Government Go Further?
Yes. If the Board reports that penalties have been imposed on a Data Fiduciary on two or more occasions, the Central Government may direct platforms and intermediaries to block public access to that organisation’s services in India — making repeat non-compliance an existential risk for businesses.
The Key Takeaway
Penalties under the DPDP Act are not symbolic. They are substantial, scalable, and designed to deter. Compliance is not a one-time exercise — it is an ongoing obligation, and the cost of ignoring it far exceeds the cost of getting it right.
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.
