DPDP Series 1.8: Penalty under DPDP Act, 2023

Penalties Under the DPDP Act, 2023

The DPDP Act establishes a clear and significant penalty framework. Penalties are imposed by the Data Protection Board of India after due inquiry, giving the accused an opportunity to be heard. The penalties are civil in nature — monetary fines, not criminal prosecution.


The Penalty Schedule

Breach                                                              Maximum Penalty
------------------------------------------------------------------  ---------------
Failure to implement reasonable security safeguards                 ₹250 crore
Failure to notify a breach to the Board or affected individuals     ₹200 crore
Breach of children's data obligations                               ₹200 crore
Breach of Significant Data Fiduciary obligations                    ₹150 crore
Any other provision of the Act or Rules                             ₹50 crore
Breach of duties by a Data Principal                                ₹10,000

What Factors Determine the Penalty Amount?

The Board does not automatically impose the maximum. It considers:

  • Nature, gravity, and duration of the breach
  • Sensitivity of the personal data involved
  • Whether the breach was repetitive
  • Whether any gain was made or loss avoided
  • Whether timely steps were taken to mitigate harm
  • Whether the penalty is proportionate and effective, given the need to secure compliance and deter future breaches

Examples

Example 1 — Failure to Secure Data (₹250 crore)

A large e-commerce platform stores millions of customer records — names, addresses, and payment details — without encryption or access controls. Attackers exploit this and steal the data. The platform had no reasonable safeguards in place, and the Board may impose a penalty of up to ₹250 crore.

Example 2 — Failure to Report a Breach (₹200 crore)

A telecom company discovers that its customer database has been compromised. Instead of notifying the Board and affected customers promptly, it delays disclosure for weeks hoping to manage the situation internally. This failure to notify attracts a penalty of up to ₹200 crore.

Example 3 — Children's Data Violation (₹200 crore)

An ed-tech platform collects data of students under 18 without obtaining verifiable parental consent. It also runs targeted advertisements directed at children on its platform. Both violations fall under the children's data obligations and together attract a penalty of up to ₹200 crore.

Example 4 — Significant Data Fiduciary Default (₹150 crore)

A major social media platform notified as a Significant Data Fiduciary fails to appoint a Data Protection Officer based in India and does not conduct its mandatory annual Data Protection Impact Assessment. The Board may impose a penalty of up to ₹150 crore.

Example 5 — Data Principal Misuse (₹10,000)

An individual files repeated false complaints against a company with the Data Protection Board, with no genuine grievance. The Board finds the complaints frivolous and may impose a penalty of up to ₹10,000 on the individual.


Can the Government Go Further?

Yes. If the Board refers to the Central Government that penalties have been imposed on a Data Fiduciary on two or more occasions, and advises that blocking is in the interests of the general public, the Central Government may, after giving the Data Fiduciary an opportunity to be heard, direct intermediaries to block public access to that organisation's services in India. Repeat non-compliance is therefore an existential risk for a business, not just a financial one.


The Key Takeaway

Penalties under the DPDP Act are not symbolic. They are substantial, scalable, and designed to deter. Compliance is not a one-time exercise — it is an ongoing obligation, and the cost of ignoring it far exceeds the cost of getting it right.


Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.

DPDP Series 1.7: Consent

What is Valid Consent Under the DPDP Act?

Consent is the foundation of the DPDP Act. Before collecting or processing any personal data, a Data Fiduciary must obtain consent that meets every one of the following conditions. If even one condition is missing — the consent is invalid.


The Five Pillars of Valid Consent

Free — Consent must not be forced, pressured, or made a condition for a service where the data is not genuinely necessary. The individual must have a real choice.

Specific — Consent must be tied to a clearly defined purpose. A blanket “I agree to everything” is not valid. Each purpose requires its own consent.

Informed — The individual must know exactly what data is being collected, why it is being collected, and what their rights are — before they consent.

Unconditional — Consent cannot be bundled with unrelated terms or conditions. It must stand on its own.

Unambiguous with a Clear Affirmative Action — Silence, pre-ticked boxes, or inaction do not count as consent. The individual must actively and clearly say yes.


What is the Notice Requirement?

Before seeking consent, every Data Fiduciary must serve a Notice on the individual. The notice must be in clear, plain language, not buried in legal jargon, and the individual may choose to receive it in English or in any language listed in the Eighth Schedule of the Indian Constitution.

The Notice must contain:

What data is being collected — A clear description of the personal data proposed to be processed.

Why it is being collected — The specific purpose for which the data will be used.

How to exercise rights — A clear explanation of how the individual can access, correct, erase their data, or withdraw consent.

How to withdraw consent — The notice must explicitly tell the individual the manner in which they can withdraw consent. This is a distinct and mandatory element, separate from the general rights section.
The notice should also make clear that consent is limited to the data necessary for the specified purpose, so the individual understands they are not consenting to unlimited collection, and that withdrawing consent does not affect the legality of processing already carried out before withdrawal, so they understand what withdrawal does and does not undo.

How to complain — Details of how the individual can raise a complaint with the Data Protection Board of India.

Who to contact — Business contact information of the Data Protection Officer or a designated person who can answer questions about data processing.


What About Data Already Collected Before the Act?

If consent was obtained before the Act came into force, the Data Fiduciary must still issue a notice — as soon as reasonably practicable — informing the individual of the data held, its purpose, and how to exercise their rights going forward.


What Happens to Invalid Consent?

Any portion of consent that violates the Act is invalid to that extent. The rest of the consent may still hold — but the Data Fiduciary cannot rely on the invalid portion to justify processing.


A Practical Example

A food delivery app asks you to sign up. Before you proceed, it shows a notice stating: your name, phone number, and address will be used to deliver your orders. It tells you how to delete your account and who to contact for queries. You then tap “I Agree” — actively, not by default. That is valid consent.

If instead the app pre-ticks a box agreeing to share your data with advertising partners — that portion of consent is invalid.
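As an added illustration, not part of the original post, the following Python sketch shows how a Data Fiduciary might record consent so that the conditions above can be checked after the fact: one notice per purpose, consent rejected when the box was pre-ticked or when it was recorded before the notice was shown, processing of a data item never disclosed for that purpose refused, and withdrawal cutting off processing only from the moment of withdrawal onward. The data model, the field names and the food-delivery timeline are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical data model for the example; not from the post or any real library.


@dataclass(frozen=True)
class Notice:
    """The notice served on the Data Principal before consent is requested."""
    notice_id: str
    purpose: str                  # one notice covers exactly one purpose
    data_items: frozenset[str]    # only the data necessary for that purpose
    rights_explained: bool        # access / correction / erasure explained
    withdrawal_method: str        # how to withdraw consent, stated explicitly
    complaint_route: str          # how to complain to the Board
    contact: str                  # DPO or designated contact
    shown_at: datetime            # when the notice was actually displayed


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_id: str
    given_at: datetime
    affirmative_action: str       # the act that signalled "yes", e.g. "tapped_agree"
    withdrawn_at: Optional[datetime] = None


class InvalidConsent(ValueError):
    """Raised when a consent attempt fails one of the validity conditions."""


# UI events that are not a clear affirmative action.
NON_AFFIRMATIVE = {"", "default", "pre_ticked", "silence", "timeout", "scrolled_past"}


class ConsentLedger:
    def __init__(self) -> None:
        self._notices: dict[str, Notice] = {}
        self._records: list[ConsentRecord] = []

    def register_notice(self, notice: Notice) -> None:
        # A notice missing a mandatory element cannot support valid consent.
        missing = [f for f in ("withdrawal_method", "complaint_route", "contact")
                   if not getattr(notice, f)]
        if missing or not notice.rights_explained or not notice.data_items:
            raise InvalidConsent(f"notice {notice.notice_id} is incomplete")
        self._notices[notice.notice_id] = notice

    def record_consent(self, principal_id: str, notice_id: str, given_at: datetime,
                       affirmative_action: str, ui_default_checked: bool = False) -> ConsentRecord:
        notice = self._notices.get(notice_id)
        if notice is None:
            raise InvalidConsent("consent without a served notice")
        if given_at < notice.shown_at:
            raise InvalidConsent("consent recorded before the notice was shown")
        if ui_default_checked or affirmative_action in NON_AFFIRMATIVE:
            raise InvalidConsent("no clear affirmative action (pre-ticked or silent)")
        rec = ConsentRecord(principal_id, notice.purpose, notice_id, given_at, affirmative_action)
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> bool:
        for rec in self._records:
            if rec.principal_id == principal_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                return True
        return False

    def is_lawful(self, principal_id: str, purpose: str, data_item: str, at: datetime) -> bool:
        """Was processing `data_item` for `purpose` covered by active consent at time `at`?
        Withdrawal only bites from withdrawn_at onward, so earlier processing stays lawful."""
        for rec in self._records:
            if rec.principal_id != principal_id or rec.purpose != purpose:
                continue
            if data_item not in self._notices[rec.notice_id].data_items:
                continue  # item never disclosed for this purpose: consent does not stretch to it
            if rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
                return True
        return False


def food_delivery_walkthrough() -> dict[str, bool]:
    """Constructed timeline mirroring the food-delivery example above."""
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.register_notice(Notice("n-delivery", "order_delivery", frozenset({"name", "phone", "address"}),
                                  True, "Settings > Privacy > Withdraw", "Board complaint portal",
                                  "privacy@example.invalid", t0))
    ledger.register_notice(Notice("n-ads", "ad_partner_sharing", frozenset({"phone", "order_history"}),
                                  True, "Settings > Privacy > Withdraw", "Board complaint portal",
                                  "privacy@example.invalid", t0))
    results: dict[str, bool] = {}
    ledger.record_consent("user-1", "n-delivery", t0 + timedelta(minutes=1), "tapped_agree")
    for key, kwargs in (
        ("preticked_ad_consent_rejected", dict(notice_id="n-ads", given_at=t0 + timedelta(minutes=1),
                                               affirmative_action="pre_ticked", ui_default_checked=True)),
        ("consent_before_notice_rejected", dict(notice_id="n-ads", given_at=t0 - timedelta(minutes=1),
                                                affirmative_action="tapped_agree")),
    ):
        try:
            ledger.record_consent("user-1", **kwargs)
            results[key] = False
        except InvalidConsent:
            results[key] = True
    t_order = t0 + timedelta(days=1)
    results["delivery_address_lawful"] = ledger.is_lawful("user-1", "order_delivery", "address", t_order)
    results["ad_sharing_lawful"] = ledger.is_lawful("user-1", "ad_partner_sharing", "phone", t_order)
    results["delivery_consent_covers_history"] = ledger.is_lawful("user-1", "order_delivery", "order_history", t_order)
    t_withdraw = t0 + timedelta(days=30)
    results["withdrawn"] = ledger.withdraw("user-1", "order_delivery", t_withdraw)
    results["before_withdrawal_still_lawful"] = ledger.is_lawful("user-1", "order_delivery", "address", t_order)
    results["after_withdrawal_lawful"] = ledger.is_lawful("user-1", "order_delivery", "address",
                                                           t_withdraw + timedelta(hours=1))
    return results
```

The point of keeping the notice, the affirmative action and the timestamps in the record is evidential: when the Board asks on what basis a given item was processed on a given day, the ledger answers from data captured at the time rather than from a reconstruction.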


DPDP Series 1.6: Services to Indian Individuals by Foreign Entity

I’m a US Citizen Providing Services to Indians. Am I Covered Under the DPDP Act?

The short answer is — Yes, very likely.

The DPDP Act, 2023 is not limited to organisations or individuals based in India. Its reach is intentionally extraterritorial, designed to protect Indian individuals regardless of where the entity collecting their data is located.


What Does the Act Say?

The Act applies to the processing of digital personal data in two scenarios:

Within India — Any personal data collected in digital form (or digitised from non-digital form) within the territory of India.

Outside India — Any processing of digital personal data outside India, if such processing is in connection with offering goods or services to individuals in India.

This second provision is what covers you directly as a US-based service provider.


Does This Apply to Me?

Ask yourself these questions:

Do you collect personal data of individuals located in India? If yes — names, email addresses, phone numbers, payment details, usage behaviour — you are processing personal data of Indian Data Principals.

Do you offer goods or services to individuals in India? If your platform, app, or service is accessible to and targeted at Indian users — even if your servers are in the US — you fall within the scope of the Act.

Do you receive payment or registrations from Indian users? If Indian individuals are signing up, subscribing, or transacting with you, you are offering services to Data Principals within India.

If your answer to any of the above is yes, and the processing is connected with offering goods or services to individuals in India, the DPDP Act applies to you.


What Are Your Obligations?

As a Data Fiduciary operating from outside India, you must:

  • Obtain free, informed, and unambiguous consent from Indian users before collecting their data
  • Provide a clear notice describing what data is collected and why
  • Use the data only for the stated purpose
  • Implement reasonable security safeguards to prevent breaches
  • Delete the data once the purpose is served or consent is withdrawn
  • Report breaches to the Data Protection Board of India and affected users promptly

Are There Any Restrictions on Sending Data Back to the US?

Yes, potentially. The Central Government has the power to restrict transfer of personal data to specific countries. If India notifies the US as a restricted destination, additional compliance steps may apply before you can transfer or store Indian users’ data on US servers.


What Happens If You Don’t Comply?

Non-compliance exposes you to penalties imposed by the Data Protection Board of India — up to ₹250 crore for security failures and up to ₹200 crore for failure to report a breach. The Board has jurisdiction over processing that affects Indian Data Principals, regardless of where you are based.


DPDP Series 1.5: Data Breaches

What is a Data Breach?

A personal data breach under the DPDP Act, 2023 is any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data — that compromises its confidentiality, integrity, or availability.

In plain terms: if personal data ends up where it shouldn’t, gets changed without authorisation, or becomes inaccessible when it should be available — it is a breach.


How Does a Breach Happen?

Breaches can occur in many ways — through external attacks, internal negligence, or simple system failures.

Example 1 — Cyberattack

A hospital's patient database is hacked. Names, phone numbers, diagnoses, and medical histories of thousands of patients are stolen and published online. This is a breach of confidentiality.

Example 2 — Accidental Disclosure

An HR executive accidentally emails salary slips of 500 employees to the wrong mailing list. The data was not stolen, but it was disclosed without authorisation. Still a breach.

Example 3 — Insider Threat

A bank employee downloads and sells customer account details to a third party for personal gain. This is unauthorised processing, a serious breach.

Example 4 — Ransomware Attack

A company's servers are encrypted by ransomware. All customer data becomes inaccessible. Even though data was not stolen, loss of access to personal data is a breach under the Act.

Example 5 — Third-Party Vendor Failure

A Data Fiduciary shares customer data with a cloud service provider (Data Processor). The vendor suffers a security failure and the data is exposed. The Data Fiduciary remains accountable.


What Must a Data Fiduciary Do After a Breach?

The Act imposes a strict response obligation:

Notify immediately — Inform every affected Data Principal about the nature of the breach, its likely consequences, and the steps being taken to contain it.

Report to the Board — Intimate the Data Protection Board of India with full details: the root cause, timeline of events, persons responsible, mitigation measures taken, and steps to prevent recurrence.


What Are the Consequences?

Failure to implement safeguards that could have prevented the breach attracts a penalty of up to ₹250 crore. Failure to notify the Board or affected individuals attracts up to ₹200 crore — both imposed by the Data Protection Board.


The Key Takeaway

A breach is not just a hacking incident. Sending data to the wrong person, losing a device with unencrypted data, or a vendor’s server going down — all can qualify. The obligation to protect data, and to respond swiftly when things go wrong, rests squarely on the Data Fiduciary.


DPDP Series 1.4: Data Fiduciary – Obligations

Am I a Data Fiduciary? What Are My Obligations?


Q: How do I know if I am a Data Fiduciary?

If your organisation decides why and how personal data is collected and processed — you are a Data Fiduciary. This includes businesses, hospitals, schools, employers, apps, government bodies, and NGOs. Size does not matter; if you collect personal data of individuals in India, you qualify.


Q: Do I need consent before collecting data?

Yes. Before collecting any personal data, you must give the individual a clear notice describing what data is being collected and why. Consent must be free, specific, informed, unconditional, and unambiguous, signalled by a clear affirmative action.


Q: Can I collect more data than I need?

No. You may only collect data that is necessary for the stated purpose. Collecting excess data is a violation of the Act.


Q: How long can I keep the data?

Only as long as the purpose requires. Once the purpose is served or the individual withdraws consent, you must delete the data — unless a law requires you to retain it for a specific period.


Q: What security measures must I put in place?

You must implement reasonable technical and organisational safeguards, such as encryption, access controls, logging and monitoring, and data backups, to prevent unauthorised access and to detect and contain breaches.


Q: What must I do if there is a data breach?

You must immediately notify the Data Protection Board and every affected individual, describing the nature of the breach, its likely impact, and the steps being taken to contain it.


Q: Must I have a grievance mechanism?

Yes. Every Data Fiduciary must establish an effective grievance redressal system and publish contact details of a person who can respond to Data Principal queries.


Q: What are the penalties for non-compliance?

Penalties can reach up to ₹250 crore for failure to implement security safeguards, and up to ₹200 crore for failure to report a breach — imposed by the Data Protection Board.
