Penalties and Enforcement Under the DPDP Act
- Kiratraj Sadana
- May 26
Introduction
The Digital Personal Data Protection Act, 2023 (DPDP Act) is not a symbolic statute—it introduces a strong enforcement mechanism backed by a dedicated Data Protection Board of India and significant financial penalties. For businesses, non-compliance is no longer just a reputational issue; it’s a financial and legal liability.
In this article, we break down the penalty structure, enforcement powers, and what Indian businesses must do to stay within the bounds of the law.
1. Enforcement Authority: The Data Protection Board of India
The Data Protection Board of India is a quasi-judicial authority established under the DPDP Act with the power to:
Conduct inquiries and investigations
Issue directions for compliance
Impose penalties
Hear complaints from Data Principals
Handle breach notifications and disputes
The Board’s orders are enforceable as civil court decrees and subject to appeal before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
2. Key Penalties Under the DPDP Act
Here is a summary of the major penalty provisions for businesses:
| Offence | Maximum penalty |
| --- | --- |
| Failure to take reasonable security safeguards | ₹250 crore |
| Failure to notify data breaches | ₹200 crore |
| Non-fulfilment of obligations by a Significant Data Fiduciary | ₹150 crore |
| Failure to provide grievance redressal | ₹50 crore |
| Violation of consent obligations | ₹200 crore |
| Processing children’s data without safeguards | ₹200 crore |
| Non-compliance with Board orders | ₹50 crore |
Note: Penalties are per instance of non-compliance and can be cumulative.
3. How the Penalty Process Works
The penalty process under the DPDP Act follows a quasi-judicial path:
Complaint/Trigger: Initiated by breach notification, user complaint, or suo motu action.
Inquiry Notice: The Data Protection Board issues a notice to the Data Fiduciary.
Opportunity to Respond: The entity can present evidence, submissions, and remedial actions.
Hearing & Decision: The Board may conduct oral hearings or proceed on written submissions.
Order & Penalty: If found guilty, the Board issues a penalty order with enforcement provisions.
4. Factors Considered by the Board While Imposing Penalties
The Act provides for a nuanced and proportional approach. The Board will consider:
Nature, gravity, and duration of the violation
Type and sensitivity of personal data affected
Whether the breach was intentional, negligent, or accidental
Past history of compliance
Efforts taken to mitigate damage
Promptness in notifying affected users and the Board
This ensures fair outcomes, especially for smaller entities or first-time violations.
5. Does Every Non-Compliance Lead to a Penalty?
Not necessarily. The Board may:
Issue a warning
Recommend remedial action without financial penalty
Allow for voluntary undertakings and time-bound corrective steps
However, repeat offenders or serious breaches—especially those impacting national interest or children—are unlikely to escape financial consequences.
6. Appeals and Remedies
Appeal lies before the TDSAT (not the High Court)
Must be filed within 60 days of the Board’s order
Final appeal from TDSAT lies to the Supreme Court of India
Legal representation and documentation are crucial to present mitigating factors before both the Board and the Tribunal.
7. How Apar Law Helps Clients Manage DPDP Compliance Risk
We provide end-to-end enforcement and risk management services:
Drafting internal compliance frameworks and incident response protocols
Conducting legal audits and privacy impact assessments
Representing clients before the Data Protection Board
Advising on mitigation and voluntary undertakings
Defending penalty proceedings and preparing appeals to TDSAT
Conclusion
The DPDP Act introduces a robust enforcement mechanism that prioritises compliance, deterrence, and corrective action. With penalties reaching up to ₹250 crore per violation, Indian businesses must adopt a proactive approach to privacy and security governance.