1. Overview of the Penalty Framework
The Digital Personal Data Protection Act, 2023 (DPDPA) establishes a Schedule-capped monetary penalty framework administered by the Data Protection Board of India (DPBI) under Section 33. Penalties are administrative in nature and are imposed only after the Board concludes an inquiry, determines that a breach is significant, and gives the person an opportunity of being heard.
The Act does not prescribe a mathematical formula, turnover-linked multiplier, or per-person calculation for arriving at the exact penalty amount. Instead, the Board exercises discretion up to the statutory cap for the relevant Schedule item, guided by the mandatory consideration factors listed in Section 33(2).
2. Penalty Quantum Under the Schedule
The Schedule to the Act (read with Section 33(1)) specifies seven categories of breach and their corresponding maximum penalties. The statutory text uses the formulation "May extend to…" for each category, so each figure is a ceiling, not a fixed amount.
| Item | Breach Category | Liable Person | Provision | Maximum Penalty |
|---|---|---|---|---|
| 1 | Failure to take reasonable security safeguards to prevent personal data breach | Data Fiduciary | Section 8(5) | ₹250 crore |
| 2 | Failure to give notice of personal data breach to the Board or affected Data Principal | Data Fiduciary | Section 8(6) | ₹200 crore |
| 3 | Breach of additional obligations in relation to children | Data Fiduciary | Section 9 | ₹200 crore |
| 4 | Breach of additional obligations of Significant Data Fiduciary | Significant Data Fiduciary | Section 10 | ₹150 crore |
| 5 | Breach of duties of Data Principal | Data Principal | Section 15 | ₹10,000 |
| 6 | Breach of voluntary undertaking accepted by the Board | Person who gave the undertaking | Section 32 | Up to applicable underlying penalty |
| 7 | Breach of any other provision of the Act or Rules | Any person | Any other provision | ₹50 crore |
3. The Statutory Trigger for Penalty
A monetary penalty is not automatic. The statutory structure requires the following sequential conditions to be satisfied:
1. Breach of the Act or Rules: there must be a contravention of a provision of the Act or the rules made under it.
2. Inquiry by the Board: the DPBI must conduct an inquiry under Section 28.
3. Significance determination: on conclusion of the inquiry, the Board must determine that the breach is significant.
4. Opportunity of being heard: the person must be given a reasonable opportunity to present their case.
5. Schedule-based cap: the penalty must not exceed the amount specified in the Schedule for that category.
Statutory structure: Breach + Inquiry + Significance + Hearing + Schedule Cap = Monetary Penalty under Section 33.
4. Factors for Determining the Penalty Amount
Under Section 33(2), the Board shall have regard to the following factors when fixing the quantum within the Schedule cap. These are statutory considerations, not numerical weights or percentage multipliers.
| Factor | Description |
|---|---|
| Nature, gravity and duration of the breach | What the breach was, how serious it was, and how long it continued |
| Type and nature of personal data affected | Whether sensitive, financial, health, or children's data was involved |
| Repetitive nature of the breach | Whether it was a first-time or recurring violation |
| Gain realised or loss avoided | Whether the person profited or avoided costs by the breach |
| Mitigation action | Steps taken to reduce the effects and consequences |
| Timeliness and effectiveness of mitigation | Whether the response was prompt and effective |
| Proportionality and deterrence | Whether the penalty secures observance and deters future breach |
| Likely impact of penalty on the person | Financial capacity and effect on operations |
5. The "Twice the Cap" Figure: Schedule Amendment, Not Board Enhancement
A figure of twice the Schedule cap (for example, ₹500 crore for Item 1) is sometimes cited as an "effective maximum". That reading does not match the enacted Act. Section 33 consists of sub-section (1), which limits the Board to the penalty specified in the Schedule, and sub-section (2), which lists the factors the Board must weigh. No sub-section empowers the Board to impose more than the Schedule figure in an individual case; the Section 33(2) factors operate only to fix the amount at or below the cap.
The "twice" language comes from a different provision: the Central Government may amend the Schedule by notification, subject to the proviso that no such notification may increase any penalty to more than twice the amount specified when the Act was originally enacted. Doubling is therefore a ceiling on future revision of the Schedule by notification, not a discretionary uplift available to the Board.
| Schedule Item | Enacted Cap | Highest Cap a Future Notification Could Set |
|---|---|---|
| Item 1: Security safeguards | ₹250 crore | ₹500 crore |
| Item 2: Breach notification | ₹200 crore | ₹400 crore |
| Item 3: Children's obligations | ₹200 crore | ₹400 crore |
| Item 4: Significant Data Fiduciary | ₹150 crore | ₹300 crore |
| Item 7: Residual category | ₹50 crore | ₹100 crore |
Until such a notification is issued, the enacted Schedule figures are the operative ceilings. Aggravating factors under Section 33(2) can push the amount towards the cap and mitigating factors can reduce it, but neither can take it above the cap.
6. Detailed Penalty Categories
6.1 Failure to Take Reasonable Security Safeguards (Schedule Item 1)
- Liable person: Data Fiduciary
- Provision: Section 8(5)
- Penalty cap: ₹250 crore
- Description: Failure to protect personal data in its possession or control, including processing undertaken by a Data Processor on its behalf, by taking reasonable security safeguards to prevent a personal data breach.
6.2 Failure to Notify Personal Data Breach (Schedule Item 2)
- Liable person: Data Fiduciary
- Provision: Section 8(6)
- Penalty cap: ₹200 crore
- Description: Failure to give the Board and each affected Data Principal intimation of a personal data breach.
6.3 Breach of Additional Obligations Relating to Children (Schedule Item 3)
- Liable person: Data Fiduciary
- Provision: Section 9
- Penalty cap: ₹200 crore
- Description: Breach of obligations such as obtaining verifiable parental consent, prohibiting tracking or behavioural monitoring, and prohibiting targeted advertising directed at children.
6.4 Breach of Additional Obligations of Significant Data Fiduciary (Schedule Item 4)
- Liable person: Significant Data Fiduciary
- Provision: Section 10
- Penalty cap: ₹150 crore
- Description: Non-compliance with additional obligations such as appointment of a Data Protection Officer, undertaking a Data Protection Impact Assessment, and periodic audits.
6.5 Breach of Duties of Data Principal (Schedule Item 5)
- Liable person: Data Principal
- Provision: Section 15
- Penalty cap: ₹10,000
- Description: Breach of duties such as not registering a false or frivolous complaint and not furnishing false information.
6.6 Breach of Voluntary Undertaking (Schedule Item 6)
- Liable person: Person whose undertaking has been accepted
- Provision: Section 32
- Penalty cap: Up to the amount applicable for the underlying breach in respect of which proceedings under Section 28 were instituted
- Description: Where the Board accepts a voluntary undertaking, breach of any term may attract penalty up to the extent applicable for the original breach.
6.7 Breach of Any Other Provision — Residual Category (Schedule Item 7)
- Liable person: Any person
- Provision: Any other provision of the Act or Rules
- Penalty cap: ₹50 crore
- Description: This residual category captures all breaches not specifically covered by Items 1 to 6, ensuring no gap in enforcement.
7. Role-Wise Penalty Exposure
7.1 Data Fiduciary
| Breach | Provision | Maximum Penalty |
|---|---|---|
| Failure to take reasonable security safeguards | Section 8(5) | ₹250 crore |
| Failure to notify personal data breach | Section 8(6) | ₹200 crore |
| Breach of obligations relating to children | Section 9 | ₹200 crore |
| Breach of any other provision (residual) | Any other provision | ₹50 crore |
7.2 Significant Data Fiduciary
| Breach | Provision | Maximum Penalty |
|---|---|---|
| Breach of additional obligations of SDF | Section 10 | ₹150 crore |
| Failure to take reasonable security safeguards | Section 8(5) | ₹250 crore |
| Failure to notify personal data breach | Section 8(6) | ₹200 crore |
| Breach of obligations relating to children | Section 9 | ₹200 crore |
| Breach of any other provision (residual) | Any other provision | ₹50 crore |
7.3 Data Principal
| Breach | Provision | Maximum Penalty |
|---|---|---|
| Breach of duties of Data Principal | Section 15 | ₹10,000 |
7.4 Person Giving Voluntary Undertaking
| Breach | Provision | Maximum Penalty |
|---|---|---|
| Breach of accepted voluntary undertaking | Section 32 | Up to applicable penalty for underlying breach |
7.5 Any Other Person
| Breach | Provision | Maximum Penalty |
|---|---|---|
| Breach of any other provision of Act or Rules | Residual category | ₹50 crore |
8. Cumulative and Non-Exclusive Nature of Penalties
Section 38(1) provides that the Act is in addition to, and not in derogation of, any other law for the time being in force, so a penalty imposed by the Board does not displace other action under the DPDPA or under other laws. This has two important implications:
- Parallel proceedings: Criminal prosecution, civil suits, or regulatory actions under sectoral laws (e.g., the IT Act, RBI regulations, SEBI guidelines) may proceed alongside DPDPA penalties.
- Separate penalties for separate breaches: a single incident may trigger more than one Schedule item, each with its own cap. For example, a data breach caused by inadequate security (Item 1) coupled with a failure to notify (Item 2) could attract separate penalties of up to ₹250 crore and ₹200 crore respectively.
9. Destination of Penalty Sums
All sums realised by way of penalties imposed by the Board are credited to the Consolidated Fund of India under Section 34 of the Act. Penalties are not paid as compensation to affected Data Principals, and the Act itself provides no compensation mechanism; affected individuals must pursue compensation separately under other applicable laws.
10. Statutory Safeguards and Limits
| Aspect | Statutory Position |
|---|---|
| Maximum penalty per instance | ₹250 crore (Item 1); the Board cannot exceed the Schedule figure for an item |
| Ceiling on raising the Schedule | Twice the originally enacted figure, and only by Central Government notification amending the Schedule |
| Minimum penalty | Not specified; a penalty is imposed only where the Board finds the breach significant, and within the cap the Board may fix a nominal amount for technical or trivial breaches |
| Per-person calculation | Not prescribed |
| Turnover-linked formula | Not prescribed |
| Imprisonment | Not provided under the DPDPA |
| Opportunity to be heard | Mandatory before penalty imposition |
| Appeal | Available to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29 |
11. Final Statutory Position
The DPDPA penalty framework is a discretionary, Schedule-capped, administrative monetary penalty system. The Board fixes the actual amount by weighing the Section 33(2) factors, and the Schedule figure for the relevant item is a hard ceiling on that amount; only a Central Government notification amending the Schedule can raise it, and then to no more than twice the enacted figure. There is no fixed formula, but there is a clear statutory ceiling and a structured inquiry process that every organisation must understand to assess its compliance risk accurately.