Penalties under the Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDPA, 2023) has cast responsibility on Data Processors, Data Fiduciaries and Significant Data Fiduciaries to comply with the requirements of its provisions so that there is no contravention on their end while processing the personal data of Data Principals.
Contravention of Section 8(5), Section 8(6), Section 9, Section 10, Section 15 or Section 32, and such other contraventions as may be provided under the Rules made thereunder, shall attract a penalty under the enactment.
Overview of Penalties in DPDPA 2023
The prominent contraventions can be summarised as under:
a. Failure of a Data Processor or Data Fiduciary to ensure reasonable safeguards for preventing a personal data breach – Up to Rs. 250 crore
b. Failure to notify the Data Protection Board and affected Data Principals of a personal data breach – Up to Rs. 200 crore
c. Non-fulfilment of obligations pertaining to children – Up to Rs. 200 crore
d. Non-fulfilment of obligations as a Significant Data Fiduciary – Up to Rs. 150 crore
e. Non-compliance with the duties of a Data Principal stipulated under Section 16 of the Bill – Up to Rs. 10 thousand
f. Non-compliance with the proposed enactment under the DPDPA, 2023 as a whole, or with any Rule made thereunder – Up to Rs. 50 crore
The penalty provisions as stipulated under Section 33 of DPDPA, 2023 can be referred to as under:
Specific Penalties for Data Fiduciaries
Section 33. Penalties
(1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.
(2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:—
(a) the nature, gravity and duration of the breach;
(b) the type and nature of the personal data affected by the breach;
(c) repetitive nature of the breach;
(d) whether the person, as a result of the breach, has realised a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
(f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
(g) the likely impact of the imposition of the monetary penalty on the person.
The Schedule under Section 33(1) prescribes the quantum of monetary penalty as below:
THE SCHEDULE [See section 33 (1)]
Breach of provisions of this Act or rules made thereunder –
1. Breach in observing the obligation of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under sub-section (5) of section 8. – May extend to two hundred and fifty crore rupees.
2. Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. – May extend to two hundred crore rupees.
3. Breach in observance of additional obligations in relation to children under section 9. – May extend to two hundred crore rupees.
4. Breach in observance of additional obligations of a Significant Data Fiduciary under section 10. – May extend to one hundred and fifty crore rupees.
5. Breach in observance of the duties under section 15. – May extend to ten thousand rupees.
6. Breach of any term of a voluntary undertaking accepted by the Board under section 32. – Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted.
7. Breach of any other provision of this Act or the rules made thereunder. – May extend to fifty crore rupees.
Business entities need to understand their data flows, data consents, data processing records and data storage so that unforeseen liability for hefty penalties under DPDPA, 2023 can be avoided.
Specific Penalties for Data Fiduciaries
The Digital Personal Data Protection Act, 2023 outlines stringent penalties for Data Fiduciaries (entities responsible for processing personal data) that fail to comply with its requirements. These penalties primarily concern non-compliance with consent management, data processing principles and the safeguarding of personal data. The penalties can extend up to Rs. 250 crore, depending on the severity of the violation. Specific violations include failure to obtain valid consent, misuse of data, improper data retention and failure to implement security measures, any of which could lead to breaches and substantial fines.
Data Fiduciaries must regularly audit their compliance frameworks, implement strong privacy practices, and ensure transparent data handling procedures. Non-compliance, particularly around data breach reporting, could result in fines, legal liabilities, and reputational damage. Maintaining strict data governance protocols is essential to avoid penalties and protect personal data in line with DPDPA 2023 guidelines.
Avoiding Penalties under DPDPA 2023
To further safeguard your organization, it’s crucial to maintain comprehensive data processing records, ensure appropriate consents, and implement robust security measures. Proactively conducting regular audits and assessments can mitigate the risk of incurring significant fines under the DPDPA, 2023.
To know more about the issues discussed above, you may connect with dataprivacy@amlegals.com or mridusha.guha@amlegals.com.