Penalties under the Digital Personal Data Protection Act,2023
The Digital Personal Data Protection Act,2023(DPDPA,2023) has casted responsibility of Data Processor, Data Fiduciary and Significant Data fiduciary to comply with the requirements of provisions so that there is no contravention at their end while processing the personal data of Data Principal.
The contravention to Section 8(5), Section 8(6) , Section 9, Section 10,Section 15, Section 32 and contraventions as may be provided under the Rules made thereunder shall be liable for penalty under the enactment.
The prominent contraventions can be summarised as under:
a.Failure of Data Processor or Data Fiduciary to ensure reasonable safeguards for preventing personal data breach- Up to Rs. 250 crore
b.Failure to notify the Data Protection Board and affected Data Principals- Up to Rs. 200 crore
c.Non-fulfilment of obligations pertaining to children- Up to Rs. 200 crore
d. Non-fulfilment of obligations as a Significant Data Fiduciary- Up to Rs. 150 crore
e.Non-compliance with the duties of a Data Principal stipulated under Section 16 of the Bill – Up to Rs. 10 thousand
f.Non-compliance with the proposed enactment under the DPDA,2023 as a whole besides any Rule made thereunder – Up to Rs. 50 crores
The penalty provisions as stipulated under Section 33 of DPDPA,2023 can be referred as under;
Section 33. Penalties
(1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.
(2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:—
(a) the nature, gravity and duration of the breach;
(b) the type and nature of the personal data affected by the breach;
(c) repetitive nature of the breach;
(d) whether the person, as a result of the breach, has realised a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
(f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
(g) the likely impact of the imposition of the monetary penalty on the person.
The Schedule under Section 33(1) prescribes the quantum of mandatory penalty as below;
THE SCHEDULE [See section 33 (1)]
Breach of provisions of this Act or rules made thereunder –
1.Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8.- May extend to two hundred and fifty crore rupees.
2.Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8- May extend to two hundred crore rupees.-May extend to two hundred crore rupees.
3.Breach in observance of additional obligations in relation to children under section 9.-May extend to two hundred crore rupees.
4. Breach in observance of additional obligations of Significant Data Fiduciary under section 10.-May extend to one hundred and fifty crore rupees.
5.Breach in observance of the duties under section 15.-May extend to ten thousand rupees.
6. Breach of any term of voluntary undertaking accepted by the Board under section 32.-Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted.
7.Breach of any other provision of this Act or the rules made thereunder.- May extend to fifty crore rupees.
The business entities need to understand their data flow, data consents, data processing records and data storage so that the unforeseen liabilities of hefty penalty can be avoided under DPDPA,2023.
To know more about the issues discussed above, You may please connect with email@example.com or firstname.lastname@example.org.