Introduction
The Digital Personal Data Protection Act (DPDP Act), enacted on August 11, 2023, represents a landmark development in India’s data protection landscape. It lays down a comprehensive framework for safeguarding personal data, holding Data Fiduciaries accountable, and ensuring that individual privacy rights are respected. A central component of this Act is its robust enforcement mechanism, which includes the establishment of the Data Protection Board of India (DPBI) and the penalties for non-compliance.
Enforcement Mechanisms
The enforcement of the DPDP Act relies heavily on the Data Protection Board of India (DPBI), which serves as a critical body in overseeing compliance with the Act’s provisions. Established under Chapter V of the DPDP Act, the Board is an independent corporate entity empowered to handle complaints, investigate violations, direct corrective actions, and impose penalties on entities that fail to comply with the law.
Composition and Structure of the DPBI
The DPBI consists of a chairperson and other members who serve renewable terms of two years. To prevent conflicts of interest, the Chairperson and any other Member shall not, for one year after leaving office, accept employment without prior approval of the Central Government and must disclose any subsequent employment with a Data Fiduciary against whom they initiated or oversaw proceedings. The chairperson holds significant administrative authority, overseeing the functioning of the Board, assigning tasks, and delegating responsibilities among members. In the chairperson’s absence, the senior-most member assumes these duties.
To ensure transparency and accountability, the members, officers, and employees of the Board are classified as public servants under Section 21 of the Indian Penal Code, 1860 (Section 2(28) of the Bharatiya Nyaya Sanhita, 2023 also defines "public servant"). This designation subjects them to strict accountability standards in the performance of their duties.
Key Responsibilities of the DPBI
Response to Data Breaches:
The DPBI plays a crucial role in addressing personal data breaches. Upon notification of a breach, the Board is empowered to immediately direct remedial or mitigation actions to minimize the impact of the breach. An inquiry is then initiated, and if necessary, penalties are imposed on the Data Fiduciary responsible for the breach.
Handling of Complaints:
Upon receiving a complaint, the Board is required to act as per Section 27 of the Act and must first decide whether the complaint is valid. If the Board decides that the grounds for the complaint are insufficient, it must record its reasons in writing.
Complaints by Data Principals:
If a Data Principal (the individual whose data is affected) files a complaint regarding a breach or a Data Fiduciary's failure to meet its obligations under the Act, the DPBI is authorized to investigate the issue and take corrective actions, which may include imposing financial penalties. The DPDP Act, however, requires the Data Principal to first exhaust the grievance redressal mechanism provided by the Data Fiduciary or Consent Manager before filing a complaint with the Board.
Complaints Regarding Consent Managers:
The Board also handles complaints against consent managers, entities that manage consent for the processing of personal data. If these consent managers fail to fulfil their obligations, the DPBI can investigate and impose penalties.
Breach of Registration Conditions:
If a consent manager breaches any of its registration conditions, the DPBI has the authority to conduct an investigation and impose penalties.
Investigation of Intermediary Breaches:
The Board can also investigate breaches by intermediaries as outlined in Section 37(2) of the Act. These investigations may be initiated based on referrals from the Central Government, and the Board can impose penalties as stipulated in the Act.
Directive Powers:
The DPBI has the authority to issue binding directions to ensure that data fiduciaries comply with the provisions of the DPDP Act. Affected parties are given an opportunity to be heard before any directions are issued, and the Board must provide documented reasons for its decisions.
Additionally, the Board can modify, suspend, withdraw, or cancel any issued directions upon receiving representations from affected parties or referrals from the Central Government. It also has the power to impose conditions on such modifications or cancellations.
Inquiries and Investigations:
When there is sufficient reason to believe that a breach has occurred, the DPBI has the power to conduct detailed inquiries. This may involve summoning witnesses and examining documents relevant to the breach. The Board must ensure that its actions are thorough and transparent and adhere to the principles of natural justice, since it has been granted powers similar to those of a Civil Court under the Code of Civil Procedure, 1908.
Functioning of Board as Digital Office
As per Rule 19 of the Digital Personal Data Protection Rules, 2025, the Board shall function as a digital office and may adopt techno-legal measures to conduct proceedings online.
Procedural Framework of the Data Protection Board
The procedural framework of the Data Protection Board (DPB) under the Digital Personal Data Protection (DPDP) Act is designed to systematically handle data breaches and complaints.
1. Filing a Complaint
Eligibility: A Data Principal (individual whose data is processed) can file a complaint if they believe their data rights have been violated. Complaints can also be initiated by references from the Central or State Government or court orders.
Initial Grievance Redressal Mechanism: Before approaching the DPB, the Data Principal must first seek redress through the Data Fiduciary or Consent Manager’s grievance redressal mechanism.
2. Investigation
Commencement: Upon receiving a legitimate complaint or breach notification, the DPB initiates an investigation.
Principles of Natural Justice: The inquiry is conducted following principles of natural justice, ensuring fairness and transparency throughout the process.
Documentation: All actions and findings during the investigation are meticulously documented for accountability.
3. Adjudication
Decision Making: After completing the investigation, the DPB assesses whether a breach of the Act has occurred and decides on appropriate actions.
Interim Orders: The Board can issue interim orders during investigations to prevent further harm or data loss.
Written Reasons: The DPB must provide written reasons for its decisions, ensuring transparency in its adjudication process.
4. Imposition of Penalties
If a violation is confirmed, the DPB has the authority to impose substantial penalties, which can reach up to ₹250 Crore per violation depending on the severity.
5. Process of Appeals
Decisions made by the DPB can be appealed to the Appellate Tribunal within a period of 60 days from the receipt of the order or direction. Further appeals may be made to higher courts, including the Supreme Court of India.
Penalties Under the DPDP Act
The penalties outlined in the DPDP Act serve as a deterrent to violations and aim to enforce responsible data management practices among organizations. These penalties are significant, with fines imposed based on the nature of the violation. Importantly, the Act does not impose criminal sanctions; instead, it focuses on financial penalties to encourage compliance.
Section 33: Imposition of Penalties
Authority to Impose Penalties: Section 33 of the DPDP Act empowers the DPBI to impose penalties on data fiduciaries and consent managers for various breaches of the Act’s provisions.
Opportunity for Hearing: Before any penalty is imposed, the DPBI is required to provide the concerned party with an opportunity to present its case, ensuring that the process is fair and transparent.
The Schedule annexed to the DPDP Act outlines the maximum penalties for different types of breaches:

| Penalty | Particulars of the Violation |
| --- | --- |
| Up to ₹250 Crores | Failure to take reasonable security safeguards to prevent a data breach (Section 8(5)) |
| Up to ₹200 Crores | Failure to notify the Board and/or affected Data Principals about a data breach (Section 8(6)) |
| Up to ₹200 Crores | Breach of additional obligations related to children's data (Section 9) |
| Up to ₹150 Crores | Breach of additional obligations of significant data fiduciaries (Section 10) |
| Up to the extent applicable to the breach | Breach of any term of a voluntary undertaking accepted by the Board (Section 32) |
| Up to ₹50 Crores | Breach of any other provision |
Factors Influencing Assessment of Penalties
According to Section 33(2) of the DPDP Act, several factors are considered when determining the amount of the penalty:
- Nature and Severity: The gravity of the breach, including the impact it has on the Data Principal and the duration of non-compliance.
- Type of Data Affected: The sensitivity of the data involved in the breach, with more severe penalties for breaches involving highly sensitive data.
- Repetitive Nature: Whether the violation is a one-time occurrence or part of a pattern of repeated non-compliance.
- Financial Gain or Loss Avoidance: If the violator benefited financially from the breach or avoided financial losses through their actions.
- Mitigation Efforts: Whether the organization took steps to mitigate the effects of the breach once it was identified.
- Proportionality and Effectiveness: Ensuring that the penalty is proportional to the violation and effective in compelling future compliance.
These factors guide the DPBI in determining a penalty that not only serves as punishment but also encourages organizations to adopt robust data protection practices.
Conclusion
The DPDP Act marks a significant shift in India’s approach to data protection. It emphasizes accountability through financial penalties rather than criminal sanctions, aiming to incentivize responsible data management practices among businesses and data fiduciaries. As India transitions into a more digital economy, organizations must remain vigilant and proactive in adhering to the DPDP Act’s provisions. Understanding the penalties for non-compliance, the processes for addressing breaches, and the key responsibilities of the DPBI is essential for businesses looking to protect themselves from substantial fines and maintain trust with consumers. The DPDP Act is not only a regulatory challenge but also an opportunity for organizations to strengthen their data protection measures and demonstrate their commitment to privacy and security in an increasingly data-driven world.