The DPDPA penalty framework is designed to make non-compliance materially expensive. Understanding its structure is essential to managing regulatory risk.
The DPDPA establishes penalties through the Schedule, with the maximum extending up to ₹250 crore. Penalties are determined by the Data Protection Board of India through an adjudication process that considers the nature, gravity, and duration of the breach, the type and nature of personal data affected, and the actions taken by the Data Fiduciary to mitigate the impact. The framework is not prescriptive about specific penalty amounts for specific violations. It sets a ceiling per category and gives the Board significant discretion beneath it, making compliance posture and evidence of good-faith effort directly relevant to enforcement outcomes.
Why the Penalty Architecture Demands Board-Level Attention
The DPDPA penalty framework is not a fine schedule. It is a risk-pricing mechanism that the Board will apply based on the totality of an organisation's compliance conduct.
The penalty provisions of the DPDPA, contained in the Schedule, establish maximum amounts for different categories of contravention. The highest bracket, up to ₹250 crore, applies to a single category: failure to implement reasonable security safeguards to prevent a personal data breach under Section 8(5). Failure to notify the Board and affected Data Principals of a breach under Section 8(6) carries penalties up to ₹200 crore. Violations of the additional obligations in relation to children under Section 9 also carry penalties up to ₹200 crore. Breach of any other provision of the Act or the rules, which is where cross-border transfer restrictions under Section 16 and the general fiduciary obligations fall, carries penalties up to ₹50 crore.
What makes this framework distinctive is the role of the Data Protection Board in determining the actual penalty within these limits. The Board is empowered to consider not just the violation itself, but the repetitive nature of the breach, whether the Data Fiduciary gained or avoided a loss through it, whether it acted to mitigate the effects and how timely and effective that action was, and whether the penalty is proportionate and effective given its likely impact on the organisation. This means that the quality of an organisation's compliance programme, and the evidence it can produce of that programme, is directly relevant to its financial exposure.
Penalty Categories Under the Schedule
The Schedule prescribes maximum penalties for distinct categories of contravention. The Board determines the actual amount based on the circumstances of each case.
Security Safeguard Failures
Section 8(5) | Schedule
Failure to implement reasonable security safeguards to prevent personal data breaches. Maximum penalty up to ₹250 crore under the Schedule, determined by the Board based on the nature and extent of the failure.
Breach Notification Failure
Section 8(6) | Rule 7
Failure to give the Board and each affected Data Principal intimation of a personal data breach in the form and manner prescribed by the Rules. This carries a separate penalty bracket of up to ₹200 crore, independent of any penalty for the safeguard failure that allowed the breach.
Children's Data Violations
Section 9 | Schedule
Processing children's data without verifiable parental consent, or engaging in tracking, behavioural monitoring, or targeted advertising directed at children, may attract penalties up to ₹200 crore.
General Fiduciary Obligations
Section 8 | Schedule
Failure to comply with the general Data Fiduciary obligations under Section 8, including accuracy, completeness, and erasure of personal data once its purpose is served, falls within the residual bracket of the Schedule for any other provision of the Act or the rules, which carries penalties up to ₹50 crore.
Cross-Border Transfer Violations
Section 16 | Schedule
Transferring personal data to a country or territory that the Central Government has restricted by notification under Section 16 is a breach of a provision of the Act and falls under the residual bracket of the Schedule, carrying penalties up to ₹50 crore. Organisations with global operations must ensure their data flows comply with the Section 16 framework and with any sector-specific transfer restrictions that continue to apply alongside it.
Board Adjudication Discretion
Section 33 | Schedule
Under Section 33(2), the Board considers the nature, gravity, and duration of the breach; the type and nature of personal data affected; the repetitive nature of the breach; whether the person realised a gain or avoided a loss as a result; the action taken to mitigate the effects and the timeliness and effectiveness of that action; whether the penalty is proportionate and effective; and the likely impact of the penalty on the person.
The Adjudication Architecture
The Data Protection Board of India is established under Section 18 as a quasi-judicial body with the authority to inquire into complaints, conduct investigations, and impose penalties. The Board functions as a digital office, designed for speed and scale. Under Section 33(1), the Board may impose a monetary penalty only where it determines on conclusion of an inquiry that the breach is significant, and only after giving the person an opportunity of being heard; the amount is then set within the maximum prescribed by the Schedule using the factors in Section 33(2). This discretion makes the organisation's compliance evidence, not just its compliance status, directly relevant to enforcement outcomes.
"The Board's discretion in penalty determination means that compliance is not binary. The quality and depth of your compliance programme will directly influence your financial exposure."
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
What is the maximum penalty under the DPDPA?
The maximum penalty under the DPDPA Schedule is up to ₹250 crore, and it applies to one category: failure to take reasonable security safeguards to prevent a personal data breach under Section 8(5). Breach notification failures and children's data violations carry up to ₹200 crore each, and any other breach of the Act or the rules, including cross-border transfer violations under Section 16, carries up to ₹50 crore. The Data Protection Board determines the actual penalty amount within the applicable limit based on the circumstances of each case.
How does the Data Protection Board determine the penalty amount?
Under Section 33(2), the Board considers multiple factors: the nature, gravity, and duration of the breach; the type and nature of personal data affected; the repetitive nature of the breach; whether the Data Fiduciary realised a gain or avoided a loss through the breach; the action it took to mitigate the effects and the timeliness and effectiveness of that action; whether the penalty would be proportionate and effective; and the likely impact of the penalty on the Data Fiduciary.
Can a delayed breach notification result in a separate penalty?
Yes. Failure to notify the Board and affected Data Principals of a personal data breach carries a separate penalty bracket of up to ₹200 crore under the Schedule. This is independent of any penalty for the security safeguard failure that led to the breach, so a single incident can engage both brackets. Under Rule 7, the obligation arises on becoming aware of the breach: affected Data Principals and the Board must be intimated without delay, and the detailed intimation to the Board is due within 72 hours of awareness unless the Board permits a longer period.
Are penalties under the DPDPA cumulative?
The DPDPA Schedule prescribes penalties for distinct categories of contravention. Where multiple contraventions arise from a single incident or pattern of conduct, the Board has discretion in determining how penalties are assessed. The total exposure depends on the specific provisions contravened and the Board's adjudication.
Get the Penalty Exposure Assessment Brief
This brief provides a structured framework for mapping your organisation's data processing activities to the DPDPA penalty categories and quantifying regulatory exposure.
From Awareness to Implementation
Understanding the requirement is the first step. Building the operational infrastructure to meet it, under scrutiny, is the work that follows.