DPDPA Penalty Structure Breakdown

Comprehensive visualisation of monetary penalties from Rs 50 Crore to Rs 250 Crore

24 January 2026

Executive Summary

The DPDPA penalty framework introduces India's most stringent data protection sanctions, with maximum penalties reaching Rs 250 Crore for security safeguard failures.

DPDPA Penalty Structure Breakdown — AMLEGALS DPDPA Visual Guide Series

1. Graduated Penalty Architecture

The Schedule to DPDPA creates a graduated penalty system based on how serious the violation is. This is different from GDPR, which calculates penalties based on company revenue. Indian law takes a fixed maximum approach instead.

At the top sits the Rs 250 Crore maximum penalty for failing to implement reasonable security safeguards. The legislature clearly views security failures as the most serious violations since they expose people to severe and often permanent harm.

Breach notification failures attract penalties up to Rs 200 Crore. The law treats hiding breaches as something that makes the original harm worse. Violations involving children's data also face penalties up to Rs 200 Crore, showing the extra protection given to minors under Section 9. Other violations like consent failures and denying rights can attract penalties up to Rs 50 Crore each.

2. Enforcement Philosophy and Mitigating Factors

The Data Protection Board has flexibility in deciding actual penalty amounts within these maximum limits. It considers factors such as how serious the violation was, how many people were affected, whether it was a repeat offence, and what steps the organisation took to fix things.

Section 34 makes clear that these are civil monetary penalties, not criminal liability. However, directors and officers may face personal accountability in certain situations.

Importantly, penalties can add up across multiple violations. An organisation with several failures could face total penalties exceeding any single maximum. This means companies with large-scale data operations need to think about cumulative risk, not just the potential penalty for an individual violation. On the positive side, there is no minimum penalty floor, giving the Board room to handle minor or accidental violations without excessive punishment.

Key Takeaways

  1. Rs 250 Crore maximum for security safeguard failures
  2. Rs 200 Crore for breach notification violations
  3. Rs 200 Crore for children's data violations
  4. Rs 50 Crore for consent and rights violations
  5. Penalties are cumulative across multiple violations