Q4 - Can the Board impose non-financial remedies apart from fines?
Yes. The Data Protection Board of India (DPBI) has the authority to impose non-financial remedies — such as directions, corrective orders, and voluntary undertakings — in addition to monetary penalties. This ensures that enforcement under the DPDPA is not only punitive but also corrective and preventive in nature.
1. Corrective Directions Under Section 27(2)
Section 27(2) —
The Board may, after giving the person concerned an opportunity of being heard and recording reasons in writing, issue such directions as it may consider necessary, and such person shall be bound to comply with them.
This means the Board can:
- Order a company to stop processing certain categories of data.
- Direct it to implement stronger security controls or modify consent mechanisms.
- Require data deletion, breach mitigation, or system audits.
- Instruct companies to notify affected users about violations or breaches.
If a health-tech startup is found collecting patient data without explicit consent, the Board may order it to suspend such processing, purge unlawfully collected data, and revise consent workflows, even before any fine is imposed.
2. Voluntary Undertakings Under Section 32
Section 32(1–3) —
The Board may accept a voluntary undertaking from any person in respect of compliance with this Act, which may include commitments to:
- Take certain actions within a defined time,
- Refrain from specific practices, or
- Publicly disclose compliance steps.
Section 32(4) —
Once accepted, this undertaking bars further proceedings on that matter — unless breached.Section 32(5) —
If breached, it is treated as a violation of the Act, and penalties can then be imposed.
This mechanism encourages organizations to self-correct through compliance plans rather than facing immediate penalties.
A social-media platform voluntarily agrees to introduce parental consent verification for minors within 45 days. The Board accepts this as a voluntary undertaking and halts further inquiry — provided the company meets its commitment.
3. Mediation and Alternative Dispute Resolution
Section 31 —
The Board may direct parties to resolve a complaint through mediation, using a mutually agreed mediator.
This provision helps avoid litigation and promotes cooperative resolution, especially in disputes between Data Fiduciaries and Data Principals.
4. Range of Non-Financial Remedies
| Type of Remedy | Legal Basis | Description |
|---|---|---|
| Remedial Directions | Section 27(2) | Orders to correct or halt non-compliant processing. |
| Voluntary Undertakings | Section 32 | Commitments by the company to rectify issues proactively. |
| Mediation | Section 31 | Encouraged resolution of disputes through dialogue. |
| Operational Restrictions | Section 27(2) | Suspension or limitation of data activities until compliance. |
| Public Disclosure Orders | Section 32(2) | Requiring the entity to publicly state compliance steps. |
5. Key Takeaway
The DPDPA empowers the Board to do more than impose fines.
It can:
- Order corrective actions,
- Suspend operations,
- Encourage voluntary compliance, and
- Facilitate mediation.
These powers ensure that enforcement focuses on behavioral correction, systemic improvement, and data protection accountability, not just monetary punishment.
Referenced Provisions:
- Section 27(2) – Authority to issue binding directions.
- Section 31 – Mediation powers.
- Section 32(1–5) – Voluntary undertakings and compliance commitments.