
Q5 - What is the maximum penalty for breaches under DPDPA?

Answer

The Digital Personal Data Protection Act, 2023 (DPDPA) imposes severe monetary penalties on organizations (Data Fiduciaries or Data Processors) that fail to protect personal data or violate their obligations under the Act.

The maximum penalty for a data breach — meaning a breach of security safeguards resulting in unauthorized access, disclosure, alteration, or loss of personal data — is ₹250 crore per instance of non-compliance.


Section 33(1)
The Data Protection Board of India may, after conducting an inquiry, impose monetary penalties specified in the Schedule for failure to comply with the provisions of this Act.

Schedule (Entry 2)
Breach of obligations relating to security safeguards (Section 8(5)) — Penalty up to ₹250 crore.

This is the highest single penalty allowed under the DPDPA for any category of violation.


2. Penalty Framework Overview

The DPDPA defines different penalty caps depending on the type of violation:

| Violation | Relevant Section | Maximum Penalty (₹ Crore) |
|---|---|---|
| Breach of security safeguards (data breach) | Section 8(5) | 250 |
| Failure to notify the Data Protection Board and affected individuals of a breach | Section 8(5) read with Section 33(1) | Up to 200 |
| Non-compliance with additional obligations of Significant Data Fiduciaries (SDFs) | Section 10(2) | 150 |
| Failure to fulfill obligations regarding children’s data | Section 9 | 200 |
| Non-fulfillment of general duties by Data Fiduciaries (e.g., correction/erasure) | Section 12 | 50 |
| Failure to respond to or redress user grievances | Section 13 | 50 |
| Non-compliance with Board directions or orders | Section 28(6) | 10 |

3. How the Board Decides the Penalty Amount

Penalties under the DPDPA are not automatic or fixed — the Data Protection Board of India determines the final amount based on Section 33(2), which requires consideration of:

  • The nature, gravity, and duration of the violation.
  • The type and sensitivity of personal data involved.
  • Whether the breach was intentional, negligent, or repeated.
  • The actions taken to mitigate harm and cooperate during investigation.
  • The likely impact on affected individuals.

This ensures proportionate enforcement — severe penalties for major systemic failures and smaller fines or warnings for minor lapses.


4. Multiple Breaches and Aggregation

If a company commits multiple distinct breaches, each may be treated separately.
For example:

  • A data leak (₹250 crore) + failure to notify users (₹200 crore) could theoretically total ₹450 crore in penalties. The Board may, however, consolidate penalties where violations are interconnected.

5. Realistic Enforcement Approach

The DPDPA’s penalty model follows a risk-based and deterrent approach, similar to the EU GDPR. While ₹250 crore represents the maximum limit, actual penalties will likely depend on:

  • The company’s size and turnover;
  • Extent of negligence or intent;
  • Remedial measures taken; and
  • Whether it is a first-time or repeat offender.

Example

A large digital platform suffers a massive breach exposing millions of users’ personal and financial data. Investigation shows poor security controls and failure to notify users for over a week. The Data Protection Board finds multiple violations and imposes a ₹200 crore penalty, citing breach of security safeguards under Section 8(5) and delayed reporting.

Example

A small startup suffers a contained internal breach affecting only 50 users, reports it promptly, and demonstrates corrective action. The Board may issue a warning or small penalty, emphasizing proportional accountability rather than punishment.


6. Key Takeaway

  • The maximum penalty for a data breach under DPDPA is ₹250 crore.
  • The actual penalty depends on the seriousness, intent, and response to the breach.
  • Prompt reporting, transparency, and strong remediation can significantly reduce penalties.

Referenced Provisions:

  • Section 8(5) – Obligation to safeguard data and report breaches.
  • Section 33(1)–(2) – Power and factors for imposing penalties.
  • Schedule (Entries 1–7) – Penalty amounts for different types of violations.
  • Section 40(2) – Power of Central Government to frame detailed penalty rules.