What is the penalty for DPDPA violations?

What the Law Says

The Digital Personal Data Protection Act, 2023 (DPDPA) sets out financial penalties for non-compliance by data fiduciaries and processors. These penalties are imposed by the Data Protection Board of India (now subsumed under the Digital Personal Data Protection Authority).

The DPDPA empowers the Digital Personal Data Protection Authority to impose penalties for failure to comply with obligations under the Act. Penalties vary based on the type of violation — such as failing to implement reasonable security safeguards, not reporting a personal data breach, or processing data without consent.

The law distinguishes between different categories of breaches and prescribes tiered penalties. The highest penalty applies to serious violations involving significant harm or repeated non-compliance.

Statutory Text

The Authority may, after due inquiry, impose a penalty of up to two hundred and fifty crore rupees on any data fiduciary or data processor for failure to comply with the provisions of this Act.

— Digital Personal Data Protection Act, 2023, s. 33(1) — Penalty for failure to comply with provisions of the Act

Statutory Text

The Authority may, after due inquiry, impose a penalty of up to fifty crore rupees on any data fiduciary or data processor for failure to comply with the provisions of this Act.

— Digital Personal Data Protection Act, 2023, s. 33(2) — Penalty for failure to comply with provisions of the Act

Sources