Enforcement & Penalties

Penalties Under the DPDP Act: The Complete Breakdown

Penalties under the DPDP Act range from ₹10,000 to ₹250 crore per violation. Failing to implement reasonable security safeguards carries the highest penalty, while failure to notify a breach and violations of children's data obligations each attract up to ₹200 crore. The Schedule sets out the full penalty table.

Last updated: June 2026

Penalties Under the DPDP Act

Section 33, Section 34, Section 42, and the Schedule to the DPDP Act 2023

The Act prescribes maximum penalties for specific breaches, ranging from ₹10,000 for individuals who file false complaints, up to ₹250 crore for failing to implement reasonable security safeguards. The Board determines the actual penalty based on seven factors.

Section 33(1) provides that when the Board finds a significant breach of the Act, it may impose a penalty as specified in the Schedule, but only after giving the person a hearing. The word "significant" is important — it signals that the Board has discretion to assess the seriousness of a breach before imposing penalties.

The Schedule to the Act sets out seven categories of breach and their maximum penalties. These are upper limits — the Board determines the actual amount based on the circumstances of each case. The penalty table is as follows:

Breach 1: Failure to take reasonable security safeguards to prevent a personal data breach, as required by Section 8(5) — penalty up to ₹250 crore. This is the highest penalty in the Act. If a data breach occurs because an organisation did not implement basic security measures, this is the provision that applies.

Breach 2: Failure to notify the Board and affected Data Principals of a personal data breach, as required by Section 8(6) — penalty up to ₹200 crore. Knowing about a breach and failing to report it is treated almost as seriously as failing to prevent it.

Breach 3: Breach of obligations relating to children's data under Section 9 — penalty up to ₹200 crore. This covers failures to obtain verifiable parental consent, processing children's data in ways that cause harm, and related violations.

Breach 4: Breach of additional obligations that apply to Significant Data Fiduciaries under Section 10 — penalty up to ₹150 crore. These include failing to appoint a Data Protection Officer, failing to conduct Data Protection Impact Assessments, or failing to conduct periodic audits.

Breach 5: Breach of Data Principal duties under Section 15 — penalty up to ₹10,000. This applies to individuals, not organisations. If a Data Principal files a false or frivolous complaint, provides false information while exercising their rights, or suppresses material information, they face this penalty.

Breach 6: Breach of a voluntary undertaking accepted under Section 32 — penalty up to the amount that would have been applicable for the original breach. If an organisation promised corrective action to avoid a ₹250 crore penalty and then failed to follow through, the full original penalty becomes applicable.

Breach 7: Any other breach of the Act or Rules not covered above — penalty up to ₹50 crore. This is the catch-all category.

Section 33(2) lists seven factors the Board must consider when determining the actual penalty amount. These are: (a) the nature, gravity, and duration of the breach; (b) the type and nature of personal data affected; (c) whether the breach is repetitive in nature; (d) any gain made or loss avoided as a result of the breach; (e) what mitigation actions the person took after the breach; (f) proportionality and effectiveness of the penalty as a deterrent; and (g) the likely impact of the penalty on the person. These factors mean the Board does not automatically impose the maximum — it must weigh the circumstances of each case.

Section 34 directs that all penalties collected under the Act are credited to the Consolidated Fund of India. Section 42 gives the Central Government power to amend the Schedule by notification, but the amended penalty for any breach cannot exceed twice the amount originally specified in the Schedule. This means the ₹250 crore maximum for security safeguard failures could, by future government notification, increase to a maximum of ₹500 crore.

Key Points

  • Highest penalty: up to ₹250 crore for failing to implement reasonable security safeguards.
  • Failing to notify the Board and affected individuals of a breach: up to ₹200 crore.
  • Children's data violations: up to ₹200 crore.
  • Significant Data Fiduciary obligation breaches: up to ₹150 crore.
  • Data Principals who file false complaints or suppress information: up to ₹10,000.
  • Catch-all for any other breach of Act or Rules: up to ₹50 crore.
  • Seven factors determine the actual penalty: gravity, data type, repetition, gain/loss, mitigation, proportionality, and impact on the person.
  • The Central Government may, by notification, raise a Schedule penalty to at most twice the amount originally specified.
  • All penalties go to the Consolidated Fund of India.

When Can Your Services Be Blocked?

Section 37 of the DPDP Act 2023

If the Board has penalised a Data Fiduciary two or more times, it may advise the Central Government to block public access to that entity's services in India. This is the Act's most severe non-monetary consequence.

Section 37 introduces a consequence that goes beyond financial penalties. If the Data Protection Board has penalised a Data Fiduciary on two or more occasions, the Board may advise the Central Government to direct any intermediary to block public access to that Data Fiduciary's platform or services.

This is not an automatic process. The Board advises, and the Central Government decides whether to act on that advice. But the provision signals that repeat offenders face a potential business-ending consequence — not just fines, but the loss of ability to reach users in India.

The threshold is two or more penalties, not two or more complaints. This means the Board must have completed proceedings and actually imposed penalties at least twice before this power becomes available. A Data Fiduciary that resolves matters through voluntary undertakings, or that prevails in proceedings, would not trigger this provision.

For organisations that operate digital platforms or online services in India, this is the provision that carries the most operational risk. A financial penalty, even a large one, can be absorbed or appealed. A blocking order removes the ability to operate entirely.

Key Points

  • Blocking requires the Board to have penalised the Data Fiduciary at least twice.
  • The Board advises the Central Government, which then decides whether to direct blocking.
  • Blocking applies to public access to the Data Fiduciary's platform or services via intermediaries.
  • This is the most severe non-monetary consequence under the Act — effectively a ban on operating in India.


Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.