DPDP Act 2023

Section 33

Penalties

THE STATUTE

Original Text

The Board may, after an inquiry under section 28 which is concluded within such period as may be prescribed, impose a monetary penalty in accordance with the provisions of this section. The penalty shall be imposed on the Data Fiduciary as follows: —

(a) failing to fulfil obligations in relation to children's personal data under Section 9 or Significant Data Fiduciary obligations under Section 10 — up to ₹250 crore;

(b) failing to implement reasonable security safeguards under Section 8(4), resulting in a personal data breach — up to ₹250 crore;

(c) failing to notify the Board and Data Principal of a personal data breach under Section 8(5) — up to ₹200 crore;

(d) failing to fulfil additional obligations under Sections 5, 6, 7, 8, 11, 12, 13 — up to ₹150 crore;

(e) failing to comply with Board directions, orders, or instruments — up to ₹150 crore;

(f) furnishing false information to the Board — up to ₹10,000.

Simplified

[DPDP Rules 2025 confirmed penalty hierarchy and 6-month inquiry timeline]

Section 33 is the enforcement machinery of the DPDP Act — the penalties that give its rights framework teeth. The penalty architecture is graduated by seriousness:

The highest penalty (₹250 crore) applies to: children's data violations (Section 9) and Significant Data Fiduciary obligation failures (Section 10); and security failures causing data breaches (Section 8(4)).

A ₹200 crore penalty applies to breach notification failures.

Core compliance failures (Sections 5-8, 11-13) attract up to ₹150 crore.

Board non-compliance attracts ₹150 crore.

Furnishing false information to the Board — a minor but important offence — attracts ₹10,000.

There is a cumulative cap of ₹500 crore across all violations arising from a single set of circumstances.

Comparing to GDPR: GDPR's maximum is 4% of global annual turnover or €20 million (whichever is higher) — potentially billions for large companies. DPDP's flat cap of ₹250-500 crore (approximately €27-55 million) is lower for large multinationals but significant for Indian companies.

The Data Protection Board conducts an inquiry before imposing penalties — the accused has a right to be heard. Appeals lie to the High Court, not a tribunal.

Common Queries

The DPDP Act 2023 received Presidential assent on 11 August 2023 but has not been brought fully into force at once — Section 1(3) provides for phased commencement by Central Government notification. Different provisions are being notified at different dates, allowing the government to build the Data Protection Board infrastructure before full compliance obligations go live.
Yes. Section 1(2) extends the Act to India and also applies to processing outside India that is connected with offering goods or services to Data Principals in India. An Indian company with international operations that processes data of Indian users even outside India must comply.
The Act applies to all Data Fiduciaries by default, but the Central Government can exempt classes of small businesses or startups under Section 17(4). Until a specific exemption is notified, even small businesses processing digital personal data technically have DPDP obligations — though enforcement priority will likely focus on larger entities first.
The IT Act 2000 and its SPDI Rules 2011 were piecemeal, lacked enforcement teeth, had unclear extra-territorial reach, did not create Data Principal rights, and predated the explosion of digital data collection. The DPDP Act creates a comprehensive rights-based framework mandated by the Supreme Court's recognition of privacy as a fundamental right in Puttaswamy (2017).

Legal Context

The penalty schedule was substantially debated. The Srikrishna Committee had recommended turnover-based penalties (GDPR-style). The final DPDP Act uses flat caps, which are easier to administer but less deterrent for very large companies. The ₹250 crore maximum is approximately 3x the maximum penalty under the IT Act's Adjudicating Officer proceedings, representing a significant increase in regulatory enforcement capacity.

Key Rules & Provisions

Flat penalty caps (not turnover-based) — easier to administer, less deterrent for global tech giants.

₹500 crore cumulative cap per incident — potential ceiling on catastrophic fines.

Children's data and security failures attract the highest penalty (₹250 crore).

High Court (not tribunal) as appellate forum — aligns with constitutional adjudication standards.

DPDP Rules 2025 PIB factsheet confirms: ₹250 crore for security safeguard failures; ₹200 crore for breach notification failures and children's data violations; ₹50 crore for other violations.

Rule 19(9): Board must conclude inquiry within 6 months, extendable by 3 months at a time.

Rule 22: appeals to TDSAT (not High Court).

Related Case Laws

SEBI v. Kishore R. Ajmera (2016)

(2016) 6 SCC 368
RELEVANCE

The Supreme Court upheld SEBI's power to impose financial penalties for securities law violations, noting that the severity of the penalty must be proportionate to the gravity of the contravention. This proportionality principle applies equally to the DPBI's penalty decisions under Section 33 — the Board must calibrate penalties to the seriousness of the contravention.