Legal Dimensions of Data Protection: Examining Penalties under the DPDP Act 2023

Data Protection And Privacy | 27 Sep '23

After multiple drafts and several years of research, the eagerly anticipated Digital Personal Data Protection Act (DPDP) of 2023 came into effect on August 11, 2023. Its primary purpose is to safeguard the rights and responsibilities associated with the management of extensive digital personal data within the economy.

Under the DPDP Act, substantial fines are prescribed to discourage violations of its regulations. Up to the present time, there have been few instances that resulted in compensation or penalties due to cyber breaches. However, with the enforcement of the DPDP Act, this situation is likely to change. Therefore, it is crucial to make adequate preparations for compliance.

The penalties for failing to comply with the Act range from INR 10,000 to INR 200 crore, with a maximum cap of INR 250 crore. Notably, the Act has eliminated criminal sanctions, including the possibility of imprisonment, from its provisions.

By giving precedence to financial repercussions instead of criminal sanctions, the legislation aims to encourage responsible management of data while also protecting individuals’ privacy. These measures foster a sense of accountability and security in the digital age.

Misconducts Penalized under the Act

As per the Schedule to the DPDP Act, the maximum penalties for the different types of breaches are:

  • Personal Data Breach: up to INR 250 crore
  • Failure to Notify Data Breach: up to INR 200 crore
  • Breach in Observance of Additional Obligations in Relation to Children: up to INR 200 crore
  • Breach of Additional Obligations of Significant Data Fiduciary: up to INR 150 crore
  • Breach of Duties under Section 15: up to INR 10,000
  • Breach of Voluntary Undertakings: penalty corresponding to the relevant breach
  • Other Breaches: up to INR 50 crore

Role of DPBI in Penalties

Chapter V of the DPDP Act talks about the Data Protection Board of India (DPBI), an entity established under the Act, which is responsible for imposing penalties. The primary role of this Board is to ensure adherence to the Act and safeguard the rights of Data Principals. The DPBI is responsible for addressing grievances and instances of Act violations and holds the authority to levy fines on violators.

When information regarding a breach or non-compliance is reported, the DPBI is authorized to conduct a comprehensive evaluation to determine whether substantial grounds warranting an investigation exist. If the DPBI is able to establish the legitimacy and significance of the complaint, it will proceed to initiate a formal inquiry into the matter. Additionally, the DPBI is vested with the ability to summon and interrogate witnesses, scrutinize data and documents, and take requisite measures to conduct a thorough investigation.

In cases of significant breaches, the DPBI possesses the jurisdiction to impose fines, the severity and classification of which are outlined in the Act’s Schedule, based on the nature of the transgression.

The DPDP Act empowers the DPBI to levy penalties in the following scenarios and against the following entities:

  • Data Fiduciary: in respect of a personal data breach, or a breach in observance of its obligations in relation to personal data or the exercise of a Data Principal's rights.
  • Consent Manager: in respect of a breach in observance of its obligations in relation to a Data Principal's personal data, or a breach of any condition of registration of the Consent Manager.
  • Intermediary: for breach of its obligation to block access to information when directed to do so by the Central Government. The DPBI will inquire into such a breach upon reference by the Central Government.

Factors Affecting the Penalty

Prior to imposing penalties, the DPBI is required to conduct an initial assessment of the merits, carry out inquiry proceedings regarding the reported breach, and adhere to the principles of natural justice. Under Section 33(2), the factors affecting the penalty are as follows:

  • (a) the nature, gravity, and duration of the non-compliance;
  • (b) the type and nature of the personal data affected by the non-compliance;
  • (c) repetitive nature of the non-compliance;
  • (d) whether the person, as a result of the non-compliance, has realized a gain or avoided any loss;
  • (e) whether the person took any action to mitigate the effects and consequences of the non-compliance and the timeliness and effectiveness of that action;
  • (f) whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the provisions of this Act, and
  • (g) the likely impact of the imposition of the financial penalty on the person.

Parting Thoughts

The recently enacted DPDP Act 2023 is widely recognized as a significant legal framework capable of reshaping the entire landscape of Data Protection. Adhering to the stipulations of the new Act presents numerous challenges for businesses. Enterprises will need to adjust to the new regulations, a step that will ultimately establish a basis for cultivating trust among consumers. In this ever-evolving technological age, Data Protection will play a crucial role in cultivating consumer trust and upholding the security of online data.
