₹50 Crore to ₹250 Crore: that’s the cost of a misstep in complying with India’s new Digital Personal Data Protection Act (DPDP Act). These fines are applicable per instance of violation: with stakes this high, ignorance is not bliss.
The DPDP law presents a daunting compliance challenge requiring a myriad of operational changes across systems and vendors. We have previously broken down the DPDP Act in detail, covered its applicability, exemptions, and shared compliance tips in other articles. In this piece we will cover everything related to penalties under the DPDP Act.
What are the Penalties under the DPDP Act?
The DPDP Act lists 6 categories of violations, each carrying a penalty of up to a specified ceiling. The highest bracket of fines applies to the obligations on data security, breach notification and children’s data processing. However, even small breaches of any consent obligation or other obligation can attract a penalty of up to ₹50 Crore per instance.
So your business could be liable to pay ₹50 Crore for EACH of the following violations:
- Not collecting free, explicit, and specific user consent for using personal data
- Not displaying compliant consent notices at all touchpoints
- Not maintaining verifiable records for all user consents
- Sharing user data with third parties without consent
- Indefinite storage of data after withdrawal of consent
- Failure to let users exercise DPDP rights over their data
This list goes on. For a detailed list of DPDP obligations, refer to our complete guide to the Digital Personal Data Protection Act.
Who will adjudicate DPDP violations?
The Data Protection Board (DPB) is the linchpin in the enforcement of the DPDP Act. The DPB is tasked with ensuring compliance, handling disputes, and addressing grievances related to data protection practices. The DPB will operate through a digital office model. This means that everything, from lodging complaints to the final decision-making, will be handled digitally as far as practicable.
The DPB will take action upon receiving a complaint or notification regarding a potential breach of the DPDP Act.
However, before filing a complaint with the Board, the user is required to seek grievance redressal from the data fiduciary or its consent manager. This means your business will need to provide an accessible grievance redressal mechanism and assign employees who will respond to user complaints.
How will the Data Protection Board impose Penalties?
After exhausting the fiduciary’s grievance redressal mechanism, users will be able to file complaints with the DPB online:
- First, the DPB will assess whether the complaint is legitimate and not frivolous or lacking evidence.
- If the complaint is admitted, then the DPB conducts a detailed investigation to check whether the law was flouted.
- During investigations, the DPB will ensure that its actions don't hinder the daily operations of the business being investigated.
- The DPB is equipped with powers similar to those of a civil court. This includes summoning individuals, examining evidence and issuing orders.
- Once the parties have had a fair hearing, the DPB can impose penalties and issue directions.
The DPB is yet to be constituted and the exact procedure of its operations will be notified later. However, its immense power is well established in the text of the DPDP Act. Further, given that users will be able to file online complaints with ease, the DPB will be able to easily monitor any DPDP infractions.
What factors are relevant for determining the Penalty?
The DPB has wide discretion over the sanctions it can impose, guided by a list of relevant factors set out in the legislation:
- Breach Characteristics: The nature, gravity, and duration of a violation are relevant. Consider a company that uses personal data for telemarketing without obtaining any consent from its users for five years. This direct violation of consent requirements could lead to substantial penalties, especially if a large amount of personal data is used.
- Data Sensitivity: The type of personal data compromised will play a significant role. Breaches involving sensitive personal data would likely be viewed more severely. Let’s say a healthcare provider's systems are breached because of insufficient safeguards, revealing patients' medical records. Given the highly sensitive nature of health data, this breach could incur a higher penalty. Similarly, breaches in consent obligations on children’s data could attract a higher fine.
- Recurrence: A pattern of non-compliance or repeat violations will warrant stiffer penalties to enforce corrective measures. Consider an online platform that repeatedly ignores user requests to withdraw consent for marketing and continues running ad campaigns on WhatsApp. The repetitive nature of this breach and the disregard for user autonomy could lead to increased penalties.
- Financial Gains: If a data fiduciary has financially benefited from the breach, penalties may be calibrated to offset these gains, ensuring that non-compliance doesn't become a profitable venture. For instance, if a tech company sources user data in bulk without consent and resells it further, the penalty would be calculated to recoup any revenue from the sales.
- Mitigation Efforts: Actions taken by an entity to mitigate the harm caused by a breach will be considered. Prompt, effective responses can reflect favourably during penalty assessments. Let’s say after a personal data breach exposing user payment information, an online retailer quickly notifies affected customers and offers free credit monitoring services and strengthens its security measures. These actions could be viewed favourably and potentially reduce the penalty.
- Proportionality: While penalties are to be proportionate to the breach, the balance will aim to deter future violations. The penalty may be higher if the Board decides to set an example for other businesses by imposing punitive fines on one business. Let’s say a small startup inadvertently fails to provide options for the exercise of user rights due to a coding error. If the startup demonstrates transparency and swift remediation efforts, the penalty might be lowered. Conversely, a large corporation committing a similar breach with a history of similar violations might face a punitive fine to set a precedent.
- Business Impact: The potential impact of a penalty on an organisation's operations and viability may also be taken into account. For example, consider a small community-based non-profit organisation that loses its consent records due to outdated, malfunctioning software. Regulators might take into account the organisation's limited resources to reduce the penalty and avoid crippling the business.
How can you avoid DPDP Penalties?
Executing DPDP compliance is not an easy task. The immense scale and magnitude of changes required to get your operations in line with the DPDP Act are enough to make one’s head spin.
The first step to compliance is understanding the law and its impact on your business. You can take this step by reading our Consent Blog today. The next step is to draw up a detailed action plan. You can refer to our compliance roadmap to ensure you don't miss out on any key tips.
The majority of the DPDP compliance challenge comes down to managing user consents. Therefore, the most important step is to onboard a Consent Manager to effectively manage all your consent obligations. You can get started today by signing up for a demo of Leegality Consent Manager. Fill out the form to join our waitlist today!