Answer By law4u team
The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a comprehensive framework for the protection of personal data in India. It outlines specific penalties for various breaches to ensure compliance and safeguard individuals' privacy. The Data Protection Board (DPB) is empowered to impose these penalties, considering factors such as the nature and gravity of the breach, the type of personal data affected, and the actions taken by the data fiduciary to mitigate the breach.
Penalties Under the DPDP Act, 2023
Offence Maximum Penalty
Failure to take reasonable security safeguards to prevent data breaches ₹250 Crores
Failure to notify the Board or affected data principal of a data breach ₹200 Crores
Breach of obligations related to children's data ₹200 Crores
Breach of obligations by significant data fiduciaries ₹150 Crores
Breach of duties by data principals ₹10,000
Breach of terms of voluntary undertaking accepted by the Board Up to applicable breach penalty
Breach of any other provision of the Act or rules made thereunder ₹50 Crores
Note: All penalties are credited to the Consolidated Fund of India.
Factors Considered in Determining Penalties
The Data Protection Board considers the following factors when determining the amount of monetary penalty:
- Nature, gravity, and duration of the breach
- Type and nature of the personal data affected
- Repetitive nature of the breach
- Gain or loss resulting from the breach
- Mitigating actions taken and their effectiveness
- Proportionality and effectiveness of the penalty in ensuring compliance
- Likely impact of the penalty on the offender
Example
Scenario:
A significant data fiduciary fails to implement reasonable security safeguards, resulting in a data breach affecting a large number of individuals' personal data.
Steps:
- Incident Occurrence: The data fiduciary's system is compromised due to inadequate security measures.
- Notification: The fiduciary fails to notify the Data Protection Board or the affected individuals within the stipulated time frame.
- Investigation: The Data Protection Board conducts an inquiry and determines the breach is significant.
- Penalty Imposition: Considering the factors mentioned above, the Board imposes a penalty of ₹150 Crores on the data fiduciary.
This example illustrates the process and considerations involved in the imposition of penalties under the DPDP Act, 2023.
