Penalties and Adjudication under the DPDP Act, 2023: Powers of the Data Protection Board and Quantum of Fines

Posted On - 14 October, 2025 • By - Jidesh Kumar

Executive Summary

The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a structured penalty and adjudication regime, enforced by the Data Protection Board of India (DPB). The Board is empowered to investigate breaches, adjudicate liability, and impose monetary penalties up to ₹250 crore per breach.

The Act adopts a risk-based approach, tailoring penalties to the gravity of non-compliance. Factors considered include the nature of the fiduciary, volume and sensitivity of data involved, harm caused to individuals, and duration of violation.

Introduction: Enforcement as the Backbone of Privacy Law

Strong rights and obligations are meaningless without credible enforcement mechanisms. The DPDP Act recognises this by empowering the Data Protection Board with sweeping powers of investigation, adjudication, and penalty imposition.

The penalty framework is not merely punitive; it is designed to incentivise preventive compliance and establish a culture of accountability in India’s digital economy.

The Data Protection Board of India: Structure and Powers

Nature of the Body: The DPB is an independent adjudicatory authority. Its members include experts in law, technology, and public administration.

Functions

  • Inquiry and Investigation: Initiate proceedings on complaints or suo motu.
  • Adjudication: Hear cases of alleged non-compliance.
  • Penalty Imposition: Levy monetary fines proportionate to violations.
  • Corrective Directions: Order erasure, cessation of processing, or compliance upgrades.

Procedural Safeguards

  • Principles of natural justice apply.
  • Fiduciaries have the right to be heard and to appeal to higher forums.

Categories of Breaches and Penalties

The Act prescribes different penalty slabs depending on the nature of breach:

1. Failure to take reasonable security safeguards

  • Up to ₹250 crore.
  • Applies to breaches exposing personal data due to negligence.

2. Failure to notify personal data breach

  • Up to ₹200 crore.
  • Fiduciaries must promptly notify the Board and affected individuals.

3. Failure to fulfil obligations regarding children’s data

  • Up to ₹200 crore.
  • Includes failure to obtain parental consent or engaging in profiling/advertising to children.

4. Non-fulfilment of Data Principal rights (access, correction, erasure)

  • Up to ₹50 crore.

5. Violation of duties by Significant Data Fiduciaries

  • Up to ₹150 crore.
  • Includes failure to conduct DPIAs, appoint DPOs, or undergo audits.

6. Breach of cross-border transfer restrictions

  • Penalty quantum subject to Board’s discretion, potentially severe.

Criteria for Determining Penalties

The DPB considers multiple factors:

  • Nature, gravity, and duration of breach.
  • Sensitivity of data involved.
  • Volume of individuals affected.
  • Nature of fiduciary (startup vs. large enterprise).
  • Harm caused to Data Principals.
  • Whether the fiduciary acted wilfully, negligently, or repeatedly.
  • Cooperation during investigation.
  • Steps taken to mitigate damage.

Weighing these factors ensures proportionality in penalty imposition.

Hypothetical Penalty Scenarios

Scenario 1: Banking – Breach of KYC Data: A major bank suffers a breach of KYC data affecting 5 million customers due to outdated firewalls. The Board finds inadequate safeguards and imposes a ₹200 crore penalty, considering the sensitivity and scale of breach.

Scenario 2: E-Commerce – Mishandling Consent: An e-commerce platform continues to send targeted ads to users after withdrawal of consent. The Board imposes a ₹50 crore penalty for violation of erasure and consent obligations.

Scenario 3: Social Media – Children’s Data: A social media platform fails to verify parental consent for teen accounts and uses profiling for targeted ads. The Board imposes a ₹180 crore penalty, citing risk of harm to children.

Scenario 4: Healthcare – Breach Notification Failure: A hospital chain delays notifying patients of a ransomware attack exposing health records. The Board imposes a ₹100 crore penalty for failure to notify promptly.

Scenario 5: Fintech – Non-Compliance by SDF: A fintech company classified as an SDF fails to appoint a DPO and does not conduct DPIAs before launching a new credit scoring tool. The Board imposes a ₹120 crore penalty for governance failures.

Sectoral Implications

Banking and Fintech

  • High penalties possible for security breaches or misuse of financial data.
  • Strict scrutiny of grievance redressal and consent management.

Healthcare and Health-Tech

  • Sensitive health data attracts higher penalties.
  • Hospitals must invest in breach detection and reporting systems.

Social Media and Online Platforms

  • Children’s data obligations pose major liability risks.
  • Large user bases amplify penalty exposure.

E-Commerce and Retail

  • Consent withdrawal and erasure obligations are critical.
  • High transaction volumes make compliance infrastructure essential.

IT/ITES and Outsourcing

  • Global clients may demand contractual safeguards against DPDP penalties.
  • Data processors must align with fiduciaries’ obligations.

Global Comparisons

GDPR (EU)

  • Penalties up to €20 million or 4% of global turnover, whichever is higher.
  • Multiple factors considered, similar to DPDP’s proportionality test.

LGPD (Brazil)

  • Fines up to 2% of turnover, capped at ~€9 million per violation.

PDPA (Singapore)

  • Fines up to 10% of annual turnover in Singapore or SGD 1 million.

CCPA (California)

  • Fines of $2,500 per violation or $7,500 per intentional violation.

India’s DPDP Act caps fines at ₹250 crore per breach, which is significant in absolute terms but may be lower relative to GDPR’s turnover-based model for global giants.

Compliance and Defence Strategies

  1. Preventive Safeguards: Implement strong security and privacy-by-design frameworks.
  2. Incident Response Protocols: Establish breach notification systems with clear escalation.
  3. Documentation: Maintain detailed records of compliance actions (DPIAs, DPO decisions, grievance logs).
  4. Cooperation with Regulators: Engage proactively with the DPB during inquiries to reduce penalty risk.
  5. Mitigation Evidence: Demonstrate remedial steps taken post-breach (user support, compensation).
  6. Appeal and Legal Defence: Challenge penalties where disproportionate, citing statutory criteria.

Risks of Non-Compliance

  • Financial Risk: High penalties (up to ₹250 crore) can cripple unprepared firms.
  • Operational Risk: Orders to cease processing may disrupt business models.
  • Reputational Harm: Media coverage of DPDP penalties damages consumer trust.
  • Contractual Liability: Breaches may trigger indemnities in B2B agreements.

Conclusion & Key Takeaways

The DPDP Act creates a robust adjudication and penalty regime under the Data Protection Board of India. Penalties are designed not only to punish but to deter negligence and incentivise compliance.

Key takeaways:

  • Penalties scale up to ₹250 crore per breach.
  • Board considers proportionality and mitigating factors.
  • Fiduciaries must prioritise security, consent management, and grievance redressal.
  • High-risk sectors (banking, healthcare, social media) face heightened exposure.
  • Proactive compliance is the best defence.

In India’s new privacy landscape, penalties are not abstract threats; they are concrete financial and reputational risks. Businesses that embed a compliance culture early will not only avoid penalties but also gain consumer trust and competitive advantage.

Co-authored by: Aurelia Menezes