By Antony Alex, Founder & CEO, Rainmaker
Under the Digital Personal Data Protection Act 2023, substantial fines are prescribed to discourage violations of its regulations. In recent times, there have been a few instances in India that resulted in compensation or penalties due to cyber breaches. However, with the enforcement of the DPDP Act, this will likely change. It is therefore crucial for organisations to stay aware, educate their teams and remain compliant.
The penalties for failing to comply with the Act range from ₹10,000 to ₹250 crores. Notably, there is no mention of criminal sanctions in the Act, including the possibility of imprisonment.
Misconduct Penalised under the Act
As per the Schedule in the DPDP Act, here are the maximum penalties for different types of breaches:
- Personal Data Breach: Up to ₹250 Crores
- Failure to Notify Data Breach: Up to ₹200 Crores
- Breach in Observance of Additional Obligations in Relation to Children: Up to ₹200 Crores
- Breach of Additional Obligations of Significant Data Fiduciary: Up to ₹150 Crores
- Breach of Duties under Section 15: Up to ₹10 thousand
- Breach of Voluntary Undertakings: Penalties corresponding to the relevant breach
- Other Breaches: Up to ₹50 Crores
Role of DPBI in Penalties
Chapter V of the DPDP Act mentions the establishment of the Data Protection Board of India (DPBI), an entity that will be responsible for imposing penalties. The primary role of this Board will be to ensure adherence to the Act, safeguard the rights of Data Principals, address grievances and instances of Act violations, and hold the authority to levy fines on violators.
When information regarding a breach or non-compliance is reported, the DPBI will be authorised to conduct a comprehensive evaluation to determine whether substantial grounds warranting an investigation exist.
Additionally, the DPBI will have the ability to summon and interrogate witnesses, scrutinise data and documents, and take requisite measures to conduct a thorough investigation.
In cases of significant breaches, the DPBI will possess the jurisdiction to impose fines, the severity and classification of which are outlined in the Act’s Schedule, based on the nature of the transgression. The Act empowers the DPBI to levy penalties against entities such as a Data Fiduciary, which means a person who processes personal data (Data Fiduciary). A Data Fiduciary must obtain consent from the Data Principal, i.e., the individual to whom the personal data relates (Data Principal). To obtain consent, the Data Fiduciaries must first provide a notice specifying the particular personal data to be collected and the specific purpose for which it will be used (Notice).
A Data Principal may also appoint a consent manager, i.e., a person registered under the Act to act as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent and interoperable platform (Consent Manager). A Consent Manager shall be accountable to the Data Principal and a Data Principal shall have a right of redressal of grievances by the Consent Manager.
Factors affecting the penalty
Before imposing penalties, the DPBI will be required to conduct an initial assessment of the merits, carry out inquiry proceedings regarding the reported breach and adhere to the principles of natural justice.
Under Section 33(2), the factors affecting the penalties are as follows:
(a) the nature, gravity and duration of the non-compliance;
(b) the type and nature of the personal data affected by the non-compliance;
(c) repetitive nature of the non-compliance;
(d) whether the person, as a result of the non-compliance, has realised a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action;
(f) whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the provisions of this Act, and
(g) the likely impact of the imposition of the financial penalty on the person.
Parting thoughts
The recently enacted DPDP Act 2023 is widely recognised as a significant legal framework capable of reshaping the entire landscape of Data Protection in India. Adhering to the stipulations of the new Act presents numerous challenges for businesses. Enterprises will need to adjust to the new regulations, a step that will ultimately establish a basis for cultivating trust among consumers and upholding the security of our online personal data.