
DPDPA Section 33: Penalties Explained

Abhi Anand
30 January 2026

Introduction - The Financial Stakes of Non-Compliance

The effectiveness of any data protection regime ultimately depends on the consequences it imposes for non-compliance. Section 33 of the Digital Personal Data Protection Act, 2023, read together with the Schedule appended to the Act, establishes a structured penalty framework that assigns a maximum monetary penalty to each category of violation. A penalty is imposed by the Data Protection Board only after an inquiry, after the person has been given an opportunity of being heard, and only where the Board determines that the breach is significant. The amounts are substantial - ranging from Rs 10,000 for Data Principal duty violations to Rs 250 crore (approximately USD 30 million) for failure to take reasonable security safeguards against a personal data breach. These figures place the DPDPA among the more significant data protection penalty regimes globally, though they differ from the GDPR's percentage-of-turnover approach in favour of fixed maximum amounts. For Indian businesses, Section 33 transforms data protection compliance from an aspirational best practice into a financial imperative. The potential for penalties of Rs 50 crore, Rs 150 crore, or Rs 250 crore is material enough to affect the financial health of even large enterprises. For small and medium businesses, even the lower-tier penalties represent existential risks. Understanding the penalty structure, the factors the Board must weigh when fixing an amount, and the strategies for mitigating penalty exposure is essential for every organisation that processes personal data in India.

The Schedule - Penalty Amounts for Each Violation Category

The Schedule to the DPDPA is a tabular prescription that maps specific provisions of the Act to maximum penalty amounts. It creates a tiered framework that reflects the legislature's assessment of the relative severity of different types of violations. The most severe penalty - up to Rs 250 crore - applies to breaches of personal data resulting from failure to implement reasonable security safeguards under Section 8(5). This highest tier reflects the recognition that data breaches cause the most direct and widespread harm to Data Principals, as their personal information is exposed to unauthorised access. The second tier - up to Rs 200 crore - applies to two categories: failure to notify the Board and affected Data Principals of a personal data breach under Section 8(6), and non-fulfilment of additional obligations relating to children's data under Section 9. The equal penalty treatment of breach notification failures and children's data violations signals the legislature's view that concealing breaches and endangering children's data are comparably serious offences.

  • Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) - Up to Rs 250 crore
  • Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6)) - Up to Rs 200 crore
  • Non-fulfilment of additional obligations relating to children's data (Section 9) - Up to Rs 200 crore
  • Non-fulfilment of additional Significant Data Fiduciary obligations (Section 10) - Up to Rs 150 crore
  • Breach of any other provision of the Act or the rules made under it - Up to Rs 50 crore
  • Breach of Data Principal duties (Section 15) - Up to Rs 10,000

Tier 1 - Breach of Personal Data (Up to Rs 250 Crore)

The highest penalty tier applies where a Data Fiduciary fails to observe its obligation under Section 8(5) to take reasonable security safeguards to prevent a personal data breach. Note what the Schedule actually penalises: the failure to take reasonable safeguards, not the occurrence of a breach as such. A breach is usually what brings the question before the Board, but an organisation that can show it had implemented robust, industry-standard controls and was breached anyway has an answer that an organisation with minimal or no safeguards does not. The Rs 250 crore figure is a ceiling, not an automatic imposition: the Board may impose any amount up to it, and Section 33(2) directs it to weigh the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, any gain realised or loss avoided, and the timeliness and effectiveness of any mitigation. In practice, the volume of personal data affected, its sensitivity (financial, health or biometric data), how long the breach went undetected, and whether it stemmed from negligence or systemic security failures can be expected to push the penalty toward the maximum. Prompt detection and containment, immediate notification, cooperation with the Board, remedial measures, and the absence of actual harm to Data Principals are the kind of mitigation the Board is directed to credit.

Tier 2 - Breach Notification Failure and Children's Data (Up to Rs 200 Crore)

The Rs 200 crore penalty tier covers two distinct categories of violations. The first is failure to notify the Board and each affected Data Principal of a personal data breach under Section 8(6), in the form and manner prescribed by the rules made under the Act. The DPDPA treats concealment of a breach as almost as serious as failing to secure the data in the first place. This reflects the understanding that timely notification enables Data Principals to take protective action - changing passwords, monitoring financial accounts, freezing credit - and enables the Board to coordinate a regulatory response. An organisation that suffers a breach and promptly notifies faces at most the Tier 1 penalty for inadequate safeguards but avoids the Tier 2 penalty for notification failure. An organisation that suffers a breach and conceals it faces both, since they are separate entries in the Schedule - potentially up to Rs 450 crore in aggregate. The second category under this tier is non-fulfilment of the additional obligations relating to children's data under Section 9. The Act treats children as a specially protected category of Data Principals whose data requires heightened safeguards. Violations such as processing children's data without verifiable parental consent, processing likely to cause a detrimental effect on a child's well-being, tracking or behavioural monitoring of children, or targeted advertising directed at children can each attract penalties of up to Rs 200 crore. Organisations operating in sectors that serve minors - education technology, social media, gaming, and entertainment - face particularly high exposure under this tier.

Tier 3 - Significant Data Fiduciary Obligations (Up to Rs 150 Crore)

Section 10 imposes additional obligations on entities notified by the Central Government as Significant Data Fiduciaries (SDFs) - typically large organisations processing substantial volumes of personal data or sensitive categories of data. The penalty for non-fulfilment of these additional SDF obligations is up to Rs 150 crore. SDF-specific obligations include appointing a Data Protection Officer based in India, appointing an independent data auditor, conducting periodic Data Protection Impact Assessments and periodic audits, and other measures prescribed by the Central Government. The Schedule has a single entry for Section 10, and the Act does not say whether several distinct failures count as one breach or several. If the Board treats each as a separate breach, an SDF that fails to appoint a DPO, fails to conduct a Data Protection Impact Assessment, and fails to engage an independent auditor could face up to Rs 450 crore in aggregate across the three violations. This tier creates a strong financial incentive for designated SDFs to invest in the required compliance infrastructure, even though the upfront cost of hiring a DPO, engaging auditors, and conducting impact assessments is substantial. The cost of compliance infrastructure is a small fraction of the potential penalty exposure. For organisations that may be designated as SDFs based on the criteria in Section 10(1), proactive investment in SDF compliance measures is a prudent risk management strategy.

Tier 4 - Other Provisions (Up to Rs 50 Crore) and Data Principal Duties

The residual category - breach of any other provision of the Act, or of the rules made under it, not specifically covered by the higher tiers - carries a penalty of up to Rs 50 crore. This catch-all tier covers violations such as failure to give adequate notice under Section 5, processing personal data without valid consent or a legitimate use ground, failure to honour a Data Principal's request for erasure or correction, transfer of personal data to a country or territory restricted by the Central Government under Section 16, and failure to comply with Board directions. While Rs 50 crore is the lowest penalty for Data Fiduciary violations, it remains a significant financial consequence that should not be underestimated, particularly for small and medium enterprises. At the other end of the spectrum, the Schedule also prescribes a penalty for Data Principals who breach their duties under Section 15. These duties include not impersonating another person, not suppressing material information when providing personal data, not registering false or frivolous grievances or complaints, and furnishing only verifiably authentic information when exercising the right to correction or erasure. The penalty for a breach of Data Principal duties is up to Rs 10,000. While modest compared to Data Fiduciary penalties, this provision is significant because it creates a disincentive against misuse of the complaint mechanism and ensures that Data Principals exercise their rights responsibly.

Factors the Board Considers When Determining Penalty Amounts

Section 33(1) allows the Board, on concluding an inquiry and after giving the person an opportunity of being heard, to impose a penalty only where it determines that the breach of the Act or the rules is significant, and the Schedule expresses every amount as one that 'may extend to' the stated ceiling. The Board therefore assesses each case individually and fixes an amount within the range. The factors it must consider are not left to future rules or to evolving practice: Section 33(2) lists them. The nature, gravity and duration of the breach - a deliberate or systematic contravention weighs more heavily than an inadvertent or isolated one, and an ongoing contravention more than one promptly rectified. The type and nature of the personal data affected - financial, health or biometric data warrants a higher penalty. The repetitive nature of the breach - repeat contraventions attract more than a first. Whether the person realised a gain or avoided a loss as a result of the breach - a commercially motivated contravention should cost more than it earned. Whether the person took action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of that action. Whether the penalty is proportionate and effective, having regard to achieving compliance and deterring further breaches. And the likely impact of the penalty on the person. The number of Data Principals affected is not a separately listed factor, but it feeds directly into the assessment of gravity.

  • Nature, gravity and duration of the breach
  • Type and nature of the personal data affected
  • Repetitive nature of the breach
  • Whether the person realised a gain or avoided a loss as a result of the breach
  • Whether the person took action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of that action
  • Whether the penalty is proportionate and effective, having regard to achieving compliance and deterring breach of the Act
  • Likely impact of the penalty on the person

Comparison with GDPR Fines and Global Penalty Frameworks

The DPDPA penalty framework differs from the GDPR approach in important ways. Article 83 of the GDPR sets the ceiling for the most serious violations at EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, so the ceiling scales with the size of the organisation above a fixed floor. A company with EUR 10 billion in revenue faces a maximum of EUR 400 million, while a company with EUR 1 million in revenue still faces the EUR 20 million floor. The DPDPA uses fixed maximum amounts with no turnover component: the Rs 250 crore ceiling applies whether the violator has annual revenue of Rs 100 crore or Rs 100,000 crore. This makes DPDPA penalties proportionally more burdensome for smaller organisations and less burdensome for very large ones, although Section 33(2) directs the Board to consider whether the penalty is proportionate and its likely impact on the person, which gives it room to scale an amount down. The fixed ceiling also provides greater certainty - an organisation knows its maximum exposure regardless of revenue fluctuations. In absolute terms, the DPDPA's maximum of Rs 250 crore (approximately USD 30 million) is far below the largest GDPR fines imposed to date, which have exceeded EUR 1 billion. For the Indian market, however, these penalties are highly significant and represent a quantum leap from the earlier regime under Section 43A of the IT Act, which provided only for compensation to the affected person, had no statutory cap, and saw negligible enforcement; Section 44 of the DPDPA omits Section 43A from the IT Act.

Penalty Accumulation and Aggregate Exposure

A critical aspect of the DPDPA penalty framework that organisations often overlook is that penalties can accumulate across multiple violations. The maximum amounts in the Schedule apply per breach of a provision, not per entity, and a single incident can breach several provisions at once. Consider a Data Fiduciary that suffers a data breach affecting children's data and fails to notify the Board. This one incident engages three Schedule entries: Section 8(5) for inadequate security safeguards (up to Rs 250 crore), Section 8(6) for failure to notify (up to Rs 200 crore), and Section 9 for the children's data violation (up to Rs 200 crore). The aggregate maximum exposure is Rs 650 crore from a single incident. If the organisation is a Significant Data Fiduciary that had also failed to appoint a DPO or conduct a Data Protection Impact Assessment, the exposure increases further. Two caveats apply. Each figure is a ceiling that the Board must fix within by applying the Section 33(2) factors, and the Board must find each breach significant before imposing anything. And the Act does not prescribe a separate daily or recurring penalty for a contravention that continues after a Board determination; what it does is list the repetitive nature of a breach as a factor, so a contravention left unrectified is exposed to a further, higher penalty as a repeat breach. This accumulation principle means that organisations must assess their total penalty exposure across all applicable provisions, not just the single highest tier. A comprehensive risk assessment should map every processing activity against every applicable DPDPA provision and calculate the aggregate maximum exposure.

  • Penalties apply per breach of a provision, not per entity - multiple violations accumulate
  • A single data breach incident can engage several Schedule entries simultaneously
  • Aggregate exposure from a single incident can reach Rs 650 crore or more
  • SDF obligation failures add further penalty exposure on top of incident-related penalties
  • A contravention that continues after a Board determination is exposed to a further penalty as a repeat breach
  • A comprehensive risk assessment should calculate total aggregate exposure across all provisions

How Kraver.ai Helps

Kraver.ai's compliance platform addresses the penalty risks created by Section 33 and the Schedule through comprehensive, proactive compliance management. Our penalty risk assessment module maps your organisation's data processing activities against every penalty provision in the Schedule, calculating your aggregate maximum exposure and identifying the highest-risk areas that require immediate attention. The compliance gap analyser benchmarks your current measures against the 'reasonable security safeguards' standard that determines Tier 1 penalty exposure, providing specific, actionable recommendations for closing gaps. Our breach prevention and response module reduces both the likelihood of a breach (through continuous security posture monitoring) and the penalty impact if a breach occurs (through automated detection, containment, and notification workflows that support Section 8(6) compliance). For organisations processing children's data, our age verification and parental consent module provides the technical controls needed to meet the Section 9 obligations. The SDF compliance dashboard tracks all additional obligations for Significant Data Fiduciaries, including DPO appointment, auditor engagement, and impact assessment scheduling, so that no Section 10 obligation lapses unnoticed. Start your penalty risk assessment with Kraver.ai today and understand your true exposure under Section 33.
