
Section 33 DPDPA

Penalties.


33. (1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.

(2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:—

(a) the nature, gravity and duration of the breach;
(b) the type and nature of the personal data affected by the breach;
(c) repetitive nature of the breach;
(d) whether the person, as a result of the breach, has realised a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
(f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and

(g) the likely impact of the imposition of the monetary penalty on the person.


Legal Interpretation of Section 33 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Analysis and Legal Interpretation of Section 33 of the DPDP Act, 2023 – Penalties

Introduction

Section 33 of the Digital Personal Data Protection Act, 2023 (India) establishes the mechanism by which the Data Protection Board can impose penalties for non-compliance. It ensures that the Act’s obligations and rights are backed by meaningful, enforceable consequences. Through penalties, the Board encourages organizations and individuals to adhere strictly to the data protection standards set forth by the Act.

Key Elements of Section 33

1. Authority to Impose Penalties

Section 33(1) empowers the Data Protection Board to levy monetary penalties on entities and, in limited cases, individuals who violate the Act. This enforcement power transforms the Board into an effective regulator, not merely an advisory body.

2. Scope of Penalties

Penalties can be imposed for a variety of violations, including:

  • Failure to implement adequate security safeguards.
  • Not notifying the Board and affected individuals about a personal data breach.
  • Non-compliance with obligations related to children’s data.
  • Failure to meet additional obligations for Significant Data Fiduciaries.
  • Breaches of other provisions of the Act or associated rules.

By categorizing these violations, the Act provides clarity and discourages arbitrary imposition of penalties.

3. Reference to the Schedule for Penalty Caps

Section 33 refers to the Schedule for maximum penalty amounts. The Schedule sets distinct caps for various categories of violations. Some caps reach into hundreds of crores of rupees, indicating the seriousness of severe breaches. For instance, failing to maintain adequate security safeguards could invite a penalty of up to 250 crore rupees.

4. Discretion and Proportionality

While maximum penalties are prescribed, Section 33 gives the Board discretion to decide the actual penalty within the limit. Factors influencing this decision include:

  • The nature, gravity, and duration of the violation.
  • The extent of harm caused to Data Principals.
  • Mitigating actions taken by the violator (e.g., prompt breach notification).
  • Whether it’s a repeat offense, suggesting systemic non-compliance.

This ensures penalties are fair, proportionate, and genuinely reflective of the circumstances.

5. Due Process and Procedural Safeguards

Although not explicitly detailed in Section 33, the Act’s overall framework ensures entities have the opportunity to present evidence, argue mitigating factors, and seek a fair hearing. Such due process safeguards legitimacy and trust in the enforcement regime.

6. No Retention of Penalties by the Board

While Section 33 outlines the penalty mechanism, Section 34 clarifies that all collected penalties go to the Consolidated Fund of India, preventing any financial conflict of interest and ensuring the Board’s impartiality.

Illustrations

1. Negligent Data Security Leading to Breach

If an e-commerce company’s lax security results in a massive breach of customer financial data, the Board may impose a substantial fine. The exact amount would consider how promptly the breach was reported and what remedial steps were taken afterward.

2. Non-Compliance with Children’s Data Obligations

An EdTech platform collecting children’s data for targeted advertising may face a hefty penalty. The Board would consider if the firm willfully ignored the law and whether it stopped the unlawful processing upon discovery.

3. Significant Data Fiduciary Failing Audits

A large social media platform designated as a Significant Data Fiduciary ignores mandatory audits. The Board could impose a penalty nearing the upper limit, reflecting the large-scale risk posed by such non-compliance.

Legal Interpretation and Impact

Regulatory Deterrence:
Section 33 ensures data protection obligations are backed by strong deterrents, motivating investment in compliance and robust data management.

Global Alignment:
The penalty framework mirrors global standards, enhancing trust and making India’s data protection regime comparable to international frameworks like the EU’s GDPR.

Balancing Interests:
Discretion and proportionality prevent undue harshness for minor violations while ensuring serious or repeated offenders face significant consequences.

Conclusion

Section 33 of the DPDP Act, 2023, is central to enforcing India’s data protection framework. By granting the Data Protection Board authority to impose substantial, appropriate, and fair penalties, it ensures compliance isn’t optional. Combined with the Schedule’s clear categories and caps, Section 33 fosters a secure, privacy-focused digital environment that protects Data Principals and rewards responsible entities.


Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
