
Penalties For Contravention of The Digital Personal Data Protection Act, 2023

November 10, 2023 waterandshark

Introduction

The digital landscape of India is growing at a tremendous pace. The availability of internet access at cheaper rates has increased internet penetration in India, and the Government's flagship Digital India programme has led to more digital infrastructure being created in the country. More and more people are now connected to the internet, and everything is going digital. As per data from the Ministry of Electronics and Information Technology, there are over 76 crore active internet users, and over the coming years this is expected to touch 120 crore (1.2 billion). India is one of the largest connected countries in the world and is amongst the highest consumers and producers of data per capita.

This boom in the digital world also leads to an increase in crime on the internet: as more people come online on various digital platforms, cybercrime rises. The protection and safety of an individual online has become as important as it is in the offline world. Personal data, which means any data about an individual who is identifiable by or in relation to such data, is now on the internet across different digital platforms, phone applications, etc., which significantly increases the risk of data theft, data breaches, and cybercrime.

The Government of India promulgated the Digital Personal Data Protection Act, 2023 (“DPDP Act”) with the intention to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

In this blog, we look at the penalties associated with contravention of the DPDP Act.

Data Protection Board and Penalties

In accordance with the DPDP Act, the Data Protection Board (“Board”) has the authority to conduct inquiries and impose monetary penalties. If the Board determines on conclusion of an inquiry and after giving the person an opportunity of being heard, that breach of the provisions of the DPDP Act or the rules made thereunder by a person is significant, it may impose such monetary penalties as specified in the Schedule of the DPDP Act. All the sums realised by way of penalties imposed by the Board under the DPDP Act are credited to the Consolidated Fund of India.

Chapter VIII of the DPDP Act provides for Penalties and Adjudication. It specifies that, while determining the amount of monetary penalty to be imposed, the Board shall take into account the following matters:

  1. The nature, gravity, and duration of the breach.
  2. The type and nature of the personal data affected by the breach.
  3. Repetitive nature of the breach.
  4. Whether the person, because of the breach, has realised a gain or avoided any loss.
  5. Whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action.
  6. Whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act.
  7. The likely impact of the imposition of the monetary penalty on the person.

The extent of the penalty varies depending on which provision is breached, as set out below:

| Sr. No. | Type of Data Breach | Penalty (in INR) |
| 1. | If a Data Fiduciary, i.e., any company or organisation, fails to protect personal data in its possession. | May extend to 250 crores |
| 2. | If a Data Fiduciary fails to report a personal data breach to the Board and each affected Data Principal. | May extend to 200 crores |
| 3. | If a Data Fiduciary fails to protect personal data of children in its possession or under its control. | May extend to 200 crores |
| 4. | If a Significant Data Fiduciary fails to protect personal data of individuals in its possession or under its control. | May extend to 150 crores |
| 5. | If an individual to whom the personal data relates (i.e., the Data Principal) is in violation of the duties of a Data Principal. | May extend to 10,000 |
| 6. | If there is a breach of any term of a voluntary undertaking accepted by the Board. | Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. |
| 7. | In case of breach of any other provision of the DPDP Act or the rules made thereunder not mentioned above. | May extend to 50 crores |

Conclusion

As we have explored in this blog, the DPDP Act empowers the Board to enforce compliance with stringent penalties for contravention. These penalties are not trivial: they range from fines of up to INR 10,000 for individuals violating their duties to massive fines of up to 250 crores for companies failing to protect personal data. Enterprises and organizations operating in the digital realm must take the DPDP Act seriously and diligently adhere to its provisions to avoid substantial financial repercussions. It is imperative that companies prioritize compliance with the DPDP Act, not only to protect personal data but also to safeguard their own financial interests.

In an age where data is an invaluable asset, ensuring its protection has never been more critical. To learn more about how your business can navigate the complexities of this new data protection landscape, don't hesitate to contact us at legal@waterandshark.com.
