Navigating the Digital Frontier: India’s Personal Data Protection Act, 2023 – Part 3
In Part 1 and Part 2 of this series, we laid the groundwork by exploring the preliminary provisions and data protection obligations of India’s Digital Personal Data Protection Act, 2023. We also began to draw parallels with global regulations, situating India’s approach within the broader international context.

As we continue our journey into the heart of the Digital Personal Data Protection Act, 2023, Part 3 marks the final stage of this exploration, focusing on enforcing data protection and shaping a secure digital future. This concluding part examines the Act’s provisions on offences and penalties and offers a comprehensive analysis of its enforcement architecture, assessing its broader implications for individual privacy, national security, and India’s evolving digital economy.
The enforcement mechanism of any data protection legislation ultimately determines whether its provisions remain theoretical ideals or translate into tangible protections for individuals. India’s Digital Personal Data Protection Act, 2023, establishes a penalty framework designed to secure compliance through meaningful financial consequences, while preserving sufficient flexibility for contextual adjudication by the Data Protection Board of India. The Act received Presidential assent on August 11, 2023, and represents India’s first standalone statute devoted exclusively to the protection of digital personal data. While the foundational principles and individual rights provisions define the substantive obligations of data fiduciaries, it is the penalty regime under Chapter VIII and the miscellaneous provisions in Chapter IX that determine how the law will function in practice.
The Act’s enforcement architecture reflects a regulatory philosophy that diverges in important respects from global counterparts such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act. Instead of linking penalties to a percentage of global turnover, the DPDPA adopts a tiered structure prescribing fixed maximum penalties for specified categories of violations. This model enhances predictability for organizations by clearly delineating their maximum exposure, while still ensuring that penalties are sufficiently substantial to deter non-compliance. Notably, the Act does not criminalize data protection breaches through imprisonment, nor does it create private rights of action enabling individuals to directly sue data fiduciaries. Enforcement authority is instead centralized in the Data Protection Board of India, a design choice intended to promote consistency in regulatory outcomes and to avoid the fragmentation and excessive litigation observed in some other jurisdictions.
The Penalty Framework: Structure and Implementation
Section 33 of the DPDPA empowers the Data Protection Board to impose monetary penalties when it determines that a breach of the Act or rules is significant. The provision requires the Board to provide an opportunity for the person or entity under investigation to be heard before imposing any penalty, ensuring procedural fairness. The Schedule annexed to the Act specifies maximum penalty amounts for different categories of violations, creating a hierarchy that reflects the legislature’s assessment of relative severity [1]. The highest penalty, reaching up to INR 250 crore (approximately USD 30 million at current exchange rates), applies to failures by data processors or data fiduciaries to ensure reasonable safeguards for preventing personal data breaches. This substantial sum signals that security obligations constitute the apex of the compliance pyramid.
Failure to notify the Data Protection Board and affected data principals about personal data breaches attracts penalties up to INR 200 crore. The same maximum applies to non-fulfillment of obligations pertaining to children’s data, reflecting heightened concern for protecting minors in the digital ecosystem. Violations by significant data fiduciaries—a category the Act defines as those processing personal data at a scale and nature requiring additional obligations—can result in penalties up to INR 150 crore. For violations where no specific penalty is prescribed, the Board may impose penalties up to INR 50 crore. Even data principals themselves face potential penalties up to INR 10,000 if they violate their duties under Section 15, such as providing false information or registering frivolous complaints [2].
When determining the actual penalty amount within these maximum limits, Section 33 directs the Board to consider several factors. These include the nature, gravity, and duration of the breach; the type and nature of personal data affected; whether the breach was repeated or continued after the Board directed corrective action; whether the person derived financial gain or avoided losses through the breach; whether the person took action to mitigate effects and consequences; and whether the monetary penalty will be proportionate and effective to secure observance and deter future breaches. This multi-factor assessment mirrors approaches found in other jurisdictions and allows the Board to calibrate penalties appropriately rather than mechanically applying maximum amounts in every case.
The Board may also accept voluntary undertakings from persons or entities to ensure compliance at any stage of proceedings. If the Board accepts such an undertaking, it may suspend or terminate proceedings on related issues. However, failure to honor a voluntary undertaking is itself treated as a breach, allowing the Board to resume enforcement action. This mechanism encourages settlement and cooperative resolution while maintaining credibility through consequences for broken promises. Section 34 specifies that all sums realized through penalties shall be credited to the Consolidated Fund of India, preventing any financial conflict of interest and ensuring the Board’s impartiality [3].
Comparing Penalty Regimes: GDPR and CCPA
The GDPR’s penalty structure, articulated in Article 83, establishes two tiers of administrative fines. Less serious infringements can result in fines up to EUR 10 million or two percent of the undertaking’s total worldwide annual turnover from the preceding financial year, whichever is higher. More serious infringements—including violations of basic processing principles, data subject rights, and international transfer requirements—can result in fines up to EUR 20 million or four percent of total worldwide annual turnover, whichever is higher [4]. The percentage-based calculation means that fines can scale dramatically with company size, and the concept of “undertaking” under EU competition law principles means that parent company turnover may be considered even when a subsidiary committed the violation.
In practice, the GDPR has generated some of the largest data protection fines in history. Meta received a record EUR 1.2 billion penalty from Ireland’s Data Protection Commission in 2023 for unlawfully transferring personal data to the United States without adequate safeguards. Amazon was fined EUR 746 million by Luxembourg’s supervisory authority for processing personal information without proper consent mechanisms. These amounts, while representing small percentages of the companies’ global revenue, demonstrate the GDPR’s capacity to impose financially meaningful sanctions on even the largest technology companies [5].
California’s CCPA takes a different approach through Section 1798.155. Violations subject businesses to civil penalties of up to USD 2,500 per violation, or USD 7,500 per intentional violation. These penalties are enforced exclusively by the California Attorney General rather than through private litigation, except in cases involving data breaches where Section 1798.150 provides a limited private right of action. Under that provision, consumers may seek statutory damages of USD 100 to USD 750 per consumer per incident, or actual damages, whichever is greater. Before filing suit, consumers must provide businesses thirty days’ notice and an opportunity to cure violations, except in cases involving willful disregard for security [6].
The DPDPA’s fixed maximum penalties occupy middle ground between these approaches. Unlike the GDPR’s percentage-of-turnover model, Indian law provides greater certainty regarding worst-case exposure. Unlike the CCPA’s per-violation calculation, which could theoretically accumulate to massive amounts in cases affecting many consumers, the DPDPA establishes clear ceilings. However, the INR 250 crore maximum is substantially lower than potential GDPR fines for large multinationals, raising questions about whether penalties will prove sufficiently deterrent for global technology companies whose annual revenues measure in billions of dollars. For domestic Indian businesses and smaller enterprises, conversely, penalties in the hundreds of crores represent existential financial threats that should motivate serious compliance efforts.
Exemptions and Flexibility: Balancing Protection with Practicality
Chapter IV of the DPDPA, containing Sections 16 and 17, addresses special circumstances requiring distinct treatment. Section 17 enumerates various exemptions from the Act’s requirements, acknowledging that inflexible application of data protection rules could impede legitimate activities serving the public interest. The provisions of Chapter II (except specified subsections), Chapter III, and Section 16 do not apply when processing is necessary for enforcing legal rights or claims; preventing, detecting, investigating, or prosecuting offences; judicial functions; mergers and acquisitions; debt recovery; or public interest research and statistics [7].
More controversially, Section 17 also provides broad exemptions for state instrumentalities. When the Central Government notifies a state entity, that entity may be exempted from various obligations if processing personal data for purposes involving sovereignty, integrity, security of the state, friendly relations with foreign countries, maintaining public order, or preventing incitement to cognizable offences. Critics have expressed concern that these exemptions, lacking robust oversight mechanisms or sunset provisions, could facilitate surveillance without adequate checks on government power. The absence of specific procedural safeguards, judicial review requirements, or proportionality assessments in the exemption provisions represents a significant departure from the GDPR’s Article 23, which requires member states to maintain legislative measures clearly delineating the scope and application of restrictions on data subject rights [8].
Section 17 also addresses startups specifically, recognizing the challenges these entities face in achieving compliance with sophisticated data protection requirements. The provision allows the Central Government to exempt startups from certain requirements for specified periods, provided they meet criteria established by the department handling startup matters. This accommodation reflects policy priorities around fostering innovation and entrepreneurship, though it creates a two-tier system where established businesses face obligations that startups may temporarily avoid. The rationale is that nascent companies with limited resources and technical capabilities should not face compliance burdens that could strangle growth, but critics note that some of the most significant privacy violations have occurred at rapidly scaling technology startups.
Notably absent from Section 17’s exemptions is any express provision for journalistic purposes, an omission that has drawn sustained criticism from media organizations. The Editors Guild of India has repeatedly urged the Ministry of Electronics and Information Technology to exercise powers under Section 17(5)—which allows exempting any class of data fiduciaries for up to five years—to protect journalistic activities. The Guild argues that requiring journalists to obtain consent before processing personal data would fundamentally undermine investigative journalism and the media’s watchdog function. Previous drafts of India’s data protection legislation included journalistic exemptions similar to those found in the GDPR, which allows member states to reconcile data protection with freedom of expression and information. The final Act’s silence on this issue has created uncertainty about how journalism can continue operating under the DPDPA’s consent-centric framework [9].
Impact on National Security, Economic Development, and Privacy
The DPDPA’s enforcement provisions must be evaluated not merely as technical legal mechanisms but as instruments shaping India’s digital future across multiple dimensions. From a national security perspective, the state instrumentality exemptions reflect genuine concerns about maintaining sovereign capabilities in an environment where adversaries exploit personal data for intelligence gathering and influence operations. India faces unique security challenges, including persistent threats from state and non-state actors seeking to destabilize the nation. Intelligence and law enforcement agencies require flexibility to respond to these threats without procedural obstacles that could delay critical interventions.
However, the breadth of these exemptions and the absence of independent oversight create risks of overreach. Democratic governance requires balancing security imperatives against civil liberties, and history demonstrates that surveillance powers granted for legitimate purposes frequently expand beyond their original justification. The DPDPA lacks mechanisms comparable to those in some Western democracies, where judicial warrants, parliamentary oversight committees, or independent review boards provide checks on intelligence activities. Civil society organizations and privacy advocates have warned that Section 17’s exemptions could facilitate mass surveillance disproportionate to actual security needs, potentially chilling free expression and dissent.
From an economic development perspective, the DPDPA aims to position India as both a significant player in the global digital economy and a jurisdiction offering credible data protection standards. Foreign companies seeking to serve Indian consumers must comply with local law, while Indian companies aspiring to global markets need domestic regulations that facilitate rather than hinder international data flows. The Act’s approach to cross-border transfers—allowing transfers except to specifically prohibited jurisdictions—creates a more permissive environment than the GDPR’s framework requiring adequacy decisions or standard contractual clauses. This facilitates India’s integration into global supply chains and services ecosystems while reserving the government’s ability to block transfers when necessary.
The penalty structure influences economic behavior by making data protection a boardroom issue rather than merely a technology or legal compliance matter. When potential fines reach hundreds of crores, senior executives pay attention and allocate resources accordingly. This should drive investment in security infrastructure, privacy engineering, and governance frameworks. However, the effectiveness of penalties depends crucially on consistent enforcement. If the Data Protection Board develops a reputation for imposing nominal penalties or declining to pursue violations, the deterrent effect will dissipate. Conversely, if enforcement appears arbitrary or disproportionate, it could chill legitimate innovation and investment.
Procedural Safeguards and Dispute Resolution
Beyond the penalties themselves, the DPDPA establishes procedural mechanisms intended to ensure fair adjudication and provide alternatives to formal enforcement. The Act requires that data principals first exhaust the grievance redressal mechanism provided by data fiduciaries or consent managers before approaching the Board. This requirement reduces the Board’s caseload by filtering out matters that parties can resolve directly, though it also means individuals must navigate potentially company-controlled processes before accessing independent adjudication.
The Act provides for appeals from Board decisions to the Telecommunications Disputes Settlement and Appellate Tribunal (TDSAT), a specialized body with technical expertise relevant to digital matters. This appellate mechanism ensures that Board decisions face judicial scrutiny and reduces risks of regulatory overreach. The involvement of a specialized tribunal rather than general courts recognizes that data protection disputes often involve technical complexities requiring specific expertise. However, the choice of TDSAT rather than establishing a dedicated data protection appellate body has been questioned, as telecommunications and data privacy involve distinct policy considerations and technical domains.
Chapter VII also contemplates alternative dispute resolution (ADR) mechanisms, encouraging mediation and conciliation as means of resolving conflicts without formal adjudication. This reflects best practices from other areas of law where ADR reduces costs, accelerates resolution, and preserves relationships. In the data protection context, ADR could be particularly valuable for disputes where both parties have legitimate interests—for instance, when a data principal seeks erasure but the fiduciary has legal obligations requiring retention, or when transparency and proprietary business concerns conflict.
Looking Forward: Implementation and Evolution
The Digital Personal Data Protection Rules notified in November 2025 have begun operationalizing the Act’s provisions, providing detailed requirements for notice formats, consent mechanisms, grievance procedures, and breach notifications. As these rules take effect and the Data Protection Board begins adjudicating cases, the practical implications of the penalty framework will become clearer. Early enforcement decisions will establish precedents influencing how subsequent cases are evaluated, and the Board’s interpretive choices will determine whether the Act evolves as a protective shield for individuals or primarily as a regulatory burden on businesses.
Several challenges lie ahead. The Board must build institutional capacity sufficient to handle complaints from a population of 1.4 billion people and oversee an economy where digital services touch nearly every aspect of life. It must develop expertise not only in legal and policy matters but also in the technical dimensions of data processing, security, and emerging technologies. The Board must calibrate enforcement to achieve deterrence without stifling innovation, provide clarity through guidance while remaining flexible enough to address novel situations, and maintain independence from both government pressure and industry capture.
The Act’s success will ultimately be measured not by the sophistication of its text but by whether it achieves its twin objectives: protecting individual privacy and enabling India’s digital economy to flourish. These goals are not inherently contradictory, but tensions between them will arise repeatedly. Strong data protection can enhance economic value by building consumer trust and reducing costs associated with breaches and litigation. Conversely, burdensome compliance requirements can divert resources from innovation and create barriers to entry that favor established players. The challenge for Indian policymakers, regulators, and courts will be navigating these tensions through enforcement decisions and regulatory evolution that serves both privacy and prosperity.
Conclusion: A Framework Taking Shape
India’s Digital Personal Data Protection Act represents a significant step in establishing a legal framework for the digital age, but it remains a work in progress. The penalty provisions create meaningful consequences for violations while preserving flexibility for contextual assessment. The exemptions acknowledge legitimate needs for processing personal data without consent in specific circumstances, though their breadth raises concerns about surveillance and government overreach. The Act’s enforcement model, centered on an independent Board rather than private litigation, reflects policy choices about how best to achieve compliance in India’s particular legal and social context.
Comparison with the GDPR and CCPA reveals both alignments and divergences, reflecting India’s unique position as a populous democracy with development aspirations, security challenges, and distinctive legal traditions. The fixed maximum penalties differ from the GDPR’s percentage approach and the CCPA’s per-violation model, offering greater certainty but potentially less deterrence for the largest companies. The exemptions for state instrumentalities exceed those in Western frameworks, raising questions about the balance between security and liberty. The absence of journalistic exemptions contrasts with European practice and may require correction to avoid chilling press freedom.
As implementation proceeds, the Data Protection Board’s performance will determine whether the DPDPA achieves its promise. Rigorous enforcement respecting procedural fairness, clear guidance helping organizations understand obligations, and willingness to adapt as technology and society evolve will be essential. The Act provides the structure, but the substance will emerge through the accumulation of decisions, rules, and interpretive guidance in the years ahead. India’s journey toward data protection continues, with the destination still taking shape.
References
[1] AM Legals. (2024). Penalties under the Digital Personal Data Protection Act, 2023: A Guide. Available at: https://amlegals.com/penalties-under-the-digital-personal-data-protection-act2023/
[2] Mondaq. (2024). Enforcement and Penalties Under the Digital Personal Data Protection Act, 2023. Available at: https://www.mondaq.com/india/data-protection/1543038/enforcement-and-penalties-under-the-digital-personal-data-protection-act-2023
[3] Tsaaro. (2025). Enforcement and Penalties under the DPDPA, 2023 and Draft DPDP Rules, 2025. Available at: https://tsaaro.com/blogs/enforcement-and-penalties-under-the-dpdpa-2023-and-draft-dpdp-rules-2025/
[4] GDPR.eu. (2019). What are the GDPR Fines? Available at: https://gdpr.eu/fines/
[5] Sprinto. (2025). GDPR Fines Explained: Penalties for Data Breaches. Available at: https://sprinto.com/blog/gdpr-fines/
[6] Consumer Privacy Act. (2019). Section 1798.155. Civil penalties. Available at: https://www.consumerprivacyact.com/section-1798-155-civil-penalties/
[7] India DPDPA. (2023). Article 17 – Exemptions. Available at: https://indiadpdpa.com/india-dpdpa-article-17-exemptions/
[8] Tsaaro. (2025). Exemptions Under the Digital Personal Data Protection (DPDP) Act, 2023. Available at: https://tsaaro.com/blogs/exemptions-under-the-digital-personal-data-protection-dpdp-act-2023/
[9] Medianama. (2025). EGI Reiterates Need To Protect Journalists Under DPDP Rules. Available at: https://www.medianama.com/2025/11/223-egi-journalists-indias-digital-data-protection-rules/