November 10, 2023
The digital landscape of India is growing at a tremendous pace. Availability of internet at cheaper rates has led to increased internet penetration in India. The advent of the flagship programme Digital India by the Government has resulted in more digital infrastructure being created in the country. Now, more and more people are connected to the internet, and everything is going digital. According to the Ministry of Electronics and Information Technology, there are over 76 crore active internet users, and this number is expected to touch 120 crore (1.2 billion) in the coming years. India is one of the largest connected countries in the world and is among the highest consumers and producers of data per capita.
This boom in the digital world also leads to an increase in internet crimes as more people are online across various digital platforms, giving rise to cybercrimes. The protection and safety of individuals online have become as crucial as in the offline world. Personal data—any data about an individual identifiable by or in relation to such data—is now on the internet through different digital platforms, phone applications, etc., significantly increasing the risk of data theft, data breaches, and cyber-crimes.
The Government of India has promulgated the Digital Personal Data Protection Act, 2023 (“DPDP Act”) to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such data for lawful purposes and for related matters.
Under the DPDP Act, the Data Protection Board (“Board”) has the authority to conduct inquiries and impose monetary penalties. If the Board, after concluding an inquiry and giving the person an opportunity to be heard, finds that a breach of the DPDP Act or the rules made thereunder is significant, it may impose monetary penalties as specified in the Schedule of the DPDP Act. All sums realized by way of penalties imposed by the Board are credited to the Consolidated Fund of India.
Chapter VIII of the DPDP Act provides for Penalties and Adjudication. The Board must consider the following factors when determining the amount of monetary penalty to be imposed:
The extent of penalties varies depending on the provisions breached, as outlined below:
| Sr. No | Type of Data Breach | Penalty (In INR) |
|---|---|---|
| 1 | If a Data Fiduciary (any company or organization) fails to protect personal data under its possession. | May extend to 250 crores |
| 2 | If a Data Fiduciary fails to report a personal data breach to the Board and each affected data principal. | May extend to 200 crores |
| 3 | If a Data Fiduciary fails to protect personal data of children in its possession or under its control. | May extend to 200 crores |
| 4 | If a Significant Data Fiduciary fails to protect personal data of individuals in its possession or under its control. | May extend to 150 crores |
| 5 | If an Individual to whom the personal data relates (Data Principal) is in violation of duties of Data Principal. | May extend to 10,000 |
| 6 | If there is a breach of any term of a voluntary undertaking accepted by the Board. | Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. |
| 7 | In case of breach of any other provision of the DPDP Act or the rules made thereunder not mentioned above. | May extend to 50 crores |
As explored in this blog, the DPDP Act empowers the Board to enforce compliance with stringent penalties for contraventions. These penalties are significant, ranging from fines of up to INR 10,000 for individuals violating their duties to massive fines of up to 250 crores for companies failing to protect personal data. Enterprises and organizations operating in the digital realm must take the DPDP Act seriously and adhere diligently to its provisions to avoid substantial financial repercussions.
In an age where data is an invaluable asset, ensuring its protection has never been more critical. To learn more about how your business can navigate the complexities of this new data protection landscape, don't hesitate to contact us at legal@waterandshark.com.
