💰 Part 3 of 5

Penalty Determination: Section 33 & The Schedule

Understanding DPDPA's graduated penalty structure — from ₹10,000 to ₹250 Crore, the seven mandatory determination factors, and proportionality principles for penalty calculation.


6.13 Section 33: Penalty Imposition

Section 33 is the penalty provision of DPDPA. It establishes a "significant breach" threshold — penalties are imposed only when the Board determines a breach is significant, not for every minor non-compliance.

Section 33(1): Triggering Condition

Key Elements:

  • "Significant" breach: Board must determine breach is significant — not every violation triggers penalty
  • Inquiry conclusion: Penalty only after completed inquiry under Section 28
  • Opportunity of hearing: Mandatory natural justice compliance
  • Schedule reference: Penalty amounts specified in statutory Schedule
💡 Significance Threshold

The "significant breach" requirement provides prosecutorial discretion. Minor, technical violations without real harm may not attract penalties. This prevents over-criminalization while maintaining deterrence for serious breaches.

6.14 The Penalty Schedule

The Schedule to DPDPA specifies maximum penalties for seven categories of breaches:

| Sl. | Breach of Provisions | Maximum Penalty |
|---|---|---|
| 1 | Breach of reasonable security safeguards obligation (Section 8(5)) | ₹250 Crore |
| 2 | Failure to notify Board/Data Principal of breach (Section 8(6)) | ₹200 Crore |
| 3 | Breach of obligations relating to children (Section 9) | ₹200 Crore |
| 4 | Breach of additional SDF obligations (Section 10) | ₹150 Crore |
| 5 | Breach of Data Principal duties (Section 15) | ₹10,000 |
| 6 | Breach of voluntary undertaking terms (Section 32) | As applicable to original breach |
| 7 | Any other breach of Act or Rules | ₹50 Crore |

⚠️ Maximum, Not Mandatory

These are maximum penalties — the Board has discretion to impose lower amounts based on the Section 33(2) factors. The Schedule sets ceilings, not floors.

Section 42: Schedule Amendment Power

The Central Government may amend the Schedule by notification, with one crucial limitation: an amendment cannot raise any penalty to more than double the amount specified in the Schedule as originally enacted.

This means the maximum potential penalty for security breaches could reach ₹500 Crore (2x ₹250 Crore) through future amendments, but no higher.

6.15 Section 33(2): Determination Factors

The Board must have regard to seven specified factors when determining penalty amount. These are mandatory considerations, not optional guidelines.

  • (a) Nature, Gravity & Duration: The nature, gravity and duration of the breach — more serious, longer-lasting breaches warrant higher penalties
  • (b) Type of Data Affected: The type and nature of personal data affected — sensitive data breaches (financial, health) warrant higher penalties
  • (c) Repetitive Nature: Repetitive nature of the breach — repeat offenders face escalating penalties
  • (d) Gain or Loss Avoided: Whether the person realised a gain or avoided any loss as a result — disgorgement principle
  • (e) Mitigation Actions: Whether the person took action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action
  • (f) Proportionality & Deterrence: Whether the penalty is proportionate and effective, having regard to the need to secure observance of the Act and deter breaches
  • (g) Impact on Person: The likely impact of imposition of the penalty on the person — ability to pay, business viability considerations

📋 Practitioner Strategy

When representing a Data Fiduciary, build your penalty mitigation argument around these seven factors. Document: (1) swift remediation actions, (2) cooperation with Board, (3) no prior violations, (4) limited harm to Data Principals, (5) no financial gain from breach, (6) financial impact on business.

6.16 Factor Analysis for Practitioners

Factor (a): Nature, Gravity & Duration

| Severity Level | Characteristics | Penalty Impact |
|---|---|---|
| Low | Technical violation, no actual harm, brief duration | Lower end of range |
| Medium | Some harm, moderate duration, partial remediation | Mid-range |
| High | Significant harm, prolonged breach, systemic failure | Higher end of range |

Factor (b): Type of Data

  • Higher sensitivity: Financial data, health records, biometric data, children's data
  • Medium sensitivity: Contact information, purchase history, location data
  • Lower sensitivity: Publicly available information, anonymized/aggregated data

Factor (e): Mitigation — Key Defense Factor

This is often the most controllable factor. Effective mitigation includes:

  • Timely notification: Prompt reporting to Board and affected individuals
  • Technical remediation: Patching vulnerabilities, enhancing security
  • Support for affected persons: Credit monitoring, identity protection services
  • Root cause analysis: Investigating and addressing underlying issues
  • Policy improvements: Updated procedures to prevent recurrence
Mitigation Checklist

Post-breach, immediately document all mitigation steps with timestamps. This contemporaneous evidence is crucial for penalty reduction arguments. "We took these 12 specific steps within 48 hours of discovering the breach..."

6.17 Section 34: Consolidated Fund

Section 34 directs that all penalties imposed under the Act are credited to the Consolidated Fund of India. This ensures:

  • Penalties go to the national exchequer, not the Board
  • Removes any institutional incentive for excessive penalties
  • Penalties are not compensation to Data Principals (separate civil remedies exist)
💡 No Victim Compensation

DPDPA penalties are regulatory fines, not compensation to affected Data Principals. Data Principals seeking compensation must pursue separate civil remedies. However, mitigation efforts like voluntary compensation to affected individuals can be argued under Factor (e).

6.18 Comparison with GDPR Penalties

| Aspect | DPDPA (India) | GDPR (EU) |
|---|---|---|
| Maximum penalty | ₹250 Crore (~€28M) | €20M or 4% global turnover (whichever higher) |
| Calculation basis | Fixed maximum amounts | Percentage of turnover |
| Turnover link | No direct link (but Factor (g) considers impact) | Direct link to global turnover |
| Determination factors | 7 factors (Section 33(2)) | 11 factors (Article 83(2)) |
| Criminal penalties | No | Member State option |

💡 Key Difference

GDPR's turnover-based penalties can be significantly higher for large multinationals. A company with €10B global turnover faces max GDPR penalty of €400M (4%), versus DPDPA's ₹250 Crore (~€28M) maximum. However, DPDPA's fixed caps provide more certainty for compliance budgeting.

🎯 Key Takeaways

  • "Significant breach" threshold: Not every violation triggers penalty
  • Seven penalty categories: ₹10,000 to ₹250 Crore maximum
  • Seven mandatory factors: Board must consider all when determining amount
  • Mitigation is key: Factor (e) rewards swift, effective remediation
  • Impact consideration: Factor (g) allows ability-to-pay arguments
  • No victim compensation: Penalties go to Consolidated Fund, not Data Principals
  • Amendment cap: Maximum can be doubled by notification (₹500 Cr potential)