The DPDP Act’s Penalty Regime: Design, Challenges, and Constitutional Questions
- November 26, 2025
- Rajesh Vellakkat
The Digital Personal Data Protection Act, 2023 (“DPDP Act”), introduces a significant shift in India’s data governance landscape by establishing a comprehensive, rights-based framework for regulating the processing of digital personal data. The penalty regime under the Act—its magnitude, proportionality, and enforceability—has naturally become one of the most debated aspects among enterprises and policy analysts.
Following the notification of the DPDP Rules, several organisations were concerned about whether penalties would take immediate effect. The government has clearly notified that the penalty-related provisions will become enforceable only eighteen months after the notification of the Rules, meaning they come into force on 13 May 2027. Until then, monetary sanctions cannot be imposed. This transitional period provides a timely opportunity to engage in deeper reflection on the design and constitutional robustness of the penalty framework, and these discussions may ultimately shape a more balanced and predictable enforcement ecosystem.
Role and Discretion of the Data Protection Board
The Data Protection Board of India (DPB) is the specialised adjudicatory body entrusted with investigating breaches, determining violations, and imposing penalties. Its functions are essentially quasi-judicial and mirror the role played by sectoral tribunals that operate according to the principles of natural justice. Neither the Act nor the Rules currently prescribe detailed procedural guidelines for the DPB’s inquiry process and penalty determination. In the absence of clear procedures, the Board retains substantial discretion in deciding how penalties for violations are determined. Under the Act, it may impose penalties, issue warnings, direct remedial action, or even close cases where violations are minor or have been promptly addressed. Given this wide discretion, the development of detailed operational procedures becomes essential to ensure consistency, transparency, and fairness in enforcement.
Magnitude of Penalties and Their Deterrent Nature
The DPDP Act authorises some of the highest administrative monetary penalties in Indian law. The Act prescribes penalties of up to ₹250 crores for failing to implement reasonable security safeguards, up to ₹200 crores for failures involving breach notifications or violations concerning children’s data, up to ₹150 crores for non-compliance by Significant Data Fiduciaries, and up to ₹50 crores for other remaining categories of violations. Unlike regulatory sectors where penalties correspond to quantifiable economic harm, data protection violations often result in intangible, unpredictable, or non-economic forms of harm. This means that the consequences of similar lapses can differ significantly depending on context; a small organisation’s failure could lead to substantial harm, while a large organisation’s failure may produce comparatively limited consequences.
Penalties under the DPDP Act are therefore designed primarily as deterrents, rather than as mechanisms to compensate Data Principals. This is reinforced by the fact that penalties are credited to the Consolidated Fund of India, and the Act does not establish any dedicated compensation mechanism for affected individuals. While civil and tort law remedies remain formally available, the statute neither excludes nor explicitly recognises these avenues of redress. This raises the question of whether Data Fiduciaries will eventually have to face both the penalty regime under the DPDP Act and class tort claims by Data Principals.
Factors Guiding Penalty Determination
Section 33(2) of the Act outlines a range of factors that the DPB must consider when determining the quantum of penalties, such as the nature, gravity, and duration of the breach; the type of personal data involved; whether the violation was repetitive; the advantage gained or loss avoided by the violator; the promptness and adequacy of mitigation efforts; and the proportionality and impact of the proposed penalty on the concerned entity. These considerations broadly reflect international regulatory practice. However, the Act departs notably from global standards by omitting turnover-based penalty caps, a central feature of the GDPR and many other contemporary privacy laws. The absence of such caps introduces uncertainty and places substantial responsibility on the DPB to develop a fair and defensible methodology for determining penalties.
Conceptual Ambiguities and Procedural Gaps
The DPB’s broad discretion increases the possibility of inconsistent enforcement unless clear procedural norms are established. Certain conceptual and practical ambiguities are evident. The Act does not create a standalone penalty for unlawful or unauthorised processing of personal data, even though such conduct lies at the core of privacy regulation worldwide. While one could argue that such violations fall within the residual penalty category, failing to identify them explicitly risks weakening deterrence and undermining the central objective of the Act. Similarly, the foundational requirement to implement “reasonable security safeguards,” which triggers the highest penalties under the Act, lacks clarity. The expression “reasonable security safeguards” could be interpreted in many ways. Unless further rules or notifications bring more clarity, its meaning must ultimately be shaped through judicial interpretation.
The severity of monetary penalties under the DPDP Act may also prompt constitutional challenges. Litigation may arise under Article 19(1)(g), which protects the freedom to carry on trade or business, or under Article 14, which prohibits arbitrary state action. Indian courts have historically invalidated administrative penalties that are manifestly disproportionate or imposed without adequate rationale, and similar scrutiny is likely once the DPDP Act becomes operational. Questions regarding proportionality, the fairness of procedure, and the adequacy of reasoning will almost certainly be tested through judicial review, especially in cases where the DPB imposes large penalties without comprehensive statutory guidance.
Difficulties in Drawing Parallels with Other Regulatory Models
Another foreseeable challenge is the difficulty of drawing on the enforcement models of other Indian regulators. Many regulatory bodies, such as SEBI, the Competition Commission of India, and IRDAI, impose penalties that are closely tied to measurable economic harm or quantifiable indicators such as turnover, profit, or customer loss. Data protection violations, however, frequently involve harm that is intangible and more closely related to violations of the fundamental right to privacy, recognised by the Supreme Court in K.S. Puttaswamy v. Union of India. Historically, infringements of fundamental rights such as discrimination, untouchability, or forced labour have been addressed through criminal sanctions or constitutional remedies rather than administrative monetary penalties. The DPDP Act’s reliance solely on monetary penalties to address privacy violations therefore raises important questions about whether such penalties are adequate to safeguard a constitutional right and whether the DPB can exercise its powers consistently and effectively.
Need for Clarity Before Enforcement Begins
In conclusion, the penalty regime under the DPDP Act represents a significant evolution in India’s approach to personal data protection. While the Act is ambitious and seeks to strengthen accountability, it also introduces substantial challenges concerning proportionality, clarity, consistency of enforcement, and constitutional soundness. As the enforcement provisions come into effect after 2027, it is important that more detailed rules and clarifications are issued well in advance. Otherwise, we may have to wait for judicial interpretation to gain clarity on how these penalties are determined and how the broader enforcement ecosystem works. Given the delays in our adjudicatory system, however, leaving the regime to mature through judicial precedent is not a desirable option.