
Chapter VIII: Penalty and Adjudication

Understanding penalty framework, adjudication mechanism, and enforcement under DPDPA

Introduction

In the contemporary era, the protection of personal data and information is critical for individuals, organisations and governments. The Digital Personal Data Protection Act, 2023 ("DPDP Act") is a significant step by India in establishing a comprehensive legal framework to safeguard the personal data and rights of the Data Subjects while ensuring accountability of those who handle such data.

This article examines the penalty and adjudication mechanism under the DPDP Act, particularly Section 33 and Section 34, and considers their scope, implications and impact on stakeholders.

Section 33: Penalties

The provision outlines the cornerstone of the enforcement mechanism under the DPDP Act. It empowers the Data Protection Board of India to impose monetary penalties under the legislation in case of breach of the provisions of the DPDP Act. However, the provision uses the term "significant", that is, the Data Protection Board is empowered to impose monetary penalties upon determining a "significant" breach of the provisions of the DPDP Act.

Key Consideration: It is ambiguous whether this terminology means that penalties are triggered automatically by a violation of any and every provision of the legislation, or only by those violations deemed substantial enough to warrant punitive action.

Procedural Fairness in the Imposition of Penalty

One of the most striking features of the DPDP Act is its commitment to procedural fairness. In other words, before imposing any monetary penalty, the Data Protection Board provides the disputing parties the "opportunity of being heard." This provision is in consonance with the principles of natural justice, thus upholding Article 21 of the Constitution of India.

It prevents arbitrariness and gives organisations the chance to present mitigating factors. This opportunity allows individuals and organisations to explain the circumstances surrounding the alleged violations, which helps the Data Protection Board determine whether the violation actually occurred and whether a penalty would be appropriate in the given circumstances.

A Multi Factor Approach to Determine Penalty

Section 33(2) establishes a sophisticated framework for determining the penalty for a violation of the provisions of the legislation. The Data Protection Board must consider the following factors while calculating the appropriate penalties under the DPDP Act:

1. Nature, gravity and duration of the breach

This factor acknowledges that not all breaches are of the same intensity or equal in nature. A momentary technical oversight may receive lenient treatment, while deliberate and severe violations of core provisions are likely to face stricter penalties.

2. Type and nature of personal data affected

It is crucial to recognise the varying sensitivity of different categories of data. This provision allows for higher penalties when breaches involve particularly sensitive information, such as health records, financial data, or biometric identifiers, than when they involve non-sensitive personal data.

3. Repetitive nature of the breach

This factor creates escalating consequences for repeat offenders, incentivizing organizations to address root causes rather than treating penalties as a recurring business expense.

4. Financial gain or avoided loss

This pragmatic consideration ensures that violations cannot remain profitable even after penalties. When an organization profits from non-compliance, the Data Protection Board can factor this into the calculation of the penalties to eliminate the financial incentives for violations.

5. Mitigation efforts and their timeliness

This factor rewards responsible behavior following a breach. Organizations that promptly contain damage, notify affected individuals, and implement remedial measures may receive consideration for reduced penalties.

6. Proportionality and effectiveness of the penalty

This consideration balances deterrence with reasonableness. In other words, it ensures penalties achieve their purpose without being unnecessarily punitive. It recognizes that penalties must be substantial enough to deter future violations. However, they should not be so severe as to threaten the viability of an organisation.

7. Likely impact of the imposition of the penalty on the violator

This factor introduces an element of flexibility to adjust penalties based on the circumstances of the violation. A penalty that might be negligible for a multinational corporation could be devastating for a small startup or non-profit organization.

These factors establish a flexible framework for penalty determination. This framework encompasses considerations of the severity of the contravention, the nature of the personal data affected, any history of prior breaches, any financial benefits accrued or losses avoided by the entity due to the contravention, the remedial actions undertaken, the proportionality and efficacy of the penalty, and the likely impact of the penalty on the entity.

This approach facilitates the imposition of equitable penalties that are commensurate with the specific circumstances of each contravention and the entity involved.

Section 34: Crediting sums realised by way of penalties to Consolidated Fund of India

Section 34 is a crucial provision within the DPDP Act as it establishes that all penalties collected under the DPDP Act must be credited to the Consolidated Fund of India. This provision ensures transparency in the handling of penalty amounts. Furthermore, it eliminates the potential conflict of interest that might arise if the enforcement body is directly benefitting from the penalties it has imposed.

Implications for the Data Protection Board of India

The Data Protection Board might face several challenges in implementing the framework established under the DPDP Act including:

Development of consistent standards for "significant breaches."

Development and communication of clear approaches to weighing the above-mentioned factors to ensure fairness and transparency in calculating the penalties.

Calibration of the penalty amount so that it effectively discourages violations of the legislation without imposing unreasonable burdens, particularly on smaller entities.

Unlike the General Data Protection Regulation (GDPR) of the European Union, which specifies maximum penalties as percentages of global turnover, the DPDP Act relies on a Schedule of specified monetary penalties. This approach offers certainty about maximum exposure but may require periodic updates to maintain deterrent value amid changing economic conditions.

Our Opinion

Sections 33 and 34 of the DPDP Act establish a sophisticated framework for the imposition of the penalties and the adjudication mechanism under the legislation. The framework balances deterrence with proportionality and procedural fairness. By creating meaningful consequences for non-compliance while allowing consideration of circumstantial factors, these provisions aim to foster a culture of data protection without imposing unreasonable burdens.

For organizations, the message is clear - investing in robust data protection practices is no longer optional but a financial imperative. For regulators, these provisions provide powerful tools to enforce compliance.

Once the legislation is implemented, stakeholders will closely watch how the Data Protection Board interprets and applies these provisions. The effectiveness of this framework will ultimately depend not just on the letter of the law but on the Data Protection Board's ability to balance firmness with fairness in its adjudication practices.
