Data Privacy Breach | Enforcement | Penalties under the DPDP Act

Blog | Company Law | By Taxmann | Last Updated on 4 May, 2025

Data Privacy Breach

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), a data privacy breach, referred to as a "personal data breach," is defined as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability. This includes incidents such as cyberattacks, accidental data leaks, misconfigured databases, or insider misuse that expose, alter, or restrict access to personal data without lawful authority.

Table of Contents

  1. What Constitutes a “Personal Data Breach”?
  2. Mandatory Personal Data Breach Notification – Section 8(6)
  3. Data Protection Board of India – Powers
  4. Penalty Grid (Schedule)
  5. Voluntary Undertaking (VU) – Section 32
  6. Alternative Dispute Resolution (ADR)
  7. Case‑Study Simulation
  8. Criminal Liability
  9. Insurance & Mitigation
  10. Conclusion

1. What Constitutes a “Personal Data Breach”?

Section 2(u) –

“…any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises confidentiality, integrity or availability of personal data.”

Examples –

  • Ransomware encrypts the payroll server → loss of availability.
  • Misconfigured S3 bucket exposes KYC PDFs → disclosure.
  • Insider copies customer list to personal drive → unauthorised acquisition.

2. Mandatory Personal Data Breach Notification – Section 8(6)

Element | Requirement | Draft Rule Expectation*
Notify DPB | "As soon as practicable" | Email + online form within 72 hrs; include root‑cause & containment.
Notify Affected Data Principals | In form and manner as may be prescribed | Direct email/SMS for high‑risk breaches; public notice if contacts are unavailable.
Form & Manner | To be prescribed | JSON schema + incident‑report template.

*MEITY consultation draft, Jan 2025.

Tip – Maintain a 24×7 incident‑response team with the authority to file notifications without a board bottleneck.


3. Data Protection Board of India – Powers

Power | Statutory Basis | Practical Effect
Inquiry | | Issue notice, demand documents, summon officers.
Civil‑court powers | Sec 28(7) | Compel attendance, discovery, examination under oath.
Search & seizure | | Seize servers, drives.
Monetary penalties | Schedule | Impose up to ₹250 crore per breach.
Voluntary Undertaking | Sec 32 | Accept the corrective plan; suspend the inquiry unless the undertaking is breached.
Power of Central Government to issue directions (block public access to any information) | Sec 37 | Advise the Govt to block the offending platform in cases of extreme, repetitive breach.

As per Sec 29(2), the Board's orders can be appealed to the TDSAT within 60 days, with further appeal to the Supreme Court.


4. Penalty Grid (Schedule)

Violation | Maximum Fine (₹)
No "reasonable security safeguards" → breach | 250 crore
Breach, but no timely notification | 200 crore
Children's provisions violated | 200 crore
SDF additional duties flouted | 150 crore
Any other DPDP breach | 50 crore
Frivolous complaint by an individual | 10,000

While determining the amount of the monetary penalty, the DPB must consider the following factors, namely:

  • The nature, gravity and duration of breach
  • The type and nature of personal data affected by breach
  • Repetitive nature of breach
  • Whether the person has realised a gain or avoided any loss as a result of the breach
  • Whether the person took any action to mitigate the effects and consequences of the breach
  • Whether the monetary penalty to be imposed is proportionate and effective

5. Voluntary Undertaking (VU) – Section 32

  • A Fiduciary under inquiry can proffer a VU (e.g., upgrade encryption, hire a CISO, undergo an audit).
  • The DPB may accept it; the inquiry is then paused.
  • Breach of the VU = fresh proceeding + the penalties attached to the original violation.

A VU is beneficial where fault is admitted and speedy remediation is achievable.

6. Alternative Dispute Resolution (ADR)

The DPB may refer certain disputes to mediation (Sec 34); expect this to be used for low‑value grievances or first‑time offences, reducing the litigation load. A mediated settlement is binding but still reportable in the compliance history.

7. Case‑Study Simulation

Scenario – FinTech ABC loses 1 million Aadhaar scans via a compromised API.

Timeline –

  1. T + 0h – SOC detects exfiltration.
  2. T + 6h – ABC triggers its IRP, disables the API, and quantifies the scope.
  3. T + 30h – Notifies the DPB + users, offers 12‑month credit monitoring.
  4. The DPB opens an inquiry, sees the prompt actions; ABC submits a VU (third‑party audit + bug bounty).
  5. The DPB accepts the VU; imposes a token ₹5 crore fine for the lapse, contingent on audit completion.

Prompt breach handling sliced potential exposure (₹250 crore) down to a manageable level.
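A breach‑notification tracker modelled on the Section 8(6) table and the FinTech ABC timeline above (added example, not from the Taxmann article). It assumes the 72‑hour DPB window is the draft‑rule expectation the page cites rather than statutory text, and the report field names are constructed for illustration.

```python
# Added example (not from Taxmann's article): a breach-notification tracker
# modelled on the page's Section 8(6) table and the FinTech ABC case study.
# Assumptions: the 72-hour DPB window is the draft-rule expectation the page
# cites, not statutory text; the report field names are constructed here.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)
# The page says the DPB filing should carry root cause and containment;
# the scope fields are added for the affected-principal notice.
REQUIRED_FIELDS = ("root_cause", "containment", "data_categories", "principals_affected")
CIA = {"confidentiality", "integrity", "availability"}

@dataclass
class BreachRecord:
    detected_at: datetime
    impact: frozenset                      # subset of CIA, per Section 2(u)
    report: dict = field(default_factory=dict)
    dpb_notified_at: datetime | None = None
    principals_notified_at: datetime | None = None

def is_personal_data_breach(rec):
    """Section 2(u) test: at least one of C/I/A of personal data is compromised."""
    return bool(rec.impact & CIA)

def missing_fields(rec):
    return [f for f in REQUIRED_FIELDS if not rec.report.get(f)]

def notification_status(rec, now):
    """Hours left against the 72h window (negative = overdue) and whether
    the DPB filing, if made, fell inside it."""
    deadline = rec.detected_at + NOTIFY_WINDOW
    filed = rec.dpb_notified_at
    return {
        "hours_remaining": (deadline - now) / timedelta(hours=1),
        "dpb_on_time": None if filed is None else filed <= deadline,
        "principals_notified": rec.principals_notified_at is not None,
        "report_complete": not missing_fields(rec),
    }

def case_study():
    """The page's timeline with constructed timestamps: detect T+0, notify T+30h."""
    t0 = datetime(2025, 5, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(
        detected_at=t0, impact=frozenset({"confidentiality"}),  # exfiltrated scans = disclosure
        report={"root_cause": "compromised API", "containment": "API disabled at T+6h",
                "data_categories": ["Aadhaar scans"], "principals_affected": 1_000_000},
        dpb_notified_at=t0 + timedelta(hours=30), principals_notified_at=t0 + timedelta(hours=30))
    return notification_status(rec, now=t0 + timedelta(hours=30))
```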

8. Criminal Liability

The DPDP Act does not impose imprisonment. However, separate penal statutes (such as the IPC and IT Act Sec 66) may still apply to malicious insiders or hackers.

9. Insurance & Mitigation

  • Cyber‑risk policies in India now expressly include DPDP fines (insurable as “civil penalty”, subject to public‑policy exceptions).
  • Insurers demand ISO 27001 certification, tabletop breach drills, and a vendor‑assessment program.

10. Conclusion

Robust preventative security remains the first line of defence, but when incidents occur, speed, transparency and cooperation with the DPB greatly mitigate the financial and reputational fallout.
