The DPDP Bible: Penalties
A Project By Meridian Bridge Strategy

DPDP Penalty Schedule

Sushant Pasumarty

Founder & CEO, Meridian Bridge Strategy

₹10,000 to ₹250 Crores. Every violation, every fine, every consequence.

Enforcement: May 13, 2027

The Numbers

Complete DPDP Penalty Schedule

| Violation | Section | Maximum Penalty | Example |
|---|---|---|---|
| Failure to take reasonable security safeguards | Section 8(5) | ₹250 Cr | Data breach due to unencrypted storage, no access controls |
| Failure to notify Data Protection Board of breach | Section 8(6) | ₹200 Cr | Not reporting breach within 72 hours |
| Failure to notify affected Data Principals | Section 8(6) | ₹200 Cr | Not informing users their data was compromised |
| Obligations relating to children's data | Section 9 | ₹200 Cr | Processing minor's data without verifiable parental consent |
| Non-compliance by Significant Data Fiduciary | Section 10 | ₹150 Cr | Large platform failing DPO, audit, or DPIA requirements |
| General non-compliance (consent violations, etc.) | Section 8 | ₹50 Cr | Sending marketing without consent, bundled consent, no deletion mechanism |
| Data Principal providing false information | Section 15 | ₹10,000 | Individual filing false complaints or providing fake data |

Critical Note

These penalties are per violation, not per company. If a breach exposes 10 lakh users and you failed to notify each one, the Board can treat this as multiple violations. The law makes no distinction based on company size or turnover.

Real Cases

What These Penalties Look Like in Practice

Verified: Domino's India Breach (2021)

In 2021, Domino's India suffered a massive data breach exposing 18 Crore orders. Names, phone numbers, email addresses, delivery locations, and payment details were dumped on the dark web. A searchable database was even made publicly accessible.

The Fallout

Customer data was publicly searchable by phone number. Jubilant FoodWorks faced massive backlash. At the time, India had no dedicated data protection law.

Under DPDP, this breach would attract:

  • ₹250 Cr — Failure to take reasonable security safeguards (Section 8(5))
  • ₹200 Cr — Failure to notify Board AND affected users (Section 8(6) — one obligation, one penalty)
  • Total potential exposure: ₹450 Crores

MobiKwik (2021) — The Denial Problem

Data of 11 Crore users — including KYC documents, Aadhaar cards, and payment records — was allegedly leaked. MobiKwik initially denied the breach entirely.

Under DPDP, denial would add ₹200 Crores in penalties for failure to notify — on top of the breach itself. The law requires notification to both the Board and affected users. Silence is not an option.

Supreme Court: "Theft" (Feb 2026)

CJI Surya Kant told Meta: "You are committing theft." Not "data misuse." Not "privacy violation." Theft.

"A decent way of committing theft of private information"

"A mockery of the constitutionalism of this country"

"Cannot play with the right to privacy in the name of data sharing"

Meta walked in to fight the ₹213 Cr fine. Walked out agreeing to comply by March 16. No fight. No stay. Full implementation.

That word — "theft" — now lives in every privacy case that follows. Including yours.

The Hidden Risk

The ₹249.75 Crore Gap

A Real Contract I Saw Last Week

A founder showed me a DPDP software contract. ₹12 Lakhs per year for "complete compliance."

Vendor's Maximum Liability: ₹25 Lakhs (capped in fine print)

Your DPDP Exposure: ₹250 Crores (per violation)

The Gap: ₹249.75 Crores

That's your problem. Not theirs.

Sushant Pasumarty

Sushant has built and sold products in identity verification, cybersecurity, and e-commerce at IDfy, CyberArk, and Cyware. Master's from IE Business School, Computer Science from BITS Pilani.

Know Your Actual Penalty Exposure.

We map your specific stack to DPDP penalty exposure. Free 30-minute clarity call — your risks quantified, not generalized.
