✓ Link copied
DPDPA 2023 Compliance

How News Media Houses Can Avoid Section 33 DPDPA Penalties Up to ₹250 Crore

Applies toNews Media Houses, Photojournalism Studios & Wire Services Operating in India
Primary lawDPDPA 2023 · Section 33
Penalty ceiling₹50 crore to ₹250 crore depending on violation category
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

Understanding Section 33: The DPDPA Penalty Framework

Section 33 of the Digital Personal Data Protection Act, 2023, establishes the penalty schedule that governs enforcement against data handlers. The Data Protection Board of India (DPBI) imposes penalties after inquiry, considering specific factors. As set out in Section 33(2), the Board examines:

The nature and gravity of the violation, its duration and repetition, any financial gain made by the entity, and available mitigating circumstances.

For news media and photojournalism operations, understanding this framework is critical because the penalty ceilings vary by violation type:

  • Up to ₹250 crore for failures in implementing security safeguards (Section 4)
  • Up to ₹200 crore for failures in breach notification (Section 6) or violations involving children’s data (Section 9)
  • Up to ₹150 crore for failures as a Significant Data Fiduciary or for consent and purpose-limitation violations
  • Up to ₹50 crore for all other violations

The highest-risk category for media organizations is security-safeguard failures, which occur when storing photographer credentials, journalist contacts, or sensitive editorial metadata without adequate encryption or access controls.

Step 1: Identify Which Penalty Category Applies to Your Operation

The first step is to map your organization to the Section 33 penalty schedule. Ask yourself:

  1. Do you store personal data as a news publisher or photojournalism studio? (Yes = You are a data processor or potentially a Significant Data Fiduciary)
  2. Have you suffered a data breach involving journalist credentials, source lists, or freelancer contact details? (Yes = Section 6 breach-notification failure, up to ₹200 crore)
  3. Do you collect parental consent for photo publication of minors or verification of juvenile contributors? (Yes = Section 9 compliance is critical; violations trigger ₹200 crore ceiling)
  4. Do you maintain legitimate-use grounds (editorial freedom, public interest) without explicit consent? (Yes = Section 5 legitimate-use claims must be defensible; failure triggers ₹150 crore consent-related ceiling)

Your answers determine the maximum penalty your organization faces under Section 33. Security failures top the scale; notification and Section 9 failures tie at ₹200 crore; consent and SDF failures sit at ₹150 crore.

Step 2: Assess Your Current Security Posture Against Section 4 Standards

Section 33(2) directs the DPBI to consider “nature and gravity” of violations. Security safeguards are the most heavily weighted factor because Section 4 mandates reasonable technical and organizational measures—encryption, access controls, audit logs, and incident response.

For a media house or photojournalism studio, audit your current state:

  1. Data inventory: Do you have a documented list of all personal data you collect (journalist names, source phone numbers, freelancer tax details, client contact information)?
  2. Encryption status: Is data encrypted at rest? Are passwords hashed with modern algorithms (bcrypt, Argon2)? Are database backups encrypted?
  3. Access controls: Can any staff member access all journalist or photographer records, or is access role-based (editors can view contributor data, accountants cannot)?
  4. Audit logging: Do your systems log who accessed what data, when, and from which IP address? Can you retrieve these logs if the DPBI subpoenas them?
  5. Incident response plan: Do you have a written plan for detecting, containing, and notifying stakeholders of a breach?

If you answer “no” to three or more, your organization is exposed to the maximum ₹250 crore penalty if a breach occurs.

Step 3: Implement Breach Notification Protocols (Section 6 Alignment)

Section 33 penalties for breach-notification failures (up to ₹200 crore) apply when:

  • A breach occurs and you do not notify affected individuals within 30 days, or
  • You do not notify the DPBI within 72 hours of discovery

News media organizations often downplay security incidents for reputational reasons—this is a critical compliance error under Section 33(2), which treats “duration” and “repetition” as aggravating factors.

Create a written breach-notification protocol with these elements:

  1. Incident discovery trigger: Define what counts as a breach (unauthorized access to journalist credentials, loss of a device with story notes, ransomware attack, etc.)
  2. Internal escalation chain: Designate who (CTO, Editor-in-Chief, Legal) must be notified immediately
  3. Timeline: Set a hard deadline for DPBI notification (72 hours) and individual notification (30 days)
  4. Notification template: Prepare a template email/SMS that includes:
    • What data was affected (names, phone numbers, email addresses, etc.)
    • When the breach occurred and when it was discovered
    • What measures you are taking to remediate
    • Contact details for questions
  5. Documentation: Log the breach, notification dates, and recipient responses in a file retained for DPBI inspection

The DPBI will examine these records if you face an inquiry. Proof of timely, clear notification substantially reduces penalties under Section 33(2)‘s “mitigation” factor.

For news media, the tension is acute: editorial freedom permits publication of journalist names and sources without explicit consent, but only within a genuine public-interest frame. DPDPA Section 5 allows legitimate use without consent if it aligns with the stated purpose and reasonable expectations.

To defend against consent-related penalties (up to ₹150 crore under Section 33):

  1. Document your legitimate-use policy: Write a 1-2 page policy stating that your organization collects and publishes personal data (journalist names, bylines, photographer credits) for legitimate purposes of editorial reporting, attribution, and public accountability.
  2. Link each data collection to a stated purpose: When you hire a freelancer, note that their name will appear in bylines (purpose: editorial attribution). When you collect a source’s phone number, note that it is used only for story research (purpose: editorial research; shared with no third party).
  3. Create a dissent log: If a journalist or freelancer objects to their name being published, document the objection and the outcome. If you overrode the objection (e.g., “public figure, editorial necessity”), record your reasoning.
  4. Define “public interest” narrowly: “Public interest” is not a blanket exemption. The DPBI will scrutinize whether publication of a freelancer’s email address in a public directory truly served public interest or whether it was a secondary business purpose (lead generation). Keep this line clear in writing.

This documentation will be the first thing the DPBI reviews if a journalist or freelancer files a complaint alleging wrongful processing. Your legitimate-use grounds must be defensible in writing.

Step 5: Establish a Data Governance Framework

The DPBI considers “repetition” and “duration” under Section 33(2). If your organization violated the DPDPA repeatedly over months—e.g., repeatedly failing to honor photo-removal requests or repeatedly publishing photographer contact details without consent—penalties will be higher.

Implement a governance framework to prevent repetition:

  1. Assign accountability: Designate a Data Protection Officer or compliance lead responsible for DPDPA adherence. The DPBI will want to know this person exists and is empowered.
  2. Create a data-removal process: When a photographer or journalist requests deletion of their profile or contact data, log the request, implement the deletion within 30 days, and confirm completion to the requester.
  3. Conduct quarterly audits: Review your systems quarterly for unauthorized data flows (e.g., journalist lists accidentally shared with marketing vendors), missing consent records, or unencrypted sensitive data.
  4. Train staff: Brief your editorial, technical, and HR teams annually on DPDPA obligations. Document this training.
  5. Maintain a compliance calendar: Track key DPDPA dates—consent expiry, breach notification windows, DPBI inquiry deadlines—in a shared calendar.

Proof of systemic governance will help you negotiate a lower penalty if you do face an inquiry. Section 33(2) explicitly considers “mitigating circumstances,” and a functioning governance framework is one.

Step 6: Prepare for a Data Protection Board Inquiry

If the DPBI issues a show-cause notice, they are asking: “Why should we not impose penalties under Section 33?” This is your opportunity to present evidence of compliance or mitigation.

  1. Organize your evidence files: Prepare folders with:
    • Breach notifications sent (with timestamps)
    • Consent records (signed journalist agreements, freelancer contracts)
    • Legitimate-use policy documentation
    • Audit logs or security certifications (ISO 27001, SOC 2)
    • Training records
    • Governance framework (DPO charter, data-removal logs, quarterly audit reports)
  2. Understand the aggravating factors: The DPBI will weigh:
    • Did you gain financial benefit from the violation? (E.g., sold journalist contacts to a vendor? That aggravates the penalty.)
    • Was the violation intentional or negligent? (Negligence = lower penalty; recklessness = higher)
    • Did you attempt remediation after discovering the breach? (Yes = mitigating factor)
  3. Prepare a mitigation statement: If penalties are likely, submit a written statement explaining:
    • The root cause of the violation (e.g., legacy system with no encryption)
    • Steps already taken to remediate
    • Timeline for full remediation
    • Any financial hardship the maximum penalty would cause (the DPBI may consider this under Section 33(2))
  4. Consider engaging external counsel: A data protection lawyer can negotiate with the DPBI and present your evidence more effectively than in-house staff.

The DPBI does not always impose the maximum penalty. If you can show good-faith effort toward compliance, Section 33(2)‘s mitigation factors may reduce your liability significantly.

Frequently Asked Questions

Q: Can a news outlet avoid Section 33 penalties by claiming editorial privilege?
A: Editorial privilege does not override DPDPA obligations. While Section 5 permits legitimate use (including editorial publication) without consent, this does not exempt you from security safeguards (Section 4) or breach-notification requirements (Section 6). If you suffer a breach and fail to notify within 72 hours, you face Section 33 penalties even if the breached data was originally collected for legitimate editorial purposes. Section 33(2) will not treat privilege as a mitigating factor for notification delays.

Q: What is the penalty if my photojournalism studio loses a laptop with freelancer tax details?
A: If the laptop data was unencrypted, this is a Section 4 security-safeguard failure, triggering up to ₹250 crore. If you detect the loss and notify the DPBI within 72 hours and affected freelancers within 30 days, Section 33(2) mitigation factors may apply, reducing the penalty. However, if you delay notification or attempt to cover up the breach, the penalty will be closer to the ₹250 crore ceiling.

Q: Does Section 33 allow installment payments for large penalties?
A: The DPDPA text does not specify installment options; Section 33 imposes penalties as a lump sum after DPBI inquiry. However, if you negotiate with the DPBI and demonstrate financial hardship, they may consider suspending or reducing the penalty under Section 33(2) mitigation factors. This is not guaranteed. Engage legal counsel early if facing a large penalty notice.

Q: If I have a breach but notify within the 72-hour window, am I automatically safe from Section 33 penalties?
A: Timely notification is one mitigation factor but not an automatic shield. If the breach resulted from negligent security (unencrypted databases, weak passwords, no access controls), the DPBI can still impose penalties for the underlying Section 4 violation. Notification mitigates the Section 6 breach-notification penalty (up to ₹200 crore) but does not erase the Section 4 penalty (up to ₹250 crore). You must address both security and notification to minimize risk.

Q: What if I am a small news publication with 10 staff and limited IT resources?
A: The DPDPA applies to all data handlers, regardless of size. However, Section 33(2) considers “nature and gravity” and “mitigating circumstances.” A small publication’s inability to afford enterprise-grade security tools may factor into the DPBI’s assessment. Document your good-faith efforts—basic encryption, access controls, incident response—and your resource constraints. The DPBI may impose a lower penalty on a small operator than on a large media conglomerate for the same violation, but you are not exempt from compliance. Prioritize security safeguards and breach notification above all else.

Section 33 DPDPA penaltiesNews media data protection IndiaPhotojournalism DPDPA complianceMedia house breach notificationData Protection Board India penaltiesDPDPA security safeguard requirementsJournalist data breach liability
VERIFIED DPDPAReady Editorial Desk 3 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →