Davis Kanjamala, Vaishnavi Viswanathan, Viswanathan G 
The Viewpoint

Compensating the data principal - Navigating DPDP’s blind spot

The DPDP Act appears to have missed its mark with the omission of a statutory compensation right for affected individuals.

Part I of this series established a sobering reality. The Digital Personal Data Protection (‘DPDP’) Act (‘the Act’) offers the aggrieved Data Principal no direct compensatory path. Under the current framework, penalties are credited to the Consolidated Fund of India. However, while the statutory road may be narrow, it is not a dead end.

The Section 31 leverage: Restitution through negotiated settlements

Before looking beyond the four corners of the Act, one internal mechanism warrants closer scrutiny. Section 31 of the Act provides that if the Board is of the opinion that a complaint may be resolved by mediation, it may direct the parties to attempt resolution through a mutually agreed mediator or as provided under existing Indian law.

In the neutral space of mediation, the parties are free to contract for direct financial restitution. This renders Section 31 the sole provision within the DPDP framework through which a Data Principal might realistically secure individual monetary relief.

Admittedly, this remedy is contingent upon the Board’s willingness to refer the matter, the fiduciary’s appetite for negotiation, and the inherent power asymmetries of an unrepresented individual facing a corporate behemoth. Nevertheless, it represents a vital window and should be the first port of call before a practitioner commits their client to the rigors of external litigation.

Anchoring redress in external frameworks

Beyond Section 31 of the Act, the quest for compensation necessitates a departure from the Act altogether. Yet, the DPDP Act does not become irrelevant the moment one steps outside its immediate jurisdiction. On the contrary, its statutory obligations now serve as the benchmark for the standard of care expected of Data Fiduciaries. To secure the redress that the statute declines to provide, practitioners must look to anchor the Act's requirements to three specific pillars:

  • The Law of Torts: Leveraging the torts of negligence and breach of confidence.

  • Consumer Protection: Treating data infractions as a "deficiency in service" under the Consumer Protection Act.

  • Constitutional Tort: Invoking writ jurisdiction for fundamental rights violations where the breach involves state action or public functions.

The following sections analyze how these external pathways can be strategically fused with the DPDP Act to bridge the compensatory gap.

Common law remedies: The general framework

In the absence of a statutory right to compensation, the burden of redress shifts to the established principles of the common law. The American jurist William Prosser organised the landscape of privacy torts into four categories that are arguably the most systematic taxonomy available:

  1. Unreasonable intrusion upon the seclusion of another;

  2. Appropriation of another's name or likeness;

  3. Unreasonable publicity given to the other's private life; and

  4. Publicity that unreasonably places the other in a false light before the public.

As Indian civil courts will likely see more privacy-related claims in the days to come, we anticipate increased references to the Prosser framework and judicial developments in its application to domestic tort law.

Till then, negligence and breach of confidence remain the most widely recognized independent causes of action for a data breach victim. They are not exhaustive - other tortious causes of action may be relevant depending on the specific facts. However, negligence and breach of confidence translate most naturally to the data fiduciary relationship, and they connect most directly to the DPDP Act's own statutory obligations in a way that a plaintiff can use to their advantage.

The nexus between the Act and tortious causes of action rests upon a symbiotic legal theory. While the Act prescribes rigorous obligations for data fiduciaries, it remains conspicuously silent on a mechanism for civil redress. Conversely, though the common law offers a robust machinery for compensatory remedies, it often lacks a codified, modern standard of care against which a fiduciary’s technical omissions can be measured.

By integrating these two spheres, we resolve a critical doctrinal deficit. The DPDP Act functions as the normative anchor, establishing the contemporary standard of conduct; the common law then provides the procedural vehicle for recovery. While this jurisdictional bridge has yet to be tested in Indian courts, it represents the most coherent framework for addressing data harms.

Navigating the jurisdictional bar

A significant threshold challenge lies in Section 39 of the Act, which ousts the jurisdiction of civil courts over matters the Board is empowered to decide and prohibits courts from granting injunctions against actions taken under the Act. To survive a challenge under Section 39 of the Act, a plaintiff must clearly distinguish their suit as a claim for damages or restitution (reliefs the Board is not empowered to grant) rather than a mere adjudication of a statutory contravention. By framing the Act as the source of the "standard of care" rather than the cause of action itself, practitioners can argue that the civil suit is an independent proceeding in tort that does not usurp the Board's regulatory functions.

The valuation vacuum: Quantifying non-pecuniary harm

Additionally, both negligence and breach of confidence encounter a formidable obstacle - the quantification of non-pecuniary harm. While the judicial path is straightforward where a breach causes direct financial loss, Indian privacy litigation lacks a settled formula for valuing emotional distress or the "loss of control" over personal data. Consequently, until a clear precedent emerges, the assessment of damages will likely remain a matter of significant judicial discretion.

Consumer commissions: Redress for deficiency in service

The Consumer Protection Act (‘CPA’), 2019, provides a significant statutory framework for individual redress that operates alongside the DPDP Act. Section 100 of the CPA explicitly clarifies that its provisions are in addition to, and not in derogation of, any other law. This suggests a concurrent jurisdictional model: while the Data Protection Board (‘DPB’) addresses regulatory compliance and systemic breaches, Consumer Commissions remain empowered to adjudicate contractual deficiency and individual grievances arising from the same facts.

Since the DPB’s primary mandate is regulatory enforcement rather than individual compensatory restitution, a claim for "deficiency in service" may be positioned as a distinct cause of action.

Deficiency in service and the scope of mental agony

The CPA allows for recovery on the grounds of "deficiency in service", a broad category that effectively captures the failure of a service provider to implement necessary security safeguards. One notable feature of Consumer Commissions is their relative expertise in quantifying non-pecuniary harm, which is often the primary form of injury in data breach cases where direct financial theft has not yet occurred.

The consideration challenge: Re-evaluating digital barter

The primary hurdle in this forum involves the requirement of "consideration." Many digital platforms are likely to contend that users of "free" services do not qualify as "consumers" under the CPA. However, this characterization ignores the economic reality of the data-driven market. It can be argued that in modern digital ecosystems, personal data serves as a form of digital currency.

Constitutional remedies

Where the data fiduciary qualifies as a "State" or an "instrumentality of the State" under Article 12, a data breach transcends statutory non-compliance and becomes a constitutional default.

The judicial foundation: Privacy as a fundamental right

The constitutional argument is grounded in an evolving lineage of privacy jurisprudence, which arguably found its definitive expression in the decision of KS Puttaswamy v. Union of India. This allows a petitioner to argue that a State-led breach is not just a failure of "reasonable security safeguards" under the DPDP Act, but a direct infringement of a protected constitutional interest.

The remedial power: Public law damages

While the DPDP Act focuses on administrative penalties, Constitutional Courts possess the inherent power to award public law damages. In the context of a "State" data breach, a writ petition can bypass the remedial silence of the DPDP Act to secure direct compensation for the victim.

Strategic limitations

Despite its potency, the constitutional approach is governed by several critical constraints that the practitioner must navigate. First, the Article 12 threshold limits maintainability to "State" entities, which would exclude a vast number of breaching parties. Second, courts may direct petitioners to first exhaust alternative remedies available – including those under the DPDP Act. Finally, practitioners must contend with the inherent limits of writ jurisdiction, as Constitutional Courts typically exhibit a marked reluctance to engage in the fact-intensive inquiries necessary to prove complex data breaches.

Bottom line

The DPDP Act was a genuine opportunity to build a privacy framework that placed the data principal at its centre. That appears to have been missed with the omission of a statutory compensation right for affected individuals. Until the Parliament revisits this, practitioners must now creatively explore the existing legal framework to help secure the remedies their clients deserve.

About the authors: Vaishnavi Viswanathan and Davis Kanjamala are Partners and Viswanathan G is a Director at Viswanathan & Associates.

Disclaimer: The opinions expressed in this article are those of the author. The opinions presented do not necessarily reflect the views of Bar & Bench.
