

The enactment of the Digital Personal Data Protection Act, 2023 marked a significant turning point in Indian privacy jurisprudence. Six years after the Supreme Court unanimously recognised privacy as a fundamental right in Justice KS Puttaswamy v. Union of India, India finally had a dedicated legislative framework governing the processing of personal data. The Act imposes obligations on data fiduciaries, grants data principals rights of access and erasure, and creates a Data Protection Board empowered to impose penalties reaching INR 250 crore. As the regulatory dust settles and the Data Protection Board (DPB) prepares to open its digital doors, litigators are waking up to a harsh reality. The DPDP Act is a phenomenal tool for state revenue and corporate deterrence, but it is a profoundly defective instrument for victim remediation.
A data principal, the individual whose personal data is collected, processed, and potentially exposed, cannot sue a data fiduciary for compensation. There is no statutory right to damages. Every rupee in penalties flows to the Consolidated Fund of India [Section 34, DPDP Act]. Whether the fiduciary's negligence results in devastating financial identity theft via leaked KYC documents, the profound social stigma of exposed medical records, or the terrifying reality of being stalked due to compromised location data, the statutory outcome is the same: the State enriches its coffers with multi-crore penalties, while the citizen whose data has been breached bears the financial and emotional costs of the fallout alone.
To understand the sheer magnitude of this conundrum, we must first look at what the DPDP Act left behind.
For over a decade, civil remedies for data breaches were available through Section 43A of the Information Technology Act, 2000, read with the Sensitive Personal Data or Information Rules of 2011. Section 43A was fundamentally compensatory: it imposed direct liability on any body corporate that was negligent in maintaining reasonable security practices, thereby causing wrongful loss or gain. It was a statutory acknowledgement that the data breach victim had a personal injury worthy of individual redress, not merely a regulatory wrong deserving state penalty.
The SPDI Rules gave the provision operational content. They defined what categories of data attracted the heightened duty of care — passwords, financial information, health data, sexual orientation, and biometrics. The framework was imperfect, but it was, at minimum, a genuine compensatory mechanism.
Section 44(2)(a) of the DPDP Act, 2023, repeals Section 43A. In its place, it substitutes a purely penal framework under which the Data Protection Board can impose significant financial penalties on non-compliant fiduciaries - all of which flow to the state. The victim has been written out of the remedial equation entirely.
The contrast with the European General Data Protection Regulation is highly instructive. Article 82 of the GDPR establishes an explicit statutory right to compensation, ensuring that any person who has suffered material or non-material damage due to an infringement has the right to receive compensation from the responsible controller or processor. The provision is directly effective, and explicitly covers non-material damage. This standard recognises a fundamental truth about the nature of privacy violations: the primary harm is frequently dignitary and psychological rather than financial.
India's drafters were not ignorant of the GDPR standard.
The Justice Srikrishna Committee's 2018 report, which formed the basis for earlier drafts of the Personal Data Protection Bill, recommended a robust compensatory remedy for data principals. The framework even detailed specific factors for deciding the quantum of compensation, heavily mirroring the criteria used for calculating penalties.
These proposed factors included:
The nature, duration, and extent of the compliance failure.
The nature and extent of the harm suffered by the individual.
Whether the violation was intentional or negligent.
The fiduciary's transparency, data protection policies, and efforts to mitigate the damage.
Any unfair financial gain or advantage acquired by the fiduciary.
The repetitive nature of the default and the sensitivity of the personal data involved.
Despite this comprehensive groundwork, the recommendation for a compensatory remedy did not survive into the final Act. Given the extensive deliberation in the Srikrishna Committee report, it can be ostensibly argued that this omission is not a mere legislative oversight.
The Personal Data Protection Bill, 2019, which preceded the DPDP Act, carried these recommendations forward into draft legislative form. Clause 64 of the Bill empowered the Data Protection Authority to award compensation to the data principal and specified the factors for determining the quantum. This clause was ultimately excluded from the final version of the Act. Given the breadth of deliberation that preceded this outcome, the omission is a considered legislative choice.
This statutory gap has far-reaching consequences. The penal-only approach creates a severe chilling effect on grievance redressal.
A data principal who files a complaint before the Board must engage counsel, gather and preserve digital evidence, potentially commission technical audits, and sustain an adjudicatory process of uncertain duration. When the ultimate victory results only in a penalty deposited into the Consolidated Fund, the complainant is left bearing their own legal costs while remaining wholly uncompensated for their actual injury. The financial and operational burdens far exceed any intended advantages. Once the element of personal benefit is stripped away, enforcement becomes a function of the Board's willingness to act suo motu — a power that regulators globally exercise sparingly and unpredictably.
The chilling effect is compounded for victims who seek to supplement a Board complaint with a civil law remedy. A data principal must additionally navigate uncodified legal doctrine, engage expert witnesses on cybersecurity standards, and endure the delays of the civil courts - all while the DPDP Act's repeal of Section 43A has stripped away the statutory benchmarks that would have anchored such a claim. The result is what can only be described as a two-front legal war: a regulatory proceeding before the Board from which the complainant derives no financial benefit, running concurrently with a civil suit from which they may eventually derive some benefit after years of proceedings and substantial expenditure.
The ordinary data principal - a salaried employee whose medical records were leaked, a student whose identity documents were exposed, a woman whose photographs were misused - cannot sustain this burden. Only the well-resourced or the exceptionally determined will litigate at all. Consequently, when the vast majority of victims are priced out of the grievance process, data fiduciaries are left operating in a functional vacuum of accountability. Without the persistent threat of widespread, citizen-led enforcement, companies face little practical pressure or financial incentive to proactively invest in robust data security.
Under the current legislative framework, the remedies available to an aggrieved data principal offer a largely hollow victory - the satisfaction of corporate penalization without the substance of personal repair. Yet, the pursuit of justice for data subjects cannot simply end at the doors of the Data Protection Board. In the face of this statutory void, litigators must navigate outside the four corners of the Act. In the next part of this series, we will examine the surviving legal landscape and explore the alternative redress avenues and common law remedies that can still be leveraged to secure meaningful compensation for victims of data breaches.
About the authors: Vaishnavi Viswanathan and Davis Kanjamala are Partners and Viswanathan G is a Director at Viswanathan & Associates.
Disclaimer: The opinions expressed in this article are those of the author. The opinions presented do not necessarily reflect the views of Bar & Bench.