Compensation under The DPDPA, 2023 is Needed.



Introduction

India's Digital Personal Data Protection Bill was introduced in 2022 and became the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the ‘DPDP Act’) after being approved by both houses of Parliament and receiving the President’s assent in August 2023; the Act is yet to be implemented. It applies to personal data collected in digital form or data that is later converted into digital form. Its primary aim is to protect the personal information of individuals and to hold organizations accountable for managing large amounts of such data, especially those with online operations and mobile apps.

Prior to the DPDP Act and at present, the only legal framework addressing digital data privacy issues is the Information Technology Act, 2000 (hereinafter referred to as the ‘IT Act’) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the ‘IT Rules’). The DPDP Act is intended to replace Section 43A of the IT Act and the Rules made under it.

Section 43A of the IT Act, along with the related rules, provides for compensation to individuals affected by the negligence of a company in handling sensitive personal data. It states that if a company which owns, controls, or operates a computer resource containing sensitive personal data fails to maintain reasonable security measures and thereby causes a breach, it is liable to pay compensation to the affected person. The DPDP Act, however, does not include such a provision for compensation. Instead, it imposes penalties for non-compliance with the DPDP Act.

This paper advocates for the introduction of provisions compensating individuals affected by Data Breaches by way of a dedicated fund. Before addressing the issue of victims being left without remedies, it is important to first understand what a Data Breach is.

Data Breach - a brief overview

Data is crucial for organizations as it helps them understand customers better and make informed decisions. However, as data becomes more valuable to businesses, it also becomes a target for cybercriminals who want to exploit it for malicious purposes.

A Data Breach occurs when information is stolen or accessed without the owner’s consent. This can involve sensitive data, such as credit card details, customer information, trade secrets, or national security matters. A breach exposes confidential data to unauthorized individuals, who may view or share it without consent. A Data Breach can affect anyone, from individuals to large organizations and governments. Inadequate protection can also put others at risk.

One of the best-known examples of a Data Breach is the Yahoo Data Breach that occurred between 2013 and 2014, in which attackers compromised Yahoo and stole personal information from over 1 billion user accounts, including names, email addresses, phone numbers, and hashed passwords. This massive breach was not reported until 2016, and it remains uncertain whether any legal action was taken against the perpetrators. Another significant incident is the Cambridge Analytica scandal of 2018, which revealed that the political consulting firm had collected data from millions of Facebook users without their consent and used this data to influence elections in various countries, including India. In response to this scandal, the Indian government initiated an investigation into the breach and fined Facebook Rs. 5 lakh for each day it failed to comply with the inquiry.

Additionally, in the cases of Jaiprakash Kulkarni v. Banking Ombudsman and IDBI Bank v. Sudhir S. Dhupia, where massive Data Breaches took place in banking transactions, the banks were held liable and were compelled to pay compensation to the affected parties.

Penalty v. Compensation - The key issue

The primary issue in this situation is that individuals who are victims of a Data Breach will continue to face the negative consequences of having their personal information exposed or misused. These could include financial loss, identity theft, Data Theft or other privacy-related harm. However, these victims are not entitled to any direct compensation for their suffering or losses. While the DPDP Act does impose penalties on the organization responsible for the breach, such as fines of up to Rs. 250 crores, it does not include provisions for compensating the individuals affected. As a result, those affected by the breach may have no remedy other than filing a separate suit to recover the damages they have suffered.

Furthermore, the lack of a clear compensation mechanism in the DPDP Act creates a hurdle in protecting the privacy of individuals. The Act provides for the responsibility of organizations to protect personal data, but it fails to consider the direct impact on individuals who are victims of Data Breaches. This leaves victims in a weaker position, as they may be left to deal with the consequences of the Data Breach without any compensation from the company at fault. In essence, while companies may face penalties for mishandling data, the affected parties are left without a clear mechanism to recover their losses. These situations bring forward the issue of the accountability of defaulters towards victims.

Section 43A – a victim centric approach

Section 43A of the IT Act, along with the IT Rules, established a framework consisting of eight key regulations with the intent of protecting the privacy of individuals. This legal framework is significant in the context of data protection in India. The case which laid down the essential elements of Section 43A is Vodafone India Ltd. v. Prashant Mahadeorao Buradkar, 2024; this judgment provided for the practical application of the section.

Under Section 43A of the IT Act, a victim claiming compensation must first prove that a corporate body, ‘defined as any organization that possesses, handles, or processes sensitive personal data’, has failed in its obligation to implement and maintain reasonable security practices and procedures to protect sensitive personal data. Secondly, this failure must have led to unauthorized access to or use of sensitive personal data. Thirdly, the victim must show that the breach led to either wrongful gain or wrongful loss. Lastly, there must be a direct link between the breach of security measures and the harm suffered by the individual due to unauthorized access to or misuse of their sensitive personal information.

The legislative intent behind Section 43A was reinforced in the case of State Bank of India v. Suhas Enterprises and Others, which highlighted that personal data belonging to individuals must be protected by organizations and that, if an entity fails to ensure this protection, it can be held liable to pay compensation to the affected individuals. Similarly, in XXX v. Union of India, represented by the Secretary of Government and Others, the Kerala High Court emphasized that Section 43A establishes a legal framework recognizing, for the first time, the necessity of protecting personal data privacy.

Analysis of Penalties under DPDP Act

Chapter 8 of the DPDP Act, titled ‘Penalties and Adjudication’, lays down the procedures to be followed by the Data Protection Board (hereinafter referred to as the ‘Board’) when addressing Data Breaches. The chapter gives the Board the power to inquire into incidents of non-compliance with the DPDP Act and its rules, including any Data Breaches, and to impose fines on organizations found to be in violation. Before imposing any penalty, the Board must conduct a thorough inquiry into the breach, offering the concerned party an opportunity of being heard. If the breach is found to be substantial, the Board is empowered to impose fines, with the specific penalty amounts set out in the Schedule to the DPDP Act.

In determining the size of the penalty, the Board is required to take several key factors into account. These include the gravity of the breach, the scale of its impact, and its duration. The type of personal data affected is also a critical consideration, as certain types of data, such as PII (Personally Identifiable Information), may attract more severe penalties. The Board will also look at whether the breach was a repeated offence, whether the organization involved gained financially or avoided losses as a result of the breach, and the actions taken to mitigate the effects of the breach. Specifically, the Board will evaluate the effectiveness and timeliness of the response to the incident, as well as the measures implemented to prevent similar breaches in the future.

Moreover, the Board has the responsibility to ensure that any penalty imposed serves both as a fair and effective measure against future violations and as an encouragement to comply with the DPDP Act. The penalty must also be proportionate to the nature and scale of the breach, considering the potential impact on the organization involved. In its decision-making process, the Board has the responsibility to balance the need for accountability with the need to promote compliance by others, ultimately ensuring that penalties serve their purpose without unduly harming the organization’s operations or future business prospects.

Section 34 - A Deterrent Approach

Section 34 of the DPDP Act provides that all sums realized by way of penalties imposed by the Board are credited to the Consolidated Fund of India. The major concern is that the penalties recovered under the DPDP Act may compromise the remedies available to victims, a significant issue that needs closer scrutiny. While the penalties collected by the Board are intended to serve as a deterrent against future breaches and to promote organizational compliance, these funds may not adequately address the harms suffered by the individuals whose data was subjected to the breach. Under the current framework, the penalties are collected into a consolidated fund, but there is no direct provision for compensating the victims of the breach. This raises the concern that individuals who suffer identity theft, Data Theft, financial loss, or other personal harms due to data breaches may not receive adequate relief under the IT Act either, as the penalties imposed are not reserved specifically for victim compensation.

This situation could potentially shift the focus from helping victims obtain compensation to achieving regulatory goals. While imposing penalties on organizations is a necessary step in holding them accountable, it is also crucial to ensure that victims' rights are protected in the process. There is an urgent need for mechanisms that would allow a more direct form of remedy for individuals, such as creating a designated fund or a system through which victims can seek compensation out of the penalties imposed on companies. Without such mechanisms, the purpose of the penalties could unintentionally be weakened, as organizations may come to view penalties as a cost of doing business, while the individuals whose rights have been violated may not derive any substantive benefit from the penalties.

Significance of Compensation: A Call for Change

In this context, the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India holds substantial importance. In this case, the Supreme Court held that the right to privacy is an intrinsic part of the right to life and personal liberty as enshrined in Article 21 of the Indian Constitution. The court further held that this right encompasses an individual's ability to have their personal data protected from unauthorized access and misuse. This judgment recognized privacy as a fundamental right inherent to all citizens.

The Right to Privacy is a fundamental right that falls within the ambit of Article 21 of the Constitution. The Supreme Court, in the case of Rudal Shah v. State of Bihar, held that victims of infringement of fundamental rights are entitled to compensation. The court laid down this principle at a time when the text of the Constitution contained no explicit provision for compensation to victims; it did so on the basis of its interpretation of its remedial powers, emphasizing the importance of compensation for violations of fundamental rights. This principle was reiterated in Bhim Singh v. State of Jammu & Kashmir.

Currently, the DPDP Act contains only regulatory provisions, stating that fines collected should go into the Consolidated Fund of India. However, there is a pressing need to create a dedicated fund specifically for compensating victims of Data Breaches. This approach is supported by precedents such as Equifax (2017), where the Federal Trade Commission imposed fines between $500 million and $700 million for a breach affecting 147 million consumers, including ‘compensation for victims in the settlement’. Similarly, T-Mobile (2022) settled a class-action lawsuit for $350 million after a Data Breach impacted 77 million customers, ‘providing compensation to those affected’. In another instance, Capital One (2020) was fined $80 million by the Office of the Comptroller of the Currency (OCC) and settled a class-action lawsuit for $190 million following a breach that affected over 100 million individuals, ‘providing compensation to the victims’.

Establishing a separate fund from the fines collected would align with the legislative intent of preventing data breaches and would ensure that victims receive appropriate relief. Such measures would enhance accountability.

Conclusion

In conclusion, the DPDP Act provides a comprehensive framework for handling data breaches and imposing penalties on organizations responsible for mishandling Digital Personal Data. However, the current mechanism of the Act raises significant concerns, especially in relation to the lack of compensation for victims of Data Breaches. While the penalties collected from organizations serve as a preventive measure and a way to enforce compliance, they do not directly address the loss suffered by individuals whose personal information is exposed or misused. As a result, victims of Data Breaches are left without a clear mechanism for recovering the damages they incur, such as financial loss, identity theft, or privacy violations.

To ensure that the DPDP Act fully protects individuals and holds organizations accountable, a more victim-centered approach is needed alongside its regulatory goals. This could involve establishing a system such as a dedicated fund through which victims can seek compensation out of the penalties imposed on organizations. Without such provisions, the Act may unintentionally shift focus away from the individuals affected by data breaches and prioritize regulatory goals instead. A clear mechanism for victim compensation would not only enhance fairness but also reinforce the purpose of data protection laws, ensuring that both organizations and individuals are protected from the threats arising from Data Breaches.

References

  1. Information Technology Act, 2000
  2. Digital Personal Data Protection Act, 2023
  3. DPDPA Overview
  4. What is a Data Breach?
  5. American University Law Review Article
  6. Cambridge Analytica Controversy
  7. SGR Law: Data Breaches
  8. Jaiprakash Kulkarni v. Banking Ombudsman, 2024 SCC OnLine Bom 1666.
  9. IDBI Bank v. Sudhir S. Dhupia, 2019 SCC OnLine TDSAT 226.
  10. Vodafone India Ltd. v. Prashant Mahadeorao Buradkar, 2024 SCC OnLine TDSAT 1088.
  11. State Bank of Patiala v. Suhas Enterprises, 2024 SCC OnLine TDSAT 1236.
  12. XXX v. Union of India, 2021 SCC OnLine Ker 9233.
  13. Justice K.S. Puttaswamy (Retd.) v. Union of India, 2019 (1) SCC 1.
  14. Rudal Shah v. State of Bihar, 1983 (4) SCC 141.
  15. Bhim Singh v. State of Jammu & Kashmir, 1985 (4) SCC 677.
  16. Penalties Under DPDP Act
  17. DPDPA Chapter 8 Section 33
  18. InTechOpen Online First
  19. Understanding India's New Data Protection Law
  20. A Review of IT Rules 2011
  21. IT Maharashtra Document
  22. Legal Guidelines for Personal Data Breach
  23. The Exigency to Address Personal Data Issues: The Personal Data Protection Bill, 2019, 2.1 JCLJ (2021) 977.
  24. An Analysis of Cyber Laws with Focus on Data Protection in India: Issues, Challenges, and Opportunities, 3.3 JCLJ (2023) 254.
  25. Soumya Banerjee, '"Digital Personal Data Protection Act" - A Strudel Served Raw!' (2024) 2024 Int'l J L Ethics Tech 85.
  26. Equifax (2017) Settlement
  27. T-Mobile (2022) Settlement
  28. CapitalOne (2020) Data Breach
  29. Kermina Minoo Patel, 'The 2023 Digital Personal Data Protection Act: Evaluating Its Strength in Protecting Citizen Data' (2023) 4 Jus Corpus LJ 234.
  30. Divyanshi Kaushal, 'The Digital Personal Data Protection Bill, 2022' (2022) 3 Jus Corpus LJ 747.
  31. Various Claimants v. Wm Morrisons Supermarket PLC, [2017] EWHC 3113 (QB).
  32. Data Breach Compensation Claims
  33. Damaging Consequences of a Data Breach
  34. J. Nissha, 'Critical Analysis of Right to Privacy in India' (2023) 6(1) Int'l JL Mgmt & Human 1038.
  35. Nivedita Baraily, 'An Analysis of Data Protection and Privacy Laws in India' (2021) 4 Int'l JL Mgmt & Human 1230.
  36. Biggest Data Breach Fines and Settlements
  37. Silent Suffering: Absence of Compensation
  38. Corey Varma, The Presumption of Injury: Giving Data Breach Victims "A Leg To Stand On," 32 J. Marshall J. Info. Tech. & Privacy L. 301 (2016).

Author: Adv (Dr.) Prashant Mali ♛ [MSc(Comp Sci), LLM, Ph.D.] and Bhavesh Basod.