Introduction
India's Digital Personal Data Protection Bill was first published as a draft in 2022 and became the Digital Personal Data Protection Act, 2023 (referred to herein as the 'DPDP Act') after being passed by both Houses of Parliament and receiving the President's assent in August 2023; its provisions are yet to be brought into force. The Act applies to personal data collected in digital form, or collected in non-digital form and digitised subsequently. Its primary aim is to protect the personal information of individuals and to hold accountable the organizations that process large volumes of such data, particularly those with online operations and mobile apps. Until the DPDP Act comes into force, the only legal framework addressing digital data privacy is the Information Technology Act, 2000, together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (referred to herein as the 'IT Act and Rules'). The DPDP Act, by Section 44(2), omits Section 43A of the IT Act. Section 43A, read with the related Rules, provides for compensation to individuals affected by a company's negligence in handling sensitive personal data: a body corporate that possesses, deals with or handles sensitive personal data in a computer resource it owns, controls or operates, and that is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, is liable to pay damages by way of compensation to the person affected. The DPDP Act contains no comparable compensation provision; instead, it imposes penalties for non-compliance. This paper advocates the introduction of provisions compensating individuals affected by data breaches. Before addressing the issue of victims being left without a remedy, it is important to first understand what a data breach is.
Data is crucial for organizations because it helps them understand customers better and make informed decisions. As data becomes more valuable to businesses, however, it also becomes a target for cybercriminals who want to exploit it for malicious purposes. A data breach occurs when information is stolen or accessed without the consent of its owner. The data involved may be sensitive: credit card details, customer information, trade secrets, or matters of national security. A breach exposes confidential data to unauthorized individuals, who may view it or share it further. While breaches can result from innocent mistakes, significant harm follows when the exposed data, such as Personally Identifiable Information (PII) or corporate secrets, is sold or misused for financial gain or to cause harm. The DPDP Act itself defines a 'personal data breach' more broadly than theft alone: any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. Attackers typically prepare by identifying weaknesses in a system, such as unpatched software or security flaws, and exploiting them to gain access.
Penalty v. Compensation: The key issue
The primary issue is that individuals who are victims of a data breach continue to bear the consequences of having their personal information exposed or misused: financial loss, identity theft, or other privacy-related harm. Yet these victims are not entitled to any direct compensation for their losses. While the DPDP Act imposes penalties on the organization responsible for the breach, up to ₹250 crore under its Schedule for failure to take reasonable security safeguards to prevent a personal data breach, it contains no provision for compensating the individuals affected. Those affected therefore have no remedy other than filing a separate civil suit to recover the damages they have suffered.
The absence of a compensation mechanism in the DPDP Act thus leaves a gap in the protection of individuals. The Act places on organizations the responsibility to protect personal data, but it does not address the direct impact on the individuals who are the victims of a data breach. This leaves victims in a weaker position, as they must deal with the consequences of the breach without any compensation from the company at fault. In short, while companies may face penalties for mishandling data, the affected parties have no clear mechanism to recover their losses. This raises the question of the accountability of defaulters towards victims, as distinct from their accountability to the regulator.
Analysis of Penalties under the DPDP Act, 2023
Chapter VIII of the DPDP Act, titled 'Penalties and Adjudication', lays down what the Data Protection Board of India (referred to herein as the 'Board') does once a breach of the Act has been found. The Board inquires into complaints and references concerning non-compliance with the DPDP Act and its rules, including personal data breaches, and may impose monetary penalties on the organizations found to be in violation. Before imposing any penalty, the Board must conclude its inquiry and give the person concerned an opportunity of being heard. If the breach of the Act is found to be significant, the Board may impose a monetary penalty, with the amounts for each class of breach specified in the Schedule to the Act.
In determining the amount of a penalty, the Board is required to take several factors into account: the nature, gravity and duration of the breach; the type and nature of the personal data affected (more sensitive data can reasonably be expected to attract a heavier penalty); whether the breach is repetitive; whether the organization realised a gain or avoided a loss as a result of the breach; and whether it took action to mitigate the effects of the breach, including the timeliness and effectiveness of that action. In practice this means the Board will look at how quickly and effectively the incident was contained and at the measures put in place to prevent a recurrence.
The Board must also ensure that any penalty is proportionate and effective, having regard both to achieving compliance with the DPDP Act and to deterring future breaches, and it must consider the likely impact of the penalty on the organization concerned. In its decision-making, the Board therefore balances the need for accountability against the need to promote compliance by others, so that penalties serve their purpose without unduly harming the organization's operations or future business prospects.
Section 34: A deterrent approach
Section 34 of the DPDP Act provides that all sums realised by way of penalties imposed by the Board are credited to the Consolidated Fund of India. The central concern is that this treatment of penalty money may compromise the remedies available to victims, and it deserves closer scrutiny. The penalties collected by the Board are intended to deter future breaches and to promote organizational compliance; they are not designed to address the harm suffered by the individuals whose data was breached. Under the current framework the penalties flow into the Consolidated Fund, and there is no provision earmarking any part of them for compensating the victims of the breach. Individuals who suffer identity theft, financial loss or other personal harm as a result of a data breach therefore receive no relief from the penalty, and, once Section 43A of the IT Act is omitted, the compensation route under the IT Act and Rules closes as well.
This arrangement risks shifting the focus from compensating victims to achieving regulatory goals. Imposing penalties on organizations is a necessary step in holding them accountable, but it is equally important that the rights of victims are protected in the process. There is a pressing need for a mechanism that provides a more direct remedy to individuals, such as a designated fund, or a procedure through which victims can claim compensation out of the penalties imposed on the organizations at fault. Without such a mechanism, the purpose of the penalties may be weakened: organizations may come to treat penalties as a cost of doing business, while the individuals whose rights were violated derive no substantive benefit from them.
Conclusion
In conclusion, the DPDP Act provides a comprehensive framework for handling personal data breaches and for imposing penalties on the organizations responsible for mishandling digital personal data. The Act's current mechanism nevertheless raises significant concerns, above all the absence of compensation for the victims of data breaches. The penalties collected from organizations serve as a deterrent and a means of enforcing compliance, but they do nothing to address the loss suffered by the individuals whose personal information is exposed or misused. Victims of data breaches are thus left without a clear mechanism for recovering the damages they incur, whether financial loss, identity theft or violation of privacy.
For the DPDP Act to protect individuals fully while holding organizations accountable, a more victim-centred approach is needed alongside its regulatory goals. This could take the form of a system through which victims can seek compensation out of the penalties imposed on organizations. Without such a provision, the Act may unintentionally shift attention away from the individuals affected by data breaches in favour of regulatory goals. A clear mechanism for victim compensation would not only enhance fairness but also reinforce the purpose of data protection law: ensuring that both organizations and individuals are protected from the harm that a data breach causes.
References
1. https://www.meity.gov.in/content/information-technology-act-2000-0
2. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
3. https://www.cyberlawconsulting.com/dpdpa_overview.php
4. https://www.kaspersky.com/resource-center/definitions/data-breach
5. https://www.waterandshark.com/blog/penalties-under-dpdp-act
6. https://www.intechopen.com/online-first/1190882
7. https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law?lang=en
8. https://www.mondaq.com/india/privacy-protection/904916/a-review-of-the-information-technology-rules-2011-