
DPDPA Is Not Your Only Worry: Criminal Liabilities for Data Theft & Data Breach in India

Author: Advocate (Dr.) Prashant Mali


DPDPA governs privacy and imposes civil penalties—but in India, criminal exposure for data theft and breaches is scattered across multiple statutes. Translation: fines may dent your budget; prison terms can end careers.

The DPDPA Illusion

Since the Digital Personal Data Protection Act, 2023 (DPDPA) arrived, many compliance teams assume it’s the only North Star. It isn’t. DPDPA centres on civil penalties and compliance obligations. India’s criminal liabilities for data theft and breaches live elsewhere—in the Information Technology Act, 2000; the Payment and Settlement Systems Act, 2007; and the Bharatiya Nyaya Sanhita (BNS), 2023. Some of these provisions carry imprisonment.

Bottom line: Treat data incidents as both a compliance problem and a potential criminal law problem.

1) Information Technology Act, 2000 — The First Criminal Risk Zone

  • Section 72 — Breach of confidentiality & privacy: unauthorized disclosure of records accessed under lawful authority; fines up to ₹5 lakh.
  • Section 72A — Breach of lawful contract: disclosing personal data obtained under a contract without consent; penalties up to ₹25 lakh (typical risk vector: vendors/processors).
  • Sections 43(b) & 66 — Unauthorized downloading/copying/extraction of data: imprisonment up to 3 years, fines up to ₹5 lakh, or both.

2) Payment and Settlement Systems Act, 2007 — The Banking & Fintech Trap

  • Section 22(1) — Confidentiality obligations for payment system providers; limited disclosure exceptions.
  • Section 26(4) — Criminal penalties: up to 6 months’ imprisonment, fines up to ₹5 lakh, or twice the damage amount, whichever is higher.

3) Bharatiya Nyaya Sanhita (BNS), 2023 — The Criminal Code Factor

“Data” qualifies as moveable property (Section 2(22)). That opens the door to classic property offences for digital assets.

  • Section 303 — Theft: up to 3 years’ imprisonment (extendable to 5 years for repeat offences).
  • Section 306 — Theft by employee: up to 7 years’ imprisonment; bail can be difficult.
  • Section 316 — Criminal breach of trust: up to 7 years if by employee; up to 5 years otherwise.
  • Section 317 — Dealing in stolen data: habitual dealing can attract up to 10 years or even life imprisonment.

What DPDPA Professionals Must Internalize

  • Filing a neat breach report with the Data Protection Board does not insulate you from police action.
  • Criminal cases are initiated by law enforcement and run in parallel with any DPDPA process.
  • Directors/officers may face personal liability under vicarious liability provisions.
  • In some theft-related offences, bail is not a given.

Practical Risk Controls (Before the Police Call)

  • Access governance: strict role-based access, least privilege, periodic recertification.
  • Auditability: tamper-evident logs for access, exfiltration, and administrative actions.
  • Contracts: watertight processor/vendor clauses on confidentiality, security, breach notice, audit rights, and indemnities.
  • Training: explain the criminal consequences of data misuse—especially to sales, marketing, and IT teams.
  • Incident readiness: preserve evidence, notify CERT-In/sectoral regulators as applicable, and coordinate legal + forensics from hour zero.

Conclusion:

In India’s legal ecosystem, data isn’t just a privacy artefact—it’s property. Steal it, misuse it, or leak it negligently, and you’re not only courting regulatory fines; you may be courting a judge in a criminal court.

© Advocate (Dr.) Prashant Mali — Supreme Court & Bombay High Court | Cyber & Privacy Law


Reaching Author : Email - info@cyberlawconsulting.com | Know more about the Author on www.prashantmali.com
