CORPORATE LIABILITY FOR DATA BREACHES IN INDIA: EVOLVING STANDARDS UNDER THE INFORMATION TECHNOLOGY (IT) ACT AND DIGITAL PERSONAL DATA PROTECTION (DPDP) ACT.

ABSTRACT

In the age of digital transformation, Indian corporations rely increasingly on data-driven technology, which generates huge amounts of sensitive and personal information. Data breaches have increased as a result of this rapid growth in data collection, raising questions about consumer protection and corporate responsibility.

In order to determine business culpability in cases of data breaches, this study looks at how legal standards under the Information Technology Act of 2000 (hereinafter referred to as the “IT Act”) and the Digital Personal Data Protection Act of 2023 (hereinafter referred to as the “DPDP Act”) have evolved. In search of systemic flaws and compliance burdens, it examines statutory obligations, court rulings, enforcement strategies, and case law. This paper highlights how the DPDP Act’s consent and purpose limitation framework replaced the IT Act’s negligence-based regime.

While the IT Act laid the initial foundation through provisions like Section 43A, its framework has been criticized for vagueness and a lack of effective enforcement. The DPDP Act introduces a more structured, rights-based, and enforcement-oriented approach; through case studies of the Zomato and Air India breaches, the paper illustrates the systemic shortcomings and the compliance burdens.

KEYWORDS

Data Breach, Corporate Liability, DPDP Act, Information Technology Act, Data Protection, Reasonable Security Practices.

INTRODUCTION

In the contemporary digital economy, data is not simply a by-product of technological progress but a critical resource to be harnessed, frequently described as “the new oil.” With the rapid expansion of India’s digital infrastructure, businesses across the e-commerce, fintech, healthcare, education, and telecommunications industries are capturing a wide range of personal and sensitive data to be stored and processed. The surge in data collection increases both its value and its risk, making the legal protection of user data and corporate accountability frameworks more critical than ever.

For a long time, India’s approach to the regulation of data protection was left to the broader legislative framework of the Information Technology Act of 2000. That Act was largely aimed at fostering electronic commerce and managing cyber offences, and included scant regulation of data privacy and security, the most notable provision being Section 43A, which provided for compensation for a lack of “reasonable security practices.” Still, these provisions lacked clear enforcement and coordinated institutional backing, which rendered them ineffective in preventing corporate data breaches. The public’s growing concern, coupled with landmark judicial interventions such as K.S. Puttaswamy v. Union of India (2017) and alignment with global privacy trends such as the European Union’s General Data Protection Regulation (hereinafter referred to as “GDPR”) and the California Consumer Privacy Act of 2018 (hereinafter referred to as “CCPA”), prompted India to establish a distinct and more comprehensive data protection framework. This led to the enactment of the DPDP Act, 2023, which seeks to legally entrench individual data rights, delineate the obligations of data fiduciaries, and institute a multi-layered, enforcement-oriented regulatory architecture by founding the Data Protection Board of India.

This research paper explores the evolution of corporate data breach liability in India, from the reactive, vague and restrictive scope of the IT Act to the more systematic, rights-driven, and enforcement-laden DPDP Act. It examines statutory provisions and landmark case law alongside enforcement gaps through a more holistic lens by integrating cross-jurisdictional perspectives. The case studies of the Zomato and Air India data breaches exemplify the gap between existing regulations and their practical application.

RESEARCH METHODOLOGY

This paper adopts a doctrinal research methodology, relying on the analysis of statutes, delegated legislation, and judicial decisions. Primary sources include the IT Act, 2000, the DPDP Act, 2023, and associated rules and notifications. Secondary sources comprise journal articles, committee reports, and global data protection frameworks.

REVIEW OF LITERATURE

The flaws of the IT Act have been critically assessed in the legal literature on India’s data protection environment. In his 2012 working paper for the Centre for Internet and Society, Rishabh Dara argued that Section 43A of the IT Act was unclear in its implementation and not effective. According to Swaminathan (2021), the lack of a central data protection authority meant that enforcement of the Sensitive Personal Data and Information (SPDI) Rules was essentially nonexistent. Academics such as Bhairav Acharya highlighted the necessity of a thorough, rights-based legal framework, which culminated in the 2018 Justice B.N. Srikrishna Committee Report. The enactment of the DPDP Act in 2023 has been analysed by legal experts, who lauded its structure but criticized the wide discretionary powers granted to the executive.

CORPORATE LIABILITY UNDER THE IT ACT, 2000

Section 43A, introduced via an amendment in 2008, holds a “body corporate” liable to pay compensation if it is negligent in implementing “reasonable security practices and procedures” and thereby causes loss or improper gain to any person. In order to operationalize Section 43A, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly referred to as the SPDI Rules, were notified. These rules defined “sensitive personal data or information” (SPDI) to include items such as passwords, health conditions and biometric information. The SPDI Rules required companies to implement security practices compliant with recognized international standards, such as ISO/IEC 27001 of the International Organization for Standardization (hereinafter “ISO”) and the International Electrotechnical Commission (hereinafter “IEC”), unless a sector-specific standard applied.

However, this provision did not establish an independent data protection authority or any ombudsman for grievance redressal. Instead, complaints were heard by adjudicating officers appointed under Section 46 of the Act.

In addition, Section 72A of the Act introduced a criminal penalty for disclosing personal information obtained under a lawful contract without the individual’s consent or in breach of that contract. However, this provision has rarely been applied in cases involving corporations, owing to the challenges posed by stringent evidence requirements and complicated legal procedures. In Karmanya Singh Sareen v. Union of India, the petitioners, concerned about the privacy implications of WhatsApp’s updated terms of service following its acquisition by Facebook, challenged the app’s policy of sharing user data with Facebook and its subsidiaries.

They argued that the data was being shared without explicit user consent and with insufficient safeguards, violating the right to privacy and contravening Section 43A of the IT Act. The case highlighted the growing awareness and concern within civil society about how corporations manage user data. It brought wide awareness among users of the gap between statutory obligations and actual corporate practices in handling personal data, especially in the absence of a robust enforcement authority.

Although the Supreme Court did not give a final verdict on the merits of Section 43A in this case, it referred the privacy concerns to the Constitution Bench in the K.S. Puttaswamy case, which eventually declared the right to privacy a fundamental right under Article 21 of the Constitution. The Karmanya Singh Sareen case also highlighted the weakness of the IT Act, 2000: it showed that even though users could complain about how companies misused their data, they had to depend on long and indirect routes such as constitutional litigation, instead of having a clear and direct mechanism under the IT Act to handle such issues.

Karmanya Singh Sareen served as a symbolic and procedural precursor to the demand for dedicated data protection legislation. Despite the petitioners’ invocation of Section 43A, the case reinforced that the provision was not enough to regulate a complex data ecosystem in the absence of an empowered regulator.

ZOMATO DATA BREACH

Another major case study is the Zomato data breach of 2017. Zomato, one of India’s leading food delivery platforms, suffered a significant breach affecting approximately 17 million user accounts. The breached data included user emails and hashed passwords, although Zomato claimed that payment information remained secure as it was stored separately.

The hacker reportedly accessed the database through internal vulnerabilities and later offered the data for sale on the dark web. Zomato responded by resetting affected passwords and issuing a public statement acknowledging the breach.

Legal and Regulatory Implications:

  1. The breach occurred under the IT Act regime. While Section 43A mandated that corporations must implement “reasonable security practices,” there was no follow-up enforcement action by adjudicatory authorities or the judiciary.
  2. The company claimed ISO/IEC 27001 compliance, which raised concerns about the practical implementation and monitoring of such standards.
  3. No user compensation or government penalty followed, underscoring the lack of an institutional enforcement mechanism under the IT Act.

Critical Analysis:

This incident highlighted the gap between statutory obligations and actual enforcement. At the time of the breach, Section 43A of the IT Act stated that bodies corporate that failed to put in place reasonable security practices were liable to compensate where such failure resulted in loss or gain. The accompanying SPDI Rules specified ISO/IEC 27001 as an example of a reasonable standard. But in Zomato’s case, no public enforcement actions or adjudications were undertaken under this section.

This lack of action shows one of the central gaps within the IT Act structure: the absence of a centralized enforcement body, along with proceedings that could only be initiated by a victim before an adjudicating officer far removed from the matter and with limited technical proficiency. For all the publicized scale of the breach, not a single user or regulator lodged a formal complaint under Section 43A, and there is no record of the company being investigated or prosecuted by any statutory body. This passive regulatory stance illustrates that the machinery put in place by the IT Act lacks robustness, especially considering the growing influence of big technology companies.

CORPORATE LIABILITY UNDER THE DPDP ACT, 2023

The Digital Personal Data Protection Act, 2023 represents a transformative step in India’s data governance landscape, replacing the inconsistent framework of the IT Act with a more coherent, rights-based, and enforcement-driven set of rules and regulations. The Act codifies the duties of organizations that process personal data, introduces institutional mechanisms for oversight, and imposes penalties for non-compliance. It is modeled partly on international best practices, particularly the EU’s General Data Protection Regulation (GDPR), but is tailored to India’s socioeconomic and digital environment.

The Act mainly concerns three core stakeholders:

  1. Data Principals: the individuals whose personal data is being stored.
  2. Data Fiduciaries: corporations and other entities that determine the purpose and the means of processing personal data.
  3. Data Processors: third parties who process data on behalf of the data fiduciaries.

The Important Obligations Imposed on Corporations

The DPDP Act mandates a range of duties that corporations must comply with while handling personal data. The key provisions include:

  1. Lawful and consent-based processing (Sections 5-6): Before collecting or processing a data principal’s sensitive information, corporations must obtain the free, informed, and explicit consent of the principal. Additionally, they must offer the option to withdraw consent at any time.
  2. Purpose Limitation (Section 7): Information may only be gathered for legitimate purposes that are made explicit to the user, and may not be used for any other purpose without further permission.
  3. Data Minimization (Section 8): Businesses must ensure that the personal information they gather is limited to what is needed to fulfil its stated purpose.
  4. Accuracy and Storage Limitation (Section 9): Data Fiduciaries are expected to preserve data accuracy and refrain from keeping personal information longer than is required.
  5. Breach Notification (Section 16): Corporations must notify the Data Protection Board of India of any personal data breach and must notify the affected Data Principals in a prompt and transparent manner.
  6. Grievance Redress (Section 14): Data Fiduciaries are required to establish an internal grievance redressal mechanism and resolve complaints within specified timelines.

PENALTIES AND ENFORCEMENT

The creation of the Data Protection Board of India (DPBI) as a central regulatory body charged with deciding on infractions and monitoring compliance is one of the most obvious departures from the IT Act. Schedule I of the Act lists the penalties. The principal penalty clauses include:

  1. According to Section 33, a failure to prevent a breach of personal data attracts a fine of up to ₹250 crore.
  2. Processing children’s data without the proper safeguards may attract a fine of up to ₹200 crore.
  3. Persistent non-compliance, or failure to meet duties pertaining to Data Principal rights, may attract a fine of up to ₹150 crore.

These penalties represent a marked shift from the low and inconsistently enforced compensatory mechanism under Section 43A of the IT Act.

CORPORATE COMPLIANCE CHALLENGES

Although the DPDP Act has clarity and structure, its implementation poses several compliance challenges for corporations, as it is a recent statute:

  1. Operational challenges: Many companies, especially small-scale companies, lack the technical infrastructure and legal expertise needed to align with the new norms.
  2. Consent fatigue: The user experience is affected by constant prompts for consent and withdrawal mechanisms, which may lead to superficial compliance.
  3. Lack of precedents: Since the DPDP Act is new, corporations may face uncertainties in interpreting obligations until judicial precedents and regulatory guidelines are fully developed.

CONTRAST WITH THE IT ACT

Unlike the framework under the IT Act of 2000, the Digital Personal Data Protection (DPDP) Act of 2023 shifts the focus towards enforcement against corporate negligence in data breaches by introducing clear responsibilities and obligations.

Under the IT Act, and specifically Section 43A, liability was mostly civil and limited to proof of “negligence in implementing reasonable security practices”, which suffered from vague legal phrasing, lacked definitions for key terms such as “reasonable security”, and placed the burden of proof on the claimant. The absence of a centralized authority with consistent, deterrent mechanisms to oversee data protection led to a disregard for compliance and vague responses to legally binding guidelines. There was also no overarching legal body to monitor adherence to data protection rules.

In contrast, the DPDP Act establishes a clearly defined framework and centralizes control under the Data Protection Board, which has jurisdiction over proactive breach investigations, issuance of show-cause notices, and imposition of administrative sanctions. The transition from compensatory, victim-led models to more proactive and punitive frameworks captures a shift in regulatory philosophy. Under the new framework, the state assumes an active enforcement role, and corporations can be held accountable even in the absence of individual complaints.

Moreover, the DPDP Act lays down clearer, more prescriptive compliance obligations. These principles align closely with international best practices, particularly those found in the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. As a result, Indian corporations that comply with the DPDP Act will be better positioned to integrate with global data flows, engage in cross-border transactions, and satisfy foreign adequacy assessments, a critical factor for multinational business operations and cloud-based service providers.

In essence, while the IT Act provided a basic and reactive framework for data protection, the DPDP Act establishes a proactive, rights-based, and institutionally robust regime, thereby transforming corporate obligations from a vague compliance checklist to a strategic governance imperative.

AIR INDIA DATA BREACH

In February 2021, Air India disclosed that it had suffered a massive data breach impacting 4.5 million customers worldwide, including Indian and international passengers. The breach originated from compromised systems of SITA, a third-party data processor managing passenger service systems for multiple global airlines. The compromised data included names, passport information, ticket details, frequent flyer data, and in some cases credit card information (though CVV numbers were reportedly not exposed). The breach occurred in late 2020, but passengers were informed only in May 2021, raising concerns about delayed breach disclosure.

Legal and Regulatory Considerations:

As was the case with Zomato, this breach happened before the DPDP Act came into effect. The IT Act’s failure to include breach notification requirements meant there were considerable delays in notifying affected users. The presence of a third-party processor (SITA) added a layer of complexity to the liability question. While Air India had contractual obligations for adequate data protection, there was no Section 43A enforcement for non-compliance.

Critical Analysis:

This breach emphasized two further systemic problems:

  • The deficiency within Indian law regarding contractual protections between data controllers and data processors.
  • The absence of basic user safety protocols, such as mandatory breach notification, which left users in the dark for months without any form of protection.

The Air India case underscored the necessity of a dedicated data protection authority for India, as well as clearly defined procedural and jurisdictional frameworks for complex, multi-jurisdictional, third-party data processing systems.

Aadhaar Database Exposures

Aadhaar is India’s extensive identity system that gathers biometric and demographic details of individuals. Administered by the UIDAI, it stores sensitive information such as names, addresses, fingerprints, and iris scans. However, multiple instances of data breaches and inadequate security measures over the years have sparked major concerns about the protection and privacy of this personal data.

Connection to the DPDP Act, 2023

The repeated Aadhaar data leaks and the Puttaswamy case were key reasons why the Digital Personal Data Protection (DPDP) Act, 2023 was introduced. This new law:

  1. Makes it mandatory for companies and government bodies to protect personal data.
  2. Requires them to report data breaches.
  3. Allows the government to fine companies that do not follow the rules.

SUGGESTIONS

To ensure that India’s data protection regime effectively holds corporations accountable while safeguarding individual privacy rights, several improvements can be considered for the future:

  1. Clarify “Reasonable Security Practices” with Industry-Specific Standards

Under both the IT Act and the DPDP Act, companies are required to implement “reasonable security practices.” However, the term is vague and open to interpretation. To provide clarity and ensure consistent implementation:

  • The government should issue sector-specific guidelines, referencing international standards like ISO/IEC 27001, NIST SP 800-53, or ISO/IEC 27701.
  • Small and medium enterprises (SMEs) should be given scalable compliance models based on risk exposure and data volume.

  2. Establish Mandatory Data Breach Reporting Timelines

The DPDP Act mandates breach notifications but does not prescribe strict timelines.

  • India should adopt a time-bound breach disclosure requirement, preferably within 72 hours, as followed under the EU’s GDPR.
  • Clear protocols for public notification in cases of large-scale breaches must be established to ensure transparency.

  3. Empower and Ensure Independence of the Data Protection Board

While the DPDP Act creates the Data Protection Board of India, its independence and functional autonomy remain unclear.

  • The Board should be vested with independent investigatory, adjudicatory, and enforcement powers.
  • Appointments should be merit-based and include experts in law, cyber security, and technology, ensuring credibility and impartiality.

  4. Implement Strong Whistleblower Protections

Employees who witness internal violations of data protection laws must be able to report non-compliance without fear of retaliation.

  • A whistleblower framework should be established within companies and enforced through mandatory compliance audits.

  5. Introduce Periodic Compliance Audits

  • Large corporations and Significant Data Fiduciaries should be required to undergo annual third-party audits.
  • Audit findings must be reported to the Data Protection Board and made partially public to ensure transparency.

  6. Public Awareness and Data Literacy Campaigns

Most users in India are unaware of how their data is collected, processed, or transferred.

  • The government and private sector must collaborate to launch nationwide campaigns promoting awareness of data rights, consent, and grievance mechanisms.

  7. Develop a Unified Grievance Redress Mechanism

Victims of data breaches often struggle with fragmented legal and administrative routes to justice.

  • A single-window digital platform should be introduced for filing complaints, accessing case status, and receiving redress.

  8. Incentivize Privacy-by-Design in Corporate Practices

Instead of only punishing breaches, the law should reward good behaviour.

  • Offer tax incentives, compliance certificates, or public recognition to companies that implement privacy-by-design frameworks, ensuring data protection is built into product development from the start.

  9. Strengthen Penalty Recovery Mechanisms

While the DPDP Act imposes substantial fines, their actual recovery and enforcement remain to be tested.

  • A clear, time-bound process must be created for levying and recovering fines.
  • For large companies, penalties should be proportional to global turnover, as in the GDPR.

CONCLUSION

The risks of data breaches have increased dramatically due to the exponential rise of digital technology and the growing reliance on personal data. The Digital Personal Data Protection Act of 2023, which replaced the Information Technology Act of 2000, marks a significant change in Indian law and policy regarding business liability for data protection. Although the IT Act established fundamental data security requirements, it had ambiguous language, lax enforcement, and few accountability systems.

By creating a systematic legal framework, imposing explicit compliance obligations, and instituting administrative sanctions that are enforced by a specialized Data Protection Board, the DPDP Act represents a significant advancement. Its emphasis on consent, purpose limitation, and data minimization, along with its conformity to international standards like the GDPR, demonstrates an intention to update India’s data governance framework.

REFERENCES

  1. Rishabh Dara, Intermediary Liability in India: Chilling Effects on Free Expression, Centre for Internet & Society (Apr. 2012), https://cis-india.org/internet-governance/intermediary-liability-in-india.pdf
  2. Justice B.N. Srikrishna Comm., A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018)
  3. Malavika Raghavan, The DPDP Act: Promise and Pitfalls, 19 Indian J.L. & Tech. (2023)
  4. Information Technology Act, No. 21 of 2000, Section 43A, India Code (2000)
  5. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E), Gazette of India, May 25, 2011
  6. Karmanya Singh Sareen v. Union of India, (2017) 10 S.C.C. 1 (India)
  7. K.S. Puttaswamy v. Union of India, (2017) 10 S.C.C. (India)
  8. Zomato Hacked: 17 Million User Records Stolen, The Economic Times (May 19, 2017), https://economictimes.indiatimes.com/small-biz/startups/zomato-hacked-hackers-steal-data-of-17-million-users/articleshow/58742044.cms?from=mdr
  9. Air India Data Breach: Personal Info of 4.5 Million Leaked, Business Standard (May 22, 2021), https://www.business-standard.com/article/companies/air-india-data-hacked-passport-credit-cards-and-other-details-leaked-121052101535_1.html
  10. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data (General Data Protection Regulation), 2016 O.J. (L 119)

Research paper by,

Mallela Harshitha

Presidency University, Bangalore.