draft over New Dpdp rules


Blog on Removal of Section 43A of IT Act 2000 with regard to New DPDP Act Rules 2025

Introduction

India's Digital Personal Data Protection Bill was introduced in 2022 and became the
Digital Personal Data Protection Act, 2023 (hereinafter referred to as 'DPDP Act')
after being approved by both houses of Parliament and receiving the President's
assent in August 2023; the Act is yet to be brought into force. It applies to
personal data collected in digital form, or collected offline and later converted into
digital form. Its primary aim is to protect the personal information of individuals and
to hold organizations that manage large amounts of such data accountable, especially
those with online operations and mobile apps.

Prior to the DPDP Act, and at present, the only legal framework addressing digital
data privacy issues is the Information Technology Act, 2000 (hereinafter referred to
as 'IT Act') and the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter
referred to as 'IT Rules'). The DPDP Act is intended to replace Section 43A of the IT
Act and the Rules made under it.

Section 43A of the IT Act, along with the related rules, provides for compensation to
individuals affected by the negligence of a company in handling sensitive personal
data. It states that if a company which owns, controls, or operates a computer
resource containing sensitive personal data fails to maintain reasonable security
practices and thereby causes a breach, it is liable to pay compensation to the affected
person. The DPDP Act, however, does not include any such provision for compensation.
Instead, it imposes penalties for non-compliance with the DPDP Act.

This blog addresses the introduction of provisions compensating individuals affected
by data breaches, either by way of a dedicated compensatory fund or from the
people or organizations that breach the data. Before addressing the issue of victims
being left without remedies, it is important to first understand what a data breach is
in the Indian context.

Overview of India's Data Breaches and How People Suffer: Rising Tensions

A data breach occurs when information is stolen or accessed without the owner's
consent. This can involve sensitive data such as credit card details, customer
information, trade secrets, or national security matters. A breach exposes
confidential data to unauthorized individuals, who may view or share it without
consent. A data breach can affect anyone, from individuals to large organizations
and governments, and inadequate protection of one party's data can put others at risk.

Data breach incidents rising

Reports indicate a significant rise in data breaches affecting Indian users. India
saw several data breaches in 2024. In September, millions of personal records,
including medical details of Star Health Insurance customers, were leaked online. A
UK-based researcher first reported the breach, with claims that a hacker named
XenZen had accessed the data.
In July, personal information of around 7.9 million customers from Mumbai-based
stockbroking firm Angel One was leaked, exposing sensitive details such as bank
account numbers. Earlier, in January, a massive breach exposed 750 million
individuals' personal data, including Aadhaar information, with the data being sold by
threat actors online.
Reports of personal data breaches and cyber security incidents adversely impacting
thousands of people and businesses are frequent. A recent study reported 388 data
breaches, 107 data leaks, 39 ransomware activities, and 59 cases of access sales or
leaks in the first six months of 2024.

People suffer: Data breaches can have a profound impact on users. Victims
may face financial losses, such as fraudulent charges or the costs of
securing their credit and identity. Data breaches also erode trust in the affected
institutions.

In the last couple of years, the Indian Council of Medical Research (ICMR) suffered a
massive leak that compromised the personal data of 81.5 crore individuals,
potentially making it one of the largest breaches in India's history.
The stolen data included Aadhaar numbers, passport details, home addresses,
and possibly sensitive medical records related to COVID-19 testing. The
breach exposed millions of people to the risk of identity theft and financial fraud,
as their Aadhaar numbers could be exploited to access banking services or
government schemes. The compromised medical records also caused serious
privacy violations, with personal health data being exposed.

You can use websites like Have I Been Pwned (HIBP) and Firefox Monitor to
check if your email addresses or phone numbers have been compromised in a
data breach. These services collect information from publicly disclosed breaches
and provide notifications if your data appears in their databases. Additionally,
Google’s Dark Web Report feature (available through Google One) can help you
monitor if your personal information, like email addresses and phone numbers,
has surfaced on the dark web.

In another example, Zomato experienced this first hand in 2021, when data of 17
million users was stolen and put up for sale. Zomato faced significant drops in market
valuation due to loss of consumer trust and potential fines. It further bore
heavy direct costs in securing the breach, legal fees, and compensation to users.

Financial Implications: Data breaches can lead to direct financial losses through
fraud or the necessity of remedial actions, such as legal fees and compensation.
Indirect costs include potential fines imposed for non-compliance with data
protection laws, which under the DPDP Act can reach up to ₹250 crores. Personal
data breaches attract the highest slab of penalties under the DPDP Act, yet without
any remedy to the person or victim.

Legal Consequences: Beyond financial penalties, failing to manage data
securely can lead to legal actions and regulatory directives that significantly impact
a business. Such directives can disrupt operations, increase scrutiny and
operational costs, erode trust with partners, damage market reputation, and
necessitate costly upgrades for compliance. Additionally, in the cases of Jaiprakash
Kulkarni v. Banking Ombudsman and IDBI Bank v. Sudhir S. Dhupia, where massive
data breaches took place in banking transactions, the banks were held liable and were
compelled to pay compensation to the affected parties.

Last year, the Reserve Bank of India (RBI) imposed a ban on Kotak Mahindra
Bank, barring it from onboarding new customers through online and mobile
channels and from issuing new credit cards. This action was taken due to serious
deficiencies identified in the bank’s IT systems, including shortcomings in IT
inventory management, patch and change management, user access
management, vendor risk management, and data security. The bank was required
to conduct a comprehensive external audit, approved by the RBI, to address these
deficiencies.

The key battle - Penalty v. Compensation

The primary issue in this situation is that individuals who are victims of a data breach
will continue to face the negative consequences of having their personal information
exposed or misused. This could include financial loss, identity theft, data theft or other
privacy-related harm. However, these victims are not entitled to any direct compensation
for their suffering or losses. While the DPDP Act does impose penalties on the
organization responsible for the breach, such as fines of up to 250 crores, it does not
include provisions for compensating the individuals affected. As a result, those who are
affected by the breach may have no remedy other than filing a separate suit to recover
the damages they have suffered.

Furthermore, the lack of a clear compensation mechanism in the DPDP Act creates a
hurdle in protecting the privacy of individuals. The Act provides for the responsibility of
organizations to protect personal data, but it fails to consider the direct impact on
individuals who are victims of data breaches. This leaves victims in a weaker position,
as they may be left to deal with the consequences of the data breach without any
compensation from the company at fault. In essence, while companies may face
penalties for mishandling data, the affected parties are left without a clear mechanism to
recover their losses. These situations bring forward the issue of accountability of the
defaulters towards victims.

Section 43A – a victim's middlemost approach

Section 43A of the IT Act, along with the IT Rules, established a framework consisting of
eight key regulations with the intent to protect the privacy of individuals. This legal
framework is significant in the context of data protection in India. The case which laid
down the essential elements of Section 43A is Vodafone India Ltd. v. Prashant Mahadeorao
Buradkar, 2024; this judgment provided for the practical application of the section.

Under Section 43A of the IT Act, a victim seeking compensation must first prove
that a corporate body, 'defined as any organization that possesses, handles, or
processes sensitive personal data', has failed in its obligation to implement and
maintain reasonable security practices and procedures to protect sensitive personal
data. Secondly, this failure must have led to unauthorized access to or use of sensitive
personal data. Thirdly, the victim must show that this breach led to either wrongful gain
or wrongful loss. Lastly, there must be a direct link between the breach of security
measures and the harm suffered by the individual due to unauthorized access to or
misuse of their sensitive personal information.

The legislative intent behind Section 43A was reinforced in the case of State Bank of
India v. Suhas Enterprises and Others, which highlighted that personal data
belonging to individuals must be protected by organizations, and that if an entity fails
to ensure this protection, it can be held liable to pay compensation to the affected
individuals. Similarly, in Xxx v. Union of India, represented by the Secretary of
Government and Others, the Kerala High Court emphasized that Section 43A
establishes a legal framework recognizing, for the first time, the necessity of
protecting personal data privacy.
