Compensation for data breach by a company under a non-notified law DPDP Act 2023

This is to understand the applicable law on a certain day in India, and specifically about laws that are published by gazette notification but are awaiting a follow-up rule publication.

Representative Chronology:

Day 1: [IT Act 2000][1] is passed and has Section 43A for corporate body responsibility for data protection. This has a very low penalty defined for violations.

Day 20: A new law [DPDP 2023][3] is approved by the President, but not yet notified since the "rules"/guidelines under the law are still being discussed with the stakeholders. This law removes Section 43A from the 2000 law. This has a very high penalty defined for cybersecurity violations.

Day 30: A data breach happens due to gross negligence by a company and it gets fixed in some days.

Day 40: The aforementioned "rules" are published for DPDP. The enforcement "board" members are also announced so the law is a ground reality now.

1. So on day 31, can someone sue the company for negligence under Section 43A even though Section 43A stands removed?

2. On day 41, can someone retroactively sue the company for negligence of day 30 under DPDP? 

[1]: https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
[3]: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
Asked 6 days ago in Civil Law


12 Answers

Here are the answers based on the chronology you provided:

  1. On Day 31, can someone sue the company for negligence under Section 43A of the IT Act, 2000?

    • No, Section 43A would no longer be applicable after the new law (DPDP 2023) has been approved by the President, even though the rules have not yet been notified. Once the DPDP 2023 comes into force, Section 43A is removed from the IT Act. Therefore, after the approval of DPDP, Section 43A ceases to have legal effect. The company can no longer be sued under Section 43A after the new law has been passed, even if the rules are still pending.

  2. On Day 41, can someone retroactively sue the company for negligence on Day 30 under the DPDP 2023?

    • It depends on the specific provisions of the DPDP 2023 and its rules once they are finalized and enforced. If the rules and enforcement provisions are published on Day 40, the law could be applied retroactively depending on the provisions within DPDP 2023. However, generally, laws don't apply retroactively unless explicitly stated. The company could potentially be sued for negligence under the DPDP 2023 only after it has been notified and the enforcement mechanisms are in place. The rules published on Day 40 would define the scope of application, penalties, and enforcement.

Thanks and Regards,
Advocate Aman Verma
Legal Corridor

Aman Verma
Advocate, Delhi
116 Answers

The DPDP Act was passed in early August 2023. The act will be enforced when the central government issues a notification for the same.

Company cannot be sued retrospectively for negligence as the section stands removed.

Ajay Sethi
Advocate, Mumbai
97330 Answers
7863 Consultations

The individuals who are harmed by a data breach may be able to sue the company for damages under the India Digital Personal Data Protection Act (DPDP Act): 

A company can be held liable if it is negligent in implementing reasonable security practices and procedures (RSPP). This includes non-compliance with the data processing principles, such as notice, consent, purpose limitation, data accuracy, and grievance redressal.

Data principals must first seek redressal through the Data Fiduciary's grievance mechanism. They can only approach the DPB if they are unable to get their grievance redressed through this mechanism. 
Penalties are assessed based on several factors, including the nature, duration, and recurrence of violations.

T Kalaiselvan
Advocate, Vellore
87527 Answers
2349 Consultations

No, they can't sue retrospectively unless there is provision for the same in law.

Prashant Nayak
Advocate, Mumbai
32737 Answers
209 Consultations

  1. Can someone sue under Section 43A of the IT Act after it is removed (on Day 31)?

    • No, Section 43A cannot be invoked after its repeal. Once the law is replaced by the Digital Personal Data Protection Act, 2023 (DPDP Act), the provisions of the old law no longer apply, unless expressly saved by a saving clause in the new law. For acts committed before the repeal, legal recourse depends on transitional provisions or general law principles.

  2. Can someone sue under DPDP Act for a breach that occurred on Day 30 (before its enforcement)?

    • No, the DPDP Act cannot apply retroactively unless explicitly stated in the Act itself. Generally, laws do not operate retroactively unless there is specific language indicating retrospective applicability. Negligence before the enforcement of the DPDP Act would not be covered under its provisions.

Options for Victims:

  • Victims can still explore remedies under tort law (for negligence) or other applicable general laws.
  • For breaches occurring before DPDP Act enforcement, remedies under existing laws at the time of the breach (e.g., IT Act provisions, consumer protection laws) may still be explored, provided they were active when the breach occurred.

For detailed, personalized advice, consider a phone consultancy. Hope you find the information helpful. You are free to contact me for further discussion. If you could spare two minutes of your time to write a review, it would be greatly appreciated and bring immense happiness to read it. Thank you. Shubham Goyal.

Shubham Goyal
Advocate, Delhi
392 Answers

Dear Client,

On Day 31, the company can still be sued for negligence under Section 43A of the IT Act, 2000, in case the DPDP Act, 2023 has not been notified. Unless the new law is in force, the IT Act is still applicable, and the data protection obligations shall be governed by Section 43A. However, as the penalty under Section 43A is restricted, the compensation could be meager.

On Day 41

Once the DPDP Act, 2023 is notified and is fully in operation, it can only be prospectively applied unless the Act specifically provides otherwise. Thus, for instance, a violation on Day 30 would not be covered under the DPDP Act, as the breach took place before the enforcement of the Act. You will have to pursue the same under the law that was effective on the date of the breach, i.e., under Section 43A of the IT Act, 2000. Pursuing a claim

Do let me know if I can help you further.

Anik Miu
Advocate, Bangalore
10316 Answers
121 Consultations

  1. Data breached on day 30. DPDP came into force on day 40.

Breach is governed by Section 43A as DPDP came into force repealing Section 43A on day 40. (Section 43A removed after gap of 10 days)

  2. Penal law operates prospectively, breach on day 40 not covered by new Act.

Ravi Shinde
Advocate, Hyderabad
4318 Answers
42 Consultations


# Applicable Laws

1. *IT Act 2000 (Section 43A)*: This section imposed liability on corporate bodies for data protection. Although it had a low penalty for violations, it was the applicable law until the DPDP Act 2023 was notified.

2. *DPDP Act 2023*: This law was approved by the President on Day 20 but wasn't notified until Day 40, when the rules were published. The DPDP Act 2023 removes Section 43A from the IT Act 2000 and introduces stricter penalties for cybersecurity violations.


# Answers to Your Questions

*1. Can someone sue the company for negligence under Section 43A on Day 31?*

Although Section 43A was removed from the IT Act 2000 when the DPDP Act 2023 was approved (Day 20), the DPDP Act 2023 wasn't notified until Day 40. Since the DPDP Act 2023 wasn't in force on Day 31, Section 43A was technically still applicable. However, it's essential to note that the court might consider the legislative intent and the fact that the DPDP Act 2023 was approved, albeit not notified.

*2. Can someone retroactively sue the company for negligence on Day 30 under the DPDP Act 2023 on Day 41?*

Generally, laws are not applied retroactively, especially when they impose stricter penalties. The DPDP Act 2023 came into force on Day 40, when it was notified. Applying the DPDP Act 2023 retroactively to an incident that occurred on Day 30 might be challenging.


However, Indian courts have, in some cases, applied laws retroactively if:

- The new law is beneficial to the parties involved.
- The legislative intent is clear.
- The parties had sufficient notice of the impending change.


In this scenario, since the DPDP Act 2023 imposes stricter penalties, it's unlikely that the court would apply it retroactively. Nevertheless, the court's decision would depend on the specific circumstances and the arguments presented.

Keep in mind that these answers provide a general understanding of the applicable laws and are not exhaustive. For a more detailed analysis, consult with a legal expert specializing in Indian data protection laws.

- Adv. Lavish Tegta (High Court of Himachal Pradesh)

Lavish Tegta
Advocate, Shimla
12 Answers

If they are a service provider and you are a consumer, only then will it come under the CP Act 2019.

Prashant Nayak
Advocate, Mumbai
32737 Answers
209 Consultations

Since Section 43A has no specific penalty, the compensation that can be awarded is only 25k.

You can file a complaint before the consumer forum if you so desire.

Ajay Sethi
Advocate, Mumbai
97330 Answers
7863 Consultations

The quantum of damages for a data breach without tangible financial loss is challenging to quantify but may include nominal compensation under Section 43A of the IT Act (default ₹25,000) or punitive damages if negligence is severe. Courts may consider privacy violations, emotional distress, and the potential risks of phishing/scamming. While the Consumer Protection Act, 2019, requires a consumer relationship, free services linked to paid offerings or violations of terms of service (ToS) and privacy policies may suffice. A consumer court claim could be strengthened by statutory violations, such as the non-disclosure of a grievance officer, failure to respond to breach notifications, or gross negligence. Alternatives include filing with a cyber adjudicating officer or pursuing tort-based claims in civil court. Establishing a breach of privacy and negligence will be crucial to seek appropriate compensation.

Aman Verma
Advocate, Delhi
116 Answers