Corporate Liability for Data Breaches under the Digital Personal Data Protection Act, 2023: Legal Challenges and Regulatory Responses
Authors/Creators
Description
Rapid digitalisation has transformed personal data into a critical economic resource for corporate entities, simultaneously increasing exposure to cyber threats and large-scale data breaches. Indian corporations now routinely collect, store, and process vast quantities of personal data, often without commensurate investment in cybersecurity governance. Persistent data breach incidents have exposed the inadequacy of India’s earlier legal framework, which relied primarily on the Information Technology Act, 2000 and subordinate rules. The Digital Personal Data Protection Act, 2023 (DPDP Act) represents a decisive shift towards a
comprehensive rights-based regulatory regime governing digital personal data. This paper critically examines corporate liability for data breaches under the DPDP Act by analysing its constitutional foundations, statutory architecture, and enforcement mechanisms. It evaluates the extent to which the Act imposes fiduciary-style obligations on corporate data handlers and assesses whether its penalty regime effectively deters negligent data governance practices. Drawing upon Indian and international jurisprudence, including developments in the European Union, the United Kingdom, the United States, and Australia, the study identifies structural gaps and implementation challenges within the Indian framework. The paper argues
that although the DPDP Act aligns Indian data protection law with global standards, its effectiveness depends on regulatory clarity, institutional independence, and the integration of cybersecurity oversight into corporate governance structures. The study concludes with policyoriented recommendations aimed at strengthening corporate accountability and safeguarding
informational privacy in India’s evolving digital economy.
Files
Reserch+Paper+Dipanshu.pdf
Files
(480.3 kB)
| Name | Size | Download all |
|---|---|---|
|
md5:489b5a00e20e7fed8777823ee7e54169
|
480.3 kB | Preview Download |
Additional details
References
- Viktor Mayer-Schönberger& Thomas Ramge, Reinventing Capitalism in the Age of Big Data 12–15 (Basic Books 2018).
- World Economic Forum, Global Cybersecurity Outlook 2024 (2024).
- CERT-In, Annual Report 2022–23 (Gov't of India).
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
- Information Technology Act, No. 21 of 2000, §§ 43, 66 (India)
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, r. 8
- Rahul Matthan, Privacy 3.0 97–101 (HarperCollins 2018).
- Srikrishna Committee Report, A Free and Fair Digital Economy ¶ 2.19 (2018).
- Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos, 2014 E.C.R. I-317.
- Digital Personal Data Protection Act, No. 22 of 2023, § 2(i) (India).
- Regulation (EU) 2016/679, art. 4(7), 2016 O.J. (L 119) 1.
- Julie E. Cohen, What Privacy Is For, 126 Harv. L. Rev. 1904 (2013).