The first part of this series shed light on a significant limitation within the Digital Personal Data Protection (DPDP) Act. This legislation does not offer a direct path for compensation to Data Principals who have suffered harm. Currently, penalties imposed under the Act are directed into the Consolidated Fund of India, not towards individual restitution. However, this does not mean that affected parties are left without options. The framework, though restrictive, offers certain avenues worth exploring.
Section 31: Mediation as a Path to Restitution
One internal mechanism within the DPDP Act, Section 31, provides a potential remedy. It allows the Data Protection Board to recommend mediation for resolving complaints. During mediation, the parties involved can negotiate financial compensation, making Section 31 the only provision within the DPDP Act that could potentially lead to direct monetary relief for a Data Principal. However, this possibility largely depends on the Board’s inclination to refer cases for mediation, the willingness of the involved parties to negotiate, and the power dynamics between individuals and corporations. Despite these challenges, mediation should be considered before opting for external litigation.
External Legal Frameworks: Securing Redress
Beyond the scope of Section 31, seeking compensation often requires venturing outside the DPDP Act. However, the obligations imposed by the DPDP Act can serve as a benchmark for the standard of care expected of Data Fiduciaries. Lawyers can leverage the Act’s requirements in conjunction with other legal frameworks to pursue compensation:
- The Law of Torts: Utilize torts such as negligence and breach of confidence.
- Consumer Protection: Classify data breaches as a “deficiency in service” under the Consumer Protection Act.
- Constitutional Tort: Invoke writ jurisdiction for breaches involving state action or public functions.
The subsequent sections explore how these external avenues can be integrated with the DPDP Act to address the gap in compensatory measures.
Common Law Remedies: A Foundational Approach
In the absence of statutory compensation rights, the principles of common law become essential. The American jurist William Prosser categorized privacy torts into four distinct types: unreasonable intrusion upon seclusion, appropriation of another’s likeness, unreasonable publicity of private life, and false light before the public. As privacy-related claims become more prevalent in Indian courts, we anticipate the Prosser framework will gain relevance in domestic tort law. Until then, negligence and breach of confidence remain the most recognized causes of action for data breach victims.
The relationship between the DPDP Act and tortious causes of action rests on a complementary legal theory. While the Act stipulates rigorous fiduciary obligations, it does not provide a civil redress mechanism. Conversely, common law offers robust compensatory remedies but often lacks a modern standard of care. By combining these two elements, a more coherent framework for addressing data harms emerges.
Overcoming Jurisdictional Challenges
A significant obstacle is Section 39 of the DPDP Act, which restricts civil court jurisdiction over matters the Board can decide and prevents courts from issuing injunctions against actions under the Act. To bypass this, plaintiffs must frame their suits as claims for damages or restitution, which the Board cannot grant, rather than merely adjudicating statutory contraventions. By using the Act as a “standard of care” rather than the cause of action, practitioners can argue that the civil suit is independent of the Board’s regulatory duties.
Quantifying Non-Pecuniary Harm
Quantifying non-pecuniary harm, such as emotional distress, poses a challenge in negligence and breach of confidence claims. While direct financial losses are straightforward, privacy litigation in India lacks a settled formula for valuing non-pecuniary harm. Until clear precedents are established, damage assessments will likely rely on judicial discretion.
Consumer Protection as a Remedy
The Consumer Protection Act (CPA) 2019 offers a statutory framework for individual redress alongside the DPDP Act. Section 100 of the CPA clarifies that its provisions complement, rather than override, other laws. This creates a concurrent jurisdiction model: while the Data Protection Board addresses regulatory compliance, Consumer Commissions can handle contractual deficiencies and individual grievances.
Claims of “deficiency in service” can be a distinct cause of action, allowing recovery for failing to implement necessary security measures. Consumer Commissions, with their expertise in quantifying non-pecuniary harm, offer an avenue for addressing primary injuries in data breaches.
Reevaluating Consideration in Digital Markets
A hurdle in consumer protection claims is the requirement of “consideration.” Many digital platforms argue that users of free services are not “consumers” under the CPA. However, this view overlooks the economic reality of data-driven markets, where personal data acts as digital currency.
Constitutional Remedies for State Breaches
When a data fiduciary is a “State” or an “instrumentality of the State” under Article 12, data breaches become constitutional violations. The constitutional argument is anchored in privacy jurisprudence, notably the KS Puttaswamy v. Union of India decision, which frames a State-led breach as an infringement of constitutional rights.
Constitutional courts can award public law damages, bypassing the DPDP Act’s focus on administrative penalties. A writ petition can secure direct compensation for victims of state-led data breaches.
Strategic Limitations of Constitutional Claims
Despite its potential, the constitutional approach faces several constraints. The Article 12 threshold restricts applicability to State entities, excluding many parties. Courts may require petitioners to exhaust alternative remedies available under the DPDP Act. Additionally, the fact-intensive nature of data breach cases may deter courts from engaging in detailed inquiries.
More Read
Conclusion
The DPDP Act missed the opportunity to center the data principal by omitting a statutory compensation right for individuals. Until Parliament revisits this, practitioners must creatively leverage the existing legal framework to secure the remedies their clients deserve.
About the authors: Vaishnavi Viswanathan and Davis Kanjamala are Partners, and Viswanathan G is a Director at Viswanathan & Associates.
Disclaimer: The views expressed in this article are those of the authors and do not necessarily reflect the opinion of Bar & Bench.
