Voices. Verdicts. Vision

Data Breaches: Should Victims Be Compensated in India?

By: Ms. Paakhhi Garg & Prof. (Dr.) Nachiketa Mittal

Internet users are being dominated by the increasing consequences of data breaches. Cyberattacks pose a continuous danger to government agencies and large corporations alike. However, in all the news of infiltrated systems and stolen data, one important voice is still missing: the victims. This article advocates that India’s data protection and privacy laws must deter breaches and provide a vital safety measure: restitution for individuals whose personal data is compromised.

An analogy from the criminal justice system and from the cyber contraventions (Sections 43 and 43A) of the Information Technology Act, 2000, where this concept already exists, is crucial when arguing for victim compensation. It therefore becomes necessary to debate it in the recently passed Digital Personal Data Protection Act, 2023. The number of data breaches is increasing. In 2022, the All-India Institute of Medical Sciences (AIIMS) in Delhi experienced a sophisticated cyberattack on its systems, exposing the personal data of millions of residents. To restore the data, the hackers demanded a substantial crypto ransom of nearly INR 200 crores. The AIIMS data leak therefore emphasizes the urgent need for stronger data protection regulations in India, including procedures for compensating victims. The necessity for restitution becomes evident when considering the number of potential victims in this situation. The data of millions of people was compromised in an earlier case, Justice K.S. Puttaswamy vs. UOI (also known as the “Aadhaar Card Case”) of 2017, which is regarded as a landmark ruling on the “Right to Privacy” and served as a foundation for the “DPDP Act, 2023.”

We must realize that victim compensation offers functional advantages beyond merely being fair, such as:

  • Accountability: Companies that directly compensate victims are more likely to prioritize data security.
  • Enforcement: Individuals become more likely to report breaches when they know they may be compensated.
  • Support: Financial aid can offset breach-related costs, acknowledging the hardship caused.

What is the way forward for India?

In India, data protection is firmly based on the DPDP Act. However, to protect people’s privacy and ensure accountability, we cannot rely solely on penalties as a means of enforcement. Here’s what we should think about:

1. Modify the Law about Victim Compensation

  • Establishment of the Fund: Section 34 of the DPDP Act mandates that all penalties collected under the Act be credited to the “Consolidated Fund of India”. We therefore advocate that it be implemented in a way that provides for a specific percentage of the fines collected from the data fiduciary, or any other actor penalised under the DPDP Act, to be paid to the victim.
  • Provide Direct Support: This fund would offer victims financial resources to help mitigate the damage caused by data breaches, including identity theft, economic losses, mental distress, and reputational harm.

2. Set Fair Compensation Standards

  • Develop Clear Guidelines: Establish transparent guidelines to determine fair compensation amounts, considering factors such as the severity of the data breach, the type of data compromised, and the extent of harm caused to individuals.

3. Compensation is one part of the story; deterrence is another

  • Graded Penalties: Implementing a graduated penalty system that suspends services for repeat offenders and uses reputational damage as a powerful deterrent is necessary. Fines alone are not enough to address the issue.

Some Good Practices that can be followed

  • Government Support: Businesses, particularly micro, small and medium enterprises (MSMEs), can receive government support to invest in robust data security measures and training. In the long term, this preventative strategy may decrease breaches.
  • Stress the significance of corporate responsibility for data security: Encourage companies to implement internal privacy compliance initiatives and cultivate a culture of data protection.

Global Lessons on Victim Compensation

Of course, determining fair compensation is a complex process. Subjective damages like emotional distress are hard to quantify. India’s Information Technology Act, 2000 provides for victim compensation as part of the cyber contraventions, but one of its essential provisions (Section 43A) has now been omitted, and no equivalent provision has been carried into the DPDP Act, 2023.

Countries like Australia and Singapore offer victim compensation funds for individuals impacted by data breaches, while California allows consumers to sue companies for data breach-related violations. Repeat offenders could even see their services suspended in these countries. This highlights the growing global trend toward stricter data privacy regulations and the increasing consequences for companies that fail to comply with them. It is time, however, to examine hybrid approaches, in which a portion of the fines is used to create a compensation fund for victims.

Conclusion: Data Protection That Puts People First

Globally, companies value our personal information. A crucial step in safeguarding this priceless resource is India’s Digital Personal Data Protection Act, which prioritises consent and penalises companies that fail to comply with its provisions. However, when those sanctions focus solely on governmental fines, those whose data has been compromised are left behind. We need a system that recognizes the need for effective social deterrents as well as the individual’s right to redress.


*Authored By: Ms. Paakhhi Garg (Director-Trainings, World Cyber Security Forum) & Prof. (Dr.) Nachiketa Mittal (Registrar & Professor of Law, NLU Tripura)
