





Corporate Accountability For Data Breaches Under The Digital Personal Data Protection Act, 2023
Introduction
India’s emergence as a data-driven economy has dramatically expanded the scale at which corporations collect, process, and monetise personal data. While this digital growth has accelerated financial inclusion, online commerce, and innovation, it has simultaneously exposed deep vulnerabilities in corporate data-protection systems. In recent years, India has witnessed several major breaches, including the Aadhaar exposure, BigBasket’s 2020 breach affecting millions of consumers, and incidents involving Domino’s, Dr. Lal PathLabs, and numerous digital-payment platforms, revealing significant lapses in corporate cybersecurity infrastructure and regulatory oversight[1]. The absence of a unified statutory data-protection regime meant that corporate accountability largely depended on contractual standards and the limited provisions of the Information Technology Act, 2000.
The Supreme Court’s ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India[2] recognised privacy as a fundamental right, emphasising the risks posed by both state and private entities handling personal data. This constitutional shift laid the groundwork for the Digital Personal Data Protection Act, 2023 (DPDP Act), India’s first comprehensive statute governing personal-data processing. The Act introduces explicit duties for corporations (termed Data Fiduciaries), mandatory breach-notification requirements, and significant penalties, marking a decisive transition toward a rights-centric approach.
This article analyses how the DPDP Act constructs corporate accountability for data breaches, evaluates its strengths and limitations, and situates the legislation within India’s evolving privacy and corporate-governance framework.
STATUTORY DUTIES OF DATA FIDUCIARIES UNDER THE DPDP ACT
Principles of Lawful Processing, Security, and Purpose Limitation-
Sections 4 to 9 of the DPDP Act impose legally enforceable duties on corporations processing personal data, including principles of legality, purpose limitation, data minimisation, accuracy, retention limits, and mandatory implementation of “reasonable security safeguards.” These provisions reflect globally accepted privacy principles embedded in the GDPR. The statutory language signals a legislative intent to treat corporations as custodians of personal data with obligations extending beyond mere technological compliance.
Departure from the IT Act, 2000-
Until the DPDP Act, corporate liability for data breaches relied on Section 43A of the Information Technology Act, 2000, which imposed compensation for negligence in maintaining “reasonable security practices[3].” However, the provision lacked regulatory clarity, leaving enforcement inconsistent. The DPDP Act closes this gap by explicitly defining duties, breach-reporting obligations, and enforcement mechanisms under a dedicated Data Protection Board (DPB)[4].
Significant Data Fiduciaries and Enhanced Obligations-
The Act designates certain corporations as “Significant Data Fiduciaries” based on sensitivity and volume of data processed. These entities must conduct Data Protection Impact Assessments, undergo annual audits, and appoint a Data Protection Officer. This risk-based model mirrors the GDPR and Singapore’s PDPA. It ensures that corporations handling high-risk data maintain proportionately stronger safeguards.
MANDATORY BREACH REPORTING AND TRANSPARENCY REQUIREMENTS
Statutory Duty to Report Data Breaches-
Section 8(6) mandates that corporations notify both the DPB and affected individuals of any breach “as may be prescribed.” Mandatory reporting is crucial in a jurisdiction where studies indicate chronic underreporting of breaches due to reputational concerns[5].
Importance of Mandatory Reporting-
Mandatory disclosure enables:
Affected individuals to take timely steps to mitigate harm, and
The DPB to investigate, impose penalties, and ensure systemic corrective action.
Globally, regulators impose severe penalties for delayed reporting—such as the U.K. ICO’s fines on British Airways and Marriott for failure to promptly disclose breaches. The DPDP Act aligns with this international shift toward transparency-centric regulation.
Penalty Architecture and Deterrence-
Under Section 33, penalties for breach-related violations may reach ₹250 crore, with additional penalties for non-disclosure. This mirrors the GDPR’s fine model under Articles 83–84. The scale of penalties reflects Parliament’s intention to incentivise robust data-protection practices and deter corporate negligence.
CORPORATE GOVERNANCE, DIRECTOR LIABILITY, AND DATA PROTECTION
Intersection with Duties Under the Companies Act, 2013-
Corporate accountability under the DPDP Act intersects with directors’ duties under Section 166 of the Companies Act, 2013, which require directors to exercise care, skill, and diligence. Inadequate security measures that lead to breaches expose the corporation to penalties and may constitute breach of directors’ fiduciary obligations.
SEBI’s Cybersecurity and Disclosure Framework-
SEBI’s Listing Obligations and Disclosure Requirements (LODR) mandate disclosure of cyber security incidents for listed companies[6]. The 2023 amendments strengthen these obligations. Thus, corporations face overlapping responsibilities under DPDP and SEBI regulations, making data governance a central compliance issue.
Data as a Corporate Asset-
Global governance principles emphasise that corporate boards must treat data as a strategic asset that requires targeted oversight. The OECD’s corporate-governance guidelines highlight cybersecurity and data risks as integral to enterprise-risk management[7]. The Equifax breach in the United States demonstrated how inadequate cybersecurity governance can expose corporations to significant financial, legal, and reputational harm[8].
JUDICIAL AND GLOBAL INFLUENCES ON CORPORATE ACCOUNTABILITY
Constitutional Backdrop: The Puttaswamy Doctrine-
The Puttaswamy ruling’s emphasis on proportionality, dignity, and informational autonomy shapes the interpretive framework for private-sector data processing[9]. Although the DPDP Act is a statutory regime for private actors, courts may rely on constitutional principles to assess corporate actions.
Persuasive International Jurisprudence-
The Court of Justice of the European Union’s decision in Google Spain established the principle that data controllers must ensure lawful processing regardless of data location[10]. Further, Schrems I and Schrems II emphasised corporate accountability in cross-border transfers, which is relevant for Indian corporations operating globally[11].
Policy Reports and Executive Directions-
NITI Aayog’s Data Governance Framework and CERT-In’s 2022 cybersecurity directions collectively shape India’s evolving data-protection ecosystem. Their recommendations emphasise risk assessment, breach preparedness, and incident-response architecture[12].
EVALUATING THE DPDP ACT’S ACCOUNTABILITY FRAMEWORK
Strengths-
The DPDP Act’s strengths include:
Clear statutory duties
Mandatory reporting
A penalty system tailored for deterrence
A specialised regulatory authority
A risk-based compliance model
These elements collectively establish a more robust framework than India’s earlier fragmented regime.
Limitations-
However, challenges persist:
Dependence on future rulemaking: Operational clarity remains pending.
Broad “deemed consent” provisions: Risk weakening individual rights and enabling corporate overreach.
Regulatory capacity: DPB effectiveness depends on its technical expertise and independence.
Long-Term Impact on Corporate Behaviour-
International experience suggests that regulatory enforcement, transparency, and high penalties can transform corporate culture. Over time, India is likely to see a similar shift as corporations adapt internal processes, governance frameworks, and privacy-by-design principles.
Conclusion
The Digital Personal Data Protection Act, 2023, marks a transformative shift in India’s corporate-regulatory landscape by establishing a comprehensive accountability model for data breaches. Through explicit duties, strong penalties, mandatory reporting, and governance-linked compliance, the Act elevates data protection from a peripheral technical concern to a central element of corporate strategy. While certain ambiguities, particularly concerning subordinate rules and deemed consent, require careful interpretation, the Act effectively aligns India with global privacy standards and lays the foundation for a culture of corporate responsibility. As India’s digital economy grows, the DPDP Act will play an essential role in protecting individual autonomy, fostering public trust, and ensuring that corporations uphold rigorous standards of data protection.
Disclaimer: This article is intended solely for educational and informational purposes. It does not constitute legal advice and should not be relied upon as such. While every effort has been made to ensure the accuracy, reliability, and completeness of the information provided, ClearLaw.online, the author, and the publisher disclaim any liability for errors, omissions, or inadvertent inaccuracies. Readers are strongly advised to consult a qualified legal professional for guidance on any specific legal issue or matter.
[1] Data Security Council of India, Cybersecurity Annual Report (2021).
[2] (2017) 10 SCC 1.
[3] Information Technology Act, 2000, Sec. 43A.
[4] Digital Personal Data Protection Act, Sec. 27.
[5] NITI Aayog, Data Governance Framework (2021).
[6] SEBI (LODR) Regulations, 2015, Reg. 30.
[7] OECD, Principles of Corporate Governance (2015).
[8] U.S. House Oversight Committee, Equifax Breach Report (2018).
[9] Supra note 2.
[10] Google Spain SL v. AEPD, Case C-131/12 (CJEU 2014).
[11] Schrems v. Data Protection Commissioner, Case C-362/14 (2015).
[12] CERT-In, Cybersecurity Directions (2022).
Making legal knowledge accessible and understandable for everyone. Expert insights and practical advice for your legal questions.


ClearLaw