A data breach in India triggers a multi-track litigation strategy spanning criminal complaints, civil recovery suits, and regulatory proceedings before the Data Protection Board of India — effective redress requires timely and coordinated action across all three tracks.
In the present digital age, individuals share personal information for banking, shopping, healthcare, education and communication, including phone numbers, addresses, financial records, identity documents and biometric data. When such information is accessed, disclosed or misused without permission, it constitutes an unauthorised data breach. Consequences can be severe: financial fraud, identity theft, reputational damage and mental distress for victims, and credibility loss and regulatory action for companies.
The Data Protection Board of India is the adjudicating authority under the Digital Personal Data Protection Act, 2023 (DPDPA). Section 18 establishes the Board as an independent regulatory body with quasi-judicial powers, functioning autonomously from the Government while remaining subject to review by the High Court. The Board is composed of a Chairperson (generally a retired High Court Judge), a Vice Chairperson with judicial background, and members with expertise in technology, law and public policy. Its powers include inquiring into complaints, calling for evidence, summoning parties, and imposing penalties. Any natural person whose data rights are violated may file a complaint; registered data protection NGOs may do so on behalf of affected individuals.
Litigation in data breach matters proceeds across multiple tracks. The first step is collection and preservation of evidence: screenshots, server logs, emails, transaction details and expert forensic reports, all compliant with electronic evidence standards. A criminal complaint is filed with the cyber-crime police station, whose investigation may involve digital forensics, seizure of devices and tracing of offenders. Simultaneously, legal notices are sent to the company or platform demanding immediate action; takedown notices are issued to intermediaries for unlawful content online. Once the investigation report establishes liability, a civil recovery suit may be filed claiming compensation for financial loss, mental harassment and reputational damage. In parallel, a complaint before the Data Protection Board may result in regulatory penalties on the Data Fiduciary for failure to maintain reasonable safeguards or report the breach.
Under the DPDPA Rules 2025, a digital-first complaint mechanism operates through the official portal. The complainant submits identification details, a description of the violation, the respondent’s identity, supporting evidence, and relief sought. The Secretariat conducts a preliminary review within seven days to assess jurisdiction, completeness, and prima facie admissibility; deficiencies may be cured within fourteen days. If admitted, the respondent (Data Fiduciary) receives thirty days to respond. The Board may summon witnesses, direct document production, commission technical audits, or seek information from sectoral regulators. It aims to complete adjudication within six months, though complex cases may require more time. Monetary penalties, corrective directions, or cessation orders may be imposed.
Any party dissatisfied with the Board’s order may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within sixty days. TDSAT has powers similar to a civil court and its orders are enforceable as decrees. Further appeal on substantial questions of law lies before the Supreme Court of India.