Litigation
March 1, 2026

Data Breach and Digital Privacy in India: From Criminal Complaint to DPBI Adjudication

A data breach in India triggers a multi-track litigation strategy spanning criminal complaints, civil recovery suits, and regulatory proceedings before the Data Protection Board of India — effective redress requires timely and coordinated action across all three tracks.

Introduction

In the present digital age, individuals share personal information for banking, shopping, healthcare, education and communication, including phone numbers, addresses, financial records, identity documents and biometric data. When such information is accessed, disclosed or misused without permission, it constitutes an unauthorised data breach. Consequences can be severe: financial fraud, identity theft, reputational damage and mental distress for victims, and credibility loss and regulatory action for companies.

The Data Protection Board of India

The Data Protection Board of India is the adjudicating authority under the Digital Personal Data Protection Act, 2023 (DPDPA). Section 18 establishes the Board as an independent regulatory body with quasi-judicial powers, functioning autonomously from the Government while remaining subject to review by the High Court. The Board is composed of a Chairperson (generally a retired High Court Judge), a Vice Chairperson with judicial background, and members with expertise in technology, law and public policy. Its powers include inquiring into complaints, calling for evidence, summoning parties, and imposing penalties. Any natural person whose data rights are violated may file a complaint; registered data protection NGOs may do so on behalf of affected individuals.

Litigation Procedure in Data Breach Matters

Litigation in data breach matters proceeds across multiple tracks. The first step is collection and preservation of evidence: screenshots, server logs, emails, transaction details and expert forensic reports, all compliant with electronic evidence standards. A criminal complaint is filed with the cyber-crime police station, whose investigation may involve digital forensics, seizure of devices and tracing of offenders. Simultaneously, legal notices are sent to the company or platform demanding immediate action; takedown notices are issued to intermediaries for unlawful content online. Once the investigation report establishes liability, a civil recovery suit may be filed claiming compensation for financial loss, mental harassment and reputational damage. In parallel, a complaint before the Data Protection Board may result in regulatory penalties on the Data Fiduciary for failure to maintain reasonable safeguards or report the breach.

DPBI Complaint Process

Under the DPDPA Rules 2025, a digital-first complaint mechanism operates through the official portal. The complainant submits identification details, a description of the violation, the respondent’s identity, supporting evidence, and relief sought. The Secretariat conducts a preliminary review within seven days to assess jurisdiction, completeness, and prima facie admissibility; deficiencies may be cured within fourteen days. If admitted, the respondent (Data Fiduciary) receives thirty days to respond. The Board may summon witnesses, direct document production, commission technical audits, or seek information from sectoral regulators. It aims to complete adjudication within six months, though complex cases may require more time. Monetary penalties, corrective directions, or cessation orders may be imposed.

Appeal Before TDSAT

Any party dissatisfied with the Board’s order may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within sixty days. TDSAT has powers similar to a civil court and its orders are enforceable as decrees. Further appeal on substantial questions of law lies before the Supreme Court of India.

Key Takeaways

  • A data breach in India triggers a coordinated multi-track response: criminal complaint to the cyber-crime police, legal notices and takedown demands to intermediaries, civil recovery suit for damages, and regulatory complaint before the Data Protection Board of India.
  • The Data Protection Board of India (DPBI), established under Section 18 of the DPDPA, 2023, is an independent quasi-judicial body empowered to adjudicate complaints, impose monetary penalties, and direct corrective steps against Data Fiduciaries.
  • Preservation of electronic evidence — server logs, screenshots, forensic reports — in legally admissible form is the critical first step; delays in collection can permanently compromise the ability to establish liability.
  • DPBI complaints must be filed within two years of the complainant’s knowledge of the violation; the Board’s digital portal allows submission, and any deficiency in the complaint may be cured within fourteen days of notification.
  • Appeals from DPBI orders lie before TDSAT within sixty days; further appeal on substantial questions of law lies before the Supreme Court, providing a structured three-tier remedial architecture for data protection disputes.

Related Insights