Tech Law Forum @ NALSAR

A student-run group at NALSAR University of Law

Rights Without Courts: India’s Troubling DPDPA Model

Posted on January 13, 2026 by Tech Law Forum NALSAR

[Adarsh Philip Roy is a PG student at West Bengal National University of Juridical Sciences (WBNUJS), Kolkata.]

The Digital Personal Data Protection Act, 2023 (DPDPA) establishes a framework for the collection, storage, processing, and ultimately the protection of personal data. On closer examination, however, this seemingly progressive law carries a controversial twist. Unlike other global data protection laws, the DPDPA pointedly shuts the courthouse doors to individuals seeking monetary redress for data harms. Section 39 of the Act bars civil courts from exercising jurisdiction over matters entrusted to the board. The law funnels all grievances through an administrative pipeline, first to the offending company itself and then to a government-appointed Data Protection Board, with no other recourse. 

Therefore, when a data principal has her data privacy rights violated, she has to approach the Board as the sole forum for enforcement. To compound this limitation, even if the Board finds the company at fault, it cannot award her compensation or damages; it can only levy fines on the data fiduciaries, which are to be paid into the government coffers.

The result of this system is what I would call ‘rights without courts’, meaning an enforcement framework where the individual suffers a legal injury, but the law provides no mechanism to remedy the harm. To understand the contours of this debate, we must examine closely what the law states. 

The Two-Step Redressal Path under the DPDPA

The DPDPA creates a two-step grievance redressal process for Data Principals.

  1. Complain to the Data Fiduciary: If you, as a data principal, have a complaint about how your personal data was handled, say, your data was leaked, or your rights under the Act were denied, the first stop is the Data Fiduciary’s internal grievance mechanism. The “Data Fiduciary” is the entity or company handling your data. Every data fiduciary must provide readily available means to address user grievances. You lodge your complaint with the data fiduciary itself (or its designated grievance officer/“Consent Manager”, if the organisation has a consent manager), and the data fiduciary or such other entity must respond within a prescribed period. The idea is to allow the data fiduciary to resolve the issue directly. The data principal is also obliged to exhaust the remedy of contacting the data fiduciary before escalating it to the board. 
  2. Escalate to the Data Protection Board of India: If the fiduciary’s response is unsatisfactory or ignores your grievance, your only next recourse is to file a complaint with the Data Protection Board of India. You cannot file a lawsuit in any civil court or consumer forum for data privacy violations. The Board is established as an independent adjudicatory authority under the Act and is empowered to receive and investigate these complaints.  This means that all data protection disputes must be resolved exclusively by the Board, with no parallel civil lawsuits permitted. 

To better understand this predicament, we can construct a hypothetical situation. Aarav is a 12-year-old boy already struggling with long-standing mental health issues. Without his parents knowing, he downloads a popular online gaming app that collects his personal data and exposes him to highly immersive, dark content, including content glorifying violence or self-harm. According to Section 9 of the DPDP Act, data fiduciaries must obtain verifiable consent from a parent or guardian to process the personal data of children. The company, in violation of the DPDPA, never obtained the verifiable consent of his parents.

As Aarav played the game more, its design and content fed into his vulnerabilities. One day, the app introduced a “challenge” that essentially required him to inflict self-harm and upload a video of it to an online community of gamers. Aarav complied, being a naive 12-year-old. The video was subsequently leaked and went viral online. In the leaked video, his face was clearly visible. Overnight, Aarav was left exposed, humiliated, and emotionally devastated. His parents eventually found out about their son through social media, and the incident left profound and lasting scars on both him and his family.

Yet when his parents turn to Indian data privacy law for justice, they find the doors of the courts firmly shut. The DPDPA forces them to complain first to the very company whose negligence endangered their child’s well-being, and then, if unsatisfied, to the Data Protection Board of India. Even if the board takes cognisance of the violation and fines the company for failing to obtain parental consent, the penalty is paid only to the government. This fine is meant to punish the company and deter future violations, but Aarav and his family will not see a paisa of it. 

To understand just how extraordinary, and frankly regressive, this move is, one must recognise that the legislature has not merely failed to strengthen existing remedies but has actively rolled back the only statutory compensation mechanism individuals previously had, making the post-DPDPA landscape significantly worse. Section 43A of the Information Technology Act, 2000, held companies handling sensitive personal data liable to pay compensation if they were negligent in maintaining reasonable security practices and that negligence caused wrongful loss or gain. It was completely omitted by virtue of Section 44(2) of the DPDPA. This now-defunct provision gave individuals the right to sue for damages when their sensitive data was mishandled, with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, defining what constitutes sensitive data and reasonable security standards. By dismantling this liability regime without supplying any equivalent private law remedy, the DPDPA engineers a rights framework without consequences, effectively insulating private corporations from monetary accountability for violations of individual privacy.

This shift represents a significant regression in India’s data protection framework, where the state completely forecloses a right without proper justification. The state receives the benefit of a private individual’s data privacy suffering. Such an approach not only diminishes the substantive value of the rights formally conferred on data principals but also undermines the very rationale of data protection law.

Executive Control and Independence Issues 

Critics argue that the Board’s structural independence is not assured, as its composition and tenure are tightly controlled by the Executive. With courts removed from the equation, all adjudication happens within this Executive-controlled framework. This concentration of power could be worrisome if, for example, a data breach involves a politically connected entity. A reasonable question arises as to whether an executive-dependent board feels the same liberty to enforce the law as an independent court, where judicial officers are appointed and maintained independently. Any perceptions (or reality) of bias, selective enforcement, or inefficiency at the board level could erode trust in the redress system.

Global Position on Judicial Remedies for Data Privacy Violations

To truly gauge and understand how unusual the DPDPA’s no-courts approach is, we can look into data privacy laws worldwide. Under the European Union’s GDPR, individuals enjoy multiple avenues for redress. Under Article 79 (Right to an effective judicial remedy against a controller or processor), data subjects have the right to bring a private action against the errant data controller or processor in court. Article 82 (Right to compensation and liability) states that any person who has suffered material or non-material damage due to an infringement of the right conferred by the GDPR has the right to receive compensation from the controller or processor responsible. The GDPR’s approach recognises that regulatory enforcement and private lawsuits are complementary. 

Though limited, Section 1798.150 of the California Consumer Privacy Act (CCPA) gives consumers the right to sue companies for certain data breaches. In the UK (which mirrored the EU approach in its Data Protection Act 2018), individuals can claim compensation for data misuse, including for emotional distress, by virtue of Section 168 of the Act.

Regulators deter and punish violations in the public interest on a large scale, while private actions ensure that individuals are made whole for their personal injuries. One does not negate the other. In fact, the possibility of civil liability under GDPR raises the stakes for companies beyond worrying about an administrative fine. Organisations must also consider potential class-action lawsuits or individual damage claims that could be enormous financial burdens in the long run. This dual pressure leads to greater accountability from private entities that vie for personal data for monetary gain. 

When enforcement is limited solely to administrative fines, especially in a large and resource-intensive digital economy, major corporations often internalise these penalties as routine compliance costs rather than meaningful deterrents. For companies with deep financial reserves, such fines become an investment in risk rather than a consequence for violating rights, thereby weakening the preventive function of data protection law and creating perverse incentives to underinvest in genuine privacy safeguards.

Conclusion

India’s data protection regime now stands at a crossroads. By eliminating the only statutory compensation mechanism that previously existed and by funnelling all disputes into an executive-controlled administrative body, the DPDPA creates a system where fundamental rights exist without meaningful remedies. Individuals harmed by data misuse are left with no civil pathway to seek damages, and companies face only administrative fines that many can easily absorb as operational expenses. This model not only fragments the right to privacy but also dilutes accountability at a structural level.

If India is to uphold the constitutional promise of effective redress and align itself with global standards that recognise the indispensable role of independent courts, the current framework requires urgent correction. Parliament must reconsider Section 39 of the DPDPA, restore judicial access, and reintroduce a mechanism for private compensation claims. Only then will the law move from symbolic recognition of privacy rights to genuine protection. 
