Data Breach Reporting in India: Moving from Self-Regulation to Real Accountability

POSTED ON JULY 18, 2025 BY DATA SECURE

Introduction

In recent years, India has witnessed an alarming increase in the number and scale of data breaches affecting government bodies, private companies, and even critical healthcare institutions. From the AIIMS ransomware attack that disrupted hospital services for days, to the Aadhaar-related leaks that exposed sensitive personal information of millions, these incidents have made it clear: India is not merely dealing with a cybersecurity crisis, but also a regulatory vacuum.

While India's digital economy continues to expand at a staggering pace, its data governance framework has struggled to keep up. Currently, much of the responsibility to disclose and address data breaches rests with the entities themselves, without meaningful oversight or enforcement. This article explores how India's current model of self-regulation fails to protect individuals and outlines why a shift towards real accountability, through statutory mandates and independent oversight, is both urgent and necessary.

India's Existing Legal Framework on Data Breach Reporting


At present, India does not have a single, comprehensive data protection law that governs data breach reporting. Instead, the legal landscape is patchy and largely sector-specific. The primary statute that loosely deals with the issue is the Information Technology Act, 2000, particularly Section 43A and associated rules such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Under these rules, companies are expected to adopt reasonable security measures and report certain breaches.

In 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions under the IT Act. These mandate that specific types of cybersecurity incidents, such as data breaches and ransomware attacks, must be reported within six hours of detection. While this was a welcome move, its implementation has been questionable. There are concerns over the breadth of incidents covered, the lack of clarity on enforcement mechanisms, and the absence of obligations to notify affected individuals.

Beyond this, regulatory authorities such as the RBI, IRDAI, and SEBI have their own breach reporting norms tailored for their respective sectors. But these, too, vary significantly in scope, content, and enforcement, leading to inconsistencies.

Why Self-Regulation Falls Short

Self-regulation in the context of data breach reporting presumes that organisations will act in good faith, prioritising transparency over reputational risk. But this presumption has proved to be naïve. Many companies delay or even avoid reporting breaches, fearing financial loss, regulatory scrutiny, or public backlash.

One stark example is the JustDial breach discovered in 2019, where user data, including names and mobile numbers, was reportedly accessible without any authentication. There was no formal disclosure to the public, and only after security researchers flagged it did the issue surface. Similarly, the MobiKwik data breach in 2021, which allegedly exposed data of over 100 million users, was repeatedly denied by the company despite mounting evidence.

This culture of denial and underreporting highlights a serious flaw in the self-regulatory model: there is no real incentive to disclose unless mandated by law. Without a central authority to independently investigate and penalize non-compliance, organisations often weigh the benefits of silence over the risks of accountability.

Global Comparisons: How Other Nations Handle It


Globally, several jurisdictions have moved towards strong, legally mandated data breach reporting obligations.

1. European Union (GDPR): Under the General Data Protection Regulation (GDPR), companies must report personal data breaches to supervisory authorities within 72 hours of becoming aware of the incident. If the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. Non-compliance can lead to fines of up to €20 million or 4% of global turnover, whichever is higher.

2. United States: While the U.S. lacks a federal data breach law, all 50 states have enacted breach notification laws. These typically require businesses to notify both regulators and affected consumers. Notably, some states like California have public databases listing all reported breaches, promoting transparency.

3. Singapore and Australia: Singapore's Personal Data Protection Act (PDPA) requires breach notifications to the Personal Data Protection Commission and individuals if the breach is likely to result in significant harm. Similarly, Australia's Privacy Amendment (Notifiable Data Breaches) Act 2017 establishes mandatory reporting obligations with clear timelines.

These jurisdictions share certain features that India lacks: clarity on breach thresholds, fixed notification timelines, mandatory individual notifications, and independent enforcement authorities.

The Digital Personal Data Protection Act, 2023

India's newly enacted Digital Personal Data Protection Act (DPDPA), 2023 is a crucial development. It introduces structured data protection obligations for organisations (now termed "Data Fiduciaries") and establishes a Data Protection Board of India to monitor compliance and enforce penalties.

Under the Digital Personal Data Protection Act 2023, a Data Fiduciary is required to inform the Board about personal data breaches and may also be directed to notify affected data principals. However, several concerns remain:

  • Discretionary Notification: The requirement to notify individuals is not automatic but is subject to the Board's discretion.
  • No Statutory Timeline: The Act does not define a fixed timeframe for breach notification, unlike GDPR's 72-hour rule.
  • Vague Breach Thresholds: What constitutes a reportable breach is not clearly defined, leaving room for interpretation.
  • Government Control: The central government retains significant control over rule-making and appointments to the Board, which may impact independence.

Despite these limitations, the Act is a step forward and offers a skeleton upon which robust, rights-based data governance can be built.

What Needs to Change: Towards Real Accountability


To truly transition from self-regulation to accountability, India must operationalise the Digital Personal Data Protection Act 2023 with detailed subordinate legislation and accompanying reforms. Here are key recommendations:

1. Define Reportable Breaches Precisely: Introduce detailed rules clarifying what kinds of breaches are "reportable," including not just financial harm but reputational, mental, and social impacts.
2. Establish Fixed Timelines: Mandate a clear and reasonable timeframe (preferably 72 hours) for notifying the Data Protection Board. Include staggered timelines for internal investigation, stakeholder notification, and public disclosures.
3. Make Victim Notification Automatic: Notification to affected individuals should not be left to the Board's discretion. Data principals must be informed directly, enabling them to mitigate harm.
4. Set Up a Public Breach Registry: Create a publicly accessible database of reported breaches, much like California's. This will promote transparency and allow independent researchers to track patterns and trends.
5. Ensure Independent Oversight: The Data Protection Board should function independently of political influence, with multi-stakeholder representation and transparent appointments.
6. Strengthen Penalty Mechanisms: The Board must have the power and willingness to impose meaningful penalties that deter violations. Penalties should be proportionate to the severity of non-compliance.
7. Build Enforcement Capacity: Without trained personnel and infrastructure, even the best laws remain ineffective. India must invest in regulatory and forensic expertise to ensure quick and fair enforcement.

Way Forward

To transition from a regime of self-regulation to genuine accountability, India must take concrete steps to operationalise the Digital Personal Data Protection Act 2023 effectively. The first priority should be the introduction of clear and detailed rules that define what constitutes a reportable data breach, along with mandatory timelines, ideally within 72 hours, for reporting to the Data Protection Board and affected individuals.

Direct notification to users must become a legal obligation, not a discretionary action. Individuals have a right to be informed when their personal data is compromised, so they can take protective measures. Furthermore, a centralised and publicly accessible data breach registry should be created to enable transparency, track patterns, and enhance public awareness.

The Data Protection Board must be made operationally independent, with adequate technical capacity and investigative powers. Merely creating the Board on paper will not ensure enforcement. India must also invest in regulatory infrastructure, cybersecurity audits, and personnel training.

Finally, there must be a shift in organisational mindset, from viewing breach reporting as a risk to reputation, to embracing it as a core part of ethical digital governance. Only then can India build a privacy framework rooted in trust, rights, and resilience.

Conclusion

India stands at a critical juncture. As it pushes towards a trillion-dollar digital economy and builds ambitious platforms like Digital India, the protection of personal data must be treated not just as a technical or regulatory issue, but as a fundamental right.

Data breaches compromise not only privacy but also trust. In a country with growing digital inclusion but limited digital literacy, the consequences of opaque, unregulated data practices can be particularly damaging. Self-regulation has failed to deliver either transparency or accountability. The future must belong to a framework where individuals are informed, empowered, and protected. The Digital Personal Data Protection Act 2023 provides the foundation. Now, it must be built upon with urgency, clarity, and courage. Because in the digital age, safeguarding data is safeguarding democracy itself.

We at Data Secure (Data Privacy Automation Solution) DATA SECURE - Data Privacy Automation Solution can help you to understand EU GDPR and its ramifications, and design a solution to meet compliance and the regulatory framework of EU GDPR and avoid potentially costly fines.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to GDPR, UK DPA 2018, CCPA, India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO Partner in 2025 (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

For downloading the various Global Privacy Laws, kindly visit the Resources page of DPO India - Your Outsourced DPO Partner in 2025.

We serve as a comprehensive resource on the Digital Personal Data Protection Act, 2023 (Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025), India's landmark legislation on digital personal data protection. Our site provides access to the full text of the Act, the Draft DPDP Rules 2025, and detailed breakdowns of each chapter, covering topics such as data fiduciary obligations, rights of data principals, and the establishment of the Data Protection Board of India. For more details, kindly visit DPDP Act 2023 – Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025.

We provide in-depth solutions and content on AI Risk Assessment and compliance, privacy regulations, and emerging industry trends. Our goal is to establish a credible platform that keeps businesses and professionals informed while also paving the way for future services in AI and privacy assessments. To know more, kindly visit AI Nexus Home|AI-Nexus.