
Data breach grievance

Filing grievance under Digital Personal Data Protection Act (DPDPA) 2023 for unauthorised data collection, sharing, or breach by any data fiduciary.

When personal data held by a service provider, employer, hospital, educational institution, or any other organisation is exposed through a breach — whether by hacking, insider misuse, accidental disclosure, or unauthorised sharing with third parties — the affected individual has a layered remedies framework operating under three distinct statutes that may apply in parallel depending on the nature of the data, the nature of the breach, and the operational status of the regulator at the time of the breach.

The Digital Personal Data Protection Act, 2023 (DPDPA) is the principal statute governing personal data protection in India. The Act creates the Data Protection Board of India as the adjudicatory body for data-principal complaints, imposes obligations on data fiduciaries (entities holding the data) including reasonable security safeguards under Section 8, breach-notification obligations to the Board and to affected data principals, and an internal grievance-redressal mechanism that the data principal must approach before escalating to the Board (Section 13). Penalties under the Act extend up to ₹250 crore for significant breaches. Operationalisation has been phased — the Act received presidential assent in August 2023, the implementation Rules have been notified in stages, and the Data Protection Board has been progressively constituted; the operational status of the Board's complaint-intake mechanism for any specific complaint should be verified at the time of filing through the official MeitY notifications and the Board's published portal.

Running in parallel and continuing to operate during the phased DPDPA transition, the Information Technology Act, 2000 Section 43A (compensation for failure to protect sensitive personal data or information) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) provides a compensation route adjudicated by the IT Adjudicating Officer (Secretary, IT Department of the State) for claims up to ₹5 crore and by the Telecom Disputes Settlement and Appellate Tribunal for higher claims; this route remains operative until the DPDPA fully supersedes it through complete commencement notifications. Where the breach involves a service provider whose service has been deficient (a hospital that leaked medical records, a bank that exposed account data, an e-commerce platform with a data-leak history), the Consumer Protection Act, 2019 supplies a parallel deficiency-of-service route at the District Consumer Disputes Redressal Commission (jurisdiction up to ₹50 lakh), the State Commission (₹50 lakh to ₹2 crore), or the National Commission (above ₹2 crore). Where the breach involves criminal hacking, the Information Technology Act §66 read with §43, along with the Bharatiya Nyaya Sanhita 2023 cheating and breach-of-trust provisions, are the relevant offences for a cybercrime.gov.in / Cyber Cell complaint.

In Uttarakhand, the multi-channel approach is the practical norm. The first written grievance is sent to the data fiduciary's published grievance officer (every fiduciary is required to publish contact details under DPDPA Section 13 and parallel obligations under IT Rules 2021 Rule 3(2) for intermediaries); the response window is fifteen days under DPDPA-aligned practice, with reasoned disposal required. Where the fiduciary fails to act, the Data Protection Board complaint is filed online once the Board's intake portal is operational; in the interim or as a parallel route, the IT Adjudicating Officer is approached. The Adjudicating Officer for IT Act §43A claims in Uttarakhand is the Secretary of the Department of Information Technology, Government of Uttarakhand, sitting at the State Secretariat at Dehradun. The Consumer Forum route is filed at the District Commission at the place of residence of the affected person or the place where the deficient service was rendered.

Where the breach involves criminal conduct (data theft, unauthorised access, ransomware), the cybercrime.gov.in complaint and the State Cyber Crime Police Station route described in the cybercrime-gov-complaint service apply in parallel. For institutional-side incident reporting — where the affected person is the data fiduciary itself responding to a breach — the CERT-In Direction issued under §70B IT Act dated 28 April 2022 prescribes a six-hour reporting window from breach detection to CERT-In; this is a fiduciary-side obligation and is described here only for completeness, since it does not run to the affected individual. The civil route (suit for damages on negligence, breach of confidence, or breach of contract) is filed at the District Court or High Court depending on claim value, with the Court at the place of residence of the affected person or the place where the breach was suffered having jurisdiction.

NyaySetu Law's data breach grievance service drafts the data-fiduciary grievance-officer notice invoking DPDPA Section 13 and the parallel IT Rules / SPDI obligations, drafts the Data Protection Board complaint (when filed) or the IT Adjudicating Officer complaint under IT Act §43A as the operative route at the time of filing, drafts the Consumer Forum complaint where a service-deficiency dimension exists, drafts the cybercrime.gov.in complaint where criminal conduct is involved, and prepares the civil notice and pleadings where damages are pursued through the civil route. The strategy across the four channels is calibrated to the breach category, the data sensitivity, the quantum of injury, and the operational status of the DPB at the time of filing. You send the grievance-officer notice from your registered email, file the regulator complaints with your credentials, and authorise the consumer / civil filings.

₹800–₹3000 · ~5 days · 8 providers

What you will need to provide

Data fiduciary, breach details, evidence, consent status
